Fix memory leak.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542 /* Check EC server key is compatible with client extensions */
543 int tls1_check_ec_server_key(SSL *s)
544         {
545         int rv;
546         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
547         EVP_PKEY *pkey;
548         unsigned char comp_id, curve_id[2];
549         if (!cpk->x509 || !cpk->privatekey)
550                 return 0;
551         pkey = X509_get_pubkey(cpk->x509);
552         if (!pkey)
553                 return 0;
554         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
555         EVP_PKEY_free(pkey);
556         if (!rv)
557                 return 0;
558         return tls1_check_ec_key(s, curve_id, &comp_id);
559         }
560 /* Check EC temporary key is compatible with client extensions */
561 int tls1_check_ec_tmp_key(SSL *s)
562         {
563         unsigned char curve_id[2];
564         EC_KEY *ec = s->cert->ecdh_tmp;
565         if (s->cert->ecdh_tmp_auto)
566                 {
567                 /* Need a shared curve */
568                 if (tls1_shared_curve(s, 0))
569                         return 1;
570                 else return 0;
571                 }
572         if (!ec)
573                 {
574                 if (s->cert->ecdh_tmp_cb)
575                         return 1;
576                 else
577                         return 0;
578                 }
579         if (!tls1_set_ec_id(curve_id, NULL, ec))
580                 return 1;
581         return tls1_check_ec_key(s, curve_id, NULL);
582         }
583
584 #endif /* OPENSSL_NO_EC */
585
586 #ifndef OPENSSL_NO_TLSEXT
587
588 /* List of supported signature algorithms and hashes. Should make this
589  * customisable at some point, for now include everything we support.
590  */
591
592 #ifdef OPENSSL_NO_RSA
593 #define tlsext_sigalg_rsa(md) /* */
594 #else
595 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
596 #endif
597
598 #ifdef OPENSSL_NO_DSA
599 #define tlsext_sigalg_dsa(md) /* */
600 #else
601 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
602 #endif
603
604 #ifdef OPENSSL_NO_ECDSA
605 #define tlsext_sigalg_ecdsa(md) /* */
606 #else
607 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
608 #endif
609
610 #define tlsext_sigalg(md) \
611                 tlsext_sigalg_rsa(md) \
612                 tlsext_sigalg_dsa(md) \
613                 tlsext_sigalg_ecdsa(md)
614
615 static unsigned char tls12_sigalgs[] = {
616 #ifndef OPENSSL_NO_SHA512
617         tlsext_sigalg(TLSEXT_hash_sha512)
618         tlsext_sigalg(TLSEXT_hash_sha384)
619 #endif
620 #ifndef OPENSSL_NO_SHA256
621         tlsext_sigalg(TLSEXT_hash_sha256)
622         tlsext_sigalg(TLSEXT_hash_sha224)
623 #endif
624 #ifndef OPENSSL_NO_SHA
625         tlsext_sigalg(TLSEXT_hash_sha1)
626 #endif
627 #ifndef OPENSSL_NO_MD5
628         tlsext_sigalg_rsa(TLSEXT_hash_md5)
629 #endif
630 };
631
632 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
633         {
634         size_t slen = sizeof(tls12_sigalgs);
635 #ifdef OPENSSL_FIPS
636         /* If FIPS mode don't include MD5 which is last */
637         if (FIPS_mode())
638                 slen -= 2;
639 #endif
640         if (p)
641                 memcpy(p, tls12_sigalgs, slen);
642         return (int)slen;
643         }
644
645 /* byte_compare is a compare function for qsort(3) that compares bytes. */
646 static int byte_compare(const void *in_a, const void *in_b)
647         {
648         unsigned char a = *((const unsigned char*) in_a);
649         unsigned char b = *((const unsigned char*) in_b);
650
651         if (a > b)
652                 return 1;
653         else if (a < b)
654                 return -1;
655         return 0;
656 }
657
658 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
659         {
660         int extdatalen=0;
661         unsigned char *ret = p;
662 #ifndef OPENSSL_NO_EC
663         /* See if we support any ECC ciphersuites */
664         int using_ecc = 0;
665         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
666                 {
667                 int i;
668                 unsigned long alg_k, alg_a;
669                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
670
671                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
672                         {
673                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
674
675                         alg_k = c->algorithm_mkey;
676                         alg_a = c->algorithm_auth;
677                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
678                                 || (alg_a & SSL_aECDSA)))
679                                 {
680                                 using_ecc = 1;
681                                 break;
682                                 }
683                         }
684                 }
685 #endif
686
687         /* don't add extensions for SSLv3 unless doing secure renegotiation */
688         if (s->client_version == SSL3_VERSION
689                                         && !s->s3->send_connection_binding)
690                 return p;
691
692         ret+=2;
693
694         if (ret>=limit) return NULL; /* this really never occurs, but ... */
695
696         if (s->tlsext_hostname != NULL)
697                 { 
698                 /* Add TLS extension servername to the Client Hello message */
699                 unsigned long size_str;
700                 long lenmax; 
701
702                 /* check for enough space.
703                    4 for the servername type and entension length
704                    2 for servernamelist length
705                    1 for the hostname type
706                    2 for hostname length
707                    + hostname length 
708                 */
709                    
710                 if ((lenmax = limit - ret - 9) < 0 
711                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
712                         return NULL;
713                         
714                 /* extension type and length */
715                 s2n(TLSEXT_TYPE_server_name,ret); 
716                 s2n(size_str+5,ret);
717                 
718                 /* length of servername list */
719                 s2n(size_str+3,ret);
720         
721                 /* hostname type, length and hostname */
722                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
723                 s2n(size_str,ret);
724                 memcpy(ret, s->tlsext_hostname, size_str);
725                 ret+=size_str;
726                 }
727
728         /* Add RI if renegotiating */
729         if (s->renegotiate)
730           {
731           int el;
732           
733           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
734               {
735               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
736               return NULL;
737               }
738
739           if((limit - p - 4 - el) < 0) return NULL;
740           
741           s2n(TLSEXT_TYPE_renegotiate,ret);
742           s2n(el,ret);
743
744           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
745               {
746               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
747               return NULL;
748               }
749
750           ret += el;
751         }
752
753 #ifndef OPENSSL_NO_SRP
754         /* Add SRP username if there is one */
755         if (s->srp_ctx.login != NULL)
756                 { /* Add TLS extension SRP username to the Client Hello message */
757
758                 int login_len = strlen(s->srp_ctx.login);       
759                 if (login_len > 255 || login_len == 0)
760                         {
761                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
762                         return NULL;
763                         } 
764
765                 /* check for enough space.
766                    4 for the srp type type and entension length
767                    1 for the srp user identity
768                    + srp user identity length 
769                 */
770                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
771
772                 /* fill in the extension */
773                 s2n(TLSEXT_TYPE_srp,ret);
774                 s2n(login_len+1,ret);
775                 (*ret++) = (unsigned char) login_len;
776                 memcpy(ret, s->srp_ctx.login, login_len);
777                 ret+=login_len;
778                 }
779 #endif
780
781 #ifndef OPENSSL_NO_EC
782         if (using_ecc)
783                 {
784                 /* Add TLS extension ECPointFormats to the ClientHello message */
785                 long lenmax; 
786                 const unsigned char *plist;
787                 size_t plistlen;
788                 /* If we have a custom point format list use it otherwise
789                  * use default */
790                 plist = s->tlsext_ecpointformatlist;
791                 if (plist)
792                         plistlen = s->tlsext_ecpointformatlist_length;
793                 else
794                         {
795                         plist = ecformats_default;
796                         plistlen = sizeof(ecformats_default);
797                         }
798
799                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
800                 if (plistlen > (size_t)lenmax) return NULL;
801                 if (plistlen > 255)
802                         {
803                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
804                         return NULL;
805                         }
806                 
807                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
808                 s2n(plistlen + 1,ret);
809                 *(ret++) = (unsigned char)plistlen ;
810                 memcpy(ret, plist, plistlen);
811                 ret+=plistlen;
812
813                 /* Add TLS extension EllipticCurves to the ClientHello message */
814                 plist = s->tlsext_ellipticcurvelist;
815                 tls1_get_curvelist(s, 0, &plist, &plistlen);
816
817                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
818                 if (plistlen > (size_t)lenmax) return NULL;
819                 if (plistlen > 65532)
820                         {
821                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
822                         return NULL;
823                         }
824                 
825                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
826                 s2n(plistlen + 2, ret);
827
828                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
829                  * elliptic_curve_list, but the examples use two bytes.
830                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
831                  * resolves this to two bytes.
832                  */
833                 s2n(plistlen, ret);
834                 memcpy(ret, plist, plistlen);
835                 ret+=plistlen;
836                 }
837 #endif /* OPENSSL_NO_EC */
838
839         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
840                 {
841                 int ticklen;
842                 if (!s->new_session && s->session && s->session->tlsext_tick)
843                         ticklen = s->session->tlsext_ticklen;
844                 else if (s->session && s->tlsext_session_ticket &&
845                          s->tlsext_session_ticket->data)
846                         {
847                         ticklen = s->tlsext_session_ticket->length;
848                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
849                         if (!s->session->tlsext_tick)
850                                 return NULL;
851                         memcpy(s->session->tlsext_tick,
852                                s->tlsext_session_ticket->data,
853                                ticklen);
854                         s->session->tlsext_ticklen = ticklen;
855                         }
856                 else
857                         ticklen = 0;
858                 if (ticklen == 0 && s->tlsext_session_ticket &&
859                     s->tlsext_session_ticket->data == NULL)
860                         goto skip_ext;
861                 /* Check for enough room 2 for extension type, 2 for len
862                  * rest for ticket
863                  */
864                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
865                 s2n(TLSEXT_TYPE_session_ticket,ret); 
866                 s2n(ticklen,ret);
867                 if (ticklen)
868                         {
869                         memcpy(ret, s->session->tlsext_tick, ticklen);
870                         ret += ticklen;
871                         }
872                 }
873                 skip_ext:
874
875         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
876                 {
877                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
878                         return NULL; 
879                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
880                 s2n(sizeof(tls12_sigalgs) + 2, ret);
881                 s2n(sizeof(tls12_sigalgs), ret);
882                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
883                 ret += sizeof(tls12_sigalgs);
884                 }
885
886 #ifdef TLSEXT_TYPE_opaque_prf_input
887         if (s->s3->client_opaque_prf_input != NULL &&
888             s->version != DTLS1_VERSION)
889                 {
890                 size_t col = s->s3->client_opaque_prf_input_len;
891                 
892                 if ((long)(limit - ret - 6 - col < 0))
893                         return NULL;
894                 if (col > 0xFFFD) /* can't happen */
895                         return NULL;
896
897                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
898                 s2n(col + 2, ret);
899                 s2n(col, ret);
900                 memcpy(ret, s->s3->client_opaque_prf_input, col);
901                 ret += col;
902                 }
903 #endif
904
905         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
906             s->version != DTLS1_VERSION)
907                 {
908                 int i;
909                 long extlen, idlen, itmp;
910                 OCSP_RESPID *id;
911
912                 idlen = 0;
913                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
914                         {
915                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
916                         itmp = i2d_OCSP_RESPID(id, NULL);
917                         if (itmp <= 0)
918                                 return NULL;
919                         idlen += itmp + 2;
920                         }
921
922                 if (s->tlsext_ocsp_exts)
923                         {
924                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
925                         if (extlen < 0)
926                                 return NULL;
927                         }
928                 else
929                         extlen = 0;
930                         
931                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
932                 s2n(TLSEXT_TYPE_status_request, ret);
933                 if (extlen + idlen > 0xFFF0)
934                         return NULL;
935                 s2n(extlen + idlen + 5, ret);
936                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
937                 s2n(idlen, ret);
938                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
939                         {
940                         /* save position of id len */
941                         unsigned char *q = ret;
942                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
943                         /* skip over id len */
944                         ret += 2;
945                         itmp = i2d_OCSP_RESPID(id, &ret);
946                         /* write id len */
947                         s2n(itmp, q);
948                         }
949                 s2n(extlen, ret);
950                 if (extlen > 0)
951                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
952                 }
953
954 #ifndef OPENSSL_NO_HEARTBEATS
955         /* Add Heartbeat extension */
956         s2n(TLSEXT_TYPE_heartbeat,ret);
957         s2n(1,ret);
958         /* Set mode:
959          * 1: peer may send requests
960          * 2: peer not allowed to send requests
961          */
962         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
963                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
964         else
965                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
966 #endif
967
968 #ifndef OPENSSL_NO_NEXTPROTONEG
969         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
970                 {
971                 /* The client advertises an emtpy extension to indicate its
972                  * support for Next Protocol Negotiation */
973                 if (limit - ret - 4 < 0)
974                         return NULL;
975                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
976                 s2n(0,ret);
977                 }
978 #endif
979
980         if(SSL_get_srtp_profiles(s))
981                 {
982                 int el;
983
984                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
985                 
986                 if((limit - p - 4 - el) < 0) return NULL;
987
988                 s2n(TLSEXT_TYPE_use_srtp,ret);
989                 s2n(el,ret);
990
991                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
992                         {
993                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
994                         return NULL;
995                         }
996                 ret += el;
997                 }
998
999         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1000         /* 2 bytes for extension type */
1001         /* 2 bytes for extension length */
1002         /* 1 byte for the list length */
1003         /* 1 byte for the list (we only support audit proofs) */
1004         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1005                 {
1006                 size_t lenmax;
1007                 const unsigned short ext_len = 2;
1008                 const unsigned char list_len = 1;
1009
1010                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1011
1012                 s2n(TLSEXT_TYPE_server_authz, ret);
1013                 /* Extension length: 2 bytes */
1014                 s2n(ext_len, ret);
1015                 *(ret++) = list_len;
1016                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1017                 }
1018
1019         if ((extdatalen = ret-p-2) == 0)
1020                 return p;
1021
1022         s2n(extdatalen,p);
1023         return ret;
1024         }
1025
1026 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1027         {
1028         int extdatalen=0;
1029         unsigned char *ret = p;
1030 #ifndef OPENSSL_NO_NEXTPROTONEG
1031         int next_proto_neg_seen;
1032 #endif
1033
1034         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1035         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1036                 return p;
1037         
1038         ret+=2;
1039         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1040
1041         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1042                 { 
1043                 if ((long)(limit - ret - 4) < 0) return NULL; 
1044
1045                 s2n(TLSEXT_TYPE_server_name,ret);
1046                 s2n(0,ret);
1047                 }
1048
1049         if(s->s3->send_connection_binding)
1050         {
1051           int el;
1052           
1053           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1054               {
1055               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1056               return NULL;
1057               }
1058
1059           if((limit - p - 4 - el) < 0) return NULL;
1060           
1061           s2n(TLSEXT_TYPE_renegotiate,ret);
1062           s2n(el,ret);
1063
1064           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1065               {
1066               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1067               return NULL;
1068               }
1069
1070           ret += el;
1071         }
1072
1073 #ifndef OPENSSL_NO_EC
1074         if (s->tlsext_ecpointformatlist != NULL &&
1075             s->version != DTLS1_VERSION)
1076                 {
1077                 /* Add TLS extension ECPointFormats to the ServerHello message */
1078                 long lenmax; 
1079
1080                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1081                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1082                 if (s->tlsext_ecpointformatlist_length > 255)
1083                         {
1084                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1085                         return NULL;
1086                         }
1087                 
1088                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1089                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1090                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1091                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1092                 ret+=s->tlsext_ecpointformatlist_length;
1093
1094                 }
1095         /* Currently the server should not respond with a SupportedCurves extension */
1096 #endif /* OPENSSL_NO_EC */
1097
1098         if (s->tlsext_ticket_expected
1099                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1100                 { 
1101                 if ((long)(limit - ret - 4) < 0) return NULL; 
1102                 s2n(TLSEXT_TYPE_session_ticket,ret);
1103                 s2n(0,ret);
1104                 }
1105
1106         if (s->tlsext_status_expected)
1107                 { 
1108                 if ((long)(limit - ret - 4) < 0) return NULL; 
1109                 s2n(TLSEXT_TYPE_status_request,ret);
1110                 s2n(0,ret);
1111                 }
1112
1113 #ifdef TLSEXT_TYPE_opaque_prf_input
1114         if (s->s3->server_opaque_prf_input != NULL &&
1115             s->version != DTLS1_VERSION)
1116                 {
1117                 size_t sol = s->s3->server_opaque_prf_input_len;
1118                 
1119                 if ((long)(limit - ret - 6 - sol) < 0)
1120                         return NULL;
1121                 if (sol > 0xFFFD) /* can't happen */
1122                         return NULL;
1123
1124                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1125                 s2n(sol + 2, ret);
1126                 s2n(sol, ret);
1127                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1128                 ret += sol;
1129                 }
1130 #endif
1131
1132         if(s->srtp_profile)
1133                 {
1134                 int el;
1135
1136                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1137                 
1138                 if((limit - p - 4 - el) < 0) return NULL;
1139
1140                 s2n(TLSEXT_TYPE_use_srtp,ret);
1141                 s2n(el,ret);
1142
1143                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1144                         {
1145                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1146                         return NULL;
1147                         }
1148                 ret+=el;
1149                 }
1150
1151         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1152                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1153                 { const unsigned char cryptopro_ext[36] = {
1154                         0xfd, 0xe8, /*65000*/
1155                         0x00, 0x20, /*32 bytes length*/
1156                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1157                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1158                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1159                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1160                         if (limit-ret<36) return NULL;
1161                         memcpy(ret,cryptopro_ext,36);
1162                         ret+=36;
1163
1164                 }
1165
1166 #ifndef OPENSSL_NO_HEARTBEATS
1167         /* Add Heartbeat extension if we've received one */
1168         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1169                 {
1170                 s2n(TLSEXT_TYPE_heartbeat,ret);
1171                 s2n(1,ret);
1172                 /* Set mode:
1173                  * 1: peer may send requests
1174                  * 2: peer not allowed to send requests
1175                  */
1176                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1177                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1178                 else
1179                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1180
1181                 }
1182 #endif
1183
1184 #ifndef OPENSSL_NO_NEXTPROTONEG
1185         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1186         s->s3->next_proto_neg_seen = 0;
1187         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1188                 {
1189                 const unsigned char *npa;
1190                 unsigned int npalen;
1191                 int r;
1192
1193                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1194                 if (r == SSL_TLSEXT_ERR_OK)
1195                         {
1196                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1197                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1198                         s2n(npalen,ret);
1199                         memcpy(ret, npa, npalen);
1200                         ret += npalen;
1201                         s->s3->next_proto_neg_seen = 1;
1202                         }
1203                 }
1204 #endif
1205
1206         /* If the client supports authz then see whether we have any to offer
1207          * to it. */
1208         if (s->s3->tlsext_authz_client_types_len)
1209                 {
1210                 size_t authz_length;
1211                 /* By now we already know the new cipher, so we can look ahead
1212                  * to see whether the cert we are going to send
1213                  * has any authz data attached to it. */
1214                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1215                 const unsigned char* const orig_authz = authz;
1216                 size_t i;
1217                 unsigned authz_count = 0;
1218
1219                 /* The authz data contains a number of the following structures:
1220                  *      uint8_t authz_type
1221                  *      uint16_t length
1222                  *      uint8_t data[length]
1223                  *
1224                  * First we walk over it to find the number of authz elements. */
1225                 for (i = 0; i < authz_length; i++)
1226                         {
1227                         unsigned short length;
1228                         unsigned char type;
1229
1230                         type = *(authz++);
1231                         if (memchr(s->s3->tlsext_authz_client_types,
1232                                    type,
1233                                    s->s3->tlsext_authz_client_types_len) != NULL)
1234                                 authz_count++;
1235
1236                         n2s(authz, length);
1237                         /* n2s increments authz by 2 */
1238                         i += 2;
1239                         authz += length;
1240                         i += length;
1241                         }
1242
1243                 if (authz_count)
1244                         {
1245                         /* Add TLS extension server_authz to the ServerHello message
1246                          * 2 bytes for extension type
1247                          * 2 bytes for extension length
1248                          * 1 byte for the list length
1249                          * n bytes for the list */
1250                         const unsigned short ext_len = 1 + authz_count;
1251
1252                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1253                         s2n(TLSEXT_TYPE_server_authz, ret);
1254                         s2n(ext_len, ret);
1255                         *(ret++) = authz_count;
1256                         s->s3->tlsext_authz_promised_to_client = 1;
1257                         }
1258
1259                 authz = orig_authz;
1260                 for (i = 0; i < authz_length; i++)
1261                         {
1262                         unsigned short length;
1263                         unsigned char type;
1264
1265                         authz_count++;
1266                         type = *(authz++);
1267                         if (memchr(s->s3->tlsext_authz_client_types,
1268                                    type,
1269                                    s->s3->tlsext_authz_client_types_len) != NULL)
1270                                 *(ret++) = type;
1271                         n2s(authz, length);
1272                         /* n2s increments authz by 2 */
1273                         i += 2;
1274                         authz += length;
1275                         i += length;
1276                         }
1277                 }
1278
1279         if ((extdatalen = ret-p-2)== 0) 
1280                 return p;
1281
1282         s2n(extdatalen,p);
1283         return ret;
1284         }
1285
1286 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1287         {       
1288         unsigned short type;
1289         unsigned short size;
1290         unsigned short len;
1291         unsigned char *data = *p;
1292         int renegotiate_seen = 0;
1293         int sigalg_seen = 0;
1294
1295         s->servername_done = 0;
1296         s->tlsext_status_type = -1;
1297 #ifndef OPENSSL_NO_NEXTPROTONEG
1298         s->s3->next_proto_neg_seen = 0;
1299 #endif
1300
1301 #ifndef OPENSSL_NO_HEARTBEATS
1302         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1303                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1304 #endif
1305
1306         if (data >= (d+n-2))
1307                 goto ri_check;
1308         n2s(data,len);
1309
1310         if (data > (d+n-len)) 
1311                 goto ri_check;
1312
1313         while (data <= (d+n-4))
1314                 {
1315                 n2s(data,type);
1316                 n2s(data,size);
1317
1318                 if (data+size > (d+n))
1319                         goto ri_check;
1320 #if 0
1321                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1322 #endif
1323                 if (s->tlsext_debug_cb)
1324                         s->tlsext_debug_cb(s, 0, type, data, size,
1325                                                 s->tlsext_debug_arg);
1326 /* The servername extension is treated as follows:
1327
1328    - Only the hostname type is supported with a maximum length of 255.
1329    - The servername is rejected if too long or if it contains zeros,
1330      in which case an fatal alert is generated.
1331    - The servername field is maintained together with the session cache.
1332    - When a session is resumed, the servername call back invoked in order
1333      to allow the application to position itself to the right context. 
1334    - The servername is acknowledged if it is new for a session or when 
1335      it is identical to a previously used for the same session. 
1336      Applications can control the behaviour.  They can at any time
1337      set a 'desirable' servername for a new SSL object. This can be the
1338      case for example with HTTPS when a Host: header field is received and
1339      a renegotiation is requested. In this case, a possible servername
1340      presented in the new client hello is only acknowledged if it matches
1341      the value of the Host: field. 
1342    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1343      if they provide for changing an explicit servername context for the session,
1344      i.e. when the session has been established with a servername extension. 
1345    - On session reconnect, the servername extension may be absent. 
1346
1347 */      
1348
1349                 if (type == TLSEXT_TYPE_server_name)
1350                         {
1351                         unsigned char *sdata;
1352                         int servname_type;
1353                         int dsize; 
1354                 
1355                         if (size < 2) 
1356                                 {
1357                                 *al = SSL_AD_DECODE_ERROR;
1358                                 return 0;
1359                                 }
1360                         n2s(data,dsize);  
1361                         size -= 2;
1362                         if (dsize > size  ) 
1363                                 {
1364                                 *al = SSL_AD_DECODE_ERROR;
1365                                 return 0;
1366                                 } 
1367
1368                         sdata = data;
1369                         while (dsize > 3) 
1370                                 {
1371                                 servname_type = *(sdata++); 
1372                                 n2s(sdata,len);
1373                                 dsize -= 3;
1374
1375                                 if (len > dsize) 
1376                                         {
1377                                         *al = SSL_AD_DECODE_ERROR;
1378                                         return 0;
1379                                         }
1380                                 if (s->servername_done == 0)
1381                                 switch (servname_type)
1382                                         {
1383                                 case TLSEXT_NAMETYPE_host_name:
1384                                         if (!s->hit)
1385                                                 {
1386                                                 if(s->session->tlsext_hostname)
1387                                                         {
1388                                                         *al = SSL_AD_DECODE_ERROR;
1389                                                         return 0;
1390                                                         }
1391                                                 if (len > TLSEXT_MAXLEN_host_name)
1392                                                         {
1393                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1394                                                         return 0;
1395                                                         }
1396                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1397                                                         {
1398                                                         *al = TLS1_AD_INTERNAL_ERROR;
1399                                                         return 0;
1400                                                         }
1401                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1402                                                 s->session->tlsext_hostname[len]='\0';
1403                                                 if (strlen(s->session->tlsext_hostname) != len) {
1404                                                         OPENSSL_free(s->session->tlsext_hostname);
1405                                                         s->session->tlsext_hostname = NULL;
1406                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1407                                                         return 0;
1408                                                 }
1409                                                 s->servername_done = 1; 
1410
1411                                                 }
1412                                         else 
1413                                                 s->servername_done = s->session->tlsext_hostname
1414                                                         && strlen(s->session->tlsext_hostname) == len 
1415                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1416                                         
1417                                         break;
1418
1419                                 default:
1420                                         break;
1421                                         }
1422                                  
1423                                 dsize -= len;
1424                                 }
1425                         if (dsize != 0) 
1426                                 {
1427                                 *al = SSL_AD_DECODE_ERROR;
1428                                 return 0;
1429                                 }
1430
1431                         }
1432 #ifndef OPENSSL_NO_SRP
1433                 else if (type == TLSEXT_TYPE_srp)
1434                         {
1435                         if (size <= 0 || ((len = data[0])) != (size -1))
1436                                 {
1437                                 *al = SSL_AD_DECODE_ERROR;
1438                                 return 0;
1439                                 }
1440                         if (s->srp_ctx.login != NULL)
1441                                 {
1442                                 *al = SSL_AD_DECODE_ERROR;
1443                                 return 0;
1444                                 }
1445                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1446                                 return -1;
1447                         memcpy(s->srp_ctx.login, &data[1], len);
1448                         s->srp_ctx.login[len]='\0';
1449   
1450                         if (strlen(s->srp_ctx.login) != len) 
1451                                 {
1452                                 *al = SSL_AD_DECODE_ERROR;
1453                                 return 0;
1454                                 }
1455                         }
1456 #endif
1457
1458 #ifndef OPENSSL_NO_EC
1459                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1460                      s->version != DTLS1_VERSION)
1461                         {
1462                         unsigned char *sdata = data;
1463                         int ecpointformatlist_length = *(sdata++);
1464
1465                         if (ecpointformatlist_length != size - 1)
1466                                 {
1467                                 *al = TLS1_AD_DECODE_ERROR;
1468                                 return 0;
1469                                 }
1470                         if (!s->hit)
1471                                 {
1472                                 if(s->session->tlsext_ecpointformatlist)
1473                                         {
1474                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1475                                         s->session->tlsext_ecpointformatlist = NULL;
1476                                         }
1477                                 s->session->tlsext_ecpointformatlist_length = 0;
1478                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1479                                         {
1480                                         *al = TLS1_AD_INTERNAL_ERROR;
1481                                         return 0;
1482                                         }
1483                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1484                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1485                                 }
1486 #if 0
1487                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1488                         sdata = s->session->tlsext_ecpointformatlist;
1489                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1490                                 fprintf(stderr,"%i ",*(sdata++));
1491                         fprintf(stderr,"\n");
1492 #endif
1493                         }
1494                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1495                      s->version != DTLS1_VERSION)
1496                         {
1497                         unsigned char *sdata = data;
1498                         int ellipticcurvelist_length = (*(sdata++) << 8);
1499                         ellipticcurvelist_length += (*(sdata++));
1500
1501                         if (ellipticcurvelist_length != size - 2)
1502                                 {
1503                                 *al = TLS1_AD_DECODE_ERROR;
1504                                 return 0;
1505                                 }
1506                         if (!s->hit)
1507                                 {
1508                                 if(s->session->tlsext_ellipticcurvelist)
1509                                         {
1510                                         *al = TLS1_AD_DECODE_ERROR;
1511                                         return 0;
1512                                         }
1513                                 s->session->tlsext_ellipticcurvelist_length = 0;
1514                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1515                                         {
1516                                         *al = TLS1_AD_INTERNAL_ERROR;
1517                                         return 0;
1518                                         }
1519                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1520                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1521                                 }
1522 #if 0
1523                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1524                         sdata = s->session->tlsext_ellipticcurvelist;
1525                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1526                                 fprintf(stderr,"%i ",*(sdata++));
1527                         fprintf(stderr,"\n");
1528 #endif
1529                         }
1530 #endif /* OPENSSL_NO_EC */
1531 #ifdef TLSEXT_TYPE_opaque_prf_input
1532                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1533                      s->version != DTLS1_VERSION)
1534                         {
1535                         unsigned char *sdata = data;
1536
1537                         if (size < 2)
1538                                 {
1539                                 *al = SSL_AD_DECODE_ERROR;
1540                                 return 0;
1541                                 }
1542                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1543                         if (s->s3->client_opaque_prf_input_len != size - 2)
1544                                 {
1545                                 *al = SSL_AD_DECODE_ERROR;
1546                                 return 0;
1547                                 }
1548
1549                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1550                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1551                         if (s->s3->client_opaque_prf_input_len == 0)
1552                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1553                         else
1554                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1555                         if (s->s3->client_opaque_prf_input == NULL)
1556                                 {
1557                                 *al = TLS1_AD_INTERNAL_ERROR;
1558                                 return 0;
1559                                 }
1560                         }
1561 #endif
1562                 else if (type == TLSEXT_TYPE_session_ticket)
1563                         {
1564                         if (s->tls_session_ticket_ext_cb &&
1565                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1566                                 {
1567                                 *al = TLS1_AD_INTERNAL_ERROR;
1568                                 return 0;
1569                                 }
1570                         }
1571                 else if (type == TLSEXT_TYPE_renegotiate)
1572                         {
1573                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1574                                 return 0;
1575                         renegotiate_seen = 1;
1576                         }
1577                 else if (type == TLSEXT_TYPE_signature_algorithms)
1578                         {
1579                         int dsize;
1580                         if (sigalg_seen || size < 2) 
1581                                 {
1582                                 *al = SSL_AD_DECODE_ERROR;
1583                                 return 0;
1584                                 }
1585                         sigalg_seen = 1;
1586                         n2s(data,dsize);
1587                         size -= 2;
1588                         if (dsize != size || dsize & 1) 
1589                                 {
1590                                 *al = SSL_AD_DECODE_ERROR;
1591                                 return 0;
1592                                 }
1593                         if (!tls1_process_sigalgs(s, data, dsize))
1594                                 {
1595                                 *al = SSL_AD_DECODE_ERROR;
1596                                 return 0;
1597                                 }
1598                         }
1599                 else if (type == TLSEXT_TYPE_status_request &&
1600                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1601                         {
1602                 
1603                         if (size < 5) 
1604                                 {
1605                                 *al = SSL_AD_DECODE_ERROR;
1606                                 return 0;
1607                                 }
1608
1609                         s->tlsext_status_type = *data++;
1610                         size--;
1611                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1612                                 {
1613                                 const unsigned char *sdata;
1614                                 int dsize;
1615                                 /* Read in responder_id_list */
1616                                 n2s(data,dsize);
1617                                 size -= 2;
1618                                 if (dsize > size  ) 
1619                                         {
1620                                         *al = SSL_AD_DECODE_ERROR;
1621                                         return 0;
1622                                         }
1623                                 while (dsize > 0)
1624                                         {
1625                                         OCSP_RESPID *id;
1626                                         int idsize;
1627                                         if (dsize < 4)
1628                                                 {
1629                                                 *al = SSL_AD_DECODE_ERROR;
1630                                                 return 0;
1631                                                 }
1632                                         n2s(data, idsize);
1633                                         dsize -= 2 + idsize;
1634                                         size -= 2 + idsize;
1635                                         if (dsize < 0)
1636                                                 {
1637                                                 *al = SSL_AD_DECODE_ERROR;
1638                                                 return 0;
1639                                                 }
1640                                         sdata = data;
1641                                         data += idsize;
1642                                         id = d2i_OCSP_RESPID(NULL,
1643                                                                 &sdata, idsize);
1644                                         if (!id)
1645                                                 {
1646                                                 *al = SSL_AD_DECODE_ERROR;
1647                                                 return 0;
1648                                                 }
1649                                         if (data != sdata)
1650                                                 {
1651                                                 OCSP_RESPID_free(id);
1652                                                 *al = SSL_AD_DECODE_ERROR;
1653                                                 return 0;
1654                                                 }
1655                                         if (!s->tlsext_ocsp_ids
1656                                                 && !(s->tlsext_ocsp_ids =
1657                                                 sk_OCSP_RESPID_new_null()))
1658                                                 {
1659                                                 OCSP_RESPID_free(id);
1660                                                 *al = SSL_AD_INTERNAL_ERROR;
1661                                                 return 0;
1662                                                 }
1663                                         if (!sk_OCSP_RESPID_push(
1664                                                         s->tlsext_ocsp_ids, id))
1665                                                 {
1666                                                 OCSP_RESPID_free(id);
1667                                                 *al = SSL_AD_INTERNAL_ERROR;
1668                                                 return 0;
1669                                                 }
1670                                         }
1671
1672                                 /* Read in request_extensions */
1673                                 if (size < 2)
1674                                         {
1675                                         *al = SSL_AD_DECODE_ERROR;
1676                                         return 0;
1677                                         }
1678                                 n2s(data,dsize);
1679                                 size -= 2;
1680                                 if (dsize != size)
1681                                         {
1682                                         *al = SSL_AD_DECODE_ERROR;
1683                                         return 0;
1684                                         }
1685                                 sdata = data;
1686                                 if (dsize > 0)
1687                                         {
1688                                         if (s->tlsext_ocsp_exts)
1689                                                 {
1690                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1691                                                                            X509_EXTENSION_free);
1692                                                 }
1693
1694                                         s->tlsext_ocsp_exts =
1695                                                 d2i_X509_EXTENSIONS(NULL,
1696                                                         &sdata, dsize);
1697                                         if (!s->tlsext_ocsp_exts
1698                                                 || (data + dsize != sdata))
1699                                                 {
1700                                                 *al = SSL_AD_DECODE_ERROR;
1701                                                 return 0;
1702                                                 }
1703                                         }
1704                                 }
1705                                 /* We don't know what to do with any other type
1706                                 * so ignore it.
1707                                 */
1708                                 else
1709                                         s->tlsext_status_type = -1;
1710                         }
1711 #ifndef OPENSSL_NO_HEARTBEATS
1712                 else if (type == TLSEXT_TYPE_heartbeat)
1713                         {
1714                         switch(data[0])
1715                                 {
1716                                 case 0x01:      /* Client allows us to send HB requests */
1717                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1718                                                         break;
1719                                 case 0x02:      /* Client doesn't accept HB requests */
1720                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1721                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1722                                                         break;
1723                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1724                                                         return 0;
1725                                 }
1726                         }
1727 #endif
1728 #ifndef OPENSSL_NO_NEXTPROTONEG
1729                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1730                          s->s3->tmp.finish_md_len == 0)
1731                         {
1732                         /* We shouldn't accept this extension on a
1733                          * renegotiation.
1734                          *
1735                          * s->new_session will be set on renegotiation, but we
1736                          * probably shouldn't rely that it couldn't be set on
1737                          * the initial renegotation too in certain cases (when
1738                          * there's some other reason to disallow resuming an
1739                          * earlier session -- the current code won't be doing
1740                          * anything like that, but this might change).
1741
1742                          * A valid sign that there's been a previous handshake
1743                          * in this connection is if s->s3->tmp.finish_md_len >
1744                          * 0.  (We are talking about a check that will happen
1745                          * in the Hello protocol round, well before a new
1746                          * Finished message could have been computed.) */
1747                         s->s3->next_proto_neg_seen = 1;
1748                         }
1749 #endif
1750
1751                 /* session ticket processed earlier */
1752                 else if (type == TLSEXT_TYPE_use_srtp)
1753                         {
1754                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1755                                                               al))
1756                                 return 0;
1757                         }
1758
1759                 else if (type == TLSEXT_TYPE_server_authz)
1760                         {
1761                         unsigned char *sdata = data;
1762                         unsigned char server_authz_dataformatlist_length;
1763
1764                         if (size == 0)
1765                                 {
1766                                 *al = TLS1_AD_DECODE_ERROR;
1767                                 return 0;
1768                                 }
1769
1770                         server_authz_dataformatlist_length = *(sdata++);
1771
1772                         if (server_authz_dataformatlist_length != size - 1)
1773                                 {
1774                                 *al = TLS1_AD_DECODE_ERROR;
1775                                 return 0;
1776                                 }
1777
1778                         /* Successful session resumption uses the same authz
1779                          * information as the original session so we ignore this
1780                          * in the case of a session resumption. */
1781                         if (!s->hit)
1782                                 {
1783                                 size_t i;
1784                                 if (s->s3->tlsext_authz_client_types != NULL)
1785                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1786                                 s->s3->tlsext_authz_client_types =
1787                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1788                                 if (!s->s3->tlsext_authz_client_types)
1789                                         {
1790                                         *al = TLS1_AD_INTERNAL_ERROR;
1791                                         return 0;
1792                                         }
1793
1794                                 s->s3->tlsext_authz_client_types_len =
1795                                         server_authz_dataformatlist_length;
1796                                 memcpy(s->s3->tlsext_authz_client_types,
1797                                        sdata,
1798                                        server_authz_dataformatlist_length);
1799
1800                                 /* Sort the types in order to check for duplicates. */
1801                                 qsort(s->s3->tlsext_authz_client_types,
1802                                       server_authz_dataformatlist_length,
1803                                       1 /* element size */,
1804                                       byte_compare);
1805
1806                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1807                                         {
1808                                         if (i > 0 &&
1809                                             s->s3->tlsext_authz_client_types[i] ==
1810                                               s->s3->tlsext_authz_client_types[i-1])
1811                                                 {
1812                                                 *al = TLS1_AD_DECODE_ERROR;
1813                                                 return 0;
1814                                                 }
1815                                         }
1816                                 }
1817                         }
1818
1819                 data+=size;
1820                 }
1821
1822         *p = data;
1823
1824         ri_check:
1825
1826         /* Need RI if renegotiating */
1827
1828         if (!renegotiate_seen && s->renegotiate &&
1829                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1830                 {
1831                 *al = SSL_AD_HANDSHAKE_FAILURE;
1832                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1833                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1834                 return 0;
1835                 }
1836
1837         return 1;
1838         }
1839
1840 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1841         {
1842         int al = -1;
1843         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1844                 {
1845                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1846                 return 0;
1847                 }
1848
1849         if (ssl_check_clienthello_tlsext(s) <= 0) 
1850                 {
1851                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1852                 return 0;
1853                 }
1854         return 1;
1855 }
1856
1857 #ifndef OPENSSL_NO_NEXTPROTONEG
1858 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1859  * elements of zero length are allowed and the set of elements must exactly fill
1860  * the length of the block. */
1861 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1862         {
1863         unsigned int off = 0;
1864
1865         while (off < len)
1866                 {
1867                 if (d[off] == 0)
1868                         return 0;
1869                 off += d[off];
1870                 off++;
1871                 }
1872
1873         return off == len;
1874         }
1875 #endif
1876
1877 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1878         {
1879         unsigned short length;
1880         unsigned short type;
1881         unsigned short size;
1882         unsigned char *data = *p;
1883         int tlsext_servername = 0;
1884         int renegotiate_seen = 0;
1885
1886 #ifndef OPENSSL_NO_NEXTPROTONEG
1887         s->s3->next_proto_neg_seen = 0;
1888 #endif
1889
1890 #ifndef OPENSSL_NO_HEARTBEATS
1891         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1892                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1893 #endif
1894
1895         if (data >= (d+n-2))
1896                 goto ri_check;
1897
1898         n2s(data,length);
1899         if (data+length != d+n)
1900                 {
1901                 *al = SSL_AD_DECODE_ERROR;
1902                 return 0;
1903                 }
1904
1905         while(data <= (d+n-4))
1906                 {
1907                 n2s(data,type);
1908                 n2s(data,size);
1909
1910                 if (data+size > (d+n))
1911                         goto ri_check;
1912
1913                 if (s->tlsext_debug_cb)
1914                         s->tlsext_debug_cb(s, 1, type, data, size,
1915                                                 s->tlsext_debug_arg);
1916
1917                 if (type == TLSEXT_TYPE_server_name)
1918                         {
1919                         if (s->tlsext_hostname == NULL || size > 0)
1920                                 {
1921                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1922                                 return 0;
1923                                 }
1924                         tlsext_servername = 1;   
1925                         }
1926
1927 #ifndef OPENSSL_NO_EC
1928                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1929                      s->version != DTLS1_VERSION)
1930                         {
1931                         unsigned char *sdata = data;
1932                         int ecpointformatlist_length = *(sdata++);
1933
1934                         if (ecpointformatlist_length != size - 1)
1935                                 {
1936                                 *al = TLS1_AD_DECODE_ERROR;
1937                                 return 0;
1938                                 }
1939                         s->session->tlsext_ecpointformatlist_length = 0;
1940                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1941                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1942                                 {
1943                                 *al = TLS1_AD_INTERNAL_ERROR;
1944                                 return 0;
1945                                 }
1946                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1947                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1948 #if 0
1949                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1950                         sdata = s->session->tlsext_ecpointformatlist;
1951                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1952                                 fprintf(stderr,"%i ",*(sdata++));
1953                         fprintf(stderr,"\n");
1954 #endif
1955                         }
1956 #endif /* OPENSSL_NO_EC */
1957
1958                 else if (type == TLSEXT_TYPE_session_ticket)
1959                         {
1960                         if (s->tls_session_ticket_ext_cb &&
1961                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1962                                 {
1963                                 *al = TLS1_AD_INTERNAL_ERROR;
1964                                 return 0;
1965                                 }
1966                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1967                                 || (size > 0))
1968                                 {
1969                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1970                                 return 0;
1971                                 }
1972                         s->tlsext_ticket_expected = 1;
1973                         }
1974 #ifdef TLSEXT_TYPE_opaque_prf_input
1975                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1976                      s->version != DTLS1_VERSION)
1977                         {
1978                         unsigned char *sdata = data;
1979
1980                         if (size < 2)
1981                                 {
1982                                 *al = SSL_AD_DECODE_ERROR;
1983                                 return 0;
1984                                 }
1985                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1986                         if (s->s3->server_opaque_prf_input_len != size - 2)
1987                                 {
1988                                 *al = SSL_AD_DECODE_ERROR;
1989                                 return 0;
1990                                 }
1991                         
1992                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1993                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1994                         if (s->s3->server_opaque_prf_input_len == 0)
1995                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1996                         else
1997                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1998
1999                         if (s->s3->server_opaque_prf_input == NULL)
2000                                 {
2001                                 *al = TLS1_AD_INTERNAL_ERROR;
2002                                 return 0;
2003                                 }
2004                         }
2005 #endif
2006                 else if (type == TLSEXT_TYPE_status_request &&
2007                          s->version != DTLS1_VERSION)
2008                         {
2009                         /* MUST be empty and only sent if we've requested
2010                          * a status request message.
2011                          */ 
2012                         if ((s->tlsext_status_type == -1) || (size > 0))
2013                                 {
2014                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2015                                 return 0;
2016                                 }
2017                         /* Set flag to expect CertificateStatus message */
2018                         s->tlsext_status_expected = 1;
2019                         }
2020 #ifndef OPENSSL_NO_NEXTPROTONEG
2021                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2022                          s->s3->tmp.finish_md_len == 0)
2023                         {
2024                         unsigned char *selected;
2025                         unsigned char selected_len;
2026
2027                         /* We must have requested it. */
2028                         if ((s->ctx->next_proto_select_cb == NULL))
2029                                 {
2030                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2031                                 return 0;
2032                                 }
2033                         /* The data must be valid */
2034                         if (!ssl_next_proto_validate(data, size))
2035                                 {
2036                                 *al = TLS1_AD_DECODE_ERROR;
2037                                 return 0;
2038                                 }
2039                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2040                                 {
2041                                 *al = TLS1_AD_INTERNAL_ERROR;
2042                                 return 0;
2043                                 }
2044                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2045                         if (!s->next_proto_negotiated)
2046                                 {
2047                                 *al = TLS1_AD_INTERNAL_ERROR;
2048                                 return 0;
2049                                 }
2050                         memcpy(s->next_proto_negotiated, selected, selected_len);
2051                         s->next_proto_negotiated_len = selected_len;
2052                         s->s3->next_proto_neg_seen = 1;
2053                         }
2054 #endif
2055                 else if (type == TLSEXT_TYPE_renegotiate)
2056                         {
2057                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2058                                 return 0;
2059                         renegotiate_seen = 1;
2060                         }
2061 #ifndef OPENSSL_NO_HEARTBEATS
2062                 else if (type == TLSEXT_TYPE_heartbeat)
2063                         {
2064                         switch(data[0])
2065                                 {
2066                                 case 0x01:      /* Server allows us to send HB requests */
2067                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2068                                                         break;
2069                                 case 0x02:      /* Server doesn't accept HB requests */
2070                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2071                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2072                                                         break;
2073                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2074                                                         return 0;
2075                                 }
2076                         }
2077 #endif
2078                 else if (type == TLSEXT_TYPE_use_srtp)
2079                         {
2080                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2081                                                               al))
2082                                 return 0;
2083                         }
2084
2085                 else if (type == TLSEXT_TYPE_server_authz)
2086                         {
2087                         /* We only support audit proofs. It's an error to send
2088                          * an authz hello extension if the client
2089                          * didn't request a proof. */
2090                         unsigned char *sdata = data;
2091                         unsigned char server_authz_dataformatlist_length;
2092
2093                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2094                                 {
2095                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2096                                 return 0;
2097                                 }
2098
2099                         if (!size)
2100                                 {
2101                                 *al = TLS1_AD_DECODE_ERROR;
2102                                 return 0;
2103                                 }
2104
2105                         server_authz_dataformatlist_length = *(sdata++);
2106                         if (server_authz_dataformatlist_length != size - 1)
2107                                 {
2108                                 *al = TLS1_AD_DECODE_ERROR;
2109                                 return 0;
2110                                 }
2111
2112                         /* We only support audit proofs, so a legal ServerHello
2113                          * authz list contains exactly one entry. */
2114                         if (server_authz_dataformatlist_length != 1 ||
2115                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2116                                 {
2117                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2118                                 return 0;
2119                                 }
2120
2121                         s->s3->tlsext_authz_server_promised = 1;
2122                         }
2123  
2124                 data += size;
2125                 }
2126
2127         if (data != d+n)
2128                 {
2129                 *al = SSL_AD_DECODE_ERROR;
2130                 return 0;
2131                 }
2132
2133         if (!s->hit && tlsext_servername == 1)
2134                 {
2135                 if (s->tlsext_hostname)
2136                         {
2137                         if (s->session->tlsext_hostname == NULL)
2138                                 {
2139                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2140                                 if (!s->session->tlsext_hostname)
2141                                         {
2142                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2143                                         return 0;
2144                                         }
2145                                 }
2146                         else 
2147                                 {
2148                                 *al = SSL_AD_DECODE_ERROR;
2149                                 return 0;
2150                                 }
2151                         }
2152                 }
2153
2154         *p = data;
2155
2156         ri_check:
2157
2158         /* Determine if we need to see RI. Strictly speaking if we want to
2159          * avoid an attack we should *always* see RI even on initial server
2160          * hello because the client doesn't see any renegotiation during an
2161          * attack. However this would mean we could not connect to any server
2162          * which doesn't support RI so for the immediate future tolerate RI
2163          * absence on initial connect only.
2164          */
2165         if (!renegotiate_seen
2166                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2167                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2168                 {
2169                 *al = SSL_AD_HANDSHAKE_FAILURE;
2170                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2171                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2172                 return 0;
2173                 }
2174
2175         return 1;
2176         }
2177
2178
2179 int ssl_prepare_clienthello_tlsext(SSL *s)
2180         {
2181
2182 #ifdef TLSEXT_TYPE_opaque_prf_input
2183         {
2184                 int r = 1;
2185         
2186                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2187                         {
2188                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2189                         if (!r)
2190                                 return -1;
2191                         }
2192
2193                 if (s->tlsext_opaque_prf_input != NULL)
2194                         {
2195                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2196                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2197
2198                         if (s->tlsext_opaque_prf_input_len == 0)
2199                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2200                         else
2201                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2202                         if (s->s3->client_opaque_prf_input == NULL)
2203                                 {
2204                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2205                                 return -1;
2206                                 }
2207                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2208                         }
2209
2210                 if (r == 2)
2211                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2212                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2213         }
2214 #endif
2215
2216         return 1;
2217         }
2218
2219 int ssl_prepare_serverhello_tlsext(SSL *s)
2220         {
2221 #ifndef OPENSSL_NO_EC
2222         /* If we are server and using an ECC cipher suite, send the point formats we support 
2223          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2224          * supposed to send an EllipticCurves extension.
2225          */
2226
2227         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2228         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2229         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2230         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2231         
2232         if (using_ecc)
2233                 {
2234                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2235                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2236                         {
2237                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2238                         return -1;
2239                         }
2240                 s->tlsext_ecpointformatlist_length = 3;
2241                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2242                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2243                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2244                 }
2245 #endif /* OPENSSL_NO_EC */
2246
2247         return 1;
2248         }
2249
2250 static int ssl_check_clienthello_tlsext(SSL *s)
2251         {
2252         int ret=SSL_TLSEXT_ERR_NOACK;
2253         int al = SSL_AD_UNRECOGNIZED_NAME;
2254
2255 #ifndef OPENSSL_NO_EC
2256         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2257          * ssl3_choose_cipher in s3_lib.c.
2258          */
2259         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2260          * ssl3_choose_cipher in s3_lib.c.
2261          */
2262 #endif
2263
2264         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2265                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2266         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2267                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2268
2269         /* If status request then ask callback what to do.
2270          * Note: this must be called after servername callbacks in case 
2271          * the certificate has changed.
2272          */
2273         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2274                 {
2275                 int r;
2276                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2277                 switch (r)
2278                         {
2279                         /* We don't want to send a status request response */
2280                         case SSL_TLSEXT_ERR_NOACK:
2281                                 s->tlsext_status_expected = 0;
2282                                 break;
2283                         /* status request response should be sent */
2284                         case SSL_TLSEXT_ERR_OK:
2285                                 if (s->tlsext_ocsp_resp)
2286                                         s->tlsext_status_expected = 1;
2287                                 else
2288                                         s->tlsext_status_expected = 0;
2289                                 break;
2290                         /* something bad happened */
2291                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2292                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2293                                 al = SSL_AD_INTERNAL_ERROR;
2294                                 goto err;
2295                         }
2296                 }
2297         else
2298                 s->tlsext_status_expected = 0;
2299
2300 #ifdef TLSEXT_TYPE_opaque_prf_input
2301         {
2302                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2303                  * but we might be sending an alert in response to the client hello,
2304                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2305
2306                 int r = 1;
2307         
2308                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2309                         {
2310                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2311                         if (!r)
2312                                 {
2313                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2314                                 al = SSL_AD_INTERNAL_ERROR;
2315                                 goto err;
2316                                 }
2317                         }
2318
2319                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2320                         OPENSSL_free(s->s3->server_opaque_prf_input);
2321                 s->s3->server_opaque_prf_input = NULL;
2322
2323                 if (s->tlsext_opaque_prf_input != NULL)
2324                         {
2325                         if (s->s3->client_opaque_prf_input != NULL &&
2326                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2327                                 {
2328                                 /* can only use this extension if we have a server opaque PRF input
2329                                  * of the same length as the client opaque PRF input! */
2330
2331                                 if (s->tlsext_opaque_prf_input_len == 0)
2332                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2333                                 else
2334                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2335                                 if (s->s3->server_opaque_prf_input == NULL)
2336                                         {
2337                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2338                                         al = SSL_AD_INTERNAL_ERROR;
2339                                         goto err;
2340                                         }
2341                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2342                                 }
2343                         }
2344
2345                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2346                         {
2347                         /* The callback wants to enforce use of the extension,
2348                          * but we can't do that with the client opaque PRF input;
2349                          * abort the handshake.
2350                          */
2351                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2352                         al = SSL_AD_HANDSHAKE_FAILURE;
2353                         }
2354         }
2355
2356 #endif
2357  err:
2358         switch (ret)
2359                 {
2360                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2361                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2362                         return -1;
2363
2364                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2365                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2366                         return 1; 
2367                                         
2368                 case SSL_TLSEXT_ERR_NOACK:
2369                         s->servername_done=0;
2370                         default:
2371                 return 1;
2372                 }
2373         }
2374
2375 int ssl_check_serverhello_tlsext(SSL *s)
2376         {
2377         int ret=SSL_TLSEXT_ERR_NOACK;
2378         int al = SSL_AD_UNRECOGNIZED_NAME;
2379
2380 #ifndef OPENSSL_NO_EC
2381         /* If we are client and using an elliptic curve cryptography cipher
2382          * suite, then if server returns an EC point formats lists extension
2383          * it must contain uncompressed.
2384          */
2385         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2386         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2387         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2388             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2389             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2390                 {
2391                 /* we are using an ECC cipher */
2392                 size_t i;
2393                 unsigned char *list;
2394                 int found_uncompressed = 0;
2395                 list = s->session->tlsext_ecpointformatlist;
2396                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2397                         {
2398                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2399                                 {
2400                                 found_uncompressed = 1;
2401                                 break;
2402                                 }
2403                         }
2404                 if (!found_uncompressed)
2405                         {
2406                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2407                         return -1;
2408                         }
2409                 }
2410         ret = SSL_TLSEXT_ERR_OK;
2411 #endif /* OPENSSL_NO_EC */
2412
2413         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2414                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2415         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2416                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2417
2418 #ifdef TLSEXT_TYPE_opaque_prf_input
2419         if (s->s3->server_opaque_prf_input_len > 0)
2420                 {
2421                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2422                  * So first verify that we really have a value from the server too. */
2423
2424                 if (s->s3->server_opaque_prf_input == NULL)
2425                         {
2426                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2427                         al = SSL_AD_HANDSHAKE_FAILURE;
2428                         }
2429                 
2430                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2431                  * that we have a client opaque PRF input of the same size. */
2432                 if (s->s3->client_opaque_prf_input == NULL ||
2433                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2434                         {
2435                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2436                         al = SSL_AD_ILLEGAL_PARAMETER;
2437                         }
2438                 }
2439 #endif
2440
2441         /* If we've requested certificate status and we wont get one
2442          * tell the callback
2443          */
2444         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2445                         && s->ctx && s->ctx->tlsext_status_cb)
2446                 {
2447                 int r;
2448                 /* Set resp to NULL, resplen to -1 so callback knows
2449                  * there is no response.
2450                  */
2451                 if (s->tlsext_ocsp_resp)
2452                         {
2453                         OPENSSL_free(s->tlsext_ocsp_resp);
2454                         s->tlsext_ocsp_resp = NULL;
2455                         }
2456                 s->tlsext_ocsp_resplen = -1;
2457                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2458                 if (r == 0)
2459                         {
2460                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2461                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2462                         }
2463                 if (r < 0)
2464                         {
2465                         al = SSL_AD_INTERNAL_ERROR;
2466                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2467                         }
2468                 }
2469
2470         switch (ret)
2471                 {
2472                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2473                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2474                         return -1;
2475
2476                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2477                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2478                         return 1; 
2479                                         
2480                 case SSL_TLSEXT_ERR_NOACK:
2481                         s->servername_done=0;
2482                         default:
2483                 return 1;
2484                 }
2485         }
2486
2487 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2488         {
2489         int al = -1;
2490         if (s->version < SSL3_VERSION)
2491                 return 1;
2492         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2493                 {
2494                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2495                 return 0;
2496                 }
2497
2498         if (ssl_check_serverhello_tlsext(s) <= 0) 
2499                 {
2500                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2501                 return 0;
2502                 }
2503         return 1;
2504 }
2505
2506 /* Since the server cache lookup is done early on in the processing of the
2507  * ClientHello, and other operations depend on the result, we need to handle
2508  * any TLS session ticket extension at the same time.
2509  *
2510  *   session_id: points at the session ID in the ClientHello. This code will
2511  *       read past the end of this in order to parse out the session ticket
2512  *       extension, if any.
2513  *   len: the length of the session ID.
2514  *   limit: a pointer to the first byte after the ClientHello.
2515  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2516  *       point to the resulting session.
2517  *
2518  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2519  * ciphersuite, in which case we have no use for session tickets and one will
2520  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2521  *
2522  * Returns:
2523  *   -1: fatal error, either from parsing or decrypting the ticket.
2524  *    0: no ticket was found (or was ignored, based on settings).
2525  *    1: a zero length extension was found, indicating that the client supports
2526  *       session tickets but doesn't currently have one to offer.
2527  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2528  *       couldn't be decrypted because of a non-fatal error.
2529  *    3: a ticket was successfully decrypted and *ret was set.
2530  *
2531  * Side effects:
2532  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2533  *   a new session ticket to the client because the client indicated support
2534  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2535  *   a session ticket or we couldn't use the one it gave us, or if
2536  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2537  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2538  */
2539 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2540                         const unsigned char *limit, SSL_SESSION **ret)
2541         {
2542         /* Point after session ID in client hello */
2543         const unsigned char *p = session_id + len;
2544         unsigned short i;
2545
2546         *ret = NULL;
2547         s->tlsext_ticket_expected = 0;
2548
2549         /* If tickets disabled behave as if no ticket present
2550          * to permit stateful resumption.
2551          */
2552         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2553                 return 0;
2554         if ((s->version <= SSL3_VERSION) || !limit)
2555                 return 0;
2556         if (p >= limit)
2557                 return -1;
2558         /* Skip past DTLS cookie */
2559         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2560                 {
2561                 i = *(p++);
2562                 p+= i;
2563                 if (p >= limit)
2564                         return -1;
2565                 }
2566         /* Skip past cipher list */
2567         n2s(p, i);
2568         p+= i;
2569         if (p >= limit)
2570                 return -1;
2571         /* Skip past compression algorithm list */
2572         i = *(p++);
2573         p += i;
2574         if (p > limit)
2575                 return -1;
2576         /* Now at start of extensions */
2577         if ((p + 2) >= limit)
2578                 return 0;
2579         n2s(p, i);
2580         while ((p + 4) <= limit)
2581                 {
2582                 unsigned short type, size;
2583                 n2s(p, type);
2584                 n2s(p, size);
2585                 if (p + size > limit)
2586                         return 0;
2587                 if (type == TLSEXT_TYPE_session_ticket)
2588                         {
2589                         int r;
2590                         if (size == 0)
2591                                 {
2592                                 /* The client will accept a ticket but doesn't
2593                                  * currently have one. */
2594                                 s->tlsext_ticket_expected = 1;
2595                                 return 1;
2596                                 }
2597                         if (s->tls_session_secret_cb)
2598                                 {
2599                                 /* Indicate that the ticket couldn't be
2600                                  * decrypted rather than generating the session
2601                                  * from ticket now, trigger abbreviated
2602                                  * handshake based on external mechanism to
2603                                  * calculate the master secret later. */
2604                                 return 2;
2605                                 }
2606                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2607                         switch (r)
2608                                 {
2609                                 case 2: /* ticket couldn't be decrypted */
2610                                         s->tlsext_ticket_expected = 1;
2611                                         return 2;
2612                                 case 3: /* ticket was decrypted */
2613                                         return r;
2614                                 case 4: /* ticket decrypted but need to renew */
2615                                         s->tlsext_ticket_expected = 1;
2616                                         return 3;
2617                                 default: /* fatal error */
2618                                         return -1;
2619                                 }
2620                         }
2621                 p += size;
2622                 }
2623         return 0;
2624         }
2625
2626 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2627  *
2628  *   etick: points to the body of the session ticket extension.
2629  *   eticklen: the length of the session tickets extenion.
2630  *   sess_id: points at the session ID.
2631  *   sesslen: the length of the session ID.
2632  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2633  *       point to the resulting session.
2634  *
2635  * Returns:
2636  *   -1: fatal error, either from parsing or decrypting the ticket.
2637  *    2: the ticket couldn't be decrypted.
2638  *    3: a ticket was successfully decrypted and *psess was set.
2639  *    4: same as 3, but the ticket needs to be renewed.
2640  */
2641 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2642                                 const unsigned char *sess_id, int sesslen,
2643                                 SSL_SESSION **psess)
2644         {
2645         SSL_SESSION *sess;
2646         unsigned char *sdec;
2647         const unsigned char *p;
2648         int slen, mlen, renew_ticket = 0;
2649         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2650         HMAC_CTX hctx;
2651         EVP_CIPHER_CTX ctx;
2652         SSL_CTX *tctx = s->initial_ctx;
2653         /* Need at least keyname + iv + some encrypted data */
2654         if (eticklen < 48)
2655                 return 2;
2656         /* Initialize session ticket encryption and HMAC contexts */
2657         HMAC_CTX_init(&hctx);
2658         EVP_CIPHER_CTX_init(&ctx);
2659         if (tctx->tlsext_ticket_key_cb)
2660                 {
2661                 unsigned char *nctick = (unsigned char *)etick;
2662                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2663                                                         &ctx, &hctx, 0);
2664                 if (rv < 0)
2665                         return -1;
2666                 if (rv == 0)
2667                         return 2;
2668                 if (rv == 2)
2669                         renew_ticket = 1;
2670                 }
2671         else
2672                 {
2673                 /* Check key name matches */
2674                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2675                         return 2;
2676                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2677                                         tlsext_tick_md(), NULL);
2678                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2679                                 tctx->tlsext_tick_aes_key, etick + 16);
2680                 }
2681         /* Attempt to process session ticket, first conduct sanity and
2682          * integrity checks on ticket.
2683          */
2684         mlen = HMAC_size(&hctx);
2685         if (mlen < 0)
2686                 {
2687                 EVP_CIPHER_CTX_cleanup(&ctx);
2688                 return -1;
2689                 }
2690         eticklen -= mlen;
2691         /* Check HMAC of encrypted ticket */
2692         HMAC_Update(&hctx, etick, eticklen);
2693         HMAC_Final(&hctx, tick_hmac, NULL);
2694         HMAC_CTX_cleanup(&hctx);
2695         if (memcmp(tick_hmac, etick + eticklen, mlen))
2696                 return 2;
2697         /* Attempt to decrypt session data */
2698         /* Move p after IV to start of encrypted ticket, update length */
2699         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2700         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2701         sdec = OPENSSL_malloc(eticklen);
2702         if (!sdec)
2703                 {
2704                 EVP_CIPHER_CTX_cleanup(&ctx);
2705                 return -1;
2706                 }
2707         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2708         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2709                 return 2;
2710         slen += mlen;
2711         EVP_CIPHER_CTX_cleanup(&ctx);
2712         p = sdec;
2713
2714         sess = d2i_SSL_SESSION(NULL, &p, slen);
2715         OPENSSL_free(sdec);
2716         if (sess)
2717                 {
2718                 /* The session ID, if non-empty, is used by some clients to
2719                  * detect that the ticket has been accepted. So we copy it to
2720                  * the session structure. If it is empty set length to zero
2721                  * as required by standard.
2722                  */
2723                 if (sesslen)
2724                         memcpy(sess->session_id, sess_id, sesslen);
2725                 sess->session_id_length = sesslen;
2726                 *psess = sess;
2727                 if (renew_ticket)
2728                         return 4;
2729                 else
2730                         return 3;
2731                 }
2732         ERR_clear_error();
2733         /* For session parse failure, indicate that we need to send a new
2734          * ticket. */
2735         return 2;
2736         }
2737
2738 /* Tables to translate from NIDs to TLS v1.2 ids */
2739
2740 typedef struct 
2741         {
2742         int nid;
2743         int id;
2744         } tls12_lookup;
2745
2746 static tls12_lookup tls12_md[] = {
2747         {NID_md5, TLSEXT_hash_md5},
2748         {NID_sha1, TLSEXT_hash_sha1},
2749         {NID_sha224, TLSEXT_hash_sha224},
2750         {NID_sha256, TLSEXT_hash_sha256},
2751         {NID_sha384, TLSEXT_hash_sha384},
2752         {NID_sha512, TLSEXT_hash_sha512}
2753 };
2754
2755 static tls12_lookup tls12_sig[] = {
2756         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2757         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2758         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2759 };
2760
2761 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2762         {
2763         size_t i;
2764         for (i = 0; i < tlen; i++)
2765                 {
2766                 if (table[i].nid == nid)
2767                         return table[i].id;
2768                 }
2769         return -1;
2770         }
2771
2772 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2773         {
2774         size_t i;
2775         for (i = 0; i < tlen; i++)
2776                 {
2777                 if ((table[i].id) == id)
2778                         return table[i].nid;
2779                 }
2780         return NID_undef;
2781         }
2782
2783 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2784         {
2785         int sig_id, md_id;
2786         if (!md)
2787                 return 0;
2788         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2789                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2790         if (md_id == -1)
2791                 return 0;
2792         sig_id = tls12_get_sigid(pk);
2793         if (sig_id == -1)
2794                 return 0;
2795         p[0] = (unsigned char)md_id;
2796         p[1] = (unsigned char)sig_id;
2797         return 1;
2798         }
2799
2800 int tls12_get_sigid(const EVP_PKEY *pk)
2801         {
2802         return tls12_find_id(pk->type, tls12_sig,
2803                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2804         }
2805
2806 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2807         {
2808         switch(hash_alg)
2809                 {
2810 #ifndef OPENSSL_NO_MD5
2811                 case TLSEXT_hash_md5:
2812 #ifdef OPENSSL_FIPS
2813                 if (FIPS_mode())
2814                         return NULL;
2815 #endif
2816                 return EVP_md5();
2817 #endif
2818 #ifndef OPENSSL_NO_SHA
2819                 case TLSEXT_hash_sha1:
2820                 return EVP_sha1();
2821 #endif
2822 #ifndef OPENSSL_NO_SHA256
2823                 case TLSEXT_hash_sha224:
2824                 return EVP_sha224();
2825
2826                 case TLSEXT_hash_sha256:
2827                 return EVP_sha256();
2828 #endif
2829 #ifndef OPENSSL_NO_SHA512
2830                 case TLSEXT_hash_sha384:
2831                 return EVP_sha384();
2832
2833                 case TLSEXT_hash_sha512:
2834                 return EVP_sha512();
2835 #endif
2836                 default:
2837                 return NULL;
2838
2839                 }
2840         }
2841
2842 /* Set preferred digest for each key type */
2843
2844 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2845         {
2846         int i, idx;
2847         const EVP_MD *md;
2848         CERT *c = s->cert;
2849         TLS_SIGALGS *sigptr;
2850         /* Extension ignored for TLS versions below 1.2 */
2851         if (TLS1_get_version(s) < TLS1_2_VERSION)
2852                 return 1;
2853         /* Should never happen */
2854         if (!c)
2855                 return 0;
2856
2857         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2858         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2859         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2860         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2861
2862         if (c->sigalgs)
2863                 OPENSSL_free(c->sigalgs);
2864         c->sigalgs = OPENSSL_malloc((dsize/2) * sizeof(TLS_SIGALGS));
2865         if (!c->sigalgs)
2866                 return 0;
2867         c->sigalgslen = dsize/2;
2868
2869         for (i = 0, sigptr = c->sigalgs; i < dsize; i += 2, sigptr++)
2870                 {
2871                 sigptr->rhash = data[i];
2872                 sigptr->rsign = data[i + 1];
2873                 sigptr->hash_nid = tls12_find_nid(sigptr->rhash, tls12_md,
2874                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2875                 sigptr->sign_nid = tls12_find_nid(sigptr->rsign, tls12_sig,
2876                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2877                 if (!OBJ_find_sigid_by_algs(&sigptr->signandhash_nid,
2878                                                 sigptr->hash_nid,
2879                                                 sigptr->sign_nid))
2880                         sigptr->signandhash_nid = NID_undef;
2881                 switch(sigptr->rsign)
2882                         {
2883 #ifndef OPENSSL_NO_RSA
2884                         case TLSEXT_signature_rsa:
2885                         idx = SSL_PKEY_RSA_SIGN;
2886                         break;
2887 #endif
2888 #ifndef OPENSSL_NO_DSA
2889                         case TLSEXT_signature_dsa:
2890                         idx = SSL_PKEY_DSA_SIGN;
2891                         break;
2892 #endif
2893 #ifndef OPENSSL_NO_ECDSA
2894                         case TLSEXT_signature_ecdsa:
2895                         idx = SSL_PKEY_ECC;
2896                         break;
2897 #endif
2898                         default:
2899                         continue;
2900                         }
2901
2902                 if (c->pkeys[idx].digest == NULL)
2903                         {
2904                         md = tls12_get_hash(sigptr->rhash);
2905                         if (md)
2906                                 {
2907                                 c->pkeys[idx].digest = md;
2908                                 if (idx == SSL_PKEY_RSA_SIGN)
2909                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2910                                 }
2911                         }
2912
2913                 }
2914
2915
2916         /* Set any remaining keys to default values. NOTE: if alg is not
2917          * supported it stays as NULL.
2918          */
2919 #ifndef OPENSSL_NO_DSA
2920         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2921                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2922 #endif
2923 #ifndef OPENSSL_NO_RSA
2924         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2925                 {
2926                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2927                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2928                 }
2929 #endif
2930 #ifndef OPENSSL_NO_ECDSA
2931         if (!c->pkeys[SSL_PKEY_ECC].digest)
2932                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2933 #endif
2934         return 1;
2935         }
2936
2937 #endif
2938
2939 int SSL_get_sigalgs(SSL *s, int idx,
2940                         int *psign, int *phash, int *psignandhash,
2941                         unsigned char *rsig, unsigned char *rhash)
2942         {
2943         if (s->cert->sigalgs == NULL)
2944                 return 0;
2945         if (idx >= 0)
2946                 {
2947                 TLS_SIGALGS *psig;
2948                 if (idx >= (int)s->cert->sigalgslen)
2949                         return 0;
2950                 psig = s->cert->sigalgs + idx;
2951                 if (psign)
2952                         *psign = psig->sign_nid;
2953                 if (phash)
2954                         *phash = psig->hash_nid;
2955                 if (psignandhash)
2956                         *psignandhash = psig->signandhash_nid;
2957                 if (rsig)
2958                         *rsig = psig->rsign;
2959                 if (rhash)
2960                         *rhash = psig->rhash;
2961                 }
2962         return s->cert->sigalgslen;
2963         }
2964         
2965
2966 #ifndef OPENSSL_NO_HEARTBEATS
2967 int
2968 tls1_process_heartbeat(SSL *s)
2969         {
2970         unsigned char *p = &s->s3->rrec.data[0], *pl;
2971         unsigned short hbtype;
2972         unsigned int payload;
2973         unsigned int padding = 16; /* Use minimum padding */
2974
2975         /* Read type and payload length first */
2976         hbtype = *p++;
2977         n2s(p, payload);
2978         pl = p;
2979
2980         if (s->msg_callback)
2981                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2982                         &s->s3->rrec.data[0], s->s3->rrec.length,
2983                         s, s->msg_callback_arg);
2984
2985         if (hbtype == TLS1_HB_REQUEST)
2986                 {
2987                 unsigned char *buffer, *bp;
2988                 int r;
2989
2990                 /* Allocate memory for the response, size is 1 bytes
2991                  * message type, plus 2 bytes payload length, plus
2992                  * payload, plus padding
2993                  */
2994                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2995                 bp = buffer;
2996                 
2997                 /* Enter response type, length and copy payload */
2998                 *bp++ = TLS1_HB_RESPONSE;
2999                 s2n(payload, bp);
3000                 memcpy(bp, pl, payload);
3001                 bp += payload;
3002                 /* Random padding */
3003                 RAND_pseudo_bytes(bp, padding);
3004
3005                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3006
3007                 if (r >= 0 && s->msg_callback)
3008                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3009                                 buffer, 3 + payload + padding,
3010                                 s, s->msg_callback_arg);
3011
3012                 OPENSSL_free(buffer);
3013
3014                 if (r < 0)
3015                         return r;
3016                 }
3017         else if (hbtype == TLS1_HB_RESPONSE)
3018                 {
3019                 unsigned int seq;
3020                 
3021                 /* We only send sequence numbers (2 bytes unsigned int),
3022                  * and 16 random bytes, so we just try to read the
3023                  * sequence number */
3024                 n2s(pl, seq);
3025                 
3026                 if (payload == 18 && seq == s->tlsext_hb_seq)
3027                         {
3028                         s->tlsext_hb_seq++;
3029                         s->tlsext_hb_pending = 0;
3030                         }
3031                 }
3032
3033         return 0;
3034         }
3035
3036 int
3037 tls1_heartbeat(SSL *s)
3038         {
3039         unsigned char *buf, *p;
3040         int ret;
3041         unsigned int payload = 18; /* Sequence number + random bytes */
3042         unsigned int padding = 16; /* Use minimum padding */
3043
3044         /* Only send if peer supports and accepts HB requests... */
3045         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3046             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3047                 {
3048                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3049                 return -1;
3050                 }
3051
3052         /* ...and there is none in flight yet... */
3053         if (s->tlsext_hb_pending)
3054                 {
3055                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3056                 return -1;
3057                 }
3058                 
3059         /* ...and no handshake in progress. */
3060         if (SSL_in_init(s) || s->in_handshake)
3061                 {
3062                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3063                 return -1;
3064                 }
3065                 
3066         /* Check if padding is too long, payload and padding
3067          * must not exceed 2^14 - 3 = 16381 bytes in total.
3068          */
3069         OPENSSL_assert(payload + padding <= 16381);
3070
3071     &n