473bd94b3fc0b2057afdbc54c3152a4ec6f7956e
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157 #ifndef OPENSSL_NO_TLSEXT
158         if (s->tlsext_session_ticket)
159                 {
160                 OPENSSL_free(s->tlsext_session_ticket);
161                 }
162 #endif /* OPENSSL_NO_TLSEXT */
163         ssl3_free(s);
164         }
165
166 void tls1_clear(SSL *s)
167         {
168         ssl3_clear(s);
169         s->version = s->method->version;
170         }
171
172 #ifndef OPENSSL_NO_EC
173
174 static int nid_list[] =
175         {
176                 NID_sect163k1, /* sect163k1 (1) */
177                 NID_sect163r1, /* sect163r1 (2) */
178                 NID_sect163r2, /* sect163r2 (3) */
179                 NID_sect193r1, /* sect193r1 (4) */ 
180                 NID_sect193r2, /* sect193r2 (5) */ 
181                 NID_sect233k1, /* sect233k1 (6) */
182                 NID_sect233r1, /* sect233r1 (7) */ 
183                 NID_sect239k1, /* sect239k1 (8) */ 
184                 NID_sect283k1, /* sect283k1 (9) */
185                 NID_sect283r1, /* sect283r1 (10) */ 
186                 NID_sect409k1, /* sect409k1 (11) */ 
187                 NID_sect409r1, /* sect409r1 (12) */
188                 NID_sect571k1, /* sect571k1 (13) */ 
189                 NID_sect571r1, /* sect571r1 (14) */ 
190                 NID_secp160k1, /* secp160k1 (15) */
191                 NID_secp160r1, /* secp160r1 (16) */ 
192                 NID_secp160r2, /* secp160r2 (17) */ 
193                 NID_secp192k1, /* secp192k1 (18) */
194                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
195                 NID_secp224k1, /* secp224k1 (20) */ 
196                 NID_secp224r1, /* secp224r1 (21) */
197                 NID_secp256k1, /* secp256k1 (22) */ 
198                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
199                 NID_secp384r1, /* secp384r1 (24) */
200                 NID_secp521r1  /* secp521r1 (25) */     
201         };
202
203 static int pref_list[] =
204         {
205                 NID_sect571r1, /* sect571r1 (14) */ 
206                 NID_sect571k1, /* sect571k1 (13) */ 
207                 NID_secp521r1, /* secp521r1 (25) */     
208                 NID_sect409k1, /* sect409k1 (11) */ 
209                 NID_sect409r1, /* sect409r1 (12) */
210                 NID_secp384r1, /* secp384r1 (24) */
211                 NID_sect283k1, /* sect283k1 (9) */
212                 NID_sect283r1, /* sect283r1 (10) */ 
213                 NID_secp256k1, /* secp256k1 (22) */ 
214                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
215                 NID_sect239k1, /* sect239k1 (8) */ 
216                 NID_sect233k1, /* sect233k1 (6) */
217                 NID_sect233r1, /* sect233r1 (7) */ 
218                 NID_secp224k1, /* secp224k1 (20) */ 
219                 NID_secp224r1, /* secp224r1 (21) */
220                 NID_sect193r1, /* sect193r1 (4) */ 
221                 NID_sect193r2, /* sect193r2 (5) */ 
222                 NID_secp192k1, /* secp192k1 (18) */
223                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
224                 NID_sect163k1, /* sect163k1 (1) */
225                 NID_sect163r1, /* sect163r1 (2) */
226                 NID_sect163r2, /* sect163r2 (3) */
227                 NID_secp160k1, /* secp160k1 (15) */
228                 NID_secp160r1, /* secp160r1 (16) */ 
229                 NID_secp160r2, /* secp160r2 (17) */ 
230         };
231
232 int tls1_ec_curve_id2nid(int curve_id)
233         {
234         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
235         if ((curve_id < 1) || ((unsigned int)curve_id >
236                                 sizeof(nid_list)/sizeof(nid_list[0])))
237                 return 0;
238         return nid_list[curve_id-1];
239         }
240
241 int tls1_ec_nid2curve_id(int nid)
242         {
243         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
244         switch (nid)
245                 {
246         case NID_sect163k1: /* sect163k1 (1) */
247                 return 1;
248         case NID_sect163r1: /* sect163r1 (2) */
249                 return 2;
250         case NID_sect163r2: /* sect163r2 (3) */
251                 return 3;
252         case NID_sect193r1: /* sect193r1 (4) */ 
253                 return 4;
254         case NID_sect193r2: /* sect193r2 (5) */ 
255                 return 5;
256         case NID_sect233k1: /* sect233k1 (6) */
257                 return 6;
258         case NID_sect233r1: /* sect233r1 (7) */ 
259                 return 7;
260         case NID_sect239k1: /* sect239k1 (8) */ 
261                 return 8;
262         case NID_sect283k1: /* sect283k1 (9) */
263                 return 9;
264         case NID_sect283r1: /* sect283r1 (10) */ 
265                 return 10;
266         case NID_sect409k1: /* sect409k1 (11) */ 
267                 return 11;
268         case NID_sect409r1: /* sect409r1 (12) */
269                 return 12;
270         case NID_sect571k1: /* sect571k1 (13) */ 
271                 return 13;
272         case NID_sect571r1: /* sect571r1 (14) */ 
273                 return 14;
274         case NID_secp160k1: /* secp160k1 (15) */
275                 return 15;
276         case NID_secp160r1: /* secp160r1 (16) */ 
277                 return 16;
278         case NID_secp160r2: /* secp160r2 (17) */ 
279                 return 17;
280         case NID_secp192k1: /* secp192k1 (18) */
281                 return 18;
282         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
283                 return 19;
284         case NID_secp224k1: /* secp224k1 (20) */ 
285                 return 20;
286         case NID_secp224r1: /* secp224r1 (21) */
287                 return 21;
288         case NID_secp256k1: /* secp256k1 (22) */ 
289                 return 22;
290         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
291                 return 23;
292         case NID_secp384r1: /* secp384r1 (24) */
293                 return 24;
294         case NID_secp521r1:  /* secp521r1 (25) */       
295                 return 25;
296         default:
297                 return 0;
298                 }
299         }
300 #endif /* OPENSSL_NO_EC */
301
302 #ifndef OPENSSL_NO_TLSEXT
303
304 /* List of supported signature algorithms and hashes. Should make this
305  * customisable at some point, for now include everything we support.
306  */
307
308 #ifdef OPENSSL_NO_RSA
309 #define tlsext_sigalg_rsa(md) /* */
310 #else
311 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
312 #endif
313
314 #ifdef OPENSSL_NO_DSA
315 #define tlsext_sigalg_dsa(md) /* */
316 #else
317 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
318 #endif
319
320 #ifdef OPENSSL_NO_ECDSA
321 #define tlsext_sigalg_ecdsa(md) /* */
322 #else
323 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
324 #endif
325
326 #define tlsext_sigalg(md) \
327                 tlsext_sigalg_rsa(md) \
328                 tlsext_sigalg_dsa(md) \
329                 tlsext_sigalg_ecdsa(md)
330
331 static unsigned char tls12_sigalgs[] = {
332 #ifndef OPENSSL_NO_SHA512
333         tlsext_sigalg(TLSEXT_hash_sha512)
334         tlsext_sigalg(TLSEXT_hash_sha384)
335 #endif
336 #ifndef OPENSSL_NO_SHA256
337         tlsext_sigalg(TLSEXT_hash_sha256)
338         tlsext_sigalg(TLSEXT_hash_sha224)
339 #endif
340 #ifndef OPENSSL_NO_SHA
341         tlsext_sigalg(TLSEXT_hash_sha1)
342 #endif
343 #ifndef OPENSSL_NO_MD5
344         tlsext_sigalg_rsa(TLSEXT_hash_md5)
345 #endif
346 };
347
348 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
349         {
350         size_t slen = sizeof(tls12_sigalgs);
351 #ifdef OPENSSL_FIPS
352         /* If FIPS mode don't include MD5 which is last */
353         if (FIPS_mode())
354                 slen -= 2;
355 #endif
356         if (p)
357                 memcpy(p, tls12_sigalgs, slen);
358         return (int)slen;
359         }
360
361 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
362         {
363         int extdatalen=0;
364         unsigned char *ret = p;
365
366         /* don't add extensions for SSLv3 unless doing secure renegotiation */
367         if (s->client_version == SSL3_VERSION
368                                         && !s->s3->send_connection_binding)
369                 return p;
370
371         ret+=2;
372
373         if (ret>=limit) return NULL; /* this really never occurs, but ... */
374
375         if (s->tlsext_hostname != NULL)
376                 { 
377                 /* Add TLS extension servername to the Client Hello message */
378                 unsigned long size_str;
379                 long lenmax; 
380
381                 /* check for enough space.
382                    4 for the servername type and entension length
383                    2 for servernamelist length
384                    1 for the hostname type
385                    2 for hostname length
386                    + hostname length 
387                 */
388                    
389                 if ((lenmax = limit - ret - 9) < 0 
390                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
391                         return NULL;
392                         
393                 /* extension type and length */
394                 s2n(TLSEXT_TYPE_server_name,ret); 
395                 s2n(size_str+5,ret);
396                 
397                 /* length of servername list */
398                 s2n(size_str+3,ret);
399         
400                 /* hostname type, length and hostname */
401                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
402                 s2n(size_str,ret);
403                 memcpy(ret, s->tlsext_hostname, size_str);
404                 ret+=size_str;
405                 }
406
407         /* Add RI if renegotiating */
408         if (s->renegotiate)
409           {
410           int el;
411           
412           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
413               {
414               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
415               return NULL;
416               }
417
418           if((limit - p - 4 - el) < 0) return NULL;
419           
420           s2n(TLSEXT_TYPE_renegotiate,ret);
421           s2n(el,ret);
422
423           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
424               {
425               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
426               return NULL;
427               }
428
429           ret += el;
430         }
431
432 #ifndef OPENSSL_NO_SRP
433 #define MIN(x,y) (((x)<(y))?(x):(y))
434         /* we add SRP username the first time only if we have one! */
435         if (s->srp_ctx.login != NULL)
436                 {/* Add TLS extension SRP username to the Client Hello message */
437                 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
438                 long lenmax; 
439
440                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
441                 if (login_len > lenmax) return NULL;
442                 if (login_len > 255)
443                         {
444                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
445                         return NULL;
446                         }
447                 s2n(TLSEXT_TYPE_srp,ret);
448                 s2n(login_len+1,ret);
449
450                 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
451                 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
452                 ret+=login_len;
453                 }
454 #endif
455
456 #ifndef OPENSSL_NO_EC
457         if (s->tlsext_ecpointformatlist != NULL &&
458             s->version != DTLS1_VERSION)
459                 {
460                 /* Add TLS extension ECPointFormats to the ClientHello message */
461                 long lenmax; 
462
463                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
464                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
465                 if (s->tlsext_ecpointformatlist_length > 255)
466                         {
467                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
468                         return NULL;
469                         }
470                 
471                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
472                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
473                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
474                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
475                 ret+=s->tlsext_ecpointformatlist_length;
476                 }
477         if (s->tlsext_ellipticcurvelist != NULL &&
478             s->version != DTLS1_VERSION)
479                 {
480                 /* Add TLS extension EllipticCurves to the ClientHello message */
481                 long lenmax; 
482
483                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
484                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
485                 if (s->tlsext_ellipticcurvelist_length > 65532)
486                         {
487                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
488                         return NULL;
489                         }
490                 
491                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
492                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
493
494                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
495                  * elliptic_curve_list, but the examples use two bytes.
496                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
497                  * resolves this to two bytes.
498                  */
499                 s2n(s->tlsext_ellipticcurvelist_length, ret);
500                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
501                 ret+=s->tlsext_ellipticcurvelist_length;
502                 }
503 #endif /* OPENSSL_NO_EC */
504
505         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
506                 {
507                 int ticklen;
508                 if (!s->new_session && s->session && s->session->tlsext_tick)
509                         ticklen = s->session->tlsext_ticklen;
510                 else if (s->session && s->tlsext_session_ticket &&
511                          s->tlsext_session_ticket->data)
512                         {
513                         ticklen = s->tlsext_session_ticket->length;
514                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
515                         if (!s->session->tlsext_tick)
516                                 return NULL;
517                         memcpy(s->session->tlsext_tick,
518                                s->tlsext_session_ticket->data,
519                                ticklen);
520                         s->session->tlsext_ticklen = ticklen;
521                         }
522                 else
523                         ticklen = 0;
524                 if (ticklen == 0 && s->tlsext_session_ticket &&
525                     s->tlsext_session_ticket->data == NULL)
526                         goto skip_ext;
527                 /* Check for enough room 2 for extension type, 2 for len
528                  * rest for ticket
529                  */
530                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
531                 s2n(TLSEXT_TYPE_session_ticket,ret); 
532                 s2n(ticklen,ret);
533                 if (ticklen)
534                         {
535                         memcpy(ret, s->session->tlsext_tick, ticklen);
536                         ret += ticklen;
537                         }
538                 }
539                 skip_ext:
540
541         if (TLS1_get_version(s) >= TLS1_2_VERSION)
542                 {
543                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
544                         return NULL; 
545                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
546                 s2n(sizeof(tls12_sigalgs) + 2, ret);
547                 s2n(sizeof(tls12_sigalgs), ret);
548                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
549                 ret += sizeof(tls12_sigalgs);
550                 }
551
552 #ifdef TLSEXT_TYPE_opaque_prf_input
553         if (s->s3->client_opaque_prf_input != NULL &&
554             s->version != DTLS1_VERSION)
555                 {
556                 size_t col = s->s3->client_opaque_prf_input_len;
557                 
558                 if ((long)(limit - ret - 6 - col < 0))
559                         return NULL;
560                 if (col > 0xFFFD) /* can't happen */
561                         return NULL;
562
563                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
564                 s2n(col + 2, ret);
565                 s2n(col, ret);
566                 memcpy(ret, s->s3->client_opaque_prf_input, col);
567                 ret += col;
568                 }
569 #endif
570
571         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
572             s->version != DTLS1_VERSION)
573                 {
574                 int i;
575                 long extlen, idlen, itmp;
576                 OCSP_RESPID *id;
577
578                 idlen = 0;
579                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
580                         {
581                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
582                         itmp = i2d_OCSP_RESPID(id, NULL);
583                         if (itmp <= 0)
584                                 return NULL;
585                         idlen += itmp + 2;
586                         }
587
588                 if (s->tlsext_ocsp_exts)
589                         {
590                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
591                         if (extlen < 0)
592                                 return NULL;
593                         }
594                 else
595                         extlen = 0;
596                         
597                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
598                 s2n(TLSEXT_TYPE_status_request, ret);
599                 if (extlen + idlen > 0xFFF0)
600                         return NULL;
601                 s2n(extlen + idlen + 5, ret);
602                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
603                 s2n(idlen, ret);
604                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
605                         {
606                         /* save position of id len */
607                         unsigned char *q = ret;
608                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
609                         /* skip over id len */
610                         ret += 2;
611                         itmp = i2d_OCSP_RESPID(id, &ret);
612                         /* write id len */
613                         s2n(itmp, q);
614                         }
615                 s2n(extlen, ret);
616                 if (extlen > 0)
617                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
618                 }
619
620 #ifndef OPENSSL_NO_NEXTPROTONEG
621         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
622                 {
623                 /* The client advertises an emtpy extension to indicate its
624                  * support for Next Protocol Negotiation */
625                 if (limit - ret - 4 < 0)
626                         return NULL;
627                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
628                 s2n(0,ret);
629                 }
630 #endif
631
632         if(SSL_get_srtp_profiles(s))
633                 {
634                 int el;
635
636                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
637                 
638                 if((limit - p - 4 - el) < 0) return NULL;
639
640                 s2n(TLSEXT_TYPE_use_srtp,ret);
641                 s2n(el,ret);
642
643                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
644                         {
645                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
646                         return NULL;
647                         }
648                 ret += el;
649                 }
650
651         if ((extdatalen = ret-p-2)== 0) 
652                 return p;
653
654         s2n(extdatalen,p);
655         return ret;
656         }
657
658 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
659         {
660         int extdatalen=0;
661         unsigned char *ret = p;
662 #ifndef OPENSSL_NO_NEXTPROTONEG
663         int next_proto_neg_seen;
664 #endif
665
666         /* don't add extensions for SSLv3, unless doing secure renegotiation */
667         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
668                 return p;
669         
670         ret+=2;
671         if (ret>=limit) return NULL; /* this really never occurs, but ... */
672
673         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
674                 { 
675                 if ((long)(limit - ret - 4) < 0) return NULL; 
676
677                 s2n(TLSEXT_TYPE_server_name,ret);
678                 s2n(0,ret);
679                 }
680
681         if(s->s3->send_connection_binding)
682         {
683           int el;
684           
685           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
686               {
687               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
688               return NULL;
689               }
690
691           if((limit - p - 4 - el) < 0) return NULL;
692           
693           s2n(TLSEXT_TYPE_renegotiate,ret);
694           s2n(el,ret);
695
696           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
697               {
698               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
699               return NULL;
700               }
701
702           ret += el;
703         }
704
705 #ifndef OPENSSL_NO_EC
706         if (s->tlsext_ecpointformatlist != NULL &&
707             s->version != DTLS1_VERSION)
708                 {
709                 /* Add TLS extension ECPointFormats to the ServerHello message */
710                 long lenmax; 
711
712                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
713                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
714                 if (s->tlsext_ecpointformatlist_length > 255)
715                         {
716                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
717                         return NULL;
718                         }
719                 
720                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
721                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
722                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
723                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
724                 ret+=s->tlsext_ecpointformatlist_length;
725
726                 }
727         /* Currently the server should not respond with a SupportedCurves extension */
728 #endif /* OPENSSL_NO_EC */
729
730         if (s->tlsext_ticket_expected
731                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
732                 { 
733                 if ((long)(limit - ret - 4) < 0) return NULL; 
734                 s2n(TLSEXT_TYPE_session_ticket,ret);
735                 s2n(0,ret);
736                 }
737
738         if (s->tlsext_status_expected)
739                 { 
740                 if ((long)(limit - ret - 4) < 0) return NULL; 
741                 s2n(TLSEXT_TYPE_status_request,ret);
742                 s2n(0,ret);
743                 }
744
745 #ifdef TLSEXT_TYPE_opaque_prf_input
746         if (s->s3->server_opaque_prf_input != NULL &&
747             s->version != DTLS1_VERSION)
748                 {
749                 size_t sol = s->s3->server_opaque_prf_input_len;
750                 
751                 if ((long)(limit - ret - 6 - sol) < 0)
752                         return NULL;
753                 if (sol > 0xFFFD) /* can't happen */
754                         return NULL;
755
756                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
757                 s2n(sol + 2, ret);
758                 s2n(sol, ret);
759                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
760                 ret += sol;
761                 }
762 #endif
763
764         if(s->srtp_profile)
765                 {
766                 int el;
767
768                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
769                 
770                 if((limit - p - 4 - el) < 0) return NULL;
771
772                 s2n(TLSEXT_TYPE_use_srtp,ret);
773                 s2n(el,ret);
774
775                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
776                         {
777                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
778                         return NULL;
779                         }
780                 ret+=el;
781                 }
782
783         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
784                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
785                 { const unsigned char cryptopro_ext[36] = {
786                         0xfd, 0xe8, /*65000*/
787                         0x00, 0x20, /*32 bytes length*/
788                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
789                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
790                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
791                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
792                         if (limit-ret<36) return NULL;
793                         memcpy(ret,cryptopro_ext,36);
794                         ret+=36;
795
796                 }
797
798 #ifndef OPENSSL_NO_NEXTPROTONEG
799         next_proto_neg_seen = s->s3->next_proto_neg_seen;
800         s->s3->next_proto_neg_seen = 0;
801         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
802                 {
803                 const unsigned char *npa;
804                 unsigned int npalen;
805                 int r;
806
807                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
808                 if (r == SSL_TLSEXT_ERR_OK)
809                         {
810                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
811                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
812                         s2n(npalen,ret);
813                         memcpy(ret, npa, npalen);
814                         ret += npalen;
815                         s->s3->next_proto_neg_seen = 1;
816                         }
817                 }
818 #endif
819
820         if ((extdatalen = ret-p-2)== 0) 
821                 return p;
822
823         s2n(extdatalen,p);
824         return ret;
825         }
826
827 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
828         {
829         unsigned short type;
830         unsigned short size;
831         unsigned short len;
832         unsigned char *data = *p;
833         int renegotiate_seen = 0;
834         int sigalg_seen = 0;
835
836         s->servername_done = 0;
837         s->tlsext_status_type = -1;
838
839         if (data >= (d+n-2))
840                 goto ri_check;
841         n2s(data,len);
842
843         if (data > (d+n-len)) 
844                 goto ri_check;
845
846         while (data <= (d+n-4))
847                 {
848                 n2s(data,type);
849                 n2s(data,size);
850
851                 if (data+size > (d+n))
852                         goto ri_check;
853 #if 0
854                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
855 #endif
856                 if (s->tlsext_debug_cb)
857                         s->tlsext_debug_cb(s, 0, type, data, size,
858                                                 s->tlsext_debug_arg);
859 /* The servername extension is treated as follows:
860
861    - Only the hostname type is supported with a maximum length of 255.
862    - The servername is rejected if too long or if it contains zeros,
863      in which case an fatal alert is generated.
864    - The servername field is maintained together with the session cache.
865    - When a session is resumed, the servername call back invoked in order
866      to allow the application to position itself to the right context. 
867    - The servername is acknowledged if it is new for a session or when 
868      it is identical to a previously used for the same session. 
869      Applications can control the behaviour.  They can at any time
870      set a 'desirable' servername for a new SSL object. This can be the
871      case for example with HTTPS when a Host: header field is received and
872      a renegotiation is requested. In this case, a possible servername
873      presented in the new client hello is only acknowledged if it matches
874      the value of the Host: field. 
875    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
876      if they provide for changing an explicit servername context for the session,
877      i.e. when the session has been established with a servername extension. 
878    - On session reconnect, the servername extension may be absent. 
879
880 */      
881
882                 if (type == TLSEXT_TYPE_server_name)
883                         {
884                         unsigned char *sdata;
885                         int servname_type;
886                         int dsize; 
887                 
888                         if (size < 2) 
889                                 {
890                                 *al = SSL_AD_DECODE_ERROR;
891                                 return 0;
892                                 }
893                         n2s(data,dsize);  
894                         size -= 2;
895                         if (dsize > size  ) 
896                                 {
897                                 *al = SSL_AD_DECODE_ERROR;
898                                 return 0;
899                                 } 
900
901                         sdata = data;
902                         while (dsize > 3) 
903                                 {
904                                 servname_type = *(sdata++); 
905                                 n2s(sdata,len);
906                                 dsize -= 3;
907
908                                 if (len > dsize) 
909                                         {
910                                         *al = SSL_AD_DECODE_ERROR;
911                                         return 0;
912                                         }
913                                 if (s->servername_done == 0)
914                                 switch (servname_type)
915                                         {
916                                 case TLSEXT_NAMETYPE_host_name:
917                                         if (!s->hit)
918                                                 {
919                                                 if(s->session->tlsext_hostname)
920                                                         {
921                                                         *al = SSL_AD_DECODE_ERROR;
922                                                         return 0;
923                                                         }
924                                                 if (len > TLSEXT_MAXLEN_host_name)
925                                                         {
926                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
927                                                         return 0;
928                                                         }
929                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
930                                                         {
931                                                         *al = TLS1_AD_INTERNAL_ERROR;
932                                                         return 0;
933                                                         }
934                                                 memcpy(s->session->tlsext_hostname, sdata, len);
935                                                 s->session->tlsext_hostname[len]='\0';
936                                                 if (strlen(s->session->tlsext_hostname) != len) {
937                                                         OPENSSL_free(s->session->tlsext_hostname);
938                                                         s->session->tlsext_hostname = NULL;
939                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
940                                                         return 0;
941                                                 }
942                                                 s->servername_done = 1; 
943
944                                                 }
945                                         else 
946                                                 s->servername_done = s->session->tlsext_hostname
947                                                         && strlen(s->session->tlsext_hostname) == len 
948                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
949                                         
950                                         break;
951
952                                 default:
953                                         break;
954                                         }
955                                  
956                                 dsize -= len;
957                                 }
958                         if (dsize != 0) 
959                                 {
960                                 *al = SSL_AD_DECODE_ERROR;
961                                 return 0;
962                                 }
963
964                         }
965 #ifndef OPENSSL_NO_SRP
966                 else if (type == TLSEXT_TYPE_srp)
967                         {
968                         if (size > 0)
969                                 {
970                                 len = data[0];
971                                 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
972                                         return -1;
973                                 memcpy(s->srp_ctx.login, &data[1], len);
974                                 s->srp_ctx.login[len]='\0';  
975                                 }
976                         }
977 #endif
978
979 #ifndef OPENSSL_NO_EC
980                 else if (type == TLSEXT_TYPE_ec_point_formats &&
981                      s->version != DTLS1_VERSION)
982                         {
983                         unsigned char *sdata = data;
984                         int ecpointformatlist_length = *(sdata++);
985
986                         if (ecpointformatlist_length != size - 1)
987                                 {
988                                 *al = TLS1_AD_DECODE_ERROR;
989                                 return 0;
990                                 }
991                         if (!s->hit)
992                                 {
993                                 if(s->session->tlsext_ecpointformatlist)
994                                         {
995                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
996                                         s->session->tlsext_ecpointformatlist = NULL;
997                                         }
998                                 s->session->tlsext_ecpointformatlist_length = 0;
999                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1000                                         {
1001                                         *al = TLS1_AD_INTERNAL_ERROR;
1002                                         return 0;
1003                                         }
1004                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1005                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1006                                 }
1007 #if 0
1008                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1009                         sdata = s->session->tlsext_ecpointformatlist;
1010                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1011                                 fprintf(stderr,"%i ",*(sdata++));
1012                         fprintf(stderr,"\n");
1013 #endif
1014                         }
1015                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1016                      s->version != DTLS1_VERSION)
1017                         {
1018                         unsigned char *sdata = data;
1019                         int ellipticcurvelist_length = (*(sdata++) << 8);
1020                         ellipticcurvelist_length += (*(sdata++));
1021
1022                         if (ellipticcurvelist_length != size - 2)
1023                                 {
1024                                 *al = TLS1_AD_DECODE_ERROR;
1025                                 return 0;
1026                                 }
1027                         if (!s->hit)
1028                                 {
1029                                 if(s->session->tlsext_ellipticcurvelist)
1030                                         {
1031                                         *al = TLS1_AD_DECODE_ERROR;
1032                                         return 0;
1033                                         }
1034                                 s->session->tlsext_ellipticcurvelist_length = 0;
1035                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1036                                         {
1037                                         *al = TLS1_AD_INTERNAL_ERROR;
1038                                         return 0;
1039                                         }
1040                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1041                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1042                                 }
1043 #if 0
1044                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1045                         sdata = s->session->tlsext_ellipticcurvelist;
1046                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1047                                 fprintf(stderr,"%i ",*(sdata++));
1048                         fprintf(stderr,"\n");
1049 #endif
1050                         }
1051 #endif /* OPENSSL_NO_EC */
1052 #ifdef TLSEXT_TYPE_opaque_prf_input
1053                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1054                      s->version != DTLS1_VERSION)
1055                         {
1056                         unsigned char *sdata = data;
1057
1058                         if (size < 2)
1059                                 {
1060                                 *al = SSL_AD_DECODE_ERROR;
1061                                 return 0;
1062                                 }
1063                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1064                         if (s->s3->client_opaque_prf_input_len != size - 2)
1065                                 {
1066                                 *al = SSL_AD_DECODE_ERROR;
1067                                 return 0;
1068                                 }
1069
1070                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1071                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1072                         if (s->s3->client_opaque_prf_input_len == 0)
1073                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1074                         else
1075                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1076                         if (s->s3->client_opaque_prf_input == NULL)
1077                                 {
1078                                 *al = TLS1_AD_INTERNAL_ERROR;
1079                                 return 0;
1080                                 }
1081                         }
1082 #endif
1083                 else if (type == TLSEXT_TYPE_session_ticket)
1084                         {
1085                         if (s->tls_session_ticket_ext_cb &&
1086                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1087                                 {
1088                                 *al = TLS1_AD_INTERNAL_ERROR;
1089                                 return 0;
1090                                 }
1091                         }
1092                 else if (type == TLSEXT_TYPE_renegotiate)
1093                         {
1094                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1095                                 return 0;
1096                         renegotiate_seen = 1;
1097                         }
1098                 else if (type == TLSEXT_TYPE_signature_algorithms)
1099                         {
1100                         int dsize;
1101                         if (sigalg_seen || size < 2) 
1102                                 {
1103                                 *al = SSL_AD_DECODE_ERROR;
1104                                 return 0;
1105                                 }
1106                         sigalg_seen = 1;
1107                         n2s(data,dsize);
1108                         size -= 2;
1109                         if (dsize != size || dsize & 1) 
1110                                 {
1111                                 *al = SSL_AD_DECODE_ERROR;
1112                                 return 0;
1113                                 }
1114                         if (!tls1_process_sigalgs(s, data, dsize))
1115                                 {
1116                                 *al = SSL_AD_DECODE_ERROR;
1117                                 return 0;
1118                                 }
1119                         }
1120                 else if (type == TLSEXT_TYPE_status_request &&
1121                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1122                         {
1123                 
1124                         if (size < 5) 
1125                                 {
1126                                 *al = SSL_AD_DECODE_ERROR;
1127                                 return 0;
1128                                 }
1129
1130                         s->tlsext_status_type = *data++;
1131                         size--;
1132                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1133                                 {
1134                                 const unsigned char *sdata;
1135                                 int dsize;
1136                                 /* Read in responder_id_list */
1137                                 n2s(data,dsize);
1138                                 size -= 2;
1139                                 if (dsize > size  ) 
1140                                         {
1141                                         *al = SSL_AD_DECODE_ERROR;
1142                                         return 0;
1143                                         }
1144                                 while (dsize > 0)
1145                                         {
1146                                         OCSP_RESPID *id;
1147                                         int idsize;
1148                                         if (dsize < 4)
1149                                                 {
1150                                                 *al = SSL_AD_DECODE_ERROR;
1151                                                 return 0;
1152                                                 }
1153                                         n2s(data, idsize);
1154                                         dsize -= 2 + idsize;
1155                                         size -= 2 + idsize;
1156                                         if (dsize < 0)
1157                                                 {
1158                                                 *al = SSL_AD_DECODE_ERROR;
1159                                                 return 0;
1160                                                 }
1161                                         sdata = data;
1162                                         data += idsize;
1163                                         id = d2i_OCSP_RESPID(NULL,
1164                                                                 &sdata, idsize);
1165                                         if (!id)
1166                                                 {
1167                                                 *al = SSL_AD_DECODE_ERROR;
1168                                                 return 0;
1169                                                 }
1170                                         if (data != sdata)
1171                                                 {
1172                                                 OCSP_RESPID_free(id);
1173                                                 *al = SSL_AD_DECODE_ERROR;
1174                                                 return 0;
1175                                                 }
1176                                         if (!s->tlsext_ocsp_ids
1177                                                 && !(s->tlsext_ocsp_ids =
1178                                                 sk_OCSP_RESPID_new_null()))
1179                                                 {
1180                                                 OCSP_RESPID_free(id);
1181                                                 *al = SSL_AD_INTERNAL_ERROR;
1182                                                 return 0;
1183                                                 }
1184                                         if (!sk_OCSP_RESPID_push(
1185                                                         s->tlsext_ocsp_ids, id))
1186                                                 {
1187                                                 OCSP_RESPID_free(id);
1188                                                 *al = SSL_AD_INTERNAL_ERROR;
1189                                                 return 0;
1190                                                 }
1191                                         }
1192
1193                                 /* Read in request_extensions */
1194                                 if (size < 2)
1195                                         {
1196                                         *al = SSL_AD_DECODE_ERROR;
1197                                         return 0;
1198                                         }
1199                                 n2s(data,dsize);
1200                                 size -= 2;
1201                                 if (dsize != size)
1202                                         {
1203                                         *al = SSL_AD_DECODE_ERROR;
1204                                         return 0;
1205                                         }
1206                                 sdata = data;
1207                                 if (dsize > 0)
1208                                         {
1209                                         s->tlsext_ocsp_exts =
1210                                                 d2i_X509_EXTENSIONS(NULL,
1211                                                         &sdata, dsize);
1212                                         if (!s->tlsext_ocsp_exts
1213                                                 || (data + dsize != sdata))
1214                                                 {
1215                                                 *al = SSL_AD_DECODE_ERROR;
1216                                                 return 0;
1217                                                 }
1218                                         }
1219                                 }
1220                                 /* We don't know what to do with any other type
1221                                 * so ignore it.
1222                                 */
1223                                 else
1224                                         s->tlsext_status_type = -1;
1225                         }
1226 #ifndef OPENSSL_NO_NEXTPROTONEG
1227                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1228                          s->s3->tmp.finish_md_len == 0)
1229                         {
1230                         /* We shouldn't accept this extension on a
1231                          * renegotiation.
1232                          *
1233                          * s->new_session will be set on renegotiation, but we
1234                          * probably shouldn't rely that it couldn't be set on
1235                          * the initial renegotation too in certain cases (when
1236                          * there's some other reason to disallow resuming an
1237                          * earlier session -- the current code won't be doing
1238                          * anything like that, but this might change).
1239
1240                          * A valid sign that there's been a previous handshake
1241                          * in this connection is if s->s3->tmp.finish_md_len >
1242                          * 0.  (We are talking about a check that will happen
1243                          * in the Hello protocol round, well before a new
1244                          * Finished message could have been computed.) */
1245                         s->s3->next_proto_neg_seen = 1;
1246                         }
1247 #endif
1248
1249                 /* session ticket processed earlier */
1250                 else if (type == TLSEXT_TYPE_use_srtp)
1251                         {
1252                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1253                                                               al))
1254                                 return 0;
1255                         }
1256
1257                 data+=size;
1258                 }
1259                                 
1260         *p = data;
1261
1262         ri_check:
1263
1264         /* Need RI if renegotiating */
1265
1266         if (!renegotiate_seen && s->renegotiate &&
1267                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1268                 {
1269                 *al = SSL_AD_HANDSHAKE_FAILURE;
1270                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1271                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1272                 return 0;
1273                 }
1274
1275         return 1;
1276         }
1277
1278 #ifndef OPENSSL_NO_NEXTPROTONEG
1279 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1280  * elements of zero length are allowed and the set of elements must exactly fill
1281  * the length of the block. */
1282 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1283         {
1284         unsigned int off = 0;
1285
1286         while (off < len)
1287                 {
1288                 if (d[off] == 0)
1289                         return 0;
1290                 off += d[off];
1291                 off++;
1292                 }
1293
1294         return off == len;
1295         }
1296 #endif
1297
1298 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1299         {
1300         unsigned short length;
1301         unsigned short type;
1302         unsigned short size;
1303         unsigned char *data = *p;
1304         int tlsext_servername = 0;
1305         int renegotiate_seen = 0;
1306
1307         if (data >= (d+n-2))
1308                 goto ri_check;
1309
1310         n2s(data,length);
1311         if (data+length != d+n)
1312                 {
1313                 *al = SSL_AD_DECODE_ERROR;
1314                 return 0;
1315                 }
1316
1317         while(data <= (d+n-4))
1318                 {
1319                 n2s(data,type);
1320                 n2s(data,size);
1321
1322                 if (data+size > (d+n))
1323                         goto ri_check;
1324
1325                 if (s->tlsext_debug_cb)
1326                         s->tlsext_debug_cb(s, 1, type, data, size,
1327                                                 s->tlsext_debug_arg);
1328
1329                 if (type == TLSEXT_TYPE_server_name)
1330                         {
1331                         if (s->tlsext_hostname == NULL || size > 0)
1332                                 {
1333                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1334                                 return 0;
1335                                 }
1336                         tlsext_servername = 1;   
1337                         }
1338
1339 #ifndef OPENSSL_NO_EC
1340                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1341                      s->version != DTLS1_VERSION)
1342                         {
1343                         unsigned char *sdata = data;
1344                         int ecpointformatlist_length = *(sdata++);
1345
1346                         if (ecpointformatlist_length != size - 1)
1347                                 {
1348                                 *al = TLS1_AD_DECODE_ERROR;
1349                                 return 0;
1350                                 }
1351                         s->session->tlsext_ecpointformatlist_length = 0;
1352                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1353                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1354                                 {
1355                                 *al = TLS1_AD_INTERNAL_ERROR;
1356                                 return 0;
1357                                 }
1358                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1359                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1360 #if 0
1361                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1362                         sdata = s->session->tlsext_ecpointformatlist;
1363                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1364                                 fprintf(stderr,"%i ",*(sdata++));
1365                         fprintf(stderr,"\n");
1366 #endif
1367                         }
1368 #endif /* OPENSSL_NO_EC */
1369
1370                 else if (type == TLSEXT_TYPE_session_ticket)
1371                         {
1372                         if (s->tls_session_ticket_ext_cb &&
1373                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1374                                 {
1375                                 *al = TLS1_AD_INTERNAL_ERROR;
1376                                 return 0;
1377                                 }
1378                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1379                                 || (size > 0))
1380                                 {
1381                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1382                                 return 0;
1383                                 }
1384                         s->tlsext_ticket_expected = 1;
1385                         }
1386 #ifdef TLSEXT_TYPE_opaque_prf_input
1387                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1388                      s->version != DTLS1_VERSION)
1389                         {
1390                         unsigned char *sdata = data;
1391
1392                         if (size < 2)
1393                                 {
1394                                 *al = SSL_AD_DECODE_ERROR;
1395                                 return 0;
1396                                 }
1397                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1398                         if (s->s3->server_opaque_prf_input_len != size - 2)
1399                                 {
1400                                 *al = SSL_AD_DECODE_ERROR;
1401                                 return 0;
1402                                 }
1403                         
1404                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1405                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1406                         if (s->s3->server_opaque_prf_input_len == 0)
1407                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1408                         else
1409                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1410
1411                         if (s->s3->server_opaque_prf_input == NULL)
1412                                 {
1413                                 *al = TLS1_AD_INTERNAL_ERROR;
1414                                 return 0;
1415                                 }
1416                         }
1417 #endif
1418                 else if (type == TLSEXT_TYPE_status_request &&
1419                          s->version != DTLS1_VERSION)
1420                         {
1421                         /* MUST be empty and only sent if we've requested
1422                          * a status request message.
1423                          */ 
1424                         if ((s->tlsext_status_type == -1) || (size > 0))
1425                                 {
1426                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1427                                 return 0;
1428                                 }
1429                         /* Set flag to expect CertificateStatus message */
1430                         s->tlsext_status_expected = 1;
1431                         }
1432 #ifndef OPENSSL_NO_NEXTPROTONEG
1433                 else if (type == TLSEXT_TYPE_next_proto_neg)
1434                         {
1435                         unsigned char *selected;
1436                         unsigned char selected_len;
1437
1438                         /* We must have requested it. */
1439                         if ((s->ctx->next_proto_select_cb == NULL))
1440                                 {
1441                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1442                                 return 0;
1443                                 }
1444                         /* The data must be valid */
1445                         if (!ssl_next_proto_validate(data, size))
1446                                 {
1447                                 *al = TLS1_AD_DECODE_ERROR;
1448                                 return 0;
1449                                 }
1450                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1451                                 {
1452                                 *al = TLS1_AD_INTERNAL_ERROR;
1453                                 return 0;
1454                                 }
1455                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1456                         if (!s->next_proto_negotiated)
1457                                 {
1458                                 *al = TLS1_AD_INTERNAL_ERROR;
1459                                 return 0;
1460                                 }
1461                         memcpy(s->next_proto_negotiated, selected, selected_len);
1462                         s->next_proto_negotiated_len = selected_len;
1463                         }
1464 #endif
1465                 else if (type == TLSEXT_TYPE_renegotiate)
1466                         {
1467                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1468                                 return 0;
1469                         renegotiate_seen = 1;
1470                         }
1471                 else if (type == TLSEXT_TYPE_use_srtp)
1472                         {
1473                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1474                                                               al))
1475                                 return 0;
1476                         }
1477
1478                 data+=size;             
1479                 }
1480
1481         if (data != d+n)
1482                 {
1483                 *al = SSL_AD_DECODE_ERROR;
1484                 return 0;
1485                 }
1486
1487         if (!s->hit && tlsext_servername == 1)
1488                 {
1489                 if (s->tlsext_hostname)
1490                         {
1491                         if (s->session->tlsext_hostname == NULL)
1492                                 {
1493                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1494                                 if (!s->session->tlsext_hostname)
1495                                         {
1496                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1497                                         return 0;
1498                                         }
1499                                 }
1500                         else 
1501                                 {
1502                                 *al = SSL_AD_DECODE_ERROR;
1503                                 return 0;
1504                                 }
1505                         }
1506                 }
1507
1508         *p = data;
1509
1510         ri_check:
1511
1512         /* Determine if we need to see RI. Strictly speaking if we want to
1513          * avoid an attack we should *always* see RI even on initial server
1514          * hello because the client doesn't see any renegotiation during an
1515          * attack. However this would mean we could not connect to any server
1516          * which doesn't support RI so for the immediate future tolerate RI
1517          * absence on initial connect only.
1518          */
1519         if (!renegotiate_seen
1520                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1521                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1522                 {
1523                 *al = SSL_AD_HANDSHAKE_FAILURE;
1524                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1525                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1526                 return 0;
1527                 }
1528
1529         return 1;
1530         }
1531
1532
1533 int ssl_prepare_clienthello_tlsext(SSL *s)
1534         {
1535 #ifndef OPENSSL_NO_EC
1536         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1537          * and elliptic curves we support.
1538          */
1539         int using_ecc = 0;
1540         int i;
1541         unsigned char *j;
1542         unsigned long alg_k, alg_a;
1543         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1544
1545         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1546                 {
1547                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1548
1549                 alg_k = c->algorithm_mkey;
1550                 alg_a = c->algorithm_auth;
1551                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1552                         {
1553                         using_ecc = 1;
1554                         break;
1555                         }
1556                 }
1557         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1558         if (using_ecc)
1559                 {
1560                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1561                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1562                         {
1563                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1564                         return -1;
1565                         }
1566                 s->tlsext_ecpointformatlist_length = 3;
1567                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1568                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1569                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1570
1571                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1572                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1573                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1574                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1575                         {
1576                         s->tlsext_ellipticcurvelist_length = 0;
1577                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1578                         return -1;
1579                         }
1580                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1581                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1582                         {
1583                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1584                         s2n(id,j);
1585                         }
1586                 }
1587 #endif /* OPENSSL_NO_EC */
1588
1589 #ifdef TLSEXT_TYPE_opaque_prf_input
1590         {
1591                 int r = 1;
1592         
1593                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1594                         {
1595                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1596                         if (!r)
1597                                 return -1;
1598                         }
1599
1600                 if (s->tlsext_opaque_prf_input != NULL)
1601                         {
1602                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1603                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1604
1605                         if (s->tlsext_opaque_prf_input_len == 0)
1606                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1607                         else
1608                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1609                         if (s->s3->client_opaque_prf_input == NULL)
1610                                 {
1611                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1612                                 return -1;
1613                                 }
1614                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1615                         }
1616
1617                 if (r == 2)
1618                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1619                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1620         }
1621 #endif
1622
1623         return 1;
1624         }
1625
1626 int ssl_prepare_serverhello_tlsext(SSL *s)
1627         {
1628 #ifndef OPENSSL_NO_EC
1629         /* If we are server and using an ECC cipher suite, send the point formats we support 
1630          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1631          * supposed to send an EllipticCurves extension.
1632          */
1633
1634         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1635         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1636         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1637         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1638         
1639         if (using_ecc)
1640                 {
1641                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1642                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1643                         {
1644                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1645                         return -1;
1646                         }
1647                 s->tlsext_ecpointformatlist_length = 3;
1648                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1649                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1650                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1651                 }
1652 #endif /* OPENSSL_NO_EC */
1653
1654         return 1;
1655         }
1656
1657 int ssl_check_clienthello_tlsext(SSL *s)
1658         {
1659         int ret=SSL_TLSEXT_ERR_NOACK;
1660         int al = SSL_AD_UNRECOGNIZED_NAME;
1661
1662 #ifndef OPENSSL_NO_EC
1663         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1664          * ssl3_choose_cipher in s3_lib.c.
1665          */
1666         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1667          * ssl3_choose_cipher in s3_lib.c.
1668          */
1669 #endif
1670
1671         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1672                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1673         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1674                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1675
1676         /* If status request then ask callback what to do.
1677          * Note: this must be called after servername callbacks in case 
1678          * the certificate has changed.
1679          */
1680         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1681                 {
1682                 int r;
1683                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1684                 switch (r)
1685                         {
1686                         /* We don't want to send a status request response */
1687                         case SSL_TLSEXT_ERR_NOACK:
1688                                 s->tlsext_status_expected = 0;
1689                                 break;
1690                         /* status request response should be sent */
1691                         case SSL_TLSEXT_ERR_OK:
1692                                 if (s->tlsext_ocsp_resp)
1693                                         s->tlsext_status_expected = 1;
1694                                 else
1695                                         s->tlsext_status_expected = 0;
1696                                 break;
1697                         /* something bad happened */
1698                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1699                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1700                                 al = SSL_AD_INTERNAL_ERROR;
1701                                 goto err;
1702                         }
1703                 }
1704         else
1705                 s->tlsext_status_expected = 0;
1706
1707 #ifdef TLSEXT_TYPE_opaque_prf_input
1708         {
1709                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1710                  * but we might be sending an alert in response to the client hello,
1711                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1712
1713                 int r = 1;
1714         
1715                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1716                         {
1717                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1718                         if (!r)
1719                                 {
1720                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1721                                 al = SSL_AD_INTERNAL_ERROR;
1722                                 goto err;
1723                                 }
1724                         }
1725
1726                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1727                         OPENSSL_free(s->s3->server_opaque_prf_input);
1728                 s->s3->server_opaque_prf_input = NULL;
1729
1730                 if (s->tlsext_opaque_prf_input != NULL)
1731                         {
1732                         if (s->s3->client_opaque_prf_input != NULL &&
1733                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1734                                 {
1735                                 /* can only use this extension if we have a server opaque PRF input
1736                                  * of the same length as the client opaque PRF input! */
1737
1738                                 if (s->tlsext_opaque_prf_input_len == 0)
1739                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1740                                 else
1741                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1742                                 if (s->s3->server_opaque_prf_input == NULL)
1743                                         {
1744                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1745                                         al = SSL_AD_INTERNAL_ERROR;
1746                                         goto err;
1747                                         }
1748                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1749                                 }
1750                         }
1751
1752                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1753                         {
1754                         /* The callback wants to enforce use of the extension,
1755                          * but we can't do that with the client opaque PRF input;
1756                          * abort the handshake.
1757                          */
1758                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1759                         al = SSL_AD_HANDSHAKE_FAILURE;
1760                         }
1761         }
1762
1763 #endif
1764  err:
1765         switch (ret)
1766                 {
1767                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1768                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1769                         return -1;
1770
1771                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1772                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1773                         return 1; 
1774                                         
1775                 case SSL_TLSEXT_ERR_NOACK:
1776                         s->servername_done=0;
1777                         default:
1778                 return 1;
1779                 }
1780         }
1781
1782 int ssl_check_serverhello_tlsext(SSL *s)
1783         {
1784         int ret=SSL_TLSEXT_ERR_NOACK;
1785         int al = SSL_AD_UNRECOGNIZED_NAME;
1786
1787 #ifndef OPENSSL_NO_EC
1788         /* If we are client and using an elliptic curve cryptography cipher
1789          * suite, then if server returns an EC point formats lists extension
1790          * it must contain uncompressed.
1791          */
1792         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1793         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1794         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1795             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1796             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1797                 {
1798                 /* we are using an ECC cipher */
1799                 size_t i;
1800                 unsigned char *list;
1801                 int found_uncompressed = 0;
1802                 list = s->session->tlsext_ecpointformatlist;
1803                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1804                         {
1805                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1806                                 {
1807                                 found_uncompressed = 1;
1808                                 break;
1809                                 }
1810                         }
1811                 if (!found_uncompressed)
1812                         {
1813                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1814                         return -1;
1815                         }
1816                 }
1817         ret = SSL_TLSEXT_ERR_OK;
1818 #endif /* OPENSSL_NO_EC */
1819
1820         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1821                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1822         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1823                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1824
1825 #ifdef TLSEXT_TYPE_opaque_prf_input
1826         if (s->s3->server_opaque_prf_input_len > 0)
1827                 {
1828                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1829                  * So first verify that we really have a value from the server too. */
1830
1831                 if (s->s3->server_opaque_prf_input == NULL)
1832                         {
1833                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1834                         al = SSL_AD_HANDSHAKE_FAILURE;
1835                         }
1836                 
1837                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1838                  * that we have a client opaque PRF input of the same size. */
1839                 if (s->s3->client_opaque_prf_input == NULL ||
1840                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1841                         {
1842                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1843                         al = SSL_AD_ILLEGAL_PARAMETER;
1844                         }
1845                 }
1846 #endif
1847
1848         /* If we've requested certificate status and we wont get one
1849          * tell the callback
1850          */
1851         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1852                         && s->ctx && s->ctx->tlsext_status_cb)
1853                 {
1854                 int r;
1855                 /* Set resp to NULL, resplen to -1 so callback knows
1856                  * there is no response.
1857                  */
1858                 if (s->tlsext_ocsp_resp)
1859                         {
1860                         OPENSSL_free(s->tlsext_ocsp_resp);
1861                         s->tlsext_ocsp_resp = NULL;
1862                         }
1863                 s->tlsext_ocsp_resplen = -1;
1864                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1865                 if (r == 0)
1866                         {
1867                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1868                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1869                         }
1870                 if (r < 0)
1871                         {
1872                         al = SSL_AD_INTERNAL_ERROR;
1873                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1874                         }
1875                 }
1876
1877         switch (ret)
1878                 {
1879                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1880                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1881                         return -1;
1882
1883                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1884                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1885                         return 1; 
1886                                         
1887                 case SSL_TLSEXT_ERR_NOACK:
1888                         s->servername_done=0;
1889                         default:
1890                 return 1;
1891                 }
1892         }
1893
1894 /* Since the server cache lookup is done early on in the processing of the
1895  * ClientHello, and other operations depend on the result, we need to handle
1896  * any TLS session ticket extension at the same time.
1897  *
1898  *   session_id: points at the session ID in the ClientHello. This code will
1899  *       read past the end of this in order to parse out the session ticket
1900  *       extension, if any.
1901  *   len: the length of the session ID.
1902  *   limit: a pointer to the first byte after the ClientHello.
1903  *   ret: (output) on return, if a ticket was decrypted, then this is set to
1904  *       point to the resulting session.
1905  *
1906  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1907  * ciphersuite, in which case we have no use for session tickets and one will
1908  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1909  *
1910  * Returns:
1911  *   -1: fatal error, either from parsing or decrypting the ticket.
1912  *    0: no ticket was found (or was ignored, based on settings).
1913  *    1: a zero length extension was found, indicating that the client supports
1914  *       session tickets but doesn't currently have one to offer.
1915  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
1916  *       couldn't be decrypted because of a non-fatal error.
1917  *    3: a ticket was successfully decrypted and *ret was set.
1918  *
1919  * Side effects:
1920  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
1921  *   a new session ticket to the client because the client indicated support
1922  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1923  *   a session ticket or we couldn't use the one it gave us, or if
1924  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1925  *   Otherwise, s->tlsext_ticket_expected is set to 0.
1926  */
1927 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1928                         const unsigned char *limit, SSL_SESSION **ret)
1929         {
1930         /* Point after session ID in client hello */
1931         const unsigned char *p = session_id + len;
1932         unsigned short i;
1933
1934         *ret = NULL;
1935         s->tlsext_ticket_expected = 0;
1936
1937         /* If tickets disabled behave as if no ticket present
1938          * to permit stateful resumption.
1939          */
1940         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1941                 return 0;
1942         if ((s->version <= SSL3_VERSION) || !limit)
1943                 return 0;
1944         if (p >= limit)
1945                 return -1;
1946         /* Skip past DTLS cookie */
1947         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1948                 {
1949                 i = *(p++);
1950                 p+= i;
1951                 if (p >= limit)
1952                         return -1;
1953                 }
1954         /* Skip past cipher list */
1955         n2s(p, i);
1956         p+= i;
1957         if (p >= limit)
1958                 return -1;
1959         /* Skip past compression algorithm list */
1960         i = *(p++);
1961         p += i;
1962         if (p > limit)
1963                 return -1;
1964         /* Now at start of extensions */
1965         if ((p + 2) >= limit)
1966                 return 0;
1967         n2s(p, i);
1968         while ((p + 4) <= limit)
1969                 {
1970                 unsigned short type, size;
1971                 n2s(p, type);
1972                 n2s(p, size);
1973                 if (p + size > limit)
1974                         return 0;
1975                 if (type == TLSEXT_TYPE_session_ticket)
1976                         {
1977                         int r;
1978                         if (size == 0)
1979                                 {
1980                                 /* The client will accept a ticket but doesn't
1981                                  * currently have one. */
1982                                 s->tlsext_ticket_expected = 1;
1983                                 return 1;
1984                                 }
1985                         if (s->tls_session_secret_cb)
1986                                 {
1987                                 /* Indicate that the ticket couldn't be
1988                                  * decrypted rather than generating the session
1989                                  * from ticket now, trigger abbreviated
1990                                  * handshake based on external mechanism to
1991                                  * calculate the master secret later. */
1992                                 return 2;
1993                                 }
1994                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
1995                         switch (r)
1996                                 {
1997                                 case 2: /* ticket couldn't be decrypted */
1998                                         s->tlsext_ticket_expected = 1;
1999                                         return 2;
2000                                 case 3: /* ticket was decrypted */
2001                                         return r;
2002                                 case 4: /* ticket decrypted but need to renew */
2003                                         s->tlsext_ticket_expected = 1;
2004                                         return 3;
2005                                 default: /* fatal error */
2006                                         return -1;
2007                                 }
2008                         }
2009                 p += size;
2010                 }
2011         return 0;
2012         }
2013
2014 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2015  *
2016  *   etick: points to the body of the session ticket extension.
2017  *   eticklen: the length of the session tickets extenion.
2018  *   sess_id: points at the session ID.
2019  *   sesslen: the length of the session ID.
2020  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2021  *       point to the resulting session.
2022  *
2023  * Returns:
2024  *   -1: fatal error, either from parsing or decrypting the ticket.
2025  *    2: the ticket couldn't be decrypted.
2026  *    3: a ticket was successfully decrypted and *psess was set.
2027  *    4: same as 3, but the ticket needs to be renewed.
2028  */
2029 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2030                                 const unsigned char *sess_id, int sesslen,
2031                                 SSL_SESSION **psess)
2032         {
2033         SSL_SESSION *sess;
2034         unsigned char *sdec;
2035         const unsigned char *p;
2036         int slen, mlen, renew_ticket = 0;
2037         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2038         HMAC_CTX hctx;
2039         EVP_CIPHER_CTX ctx;
2040         SSL_CTX *tctx = s->initial_ctx;
2041         /* Need at least keyname + iv + some encrypted data */
2042         if (eticklen < 48)
2043                 return 2;
2044         /* Initialize session ticket encryption and HMAC contexts */
2045         HMAC_CTX_init(&hctx);
2046         EVP_CIPHER_CTX_init(&ctx);
2047         if (tctx->tlsext_ticket_key_cb)
2048                 {
2049                 unsigned char *nctick = (unsigned char *)etick;
2050                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2051                                                         &ctx, &hctx, 0);
2052                 if (rv < 0)
2053                         return -1;
2054                 if (rv == 0)
2055                         return 2;
2056                 if (rv == 2)
2057                         renew_ticket = 1;
2058                 }
2059         else
2060                 {
2061                 /* Check key name matches */
2062                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2063                         return 2;
2064                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2065                                         tlsext_tick_md(), NULL);
2066                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2067                                 tctx->tlsext_tick_aes_key, etick + 16);
2068                 }
2069         /* Attempt to process session ticket, first conduct sanity and
2070          * integrity checks on ticket.
2071          */
2072         mlen = HMAC_size(&hctx);
2073         if (mlen < 0)
2074                 {
2075                 EVP_CIPHER_CTX_cleanup(&ctx);
2076                 return -1;
2077                 }
2078         eticklen -= mlen;
2079         /* Check HMAC of encrypted ticket */
2080         HMAC_Update(&hctx, etick, eticklen);
2081         HMAC_Final(&hctx, tick_hmac, NULL);
2082         HMAC_CTX_cleanup(&hctx);
2083         if (memcmp(tick_hmac, etick + eticklen, mlen))
2084                 return 2;
2085         /* Attempt to decrypt session data */
2086         /* Move p after IV to start of encrypted ticket, update length */
2087         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2088         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2089         sdec = OPENSSL_malloc(eticklen);
2090         if (!sdec)
2091                 {
2092                 EVP_CIPHER_CTX_cleanup(&ctx);
2093                 return -1;
2094                 }
2095         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2096         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2097                 return 2;
2098         slen += mlen;
2099         EVP_CIPHER_CTX_cleanup(&ctx);
2100         p = sdec;
2101
2102         sess = d2i_SSL_SESSION(NULL, &p, slen);
2103         OPENSSL_free(sdec);
2104         if (sess)
2105                 {
2106                 /* The session ID, if non-empty, is used by some clients to
2107                  * detect that the ticket has been accepted. So we copy it to
2108                  * the session structure. If it is empty set length to zero
2109                  * as required by standard.
2110                  */
2111                 if (sesslen)
2112                         memcpy(sess->session_id, sess_id, sesslen);
2113                 sess->session_id_length = sesslen;
2114                 *psess = sess;
2115                 if (renew_ticket)
2116                         return 4;
2117                 else
2118                         return 3;
2119                 }
2120         ERR_clear_error();
2121         /* For session parse failure, indicate that we need to send a new
2122          * ticket. */
2123         return 2;
2124         }
2125
2126 /* Tables to translate from NIDs to TLS v1.2 ids */
2127
2128 typedef struct 
2129         {
2130         int nid;
2131         int id;
2132         } tls12_lookup;
2133
2134 static tls12_lookup tls12_md[] = {
2135 #ifndef OPENSSL_NO_MD5
2136         {NID_md5, TLSEXT_hash_md5},
2137 #endif
2138 #ifndef OPENSSL_NO_SHA
2139         {NID_sha1, TLSEXT_hash_sha1},
2140 #endif
2141 #ifndef OPENSSL_NO_SHA256
2142         {NID_sha224, TLSEXT_hash_sha224},
2143         {NID_sha256, TLSEXT_hash_sha256},
2144 #endif
2145 #ifndef OPENSSL_NO_SHA512
2146         {NID_sha384, TLSEXT_hash_sha384},
2147         {NID_sha512, TLSEXT_hash_sha512}
2148 #endif
2149 };
2150
2151 static tls12_lookup tls12_sig[] = {
2152 #ifndef OPENSSL_NO_RSA
2153         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2154 #endif
2155 #ifndef OPENSSL_NO_RSA
2156         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2157 #endif
2158 #ifndef OPENSSL_NO_ECDSA
2159         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2160 #endif
2161 };
2162
2163 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2164         {
2165         size_t i;
2166         for (i = 0; i < tlen; i++)
2167                 {
2168                 if (table[i].nid == nid)
2169                         return table[i].id;
2170                 }
2171         return -1;
2172         }
2173 #if 0
2174 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2175         {
2176         size_t i;
2177         for (i = 0; i < tlen; i++)
2178                 {
2179                 if (table[i].id == id)
2180                         return table[i].nid;
2181                 }
2182         return -1;
2183         }
2184 #endif
2185
2186 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2187         {
2188         int sig_id, md_id;
2189         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2190                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2191         if (md_id == -1)
2192                 return 0;
2193         sig_id = tls12_get_sigid(pk);
2194         if (sig_id == -1)
2195                 return 0;
2196         p[0] = (unsigned char)md_id;
2197         p[1] = (unsigned char)sig_id;
2198         return 1;
2199         }
2200
2201 int tls12_get_sigid(const EVP_PKEY *pk)
2202         {
2203         return tls12_find_id(pk->type, tls12_sig,
2204                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2205         }
2206
2207 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2208         {
2209         switch(hash_alg)
2210                 {
2211 #ifndef OPENSSL_NO_MD5
2212                 case TLSEXT_hash_md5:
2213 #ifdef OPENSSL_FIPS
2214                 if (FIPS_mode())
2215                         return NULL;
2216 #endif
2217                 return EVP_md5();
2218 #endif
2219 #ifndef OPENSSL_NO_SHA
2220                 case TLSEXT_hash_sha1:
2221                 return EVP_sha1();
2222 #endif
2223 #ifndef OPENSSL_NO_SHA256
2224                 case TLSEXT_hash_sha224:
2225                 return EVP_sha224();
2226
2227                 case TLSEXT_hash_sha256:
2228                 return EVP_sha256();
2229 #endif
2230 #ifndef OPENSSL_NO_SHA512
2231                 case TLSEXT_hash_sha384:
2232                 return EVP_sha384();
2233
2234                 case TLSEXT_hash_sha512:
2235                 return EVP_sha512();
2236 #endif
2237                 default:
2238                 return NULL;
2239
2240                 }
2241         }
2242
2243 /* Set preferred digest for each key type */
2244
2245 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2246         {
2247         int i, idx;
2248         const EVP_MD *md;
2249         CERT *c = s->cert;
2250         /* Extension ignored for TLS versions below 1.2 */
2251         if (TLS1_get_version(s) < TLS1_2_VERSION)
2252                 return 1;
2253         /* Should never happen */
2254         if (!c)
2255                 return 0;
2256
2257         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2258         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2259         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2260         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2261
2262         for (i = 0; i < dsize; i += 2)
2263                 {
2264                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2265
2266                 switch(sig_alg)
2267                         {
2268 #ifndef OPENSSL_NO_RSA
2269                         case TLSEXT_signature_rsa:
2270                         idx = SSL_PKEY_RSA_SIGN;
2271                         break;
2272 #endif
2273 #ifndef OPENSSL_NO_DSA
2274                         case TLSEXT_signature_dsa:
2275                         idx = SSL_PKEY_DSA_SIGN;
2276                         break;
2277 #endif
2278 #ifndef OPENSSL_NO_ECDSA
2279                         case TLSEXT_signature_ecdsa:
2280                         idx = SSL_PKEY_ECC;
2281                         break;
2282 #endif
2283                         default:
2284                         continue;
2285                         }
2286
2287                 if (c->pkeys[idx].digest == NULL)
2288                         {
2289                         md = tls12_get_hash(hash_alg);
2290                         if (md)
2291                                 {
2292                                 c->pkeys[idx].digest = md;
2293                                 if (idx == SSL_PKEY_RSA_SIGN)
2294                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2295                                 }
2296                         }
2297
2298                 }
2299
2300
2301         /* Set any remaining keys to default values. NOTE: if alg is not
2302          * supported it stays as NULL.
2303          */
2304 #ifndef OPENSSL_NO_DSA
2305         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2306                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2307 #endif
2308 #ifndef OPENSSL_NO_RSA
2309         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2310                 {
2311                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2312                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2313                 }
2314 #endif
2315 #ifndef OPENSSL_NO_ECDSA
2316         if (!c->pkeys[SSL_PKEY_ECC].digest)
2317                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2318 #endif
2319         return 1;
2320         }
2321
2322 #endif