Fix possible buffer overrun.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #ifndef OPENSSL_NO_DH
119 #include <openssl/dh.h>
120 #include <openssl/bn.h>
121 #endif
122 #include "ssl_locl.h"
123
124 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
125
126 #ifndef OPENSSL_NO_TLSEXT
127 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
128                                 const unsigned char *sess_id, int sesslen,
129                                 SSL_SESSION **psess);
130 static int ssl_check_clienthello_tlsext_early(SSL *s);
131 int ssl_check_serverhello_tlsext(SSL *s);
132 #endif
133
134 SSL3_ENC_METHOD const TLSv1_enc_data={
135         tls1_enc,
136         tls1_mac,
137         tls1_setup_key_block,
138         tls1_generate_master_secret,
139         tls1_change_cipher_state,
140         tls1_final_finish_mac,
141         TLS1_FINISH_MAC_LENGTH,
142         tls1_cert_verify_mac,
143         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
144         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
145         tls1_alert_code,
146         tls1_export_keying_material,
147         0,
148         SSL3_HM_HEADER_LENGTH,
149         ssl3_set_handshake_header,
150         ssl3_handshake_write
151         };
152
153 SSL3_ENC_METHOD const TLSv1_1_enc_data={
154         tls1_enc,
155         tls1_mac,
156         tls1_setup_key_block,
157         tls1_generate_master_secret,
158         tls1_change_cipher_state,
159         tls1_final_finish_mac,
160         TLS1_FINISH_MAC_LENGTH,
161         tls1_cert_verify_mac,
162         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
163         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
164         tls1_alert_code,
165         tls1_export_keying_material,
166         SSL_ENC_FLAG_EXPLICIT_IV,
167         SSL3_HM_HEADER_LENGTH,
168         ssl3_set_handshake_header,
169         ssl3_handshake_write
170         };
171
172 SSL3_ENC_METHOD const TLSv1_2_enc_data={
173         tls1_enc,
174         tls1_mac,
175         tls1_setup_key_block,
176         tls1_generate_master_secret,
177         tls1_change_cipher_state,
178         tls1_final_finish_mac,
179         TLS1_FINISH_MAC_LENGTH,
180         tls1_cert_verify_mac,
181         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
182         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
183         tls1_alert_code,
184         tls1_export_keying_material,
185         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
186                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
187         SSL3_HM_HEADER_LENGTH,
188         ssl3_set_handshake_header,
189         ssl3_handshake_write
190         };
191
192 long tls1_default_timeout(void)
193         {
194         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
195          * is way too long for http, the cache would over fill */
196         return(60*60*2);
197         }
198
199 int tls1_new(SSL *s)
200         {
201         if (!ssl3_new(s)) return(0);
202         s->method->ssl_clear(s);
203         return(1);
204         }
205
206 void tls1_free(SSL *s)
207         {
208 #ifndef OPENSSL_NO_TLSEXT
209         if (s->tlsext_session_ticket)
210                 {
211                 OPENSSL_free(s->tlsext_session_ticket);
212                 }
213 #endif /* OPENSSL_NO_TLSEXT */
214         ssl3_free(s);
215         }
216
217 void tls1_clear(SSL *s)
218         {
219         ssl3_clear(s);
220         s->version = s->method->version;
221         }
222
223 #ifndef OPENSSL_NO_EC
224
225 typedef struct
226         {
227         int nid;                /* Curve NID */
228         int secbits;            /* Bits of security (from SP800-57) */
229         unsigned int flags;     /* Flags: currently just field type */
230         } tls_curve_info;
231
232 #define TLS_CURVE_CHAR2         0x1
233 #define TLS_CURVE_PRIME         0x0
234
235 static tls_curve_info nid_list[] =
236         {
237                 {NID_sect163k1, 80, TLS_CURVE_CHAR2},/* sect163k1 (1) */
238                 {NID_sect163r1, 80, TLS_CURVE_CHAR2},/* sect163r1 (2) */
239                 {NID_sect163r2, 80, TLS_CURVE_CHAR2},/* sect163r2 (3) */
240                 {NID_sect193r1, 80, TLS_CURVE_CHAR2},/* sect193r1 (4) */ 
241                 {NID_sect193r2, 80, TLS_CURVE_CHAR2},/* sect193r2 (5) */ 
242                 {NID_sect233k1, 112, TLS_CURVE_CHAR2},/* sect233k1 (6) */
243                 {NID_sect233r1, 112, TLS_CURVE_CHAR2},/* sect233r1 (7) */ 
244                 {NID_sect239k1, 112, TLS_CURVE_CHAR2},/* sect239k1 (8) */ 
245                 {NID_sect283k1, 128, TLS_CURVE_CHAR2},/* sect283k1 (9) */
246                 {NID_sect283r1, 128, TLS_CURVE_CHAR2},/* sect283r1 (10) */ 
247                 {NID_sect409k1, 192, TLS_CURVE_CHAR2},/* sect409k1 (11) */ 
248                 {NID_sect409r1, 192, TLS_CURVE_CHAR2},/* sect409r1 (12) */
249                 {NID_sect571k1, 256, TLS_CURVE_CHAR2},/* sect571k1 (13) */ 
250                 {NID_sect571r1, 256, TLS_CURVE_CHAR2},/* sect571r1 (14) */ 
251                 {NID_secp160k1, 80, TLS_CURVE_PRIME},/* secp160k1 (15) */
252                 {NID_secp160r1, 80, TLS_CURVE_PRIME},/* secp160r1 (16) */ 
253                 {NID_secp160r2, 80, TLS_CURVE_PRIME},/* secp160r2 (17) */ 
254                 {NID_secp192k1, 80, TLS_CURVE_PRIME},/* secp192k1 (18) */
255                 {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME},/* secp192r1 (19) */ 
256                 {NID_secp224k1, 112, TLS_CURVE_PRIME},/* secp224k1 (20) */ 
257                 {NID_secp224r1, 112, TLS_CURVE_PRIME},/* secp224r1 (21) */
258                 {NID_secp256k1, 128, TLS_CURVE_PRIME},/* secp256k1 (22) */ 
259                 {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME},/* secp256r1 (23) */ 
260                 {NID_secp384r1, 192, TLS_CURVE_PRIME},/* secp384r1 (24) */
261                 {NID_secp521r1, 256, TLS_CURVE_PRIME},/* secp521r1 (25) */      
262                 {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ 
263                 {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ 
264                 {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME},/* brainpool512r1 (28) */   
265         };
266
267
268 static const unsigned char ecformats_default[] = 
269         {
270         TLSEXT_ECPOINTFORMAT_uncompressed,
271         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
272         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
273         };
274
275 static const unsigned char eccurves_default[] =
276         {
277                 0,14, /* sect571r1 (14) */ 
278                 0,13, /* sect571k1 (13) */ 
279                 0,25, /* secp521r1 (25) */      
280                 0,28, /* brainpool512r1 (28) */ 
281                 0,11, /* sect409k1 (11) */ 
282                 0,12, /* sect409r1 (12) */
283                 0,27, /* brainpoolP384r1 (27) */        
284                 0,24, /* secp384r1 (24) */
285                 0,9,  /* sect283k1 (9) */
286                 0,10, /* sect283r1 (10) */ 
287                 0,26, /* brainpoolP256r1 (26) */        
288                 0,22, /* secp256k1 (22) */ 
289                 0,23, /* secp256r1 (23) */ 
290                 0,8,  /* sect239k1 (8) */ 
291                 0,6,  /* sect233k1 (6) */
292                 0,7,  /* sect233r1 (7) */ 
293                 0,20, /* secp224k1 (20) */ 
294                 0,21, /* secp224r1 (21) */
295                 0,4,  /* sect193r1 (4) */ 
296                 0,5,  /* sect193r2 (5) */ 
297                 0,18, /* secp192k1 (18) */
298                 0,19, /* secp192r1 (19) */ 
299                 0,1,  /* sect163k1 (1) */
300                 0,2,  /* sect163r1 (2) */
301                 0,3,  /* sect163r2 (3) */
302                 0,15, /* secp160k1 (15) */
303                 0,16, /* secp160r1 (16) */ 
304                 0,17, /* secp160r2 (17) */ 
305         };
306
307 static const unsigned char suiteb_curves[] =
308         {
309                 0, TLSEXT_curve_P_256,
310                 0, TLSEXT_curve_P_384
311         };
312
313 int tls1_ec_curve_id2nid(int curve_id)
314         {
315         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
316         if ((curve_id < 1) || ((unsigned int)curve_id >
317                                 sizeof(nid_list)/sizeof(nid_list[0])))
318                 return 0;
319         return nid_list[curve_id-1].nid;
320         }
321
322 int tls1_ec_nid2curve_id(int nid)
323         {
324         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
325         switch (nid)
326                 {
327         case NID_sect163k1: /* sect163k1 (1) */
328                 return 1;
329         case NID_sect163r1: /* sect163r1 (2) */
330                 return 2;
331         case NID_sect163r2: /* sect163r2 (3) */
332                 return 3;
333         case NID_sect193r1: /* sect193r1 (4) */ 
334                 return 4;
335         case NID_sect193r2: /* sect193r2 (5) */ 
336                 return 5;
337         case NID_sect233k1: /* sect233k1 (6) */
338                 return 6;
339         case NID_sect233r1: /* sect233r1 (7) */ 
340                 return 7;
341         case NID_sect239k1: /* sect239k1 (8) */ 
342                 return 8;
343         case NID_sect283k1: /* sect283k1 (9) */
344                 return 9;
345         case NID_sect283r1: /* sect283r1 (10) */ 
346                 return 10;
347         case NID_sect409k1: /* sect409k1 (11) */ 
348                 return 11;
349         case NID_sect409r1: /* sect409r1 (12) */
350                 return 12;
351         case NID_sect571k1: /* sect571k1 (13) */ 
352                 return 13;
353         case NID_sect571r1: /* sect571r1 (14) */ 
354                 return 14;
355         case NID_secp160k1: /* secp160k1 (15) */
356                 return 15;
357         case NID_secp160r1: /* secp160r1 (16) */ 
358                 return 16;
359         case NID_secp160r2: /* secp160r2 (17) */ 
360                 return 17;
361         case NID_secp192k1: /* secp192k1 (18) */
362                 return 18;
363         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
364                 return 19;
365         case NID_secp224k1: /* secp224k1 (20) */ 
366                 return 20;
367         case NID_secp224r1: /* secp224r1 (21) */
368                 return 21;
369         case NID_secp256k1: /* secp256k1 (22) */ 
370                 return 22;
371         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
372                 return 23;
373         case NID_secp384r1: /* secp384r1 (24) */
374                 return 24;
375         case NID_secp521r1:  /* secp521r1 (25) */       
376                 return 25;
377         case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
378                 return 26;
379         case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
380                 return 27;
381         case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
382                 return 28;
383         default:
384                 return 0;
385                 }
386         }
387 /* Get curves list, if "sess" is set return client curves otherwise
388  * preferred list
389  */
390 static void tls1_get_curvelist(SSL *s, int sess,
391                                         const unsigned char **pcurves,
392                                         size_t *pcurveslen)
393         {
394         if (sess)
395                 {
396                 *pcurves = s->session->tlsext_ellipticcurvelist;
397                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
398                 return;
399                 }
400         /* For Suite B mode only include P-256, P-384 */
401         switch (tls1_suiteb(s))
402                 {
403         case SSL_CERT_FLAG_SUITEB_128_LOS:
404                 *pcurves = suiteb_curves;
405                 *pcurveslen = sizeof(suiteb_curves);
406                 break;
407
408         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
409                 *pcurves = suiteb_curves;
410                 *pcurveslen = 2;
411                 break;
412
413         case SSL_CERT_FLAG_SUITEB_192_LOS:
414                 *pcurves = suiteb_curves + 2;
415                 *pcurveslen = 2;
416                 break;
417         default:
418                 *pcurves = s->tlsext_ellipticcurvelist;
419                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
420                 }
421         if (!*pcurves)
422                 {
423                 *pcurves = eccurves_default;
424                 *pcurveslen = sizeof(eccurves_default);
425                 }
426         }
427
428 /* See if curve is allowed by security callback */
429 static int tls_curve_allowed(SSL *s, const unsigned char *curve, int op)
430         {
431         tls_curve_info *cinfo;
432         if (curve[0])
433                 return 1;
434         if ((curve[1] < 1) || ((size_t)curve[1] >
435                                 sizeof(nid_list)/sizeof(nid_list[0])))
436                 return 0;
437         cinfo = &nid_list[curve[1]-1];
438         return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)curve);
439         }
440
441 /* Check a curve is one of our preferences */
442 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
443         {
444         const unsigned char *curves;
445         size_t curveslen, i;
446         unsigned int suiteb_flags = tls1_suiteb(s);
447         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
448                 return 0;
449         /* Check curve matches Suite B preferences */
450         if (suiteb_flags)
451                 {
452                 unsigned long cid = s->s3->tmp.new_cipher->id;
453                 if (p[1])
454                         return 0;
455                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
456                         {
457                         if (p[2] != TLSEXT_curve_P_256)
458                                 return 0;
459                         }
460                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
461                         {
462                         if (p[2] != TLSEXT_curve_P_384)
463                                 return 0;
464                         }
465                 else    /* Should never happen */
466                         return 0;
467                 }
468         tls1_get_curvelist(s, 0, &curves, &curveslen);
469         for (i = 0; i < curveslen; i += 2, curves += 2)
470                 {
471                 if (p[1] == curves[0] && p[2] == curves[1])
472                         return tls_curve_allowed(s, p + 1, SSL_SECOP_CURVE_CHECK);
473                 }
474         return 0;
475         }
476
477 /* Return nth shared curve. If nmatch == -1 return number of
478  * matches. For nmatch == -2 return the NID of the curve to use for
479  * an EC tmp key.
480  */
481
482 int tls1_shared_curve(SSL *s, int nmatch)
483         {
484         const unsigned char *pref, *supp;
485         size_t preflen, supplen, i, j;
486         int k;
487         /* Can't do anything on client side */
488         if (s->server == 0)
489                 return -1;
490         if (nmatch == -2)
491                 {
492                 if (tls1_suiteb(s))
493                         {
494                         /* For Suite B ciphersuite determines curve: we 
495                          * already know these are acceptable due to previous
496                          * checks.
497                          */
498                         unsigned long cid = s->s3->tmp.new_cipher->id;
499                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
500                                 return NID_X9_62_prime256v1; /* P-256 */
501                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
502                                 return NID_secp384r1; /* P-384 */
503                         /* Should never happen */
504                         return NID_undef;
505                         }
506                 /* If not Suite B just return first preference shared curve */
507                 nmatch = 0;
508                 }
509         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
510                                 &supp, &supplen);
511         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
512                                 &pref, &preflen);
513         preflen /= 2;
514         supplen /= 2;
515         k = 0;
516         for (i = 0; i < preflen; i++, pref+=2)
517                 {
518                 const unsigned char *tsupp = supp;
519                 for (j = 0; j < supplen; j++, tsupp+=2)
520                         {
521                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
522                                 {
523                                 if (!tls_curve_allowed(s, pref, SSL_SECOP_CURVE_SHARED))
524                                         continue;
525                                 if (nmatch == k)
526                                         {
527                                         int id = (pref[0] << 8) | pref[1];
528                                         return tls1_ec_curve_id2nid(id);
529                                         }
530                                 k++;
531                                 }
532                         }
533                 }
534         if (nmatch == -1)
535                 return k;
536         return 0;
537         }
538
539 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
540                         int *curves, size_t ncurves)
541         {
542         unsigned char *clist, *p;
543         size_t i;
544         /* Bitmap of curves included to detect duplicates: only works
545          * while curve ids < 32 
546          */
547         unsigned long dup_list = 0;
548         clist = OPENSSL_malloc(ncurves * 2);
549         if (!clist)
550                 return 0;
551         for (i = 0, p = clist; i < ncurves; i++)
552                 {
553                 unsigned long idmask;
554                 int id;
555                 id = tls1_ec_nid2curve_id(curves[i]);
556                 idmask = 1L << id;
557                 if (!id || (dup_list & idmask))
558                         {
559                         OPENSSL_free(clist);
560                         return 0;
561                         }
562                 dup_list |= idmask;
563                 s2n(id, p);
564                 }
565         if (*pext)
566                 OPENSSL_free(*pext);
567         *pext = clist;
568         *pextlen = ncurves * 2;
569         return 1;
570         }
571
572 #define MAX_CURVELIST   28
573
574 typedef struct
575         {
576         size_t nidcnt;
577         int nid_arr[MAX_CURVELIST];
578         } nid_cb_st;
579
580 static int nid_cb(const char *elem, int len, void *arg)
581         {
582         nid_cb_st *narg = arg;
583         size_t i;
584         int nid;
585         char etmp[20];
586         if (narg->nidcnt == MAX_CURVELIST)
587                 return 0;
588         if (len > (int)(sizeof(etmp) - 1))
589                 return 0;
590         memcpy(etmp, elem, len);
591         etmp[len] = 0;
592         nid = EC_curve_nist2nid(etmp);
593         if (nid == NID_undef)
594                 nid = OBJ_sn2nid(etmp);
595         if (nid == NID_undef)
596                 nid = OBJ_ln2nid(etmp);
597         if (nid == NID_undef)
598                 return 0;
599         for (i = 0; i < narg->nidcnt; i++)
600                 if (narg->nid_arr[i] == nid)
601                         return 0;
602         narg->nid_arr[narg->nidcnt++] = nid;
603         return 1;
604         }
605 /* Set curves based on a colon separate list */
606 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
607                                 const char *str)
608         {
609         nid_cb_st ncb;
610         ncb.nidcnt = 0;
611         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
612                 return 0;
613         if (pext == NULL)
614                 return 1;
615         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
616         }
617 /* For an EC key set TLS id and required compression based on parameters */
618 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
619                                 EC_KEY *ec)
620         {
621         int is_prime, id;
622         const EC_GROUP *grp;
623         const EC_METHOD *meth;
624         if (!ec)
625                 return 0;
626         /* Determine if it is a prime field */
627         grp = EC_KEY_get0_group(ec);
628         if (!grp)
629                 return 0;
630         meth = EC_GROUP_method_of(grp);
631         if (!meth)
632                 return 0;
633         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
634                 is_prime = 1;
635         else
636                 is_prime = 0;
637         /* Determine curve ID */
638         id = EC_GROUP_get_curve_name(grp);
639         id = tls1_ec_nid2curve_id(id);
640         /* If we have an ID set it, otherwise set arbitrary explicit curve */
641         if (id)
642                 {
643                 curve_id[0] = 0;
644                 curve_id[1] = (unsigned char)id;
645                 }
646         else
647                 {
648                 curve_id[0] = 0xff;
649                 if (is_prime)
650                         curve_id[1] = 0x01;
651                 else
652                         curve_id[1] = 0x02;
653                 }
654         if (comp_id)
655                 {
656                 if (EC_KEY_get0_public_key(ec) == NULL)
657                         return 0;
658                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
659                         {
660                         if (is_prime)
661                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
662                         else
663                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
664                         }
665                 else
666                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
667                 }
668         return 1;
669         }
670 /* Check an EC key is compatible with extensions */
671 static int tls1_check_ec_key(SSL *s,
672                         unsigned char *curve_id, unsigned char *comp_id)
673         {
674         const unsigned char *p;
675         size_t plen, i;
676         int j;
677         /* If point formats extension present check it, otherwise everything
678          * is supported (see RFC4492).
679          */
680         if (comp_id && s->session->tlsext_ecpointformatlist)
681                 {
682                 p = s->session->tlsext_ecpointformatlist;
683                 plen = s->session->tlsext_ecpointformatlist_length;
684                 for (i = 0; i < plen; i++, p++)
685                         {
686                         if (*comp_id == *p)
687                                 break;
688                         }
689                 if (i == plen)
690                         return 0;
691                 }
692         if (!curve_id)
693                 return 1;
694         /* Check curve is consistent with client and server preferences */
695         for (j = 0; j <= 1; j++)
696                 {
697                 tls1_get_curvelist(s, j, &p, &plen);
698                 for (i = 0; i < plen; i+=2, p+=2)
699                         {
700                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
701                                 break;
702                         }
703                 if (i == plen)
704                         return 0;
705                 /* For clients can only check sent curve list */
706                 if (!s->server)
707                         break;
708                 }
709         return 1;
710         }
711
712 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
713                                         size_t *pformatslen)
714         {
715         /* If we have a custom point format list use it otherwise
716          * use default */
717         if (s->tlsext_ecpointformatlist)
718                 {
719                 *pformats = s->tlsext_ecpointformatlist;
720                 *pformatslen = s->tlsext_ecpointformatlist_length;
721                 }
722         else
723                 {
724                 *pformats = ecformats_default;
725                 /* For Suite B we don't support char2 fields */
726                 if (tls1_suiteb(s))
727                         *pformatslen = sizeof(ecformats_default) - 1;
728                 else
729                         *pformatslen = sizeof(ecformats_default);
730                 }
731         }
732
733 /* Check cert parameters compatible with extensions: currently just checks
734  * EC certificates have compatible curves and compression.
735  */
736 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
737         {
738         unsigned char comp_id, curve_id[2];
739         EVP_PKEY *pkey;
740         int rv;
741         pkey = X509_get_pubkey(x);
742         if (!pkey)
743                 return 0;
744         /* If not EC nothing to do */
745         if (pkey->type != EVP_PKEY_EC)
746                 {
747                 EVP_PKEY_free(pkey);
748                 return 1;
749                 }
750         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
751         EVP_PKEY_free(pkey);
752         if (!rv)
753                 return 0;
754         /* Can't check curve_id for client certs as we don't have a
755          * supported curves extension.
756          */
757         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
758         if (!rv)
759                 return 0;
760         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
761          * SHA384+P-384, adjust digest if necessary.
762          */
763         if (set_ee_md && tls1_suiteb(s))
764                 {
765                 int check_md;
766                 size_t i;
767                 CERT *c = s->cert;
768                 if (curve_id[0])
769                         return 0;
770                 /* Check to see we have necessary signing algorithm */
771                 if (curve_id[1] == TLSEXT_curve_P_256)
772                         check_md = NID_ecdsa_with_SHA256;
773                 else if (curve_id[1] == TLSEXT_curve_P_384)
774                         check_md = NID_ecdsa_with_SHA384;
775                 else
776                         return 0; /* Should never happen */
777                 for (i = 0; i < c->shared_sigalgslen; i++)
778                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
779                                 break;
780                 if (i == c->shared_sigalgslen)
781                         return 0;
782                 if (set_ee_md == 2)
783                         {
784                         if (check_md == NID_ecdsa_with_SHA256)
785                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
786                         else
787                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
788                         }
789                 }
790         return rv;
791         }
792 /* Check EC temporary key is compatible with client extensions */
793 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
794         {
795         unsigned char curve_id[2];
796         EC_KEY *ec = s->cert->ecdh_tmp;
797 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
798         /* Allow any curve: not just those peer supports */
799         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
800                 return 1;
801 #endif
802         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
803          * no other curves permitted.
804          */
805         if (tls1_suiteb(s))
806                 {
807                 /* Curve to check determined by ciphersuite */
808                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
809                         curve_id[1] = TLSEXT_curve_P_256;
810                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
811                         curve_id[1] = TLSEXT_curve_P_384;
812                 else
813                         return 0;
814                 curve_id[0] = 0;
815                 /* Check this curve is acceptable */
816                 if (!tls1_check_ec_key(s, curve_id, NULL))
817                         return 0;
818                 /* If auto or setting curve from callback assume OK */
819                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
820                         return 1;
821                 /* Otherwise check curve is acceptable */
822                 else 
823                         {
824                         unsigned char curve_tmp[2];
825                         if (!ec)
826                                 return 0;
827                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
828                                 return 0;
829                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
830                                 return 1;
831                         return 0;
832                         }
833                         
834                 }
835         if (s->cert->ecdh_tmp_auto)
836                 {
837                 /* Need a shared curve */
838                 if (tls1_shared_curve(s, 0))
839                         return 1;
840                 else return 0;
841                 }
842         if (!ec)
843                 {
844                 if (s->cert->ecdh_tmp_cb)
845                         return 1;
846                 else
847                         return 0;
848                 }
849         if (!tls1_set_ec_id(curve_id, NULL, ec))
850                 return 0;
851 /* Set this to allow use of invalid curves for testing */
852 #if 0
853         return 1;
854 #else
855         return tls1_check_ec_key(s, curve_id, NULL);
856 #endif
857         }
858
859 #else
860
861 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
862         {
863         return 1;
864         }
865
866 #endif /* OPENSSL_NO_EC */
867
868 #ifndef OPENSSL_NO_TLSEXT
869
870 /* List of supported signature algorithms and hashes. Should make this
871  * customisable at some point, for now include everything we support.
872  */
873
874 #ifdef OPENSSL_NO_RSA
875 #define tlsext_sigalg_rsa(md) /* */
876 #else
877 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
878 #endif
879
880 #ifdef OPENSSL_NO_DSA
881 #define tlsext_sigalg_dsa(md) /* */
882 #else
883 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
884 #endif
885
886 #ifdef OPENSSL_NO_ECDSA
887 #define tlsext_sigalg_ecdsa(md) /* */
888 #else
889 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
890 #endif
891
892 #define tlsext_sigalg(md) \
893                 tlsext_sigalg_rsa(md) \
894                 tlsext_sigalg_dsa(md) \
895                 tlsext_sigalg_ecdsa(md)
896
897 static unsigned char tls12_sigalgs[] = {
898 #ifndef OPENSSL_NO_SHA512
899         tlsext_sigalg(TLSEXT_hash_sha512)
900         tlsext_sigalg(TLSEXT_hash_sha384)
901 #endif
902 #ifndef OPENSSL_NO_SHA256
903         tlsext_sigalg(TLSEXT_hash_sha256)
904         tlsext_sigalg(TLSEXT_hash_sha224)
905 #endif
906 #ifndef OPENSSL_NO_SHA
907         tlsext_sigalg(TLSEXT_hash_sha1)
908 #endif
909 };
910 #ifndef OPENSSL_NO_ECDSA
911 static unsigned char suiteb_sigalgs[] = {
912         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
913         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
914 };
915 #endif
916 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
917         {
918         /* If Suite B mode use Suite B sigalgs only, ignore any other
919          * preferences.
920          */
921 #ifndef OPENSSL_NO_EC
922         switch (tls1_suiteb(s))
923                 {
924         case SSL_CERT_FLAG_SUITEB_128_LOS:
925                 *psigs = suiteb_sigalgs;
926                 return sizeof(suiteb_sigalgs);
927
928         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
929                 *psigs = suiteb_sigalgs;
930                 return 2;
931
932         case SSL_CERT_FLAG_SUITEB_192_LOS:
933                 *psigs = suiteb_sigalgs + 2;
934                 return 2;
935                 }
936 #endif
937         /* If server use client authentication sigalgs if not NULL */
938         if (s->server && s->cert->client_sigalgs)
939                 {
940                 *psigs = s->cert->client_sigalgs;
941                 return s->cert->client_sigalgslen;
942                 }
943         else if (s->cert->conf_sigalgs)
944                 {
945                 *psigs = s->cert->conf_sigalgs;
946                 return s->cert->conf_sigalgslen;
947                 }
948         else
949                 {
950                 *psigs = tls12_sigalgs;
951                 return sizeof(tls12_sigalgs);
952                 }
953         }
954 /* Check signature algorithm is consistent with sent supported signature
955  * algorithms and if so return relevant digest.
956  */
957 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
958                                 const unsigned char *sig, EVP_PKEY *pkey)
959         {
960         const unsigned char *sent_sigs;
961         size_t sent_sigslen, i;
962         int sigalg = tls12_get_sigid(pkey);
963         /* Should never happen */
964         if (sigalg == -1)
965                 return -1;
966         /* Check key type is consistent with signature */
967         if (sigalg != (int)sig[1])
968                 {
969                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
970                 return 0;
971                 }
972 #ifndef OPENSSL_NO_EC
973         if (pkey->type == EVP_PKEY_EC)
974                 {
975                 unsigned char curve_id[2], comp_id;
976                 /* Check compression and curve matches extensions */
977                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
978                         return 0;
979                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
980                         {
981                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
982                         return 0;
983                         }
984                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
985                 if (tls1_suiteb(s))
986                         {
987                         if (curve_id[0])
988                                 return 0;
989                         if (curve_id[1] == TLSEXT_curve_P_256)
990                                 {
991                                 if (sig[0] != TLSEXT_hash_sha256)
992                                         {
993                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
994                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
995                                         return 0;
996                                         }
997                                 }
998                         else if (curve_id[1] == TLSEXT_curve_P_384)
999                                 {
1000                                 if (sig[0] != TLSEXT_hash_sha384)
1001                                         {
1002                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1003                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
1004                                         return 0;
1005                                         }
1006                                 }
1007                         else
1008                                 return 0;
1009                         }
1010                 }
1011         else if (tls1_suiteb(s))
1012                 return 0;
1013 #endif
1014
1015         /* Check signature matches a type we sent */
1016         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1017         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
1018                 {
1019                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1020                         break;
1021                 }
1022         /* Allow fallback to SHA1 if not strict mode */
1023         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
1024                 {
1025                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1026                 return 0;
1027                 }
1028         *pmd = tls12_get_hash(sig[0]);
1029         if (*pmd == NULL)
1030                 {
1031                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
1032                 return 0;
1033                 }
1034         /* Make sure security callback allows algorithm */
1035         if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
1036                                 EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
1037                                                                 (void *)sig))
1038                 {
1039                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
1040                 return 0;
1041                 }
1042         /* Store the digest used so applications can retrieve it if they
1043          * wish.
1044          */
1045         if (s->session && s->session->sess_cert)
1046                 s->session->sess_cert->peer_key->digest = *pmd;
1047         return 1;
1048         }
1049
1050 /* Get a mask of disabled algorithms: an algorithm is disabled
1051  * if it isn't supported or doesn't appear in supported signature
1052  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1053  * session and not global settings.
1054  * 
1055  */
1056 void ssl_set_client_disabled(SSL *s)
1057         {
1058         CERT *c = s->cert;
1059         c->mask_a = 0;
1060         c->mask_k = 0;
1061         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1062         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1063                 c->mask_ssl = SSL_TLSV1_2;
1064         else
1065                 c->mask_ssl = 0;
1066         ssl_set_sig_mask(&c->mask_a, s, SSL_SECOP_SIGALG_MASK);
1067         /* Disable static DH if we don't include any appropriate
1068          * signature algorithms.
1069          */
1070         if (c->mask_a & SSL_aRSA)
1071                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1072         if (c->mask_a & SSL_aDSS)
1073                 c->mask_k |= SSL_kDHd;
1074         if (c->mask_a & SSL_aECDSA)
1075                 c->mask_k |= SSL_kECDHe;
1076 #ifndef OPENSSL_NO_KRB5
1077         if (!kssl_tgt_is_available(s->kssl_ctx))
1078                 {
1079                 c->mask_a |= SSL_aKRB5;
1080                 c->mask_k |= SSL_kKRB5;
1081                 }
1082 #endif
1083 #ifndef OPENSSL_NO_PSK
1084         /* with PSK there must be client callback set */
1085         if (!s->psk_client_callback)
1086                 {
1087                 c->mask_a |= SSL_aPSK;
1088                 c->mask_k |= SSL_kPSK;
1089                 }
1090 #endif /* OPENSSL_NO_PSK */
1091         c->valid = 1;
1092         }
1093
1094 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
1095         {
1096         CERT *ct = s->cert;
1097         if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
1098                 return 1;
1099         return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
1100         }
1101
1102 static int tls_use_ticket(SSL *s)
1103         {
1104         if (s->options & SSL_OP_NO_TICKET)
1105                 return 0;
1106         return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
1107         }
1108
1109 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1110         {
1111         int extdatalen=0;
1112         unsigned char *orig = buf;
1113         unsigned char *ret = buf;
1114 #ifndef OPENSSL_NO_EC
1115         /* See if we support any ECC ciphersuites */
1116         int using_ecc = 0;
1117         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1118                 {
1119                 int i;
1120                 unsigned long alg_k, alg_a;
1121                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1122
1123                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1124                         {
1125                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1126
1127                         alg_k = c->algorithm_mkey;
1128                         alg_a = c->algorithm_auth;
1129                         if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
1130                                 || (alg_a & SSL_aECDSA)))
1131                                 {
1132                                 using_ecc = 1;
1133                                 break;
1134                                 }
1135                         }
1136                 }
1137 #endif
1138
1139         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1140         if (s->client_version == SSL3_VERSION
1141                                         && !s->s3->send_connection_binding)
1142                 return orig;
1143
1144         ret+=2;
1145
1146         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1147
1148         if (s->tlsext_hostname != NULL)
1149                 { 
1150                 /* Add TLS extension servername to the Client Hello message */
1151                 unsigned long size_str;
1152                 long lenmax; 
1153
1154                 /* check for enough space.
1155                    4 for the servername type and entension length
1156                    2 for servernamelist length
1157                    1 for the hostname type
1158                    2 for hostname length
1159                    + hostname length 
1160                 */
1161                    
1162                 if ((lenmax = limit - ret - 9) < 0 
1163                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1164                         return NULL;
1165                         
1166                 /* extension type and length */
1167                 s2n(TLSEXT_TYPE_server_name,ret); 
1168                 s2n(size_str+5,ret);
1169                 
1170                 /* length of servername list */
1171                 s2n(size_str+3,ret);
1172         
1173                 /* hostname type, length and hostname */
1174                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1175                 s2n(size_str,ret);
1176                 memcpy(ret, s->tlsext_hostname, size_str);
1177                 ret+=size_str;
1178                 }
1179
1180         /* Add RI if renegotiating */
1181         if (s->renegotiate)
1182           {
1183           int el;
1184           
1185           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1186               {
1187               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1188               return NULL;
1189               }
1190
1191           if((limit - ret - 4 - el) < 0) return NULL;
1192           
1193           s2n(TLSEXT_TYPE_renegotiate,ret);
1194           s2n(el,ret);
1195
1196           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1197               {
1198               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1199               return NULL;
1200               }
1201
1202           ret += el;
1203         }
1204
1205 #ifndef OPENSSL_NO_SRP
1206         /* Add SRP username if there is one */
1207         if (s->srp_ctx.login != NULL)
1208                 { /* Add TLS extension SRP username to the Client Hello message */
1209
1210                 int login_len = strlen(s->srp_ctx.login);       
1211                 if (login_len > 255 || login_len == 0)
1212                         {
1213                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1214                         return NULL;
1215                         } 
1216
1217                 /* check for enough space.
1218                    4 for the srp type type and entension length
1219                    1 for the srp user identity
1220                    + srp user identity length 
1221                 */
1222                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1223
1224                 /* fill in the extension */
1225                 s2n(TLSEXT_TYPE_srp,ret);
1226                 s2n(login_len+1,ret);
1227                 (*ret++) = (unsigned char) login_len;
1228                 memcpy(ret, s->srp_ctx.login, login_len);
1229                 ret+=login_len;
1230                 }
1231 #endif
1232
1233 #ifndef OPENSSL_NO_EC
1234         if (using_ecc)
1235                 {
1236                 /* Add TLS extension ECPointFormats to the ClientHello message */
1237                 long lenmax; 
1238                 const unsigned char *plist;
1239                 size_t plistlen;
1240                 size_t i;
1241                 unsigned char *etmp;
1242
1243                 tls1_get_formatlist(s, &plist, &plistlen);
1244
1245                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1246                 if (plistlen > (size_t)lenmax) return NULL;
1247                 if (plistlen > 255)
1248                         {
1249                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1250                         return NULL;
1251                         }
1252                 
1253                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1254                 s2n(plistlen + 1,ret);
1255                 *(ret++) = (unsigned char)plistlen ;
1256                 memcpy(ret, plist, plistlen);
1257                 ret+=plistlen;
1258
1259                 /* Add TLS extension EllipticCurves to the ClientHello message */
1260                 plist = s->tlsext_ellipticcurvelist;
1261                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1262
1263                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1264                 if (plistlen > (size_t)lenmax) return NULL;
1265                 if (plistlen > 65532)
1266                         {
1267                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1268                         return NULL;
1269                         }
1270
1271                 
1272                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1273                 etmp = ret + 4;
1274                 /* Copy curve ID if supported */
1275                 for (i = 0; i < plistlen; i += 2, plist += 2)
1276                         {
1277                         if (tls_curve_allowed(s, plist, SSL_SECOP_CURVE_SUPPORTED))
1278                                 {
1279                                 *etmp++ = plist[0];
1280                                 *etmp++ = plist[1];
1281                                 }
1282                         }
1283
1284                 plistlen = etmp - ret - 4;
1285
1286                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1287                  * elliptic_curve_list, but the examples use two bytes.
1288                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1289                  * resolves this to two bytes.
1290                  */
1291                 s2n(plistlen + 2, ret);
1292                 s2n(plistlen, ret);
1293                 ret+=plistlen;
1294                 }
1295 #endif /* OPENSSL_NO_EC */
1296
1297         if (tls_use_ticket(s))
1298                 {
1299                 int ticklen;
1300                 if (!s->new_session && s->session && s->session->tlsext_tick)
1301                         ticklen = s->session->tlsext_ticklen;
1302                 else if (s->session && s->tlsext_session_ticket &&
1303                          s->tlsext_session_ticket->data)
1304                         {
1305                         ticklen = s->tlsext_session_ticket->length;
1306                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1307                         if (!s->session->tlsext_tick)
1308                                 return NULL;
1309                         memcpy(s->session->tlsext_tick,
1310                                s->tlsext_session_ticket->data,
1311                                ticklen);
1312                         s->session->tlsext_ticklen = ticklen;
1313                         }
1314                 else
1315                         ticklen = 0;
1316                 if (ticklen == 0 && s->tlsext_session_ticket &&
1317                     s->tlsext_session_ticket->data == NULL)
1318                         goto skip_ext;
1319                 /* Check for enough room 2 for extension type, 2 for len
1320                  * rest for ticket
1321                  */
1322                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1323                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1324                 s2n(ticklen,ret);
1325                 if (ticklen)
1326                         {
1327                         memcpy(ret, s->session->tlsext_tick, ticklen);
1328                         ret += ticklen;
1329                         }
1330                 }
1331                 skip_ext:
1332
1333         if (SSL_USE_SIGALGS(s))
1334                 {
1335                 size_t salglen;
1336                 const unsigned char *salg;
1337                 unsigned char *etmp;
1338                 salglen = tls12_get_psigalgs(s, &salg);
1339                 if ((size_t)(limit - ret) < salglen + 6)
1340                         return NULL; 
1341                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1342                 etmp = ret;
1343                 /* Skip over lengths for now */
1344                 ret += 4;
1345                 salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
1346                 /* Fill in lengths */
1347                 s2n(salglen + 2, etmp);
1348                 s2n(salglen, etmp);
1349                 ret += salglen;
1350                 }
1351
1352 #ifdef TLSEXT_TYPE_opaque_prf_input
1353         if (s->s3->client_opaque_prf_input != NULL)
1354                 {
1355                 size_t col = s->s3->client_opaque_prf_input_len;
1356                 
1357                 if ((long)(limit - ret - 6 - col) < 0)
1358                         return NULL;
1359                 if (col > 0xFFFD) /* can't happen */
1360                         return NULL;
1361
1362                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1363                 s2n(col + 2, ret);
1364                 s2n(col, ret);
1365                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1366                 ret += col;
1367                 }
1368 #endif
1369
1370         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1371                 {
1372                 int i;
1373                 long extlen, idlen, itmp;
1374                 OCSP_RESPID *id;
1375
1376                 idlen = 0;
1377                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1378                         {
1379                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1380                         itmp = i2d_OCSP_RESPID(id, NULL);
1381                         if (itmp <= 0)
1382                                 return NULL;
1383                         idlen += itmp + 2;
1384                         }
1385
1386                 if (s->tlsext_ocsp_exts)
1387                         {
1388                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1389                         if (extlen < 0)
1390                                 return NULL;
1391                         }
1392                 else
1393                         extlen = 0;
1394                         
1395                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1396                 s2n(TLSEXT_TYPE_status_request, ret);
1397                 if (extlen + idlen > 0xFFF0)
1398                         return NULL;
1399                 s2n(extlen + idlen + 5, ret);
1400                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1401                 s2n(idlen, ret);
1402                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1403                         {
1404                         /* save position of id len */
1405                         unsigned char *q = ret;
1406                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1407                         /* skip over id len */
1408                         ret += 2;
1409                         itmp = i2d_OCSP_RESPID(id, &ret);
1410                         /* write id len */
1411                         s2n(itmp, q);
1412                         }
1413                 s2n(extlen, ret);
1414                 if (extlen > 0)
1415                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1416                 }
1417
1418 #ifndef OPENSSL_NO_HEARTBEATS
1419         /* Add Heartbeat extension */
1420         if ((limit - ret - 4 - 1) < 0)
1421                 return NULL;
1422         s2n(TLSEXT_TYPE_heartbeat,ret);
1423         s2n(1,ret);
1424         /* Set mode:
1425          * 1: peer may send requests
1426          * 2: peer not allowed to send requests
1427          */
1428         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1429                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1430         else
1431                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1432 #endif
1433
1434 #ifndef OPENSSL_NO_NEXTPROTONEG
1435         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1436                 {
1437                 /* The client advertises an emtpy extension to indicate its
1438                  * support for Next Protocol Negotiation */
1439                 if (limit - ret - 4 < 0)
1440                         return NULL;
1441                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1442                 s2n(0,ret);
1443                 }
1444 #endif
1445
1446         if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1447                 {
1448                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1449                         return NULL;
1450                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1451                 s2n(2 + s->alpn_client_proto_list_len,ret);
1452                 s2n(s->alpn_client_proto_list_len,ret);
1453                 memcpy(ret, s->alpn_client_proto_list,
1454                        s->alpn_client_proto_list_len);
1455                 ret += s->alpn_client_proto_list_len;
1456                 }
1457
1458         if(SSL_get_srtp_profiles(s))
1459                 {
1460                 int el;
1461
1462                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1463                 
1464                 if((limit - ret - 4 - el) < 0) return NULL;
1465
1466                 s2n(TLSEXT_TYPE_use_srtp,ret);
1467                 s2n(el,ret);
1468
1469                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1470                         {
1471                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1472                         return NULL;
1473                         }
1474                 ret += el;
1475                 }
1476
1477         /* Add custom TLS Extensions to ClientHello */
1478         if (s->ctx->custom_cli_ext_records_count)
1479                 {
1480                 size_t i;
1481                 custom_cli_ext_record* record;
1482
1483                 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1484                         {
1485                         const unsigned char* out = NULL;
1486                         unsigned short outlen = 0;
1487
1488                         record = &s->ctx->custom_cli_ext_records[i];
1489                         /* NULL callback sends empty extension */ 
1490                         /* -1 from callback omits extension */
1491                         if (record->fn1)
1492                                 {
1493                                 int cb_retval = 0;
1494                                 cb_retval = record->fn1(s, record->ext_type,
1495                                                         &out, &outlen, al,
1496                                                         record->arg);
1497                                 if (cb_retval == 0)
1498                                         return NULL; /* error */
1499                                 if (cb_retval == -1)
1500                                         continue; /* skip this extension */
1501                                 }
1502                         if (limit < ret + 4 + outlen)
1503                                 return NULL;
1504                         s2n(record->ext_type, ret);
1505                         s2n(outlen, ret);
1506                         memcpy(ret, out, outlen);
1507                         ret += outlen;
1508                         }
1509                 }
1510 #ifdef TLSEXT_TYPE_encrypt_then_mac
1511         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1512         s2n(0,ret);
1513 #endif
1514
1515         /* Add padding to workaround bugs in F5 terminators.
1516          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
1517          *
1518          * NB: because this code works out the length of all existing
1519          * extensions it MUST always appear last.
1520          */
1521         if (s->options & SSL_OP_TLSEXT_PADDING)
1522                 {
1523                 int hlen = ret - (unsigned char *)s->init_buf->data;
1524                 /* The code in s23_clnt.c to build ClientHello messages
1525                  * includes the 5-byte record header in the buffer, while
1526                  * the code in s3_clnt.c does not.
1527                  */
1528                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1529                         hlen -= 5;
1530                 if (hlen > 0xff && hlen < 0x200)
1531                         {
1532                         hlen = 0x200 - hlen;
1533                         if (hlen >= 4)
1534                                 hlen -= 4;
1535                         else
1536                                 hlen = 0;
1537
1538                         s2n(TLSEXT_TYPE_padding, ret);
1539                         s2n(hlen, ret);
1540                         memset(ret, 0, hlen);
1541                         ret += hlen;
1542                         }
1543                 }
1544
1545         if ((extdatalen = ret-orig-2)== 0) 
1546                 return orig;
1547
1548         s2n(extdatalen, orig);
1549         return ret;
1550         }
1551
1552 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
1553         {
1554         int extdatalen=0;
1555         unsigned char *orig = buf;
1556         unsigned char *ret = buf;
1557         size_t i;
1558         custom_srv_ext_record *record;
1559 #ifndef OPENSSL_NO_NEXTPROTONEG
1560         int next_proto_neg_seen;
1561 #endif
1562 #ifndef OPENSSL_NO_EC
1563         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1564         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1565         int using_ecc = (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1566         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1567 #endif
1568         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1569         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1570                 return orig;
1571         
1572         ret+=2;
1573         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1574
1575         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1576                 { 
1577                 if ((long)(limit - ret - 4) < 0) return NULL; 
1578
1579                 s2n(TLSEXT_TYPE_server_name,ret);
1580                 s2n(0,ret);
1581                 }
1582
1583         if(s->s3->send_connection_binding)
1584         {
1585           int el;
1586           
1587           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1588               {
1589               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1590               return NULL;
1591               }
1592
1593           if((limit - ret - 4 - el) < 0) return NULL;
1594           
1595           s2n(TLSEXT_TYPE_renegotiate,ret);
1596           s2n(el,ret);
1597
1598           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1599               {
1600               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1601               return NULL;
1602               }
1603
1604           ret += el;
1605         }
1606
1607 #ifndef OPENSSL_NO_EC
1608         if (using_ecc)
1609                 {
1610                 const unsigned char *plist;
1611                 size_t plistlen;
1612                 /* Add TLS extension ECPointFormats to the ServerHello message */
1613                 long lenmax; 
1614
1615                 tls1_get_formatlist(s, &plist, &plistlen);
1616
1617                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1618                 if (plistlen > (size_t)lenmax) return NULL;
1619                 if (plistlen > 255)
1620                         {
1621                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1622                         return NULL;
1623                         }
1624                 
1625                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1626                 s2n(plistlen + 1,ret);
1627                 *(ret++) = (unsigned char) plistlen;
1628                 memcpy(ret, plist, plistlen);
1629                 ret+=plistlen;
1630
1631                 }
1632         /* Currently the server should not respond with a SupportedCurves extension */
1633 #endif /* OPENSSL_NO_EC */
1634
1635         if (s->tlsext_ticket_expected && tls_use_ticket(s))
1636                 { 
1637                 if ((long)(limit - ret - 4) < 0) return NULL; 
1638                 s2n(TLSEXT_TYPE_session_ticket,ret);
1639                 s2n(0,ret);
1640                 }
1641
1642         if (s->tlsext_status_expected)
1643                 { 
1644                 if ((long)(limit - ret - 4) < 0) return NULL; 
1645                 s2n(TLSEXT_TYPE_status_request,ret);
1646                 s2n(0,ret);
1647                 }
1648
1649 #ifdef TLSEXT_TYPE_opaque_prf_input
1650         if (s->s3->server_opaque_prf_input != NULL)
1651                 {
1652                 size_t sol = s->s3->server_opaque_prf_input_len;
1653                 
1654                 if ((long)(limit - ret - 6 - sol) < 0)
1655                         return NULL;
1656                 if (sol > 0xFFFD) /* can't happen */
1657                         return NULL;
1658
1659                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1660                 s2n(sol + 2, ret);
1661                 s2n(sol, ret);
1662                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1663                 ret += sol;
1664                 }
1665 #endif
1666
1667         if(s->srtp_profile)
1668                 {
1669                 int el;
1670
1671                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1672                 
1673                 if((limit - ret - 4 - el) < 0) return NULL;
1674
1675                 s2n(TLSEXT_TYPE_use_srtp,ret);
1676                 s2n(el,ret);
1677
1678                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1679                         {
1680                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1681                         return NULL;
1682                         }
1683                 ret+=el;
1684                 }
1685
1686         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1687                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1688                 { const unsigned char cryptopro_ext[36] = {
1689                         0xfd, 0xe8, /*65000*/
1690                         0x00, 0x20, /*32 bytes length*/
1691                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1692                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1693                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1694                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1695                         if (limit-ret<36) return NULL;
1696                         memcpy(ret,cryptopro_ext,36);
1697                         ret+=36;
1698
1699                 }
1700
1701 #ifndef OPENSSL_NO_HEARTBEATS
1702         /* Add Heartbeat extension if we've received one */
1703         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1704                 {
1705                 if ((limit - ret - 4 - 1) < 0)
1706                         return NULL;
1707                 s2n(TLSEXT_TYPE_heartbeat,ret);
1708                 s2n(1,ret);
1709                 /* Set mode:
1710                  * 1: peer may send requests
1711                  * 2: peer not allowed to send requests
1712                  */
1713                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1714                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1715                 else
1716                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1717
1718                 }
1719 #endif
1720
1721 #ifndef OPENSSL_NO_NEXTPROTONEG
1722         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1723         s->s3->next_proto_neg_seen = 0;
1724         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1725                 {
1726                 const unsigned char *npa;
1727                 unsigned int npalen;
1728                 int r;
1729
1730                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1731                 if (r == SSL_TLSEXT_ERR_OK)
1732                         {
1733                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1734                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1735                         s2n(npalen,ret);
1736                         memcpy(ret, npa, npalen);
1737                         ret += npalen;
1738                         s->s3->next_proto_neg_seen = 1;
1739                         }
1740                 }
1741 #endif
1742
1743         for (i = 0; i < s->ctx->custom_srv_ext_records_count; i++)
1744                 {
1745                 const unsigned char *out = NULL;
1746                 unsigned short outlen = 0;
1747                 int cb_retval = 0;
1748
1749                 record = &s->ctx->custom_srv_ext_records[i];
1750
1751                 /* NULL callback or -1 omits extension */
1752                 if (!record->fn2)
1753                         continue;
1754                 cb_retval = record->fn2(s, record->ext_type,
1755                                                                 &out, &outlen, al,
1756                                                                 record->arg);
1757                 if (cb_retval == 0)
1758                         return NULL; /* error */
1759                 if (cb_retval == -1)
1760                         continue; /* skip this extension */
1761                 if (limit < ret + 4 + outlen)
1762                         return NULL;
1763                 s2n(record->ext_type, ret);
1764                 s2n(outlen, ret);
1765                 memcpy(ret, out, outlen);
1766                 ret += outlen;
1767                 }
1768 #ifdef TLSEXT_TYPE_encrypt_then_mac
1769         if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
1770                 {
1771                 /* Don't use encrypt_then_mac if AEAD: might want
1772                  * to disable for other ciphersuites too.
1773                  */
1774                 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD)
1775                         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
1776                 else
1777                         {
1778                         s2n(TLSEXT_TYPE_encrypt_then_mac,ret);
1779                         s2n(0,ret);
1780                         }
1781                 }
1782 #endif
1783
1784         if (s->s3->alpn_selected)
1785                 {
1786                 const unsigned char *selected = s->s3->alpn_selected;
1787                 unsigned len = s->s3->alpn_selected_len;
1788
1789                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1790                         return NULL;
1791                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1792                 s2n(3 + len,ret);
1793                 s2n(1 + len,ret);
1794                 *ret++ = len;
1795                 memcpy(ret, selected, len);
1796                 ret += len;
1797                 }
1798
1799         if ((extdatalen = ret-orig-2)== 0) 
1800                 return orig;
1801
1802         s2n(extdatalen, orig);
1803         return ret;
1804         }
1805
1806 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1807  * ClientHello.
1808  *   data: the contents of the extension, not including the type and length.
1809  *   data_len: the number of bytes in |data|
1810  *   al: a pointer to the alert value to send in the event of a non-zero
1811  *       return.
1812  *
1813  *   returns: 0 on success. */
1814 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1815                                          unsigned data_len, int *al)
1816         {
1817         unsigned i;
1818         unsigned proto_len;
1819         const unsigned char *selected;
1820         unsigned char selected_len;
1821         int r;
1822
1823         if (s->ctx->alpn_select_cb == NULL)
1824                 return 0;
1825
1826         if (data_len < 2)
1827                 goto parse_error;
1828
1829         /* data should contain a uint16 length followed by a series of 8-bit,
1830          * length-prefixed strings. */
1831         i = ((unsigned) data[0]) << 8 |
1832             ((unsigned) data[1]);
1833         data_len -= 2;
1834         data += 2;
1835         if (data_len != i)
1836                 goto parse_error;
1837
1838         if (data_len < 2)
1839                 goto parse_error;
1840
1841         for (i = 0; i < data_len;)
1842                 {
1843                 proto_len = data[i];
1844                 i++;
1845
1846                 if (proto_len == 0)
1847                         goto parse_error;
1848
1849                 if (i + proto_len < i || i + proto_len > data_len)
1850                         goto parse_error;
1851
1852                 i += proto_len;
1853                 }
1854
1855         r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1856                                    s->ctx->alpn_select_cb_arg);
1857         if (r == SSL_TLSEXT_ERR_OK) {
1858                 if (s->s3->alpn_selected)
1859                         OPENSSL_free(s->s3->alpn_selected);
1860                 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1861                 if (!s->s3->alpn_selected)
1862                         {
1863                         *al = SSL_AD_INTERNAL_ERROR;
1864                         return -1;
1865                         }
1866                 memcpy(s->s3->alpn_selected, selected, selected_len);
1867                 s->s3->alpn_selected_len = selected_len;
1868         }
1869         return 0;
1870
1871 parse_error:
1872         *al = SSL_AD_DECODE_ERROR;
1873         return -1;
1874         }
1875
1876 #ifndef OPENSSL_NO_EC
1877 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1878  * SecureTransport using the TLS extension block in |d|, of length |n|.
1879  * Safari, since 10.6, sends exactly these extensions, in this order:
1880  *   SNI,
1881  *   elliptic_curves
1882  *   ec_point_formats
1883  *
1884  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1885  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1886  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1887  * 10.8..10.8.3 (which don't work).
1888  */
1889 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1890         unsigned short type, size;
1891         static const unsigned char kSafariExtensionsBlock[] = {
1892                 0x00, 0x0a,  /* elliptic_curves extension */
1893                 0x00, 0x08,  /* 8 bytes */
1894                 0x00, 0x06,  /* 6 bytes of curve ids */
1895                 0x00, 0x17,  /* P-256 */
1896                 0x00, 0x18,  /* P-384 */
1897                 0x00, 0x19,  /* P-521 */
1898
1899                 0x00, 0x0b,  /* ec_point_formats */
1900                 0x00, 0x02,  /* 2 bytes */
1901                 0x01,        /* 1 point format */
1902                 0x00,        /* uncompressed */
1903         };
1904
1905         /* The following is only present in TLS 1.2 */
1906         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1907                 0x00, 0x0d,  /* signature_algorithms */
1908                 0x00, 0x0c,  /* 12 bytes */
1909                 0x00, 0x0a,  /* 10 bytes */
1910                 0x05, 0x01,  /* SHA-384/RSA */
1911                 0x04, 0x01,  /* SHA-256/RSA */
1912                 0x02, 0x01,  /* SHA-1/RSA */
1913                 0x04, 0x03,  /* SHA-256/ECDSA */
1914                 0x02, 0x03,  /* SHA-1/ECDSA */
1915         };
1916
1917         if (data >= (d+n-2))
1918                 return;
1919         data += 2;
1920
1921         if (data > (d+n-4))
1922                 return;
1923         n2s(data,type);
1924         n2s(data,size);
1925
1926         if (type != TLSEXT_TYPE_server_name)
1927                 return;
1928
1929         if (data+size > d+n)
1930                 return;
1931         data += size;
1932
1933         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
1934                 {
1935                 const size_t len1 = sizeof(kSafariExtensionsBlock);
1936                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1937
1938                 if (data + len1 + len2 != d+n)
1939                         return;
1940                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1941                         return;
1942                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1943                         return;
1944                 }
1945         else
1946                 {
1947                 const size_t len = sizeof(kSafariExtensionsBlock);
1948
1949                 if (data + len != d+n)
1950                         return;
1951                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1952                         return;
1953                 }
1954
1955         s->s3->is_probably_safari = 1;
1956 }
1957 #endif /* !OPENSSL_NO_EC */
1958
1959 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1960         {       
1961         unsigned short type;
1962         unsigned short size;
1963         unsigned short len;
1964         unsigned char *data = *p;
1965         int renegotiate_seen = 0;
1966         size_t i;
1967
1968         s->servername_done = 0;
1969         s->tlsext_status_type = -1;
1970 #ifndef OPENSSL_NO_NEXTPROTONEG
1971         s->s3->next_proto_neg_seen = 0;
1972 #endif
1973
1974         if (s->s3->alpn_selected)
1975                 {
1976                 OPENSSL_free(s->s3->alpn_selected);
1977                 s->s3->alpn_selected = NULL;
1978                 }
1979
1980         /* Clear observed custom extensions */
1981         s->s3->serverinfo_client_tlsext_custom_types_count = 0;
1982         if (s->s3->serverinfo_client_tlsext_custom_types != NULL)
1983                 {
1984                 OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types);
1985                 s->s3->serverinfo_client_tlsext_custom_types = NULL;
1986                 }
1987
1988 #ifndef OPENSSL_NO_HEARTBEATS
1989         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1990                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1991 #endif
1992
1993 #ifndef OPENSSL_NO_EC
1994         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1995                 ssl_check_for_safari(s, data, d, n);
1996 #endif /* !OPENSSL_NO_EC */
1997
1998         /* Clear any signature algorithms extension received */
1999         if (s->cert->peer_sigalgs)
2000                 {
2001                 OPENSSL_free(s->cert->peer_sigalgs);
2002                 s->cert->peer_sigalgs = NULL;
2003                 }
2004         /* Clear any shared sigtnature algorithms */
2005         if (s->cert->shared_sigalgs)
2006                 {
2007                 OPENSSL_free(s->cert->shared_sigalgs);
2008                 s->cert->shared_sigalgs = NULL;
2009                 }
2010         /* Clear certificate digests and validity flags */
2011         for (i = 0; i < SSL_PKEY_NUM; i++)
2012                 {
2013                 s->cert->pkeys[i].digest = NULL;
2014                 s->cert->pkeys[i].valid_flags = 0;
2015                 }
2016
2017 #ifdef TLSEXT_TYPE_encrypt_then_mac
2018         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2019 #endif
2020
2021         if (data >= (d+n-2))
2022                 goto ri_check;
2023         n2s(data,len);
2024
2025         if (data > (d+n-len)) 
2026                 goto ri_check;
2027
2028         while (data <= (d+n-4))
2029                 {
2030                 n2s(data,type);
2031                 n2s(data,size);
2032
2033                 if (data+size > (d+n))
2034                         goto ri_check;
2035 #if 0
2036                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
2037 #endif
2038                 if (s->tlsext_debug_cb)
2039                         s->tlsext_debug_cb(s, 0, type, data, size,
2040                                                 s->tlsext_debug_arg);
2041 /* The servername extension is treated as follows:
2042
2043    - Only the hostname type is supported with a maximum length of 255.
2044    - The servername is rejected if too long or if it contains zeros,
2045      in which case an fatal alert is generated.
2046    - The servername field is maintained together with the session cache.
2047    - When a session is resumed, the servername call back invoked in order
2048      to allow the application to position itself to the right context. 
2049    - The servername is acknowledged if it is new for a session or when 
2050      it is identical to a previously used for the same session. 
2051      Applications can control the behaviour.  They can at any time
2052      set a 'desirable' servername for a new SSL object. This can be the
2053      case for example with HTTPS when a Host: header field is received and
2054      a renegotiation is requested. In this case, a possible servername
2055      presented in the new client hello is only acknowledged if it matches
2056      the value of the Host: field. 
2057    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2058      if they provide for changing an explicit servername context for the session,
2059      i.e. when the session has been established with a servername extension. 
2060    - On session reconnect, the servername extension may be absent. 
2061
2062 */      
2063
2064                 if (type == TLSEXT_TYPE_server_name)
2065                         {
2066                         unsigned char *sdata;
2067                         int servname_type;
2068                         int dsize; 
2069                 
2070                         if (size < 2) 
2071                                 {
2072                                 *al = SSL_AD_DECODE_ERROR;
2073                                 return 0;
2074                                 }
2075                         n2s(data,dsize);  
2076                         size -= 2;
2077                         if (dsize > size  ) 
2078                                 {
2079                                 *al = SSL_AD_DECODE_ERROR;
2080                                 return 0;
2081                                 } 
2082
2083                         sdata = data;
2084                         while (dsize > 3) 
2085                                 {
2086                                 servname_type = *(sdata++); 
2087                                 n2s(sdata,len);
2088                                 dsize -= 3;
2089
2090                                 if (len > dsize) 
2091                                         {
2092                                         *al = SSL_AD_DECODE_ERROR;
2093                                         return 0;
2094                                         }
2095                                 if (s->servername_done == 0)
2096                                 switch (servname_type)
2097                                         {
2098                                 case TLSEXT_NAMETYPE_host_name:
2099                                         if (!s->hit)
2100                                                 {
2101                                                 if(s->session->tlsext_hostname)
2102                                                         {
2103                                                         *al = SSL_AD_DECODE_ERROR;
2104                                                         return 0;
2105                                                         }
2106                                                 if (len > TLSEXT_MAXLEN_host_name)
2107                                                         {
2108                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2109                                                         return 0;
2110                                                         }
2111                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2112                                                         {
2113                                                         *al = TLS1_AD_INTERNAL_ERROR;
2114                                                         return 0;
2115                                                         }
2116                                                 memcpy(s->session->tlsext_hostname, sdata, len);
2117                                                 s->session->tlsext_hostname[len]='\0';
2118                                                 if (strlen(s->session->tlsext_hostname) != len) {
2119                                                         OPENSSL_free(s->session->tlsext_hostname);
2120                                                         s->session->tlsext_hostname = NULL;
2121                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2122                                                         return 0;
2123                                                 }
2124                                                 s->servername_done = 1; 
2125
2126                                                 }
2127                                         else 
2128                                                 s->servername_done = s->session->tlsext_hostname
2129                                                         && strlen(s->session->tlsext_hostname) == len 
2130                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2131                                         
2132                                         break;
2133
2134                                 default:
2135                                         break;
2136                                         }
2137                                  
2138                                 dsize -= len;
2139                                 }
2140                         if (dsize != 0) 
2141                                 {
2142                                 *al = SSL_AD_DECODE_ERROR;
2143                                 return 0;
2144                                 }
2145
2146                         }
2147 #ifndef OPENSSL_NO_SRP
2148                 else if (type == TLSEXT_TYPE_srp)
2149                         {
2150                         if (size <= 0 || ((len = data[0])) != (size -1))
2151                                 {
2152                                 *al = SSL_AD_DECODE_ERROR;
2153                                 return 0;
2154                                 }
2155                         if (s->srp_ctx.login != NULL)
2156                                 {
2157                                 *al = SSL_AD_DECODE_ERROR;
2158                                 return 0;
2159                                 }
2160                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2161                                 return -1;
2162                         memcpy(s->srp_ctx.login, &data[1], len);
2163                         s->srp_ctx.login[len]='\0';
2164   
2165                         if (strlen(s->srp_ctx.login) != len) 
2166                                 {
2167                                 *al = SSL_AD_DECODE_ERROR;
2168                                 return 0;
2169                                 }
2170                         }
2171 #endif
2172
2173 #ifndef OPENSSL_NO_EC
2174                 else if (type == TLSEXT_TYPE_ec_point_formats)
2175                         {
2176                         unsigned char *sdata = data;
2177                         int ecpointformatlist_length = *(sdata++);
2178
2179                         if (ecpointformatlist_length != size - 1 || 
2180                                 ecpointformatlist_length < 1)
2181                                 {
2182                                 *al = TLS1_AD_DECODE_ERROR;
2183                                 return 0;
2184                                 }
2185                         if (!s->hit)
2186                                 {
2187                                 if(s->session->tlsext_ecpointformatlist)
2188                                         {
2189                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2190                                         s->session->tlsext_ecpointformatlist = NULL;
2191                                         }
2192                                 s->session->tlsext_ecpointformatlist_length = 0;
2193                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2194                                         {
2195                                         *al = TLS1_AD_INTERNAL_ERROR;
2196                                         return 0;
2197                                         }
2198                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2199                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2200                                 }
2201 #if 0
2202                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2203                         sdata = s->session->tlsext_ecpointformatlist;
2204                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2205                                 fprintf(stderr,"%i ",*(sdata++));
2206                         fprintf(stderr,"\n");
2207 #endif
2208                         }
2209                 else if (type == TLSEXT_TYPE_elliptic_curves)
2210                         {
2211                         unsigned char *sdata = data;
2212                         int ellipticcurvelist_length = (*(sdata++) << 8);
2213                         ellipticcurvelist_length += (*(sdata++));
2214
2215                         if (ellipticcurvelist_length != size - 2 ||
2216                                 ellipticcurvelist_length < 1)
2217                                 {
2218                                 *al = TLS1_AD_DECODE_ERROR;
2219                                 return 0;
2220                                 }
2221                         if (!s->hit)
2222                                 {
2223                                 if(s->session->tlsext_ellipticcurvelist)
2224                                         {
2225                                         *al = TLS1_AD_DECODE_ERROR;
2226                                         return 0;
2227                                         }
2228                                 s->session->tlsext_ellipticcurvelist_length = 0;
2229                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2230                                         {
2231                                         *al = TLS1_AD_INTERNAL_ERROR;
2232                                         return 0;
2233                                         }
2234                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2235                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2236                                 }
2237 #if 0
2238                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2239                         sdata = s->session->tlsext_ellipticcurvelist;
2240                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2241                                 fprintf(stderr,"%i ",*(sdata++));
2242                         fprintf(stderr,"\n");
2243 #endif
2244                         }
2245 #endif /* OPENSSL_NO_EC */
2246 #ifdef TLSEXT_TYPE_opaque_prf_input
2247                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2248                         {
2249                         unsigned char *sdata = data;
2250
2251                         if (size < 2)
2252                                 {
2253                                 *al = SSL_AD_DECODE_ERROR;
2254                                 return 0;
2255                                 }
2256                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2257                         if (s->s3->client_opaque_prf_input_len != size - 2)
2258                                 {
2259                                 *al = SSL_AD_DECODE_ERROR;
2260                                 return 0;
2261                                 }
2262
2263                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2264                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2265                         if (s->s3->client_opaque_prf_input_len == 0)
2266                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2267                         else
2268                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2269                         if (s->s3->client_opaque_prf_input == NULL)
2270                                 {
2271                                 *al = TLS1_AD_INTERNAL_ERROR;
2272                                 return 0;
2273                                 }
2274                         }
2275 #endif
2276                 else if (type == TLSEXT_TYPE_session_ticket)
2277                         {
2278                         if (s->tls_session_ticket_ext_cb &&
2279                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2280                                 {
2281                                 *al = TLS1_AD_INTERNAL_ERROR;
2282                                 return 0;
2283                                 }
2284                         }
2285                 else if (type == TLSEXT_TYPE_renegotiate)
2286                         {
2287                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2288                                 return 0;
2289                         renegotiate_seen = 1;
2290                         }
2291                 else if (type == TLSEXT_TYPE_signature_algorithms)
2292                         {
2293                         int dsize;
2294                         if (s->cert->peer_sigalgs || size < 2) 
2295                                 {
2296                                 *al = SSL_AD_DECODE_ERROR;
2297                                 return 0;
2298                                 }
2299                         n2s(data,dsize);
2300                         size -= 2;
2301                         if (dsize != size || dsize & 1 || !dsize) 
2302                                 {
2303                                 *al = SSL_AD_DECODE_ERROR;
2304                                 return 0;
2305                                 }
2306                         if (!tls1_process_sigalgs(s, data, dsize))
2307                                 {
2308                                 *al = SSL_AD_DECODE_ERROR;
2309                                 return 0;
2310                                 }
2311                         /* If sigalgs received and no shared algorithms fatal
2312                          * error.
2313                          */
2314                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2315                                 {
2316                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2317                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2318                                 *al = SSL_AD_ILLEGAL_PARAMETER;
2319                                 return 0;
2320                                 }
2321                         }
2322                 else if (type == TLSEXT_TYPE_status_request)
2323                         {
2324                 
2325                         if (size < 5) 
2326                                 {
2327                                 *al = SSL_AD_DECODE_ERROR;
2328                                 return 0;
2329                                 }
2330
2331                         s->tlsext_status_type = *data++;
2332                         size--;
2333                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2334                                 {
2335                                 const unsigned char *sdata;
2336                                 int dsize;
2337                                 /* Read in responder_id_list */
2338                                 n2s(data,dsize);
2339                                 size -= 2;
2340                                 if (dsize > size  ) 
2341                                         {
2342                                         *al = SSL_AD_DECODE_ERROR;
2343                                         return 0;
2344                                         }
2345                                 while (dsize > 0)
2346                                         {
2347                                         OCSP_RESPID *id;
2348                                         int idsize;
2349                                         if (dsize < 4)
2350                                                 {
2351                                                 *al = SSL_AD_DECODE_ERROR;
2352                                                 return 0;
2353                                                 }
2354                                         n2s(data, idsize);
2355                                         dsize -= 2 + idsize;
2356                                         size -= 2 + idsize;
2357                                         if (dsize < 0)
2358                                                 {
2359                                                 *al = SSL_AD_DECODE_ERROR;
2360                                                 return 0;
2361                                                 }
2362                                         sdata = data;
2363                                         data += idsize;
2364                                         id = d2i_OCSP_RESPID(NULL,
2365                                                                 &sdata, idsize);
2366                                         if (!id)
2367                                                 {
2368                                                 *al = SSL_AD_DECODE_ERROR;
2369                                                 return 0;
2370                                                 }
2371                                         if (data != sdata)
2372                                                 {
2373                                                 OCSP_RESPID_free(id);
2374                                                 *al = SSL_AD_DECODE_ERROR;
2375                                                 return 0;
2376                                                 }
2377                                         if (!s->tlsext_ocsp_ids
2378                                                 && !(s->tlsext_ocsp_ids =
2379                                                 sk_OCSP_RESPID_new_null()))
2380                                                 {
2381                                                 OCSP_RESPID_free(id);
2382                                                 *al = SSL_AD_INTERNAL_ERROR;
2383                                                 return 0;
2384                                                 }
2385                                         if (!sk_OCSP_RESPID_push(
2386                                                         s->tlsext_ocsp_ids, id))
2387                                                 {
2388                                                 OCSP_RESPID_free(id);
2389                                                 *al = SSL_AD_INTERNAL_ERROR;
2390                                                 return 0;
2391                                                 }
2392                                         }
2393
2394                                 /* Read in request_extensions */
2395                                 if (size < 2)
2396                                         {
2397                                         *al = SSL_AD_DECODE_ERROR;
2398                                         return 0;
2399                                         }
2400                                 n2s(data,dsize);
2401                                 size -= 2;
2402                                 if (dsize != size)
2403                                         {
2404                                         *al = SSL_AD_DECODE_ERROR;
2405                                         return 0;
2406                                         }
2407                                 sdata = data;
2408                                 if (dsize > 0)
2409                                         {
2410                                         if (s->tlsext_ocsp_exts)
2411                                                 {
2412                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2413                                                                            X509_EXTENSION_free);
2414                                                 }
2415
2416                                         s->tlsext_ocsp_exts =
2417                                                 d2i_X509_EXTENSIONS(NULL,
2418                                                         &sdata, dsize);
2419                                         if (!s->tlsext_ocsp_exts
2420                                                 || (data + dsize != sdata))
2421                                                 {
2422                                                 *al = SSL_AD_DECODE_ERROR;
2423                                                 return 0;
2424                                                 }
2425                                         }
2426                                 }
2427                                 /* We don't know what to do with any other type
2428                                 * so ignore it.
2429                                 */
2430                                 else
2431                                         s->tlsext_status_type = -1;
2432                         }
2433 #ifndef OPENSSL_NO_HEARTBEATS
2434                 else if (type == TLSEXT_TYPE_heartbeat)
2435                         {
2436                         switch(data[0])
2437                                 {
2438                                 case 0x01:      /* Client allows us to send HB requests */
2439                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2440                                                         break;
2441                                 case 0x02:      /* Client doesn't accept HB requests */
2442                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2443                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2444                                                         break;
2445                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2446                                                         return 0;
2447                                 }
2448                         }
2449 #endif
2450 #ifndef OPENSSL_NO_NEXTPROTONEG
2451                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2452                          s->s3->tmp.finish_md_len == 0 &&
2453                          s->s3->alpn_selected == NULL)
2454                         {
2455                         /* We shouldn't accept this extension on a
2456                          * renegotiation.
2457                          *
2458                          * s->new_session will be set on renegotiation, but we
2459                          * probably shouldn't rely that it couldn't be set on
2460                          * the initial renegotation too in certain cases (when
2461                          * there's some other reason to disallow resuming an
2462                          * earlier session -- the current code won't be doing
2463                          * anything like that, but this might change).
2464
2465                          * A valid sign that there's been a previous handshake
2466                          * in this connection is if s->s3->tmp.finish_md_len >
2467                          * 0.  (We are talking about a check that will happen
2468                          * in the Hello protocol round, well before a new
2469                          * Finished message could have been computed.) */
2470                         s->s3->next_proto_neg_seen = 1;
2471                         }
2472 #endif
2473
2474                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2475                          s->ctx->alpn_select_cb &&
2476                          s->s3->tmp.finish_md_len == 0)
2477                         {
2478                         if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2479                                 return 0;
2480 #ifndef OPENSSL_NO_NEXTPROTONEG
2481                         /* ALPN takes precedence over NPN. */
2482                         s->s3->next_proto_neg_seen = 0;
2483 #endif
2484                         }
2485
2486                 /* session ticket processed earlier */
2487                 else if (type == TLSEXT_TYPE_use_srtp)
2488                         {
2489                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2490                                                               al))
2491                                 return 0;
2492                         }
2493                 /* If this ClientHello extension was unhandled and this is 
2494                  * a nonresumed connection, check whether the extension is a 
2495                  * custom TLS Extension (has a custom_srv_ext_record), and if
2496                  * so call the callback and record the extension number so that
2497                  * an appropriate ServerHello may be later returned.
2498                  */
2499                 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2500                         {
2501                         custom_srv_ext_record *record;
2502
2503                         for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2504                                 {
2505                                 record = &s->ctx->custom_srv_ext_records[i];
2506                                 if (type == record->ext_type)
2507                                         {
2508                                         if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2509                                                 return 0;
2510                                         }                                               
2511                                 }
2512                         }
2513 #ifdef TLSEXT_TYPE_encrypt_then_mac
2514                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2515                         s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2516 #endif
2517
2518                 data+=size;
2519                 }
2520
2521         *p = data;
2522
2523         ri_check:
2524
2525         /* Need RI if renegotiating */
2526
2527         if (!renegotiate_seen && s->renegotiate &&
2528                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2529                 {
2530                 *al = SSL_AD_HANDSHAKE_FAILURE;
2531                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2532                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2533                 return 0;
2534                 }
2535         /* If no signature algorithms extension set default values */
2536         if (!s->cert->peer_sigalgs)
2537                 ssl_cert_set_default_md(s->cert);
2538
2539         return 1;
2540         }
2541
2542 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2543         {
2544         int al = -1;
2545         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2546                 {
2547                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2548                 return 0;
2549                 }
2550
2551         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2552                 {
2553                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2554                 return 0;
2555                 }
2556         return 1;
2557 }
2558
2559 #ifndef OPENSSL_NO_NEXTPROTONEG
2560 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2561  * elements of zero length are allowed and the set of elements must exactly fill
2562  * the length of the block. */
2563 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2564         {
2565         unsigned int off = 0;
2566
2567         while (off < len)
2568                 {
2569                 if (d[off] == 0)
2570                         return 0;
2571                 off += d[off];
2572                 off++;
2573                 }
2574
2575         return off == len;
2576         }
2577 #endif
2578
2579 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2580         {
2581         unsigned short length;
2582         unsigned short type;
2583         unsigned short size;
2584         unsigned char *data = *p;
2585         int tlsext_servername = 0;
2586         int renegotiate_seen = 0;
2587
2588 #ifndef OPENSSL_NO_NEXTPROTONEG
2589         s->s3->next_proto_neg_seen = 0;
2590 #endif
2591
2592         if (s->s3->alpn_selected)
2593                 {
2594                 OPENSSL_free(s->s3->alpn_selected);
2595                 s->s3->alpn_selected = NULL;
2596                 }
2597
2598 #ifndef OPENSSL_NO_HEARTBEATS
2599         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2600                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2601 #endif
2602
2603 #ifdef TLSEXT_TYPE_encrypt_then_mac
2604         s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
2605 #endif
2606
2607         if (data >= (d+n-2))
2608                 goto ri_check;
2609
2610         n2s(data,length);
2611         if (data+length != d+n)
2612                 {
2613                 *al = SSL_AD_DECODE_ERROR;
2614                 return 0;
2615                 }
2616
2617         while(data <= (d+n-4))
2618                 {
2619                 n2s(data,type);
2620                 n2s(data,size);
2621
2622                 if (data+size > (d+n))
2623                         goto ri_check;
2624
2625                 if (s->tlsext_debug_cb)
2626                         s->tlsext_debug_cb(s, 1, type, data, size,
2627                                                 s->tlsext_debug_arg);
2628
2629                 if (type == TLSEXT_TYPE_server_name)
2630                         {
2631                         if (s->tlsext_hostname == NULL || size > 0)
2632                                 {
2633                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2634                                 return 0;
2635                                 }
2636                         tlsext_servername = 1;   
2637                         }
2638
2639 #ifndef OPENSSL_NO_EC
2640                 else if (type == TLSEXT_TYPE_ec_point_formats)
2641                         {
2642                         unsigned char *sdata = data;
2643                         int ecpointformatlist_length = *(sdata++);
2644
2645                         if (ecpointformatlist_length != size - 1)
2646                                 {
2647                                 *al = TLS1_AD_DECODE_ERROR;
2648                                 return 0;
2649                                 }
2650                         s->session->tlsext_ecpointformatlist_length = 0;
2651                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2652                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2653                                 {
2654                                 *al = TLS1_AD_INTERNAL_ERROR;
2655                                 return 0;
2656                                 }
2657                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2658                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2659 #if 0
2660                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2661                         sdata = s->session->tlsext_ecpointformatlist;
2662                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2663                                 fprintf(stderr,"%i ",*(sdata++));
2664                         fprintf(stderr,"\n");
2665 #endif
2666                         }
2667 #endif /* OPENSSL_NO_EC */
2668
2669                 else if (type == TLSEXT_TYPE_session_ticket)
2670                         {
2671                         if (s->tls_session_ticket_ext_cb &&
2672                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2673                                 {
2674                                 *al = TLS1_AD_INTERNAL_ERROR;
2675                                 return 0;
2676                                 }
2677                         if (!tls_use_ticket(s) || (size > 0))
2678                                 {
2679                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2680                                 return 0;
2681                                 }
2682                         s->tlsext_ticket_expected = 1;
2683                         }
2684 #ifdef TLSEXT_TYPE_opaque_prf_input
2685                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2686                         {
2687                         unsigned char *sdata = data;
2688
2689                         if (size < 2)
2690                                 {
2691                                 *al = SSL_AD_DECODE_ERROR;
2692                                 return 0;
2693                                 }
2694                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2695                         if (s->s3->server_opaque_prf_input_len != size - 2)
2696                                 {
2697                                 *al = SSL_AD_DECODE_ERROR;
2698                                 return 0;
2699                                 }
2700                         
2701                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2702                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2703                         if (s->s3->server_opaque_prf_input_len == 0)
2704                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2705                         else
2706                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2707
2708                         if (s->s3->server_opaque_prf_input == NULL)
2709                                 {
2710                                 *al = TLS1_AD_INTERNAL_ERROR;
2711                                 return 0;
2712                                 }
2713                         }
2714 #endif
2715                 else if (type == TLSEXT_TYPE_status_request)
2716                         {
2717                         /* MUST be empty and only sent if we've requested
2718                          * a status request message.
2719                          */ 
2720                         if ((s->tlsext_status_type == -1) || (size > 0))
2721                                 {
2722                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2723                                 return 0;
2724                                 }
2725                         /* Set flag to expect CertificateStatus message */
2726                         s->tlsext_status_expected = 1;
2727                         }
2728 #ifndef OPENSSL_NO_NEXTPROTONEG
2729                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2730                          s->s3->tmp.finish_md_len == 0)
2731                         {
2732                         unsigned char *selected;
2733                         unsigned char selected_len;
2734
2735                         /* We must have requested it. */
2736                         if (s->ctx->next_proto_select_cb == NULL)
2737                                 {
2738                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2739                                 return 0;
2740                                 }
2741                         /* The data must be valid */
2742                         if (!ssl_next_proto_validate(data, size))
2743                                 {
2744                                 *al = TLS1_AD_DECODE_ERROR;
2745                                 return 0;
2746                                 }
2747                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2748                                 {
2749                                 *al = TLS1_AD_INTERNAL_ERROR;
2750                                 return 0;
2751                                 }
2752                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2753                         if (!s->next_proto_negotiated)
2754                                 {
2755                                 *al = TLS1_AD_INTERNAL_ERROR;
2756                                 return 0;
2757                                 }
2758                         memcpy(s->next_proto_negotiated, selected, selected_len);
2759                         s->next_proto_negotiated_len = selected_len;
2760                         s->s3->next_proto_neg_seen = 1;
2761                         }
2762 #endif
2763
2764                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2765                         {
2766                         unsigned len;
2767
2768                         /* We must have requested it. */
2769                         if (s->alpn_client_proto_list == NULL)
2770                                 {
2771                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2772                                 return 0;
2773                                 }
2774                         if (size < 4)
2775                                 {
2776                                 *al = TLS1_AD_DECODE_ERROR;
2777                                 return 0;
2778                                 }
2779                         /* The extension data consists of:
2780                          *   uint16 list_length
2781                          *   uint8 proto_length;
2782                          *   uint8 proto[proto_length]; */
2783                         len = data[0];
2784                         len <<= 8;
2785                         len |= data[1];
2786                         if (len != (unsigned) size - 2)
2787                                 {
2788                                 *al = TLS1_AD_DECODE_ERROR;
2789                                 return 0;
2790                                 }
2791                         len = data[2];
2792                         if (len != (unsigned) size - 3)
2793                                 {
2794                                 *al = TLS1_AD_DECODE_ERROR;
2795                                 return 0;
2796                                 }
2797                         if (s->s3->alpn_selected)
2798                                 OPENSSL_free(s->s3->alpn_selected);
2799                         s->s3->alpn_selected = OPENSSL_malloc(len);
2800                         if (!s->s3->alpn_selected)
2801                                 {
2802                                 *al = TLS1_AD_INTERNAL_ERROR;
2803                                 return 0;
2804                                 }
2805                         memcpy(s->s3->alpn_selected, data + 3, len);
2806                         s->s3->alpn_selected_len = len;
2807                         }
2808
2809                 else if (type == TLSEXT_TYPE_renegotiate)
2810                         {
2811                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2812                                 return 0;
2813                         renegotiate_seen = 1;
2814                         }
2815 #ifndef OPENSSL_NO_HEARTBEATS
2816                 else if (type == TLSEXT_TYPE_heartbeat)
2817                         {
2818                         switch(data[0])
2819                                 {
2820                                 case 0x01:      /* Server allows us to send HB requests */
2821                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2822                                                         break;
2823                                 case 0x02:      /* Server doesn't accept HB requests */
2824                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2825                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2826                                                         break;
2827                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2828                                                         return 0;
2829                                 }
2830                         }
2831 #endif
2832                 else if (type == TLSEXT_TYPE_use_srtp)
2833                         {
2834                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2835                                                               al))
2836                                 return 0;
2837                         }
2838                 /* If this extension type was not otherwise handled, but 
2839                  * matches a custom_cli_ext_record, then send it to the c
2840                  * callback */
2841                 else if (s->ctx->custom_cli_ext_records_count)
2842                         {
2843                         size_t i;
2844                         custom_cli_ext_record* record;
2845
2846                         for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2847                                 {
2848                                 record = &s->ctx->custom_cli_ext_records[i];
2849                                 if (record->ext_type == type)
2850                                         {
2851                                         if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2852                                                 return 0;
2853                                         break;
2854                                         }
2855                                 }                       
2856                         }
2857 #ifdef TLSEXT_TYPE_encrypt_then_mac
2858                 else if (type == TLSEXT_TYPE_encrypt_then_mac)
2859                         {
2860                         /* Ignore if inappropriate ciphersuite */
2861                         if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
2862                                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
2863                         }
2864 #endif
2865  
2866                 data += size;
2867                 }
2868
2869         if (data != d+n)
2870                 {
2871                 *al = SSL_AD_DECODE_ERROR;
2872                 return 0;
2873                 }
2874
2875         if (!s->hit && tlsext_servername == 1)
2876                 {
2877                 if (s->tlsext_hostname)
2878                         {
2879                         if (s->session->tlsext_hostname == NULL)
2880                                 {
2881                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2882                                 if (!s->session->tlsext_hostname)
2883                                         {
2884                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2885                                         return 0;
2886                                         }
2887                                 }
2888                         else 
2889                                 {
2890                                 *al = SSL_AD_DECODE_ERROR;
2891                                 return 0;
2892                                 }
2893                         }
2894                 }
2895
2896         *p = data;
2897
2898         ri_check:
2899
2900         /* Determine if we need to see RI. Strictly speaking if we want to
2901          * avoid an attack we should *always* see RI even on initial server
2902          * hello because the client doesn't see any renegotiation during an
2903          * attack. However this would mean we could not connect to any server
2904          * which doesn't support RI so for the immediate future tolerate RI
2905          * absence on initial connect only.
2906          */
2907         if (!renegotiate_seen
2908                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2909                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2910                 {
2911                 *al = SSL_AD_HANDSHAKE_FAILURE;
2912                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2913                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2914                 return 0;
2915                 }
2916
2917         return 1;
2918         }
2919
2920
2921 int ssl_prepare_clienthello_tlsext(SSL *s)
2922         {
2923
2924 #ifdef TLSEXT_TYPE_opaque_prf_input
2925         {
2926                 int r = 1;
2927         
2928                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2929                         {
2930                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2931                         if (!r)
2932                                 return -1;
2933                         }
2934
2935                 if (s->tlsext_opaque_prf_input != NULL)
2936                         {
2937                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2938                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2939
2940                         if (s->tlsext_opaque_prf_input_len == 0)
2941                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2942                         else
2943                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2944                         if (s->s3->client_opaque_prf_input == NULL)
2945                                 {
2946                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2947                                 return -1;
2948                                 }
2949                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2950                         }
2951
2952                 if (r == 2)
2953                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2954                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2955         }
2956 #endif
2957
2958         return 1;
2959         }
2960
2961 int ssl_prepare_serverhello_tlsext(SSL *s)
2962         {
2963         return 1;
2964         }
2965
2966 static int ssl_check_clienthello_tlsext_early(SSL *s)
2967         {
2968         int ret=SSL_TLSEXT_ERR_NOACK;
2969         int al = SSL_AD_UNRECOGNIZED_NAME;
2970
2971 #ifndef OPENSSL_NO_EC
2972         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2973          * ssl3_choose_cipher in s3_lib.c.
2974          */
2975         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2976          * ssl3_choose_cipher in s3_lib.c.
2977          */
2978 #endif
2979
2980         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2981                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2982         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2983                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2984
2985 #ifdef TLSEXT_TYPE_opaque_prf_input
2986         {
2987                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2988                  * but we might be sending an alert in response to the client hello,
2989                  * so this has to happen here in
2990                  * ssl_check_clienthello_tlsext_early(). */
2991
2992                 int r = 1;
2993         
2994                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2995                         {
2996                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2997                         if (!r)
2998                                 {
2999                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3000                                 al = SSL_AD_INTERNAL_ERROR;
3001                                 goto err;
3002                                 }
3003                         }
3004
3005                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
3006                         OPENSSL_free(s->s3->server_opaque_prf_input);
3007                 s->s3->server_opaque_prf_input = NULL;
3008
3009                 if (s->tlsext_opaque_prf_input != NULL)
3010                         {
3011                         if (s->s3->client_opaque_prf_input != NULL &&
3012                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
3013                                 {
3014                                 /* can only use this extension if we have a server opaque PRF input
3015                                  * of the same length as the client opaque PRF input! */
3016
3017                                 if (s->tlsext_opaque_prf_input_len == 0)
3018                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
3019                                 else
3020                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
3021                                 if (s->s3->server_opaque_prf_input == NULL)
3022                                         {
3023                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3024                                         al = SSL_AD_INTERNAL_ERROR;
3025                                         goto err;
3026                                         }
3027                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
3028                                 }
3029                         }
3030
3031                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
3032                         {
3033                         /* The callback wants to enforce use of the extension,
3034                          * but we can't do that with the client opaque PRF input;
3035                          * abort the handshake.
3036                          */
3037                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3038                         al = SSL_AD_HANDSHAKE_FAILURE;
3039                         }
3040         }
3041
3042  err:
3043 #endif
3044         switch (ret)
3045                 {
3046                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3047                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3048                         return -1;
3049
3050                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3051                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
3052                         return 1; 
3053                                         
3054                 case SSL_TLSEXT_ERR_NOACK:
3055                         s->servername_done=0;
3056                         default:
3057                 return 1;
3058                 }
3059         }
3060
3061 int ssl_check_clienthello_tlsext_late(SSL *s)
3062         {
3063         int ret = SSL_TLSEXT_ERR_OK;
3064         int al;
3065
3066         /* If status request then ask callback what to do.
3067          * Note: this must be called after servername callbacks in case
3068          * the certificate has changed, and must be called after the cipher
3069          * has been chosen because this may influence which certificate is sent
3070          */
3071         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3072                 {
3073                 int r;
3074          &