x86_64-xlate.pl: proper solution for RT#2620.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         tls1_export_keying_material,
141         };
142
143 long tls1_default_timeout(void)
144         {
145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146          * is way too long for http, the cache would over fill */
147         return(60*60*2);
148         }
149
150 int tls1_new(SSL *s)
151         {
152         if (!ssl3_new(s)) return(0);
153         s->method->ssl_clear(s);
154         return(1);
155         }
156
157 void tls1_free(SSL *s)
158         {
159 #ifndef OPENSSL_NO_TLSEXT
160         if (s->tlsext_session_ticket)
161                 {
162                 OPENSSL_free(s->tlsext_session_ticket);
163                 }
164 #endif /* OPENSSL_NO_TLSEXT */
165         ssl3_free(s);
166         }
167
168 void tls1_clear(SSL *s)
169         {
170         ssl3_clear(s);
171         s->version = s->method->version;
172         }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177         {
178                 NID_sect163k1, /* sect163k1 (1) */
179                 NID_sect163r1, /* sect163r1 (2) */
180                 NID_sect163r2, /* sect163r2 (3) */
181                 NID_sect193r1, /* sect193r1 (4) */ 
182                 NID_sect193r2, /* sect193r2 (5) */ 
183                 NID_sect233k1, /* sect233k1 (6) */
184                 NID_sect233r1, /* sect233r1 (7) */ 
185                 NID_sect239k1, /* sect239k1 (8) */ 
186                 NID_sect283k1, /* sect283k1 (9) */
187                 NID_sect283r1, /* sect283r1 (10) */ 
188                 NID_sect409k1, /* sect409k1 (11) */ 
189                 NID_sect409r1, /* sect409r1 (12) */
190                 NID_sect571k1, /* sect571k1 (13) */ 
191                 NID_sect571r1, /* sect571r1 (14) */ 
192                 NID_secp160k1, /* secp160k1 (15) */
193                 NID_secp160r1, /* secp160r1 (16) */ 
194                 NID_secp160r2, /* secp160r2 (17) */ 
195                 NID_secp192k1, /* secp192k1 (18) */
196                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
197                 NID_secp224k1, /* secp224k1 (20) */ 
198                 NID_secp224r1, /* secp224r1 (21) */
199                 NID_secp256k1, /* secp256k1 (22) */ 
200                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
201                 NID_secp384r1, /* secp384r1 (24) */
202                 NID_secp521r1  /* secp521r1 (25) */     
203         };
204
205 static int pref_list[] =
206         {
207                 NID_sect571r1, /* sect571r1 (14) */ 
208                 NID_sect571k1, /* sect571k1 (13) */ 
209                 NID_secp521r1, /* secp521r1 (25) */     
210                 NID_sect409k1, /* sect409k1 (11) */ 
211                 NID_sect409r1, /* sect409r1 (12) */
212                 NID_secp384r1, /* secp384r1 (24) */
213                 NID_sect283k1, /* sect283k1 (9) */
214                 NID_sect283r1, /* sect283r1 (10) */ 
215                 NID_secp256k1, /* secp256k1 (22) */ 
216                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
217                 NID_sect239k1, /* sect239k1 (8) */ 
218                 NID_sect233k1, /* sect233k1 (6) */
219                 NID_sect233r1, /* sect233r1 (7) */ 
220                 NID_secp224k1, /* secp224k1 (20) */ 
221                 NID_secp224r1, /* secp224r1 (21) */
222                 NID_sect193r1, /* sect193r1 (4) */ 
223                 NID_sect193r2, /* sect193r2 (5) */ 
224                 NID_secp192k1, /* secp192k1 (18) */
225                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
226                 NID_sect163k1, /* sect163k1 (1) */
227                 NID_sect163r1, /* sect163r1 (2) */
228                 NID_sect163r2, /* sect163r2 (3) */
229                 NID_secp160k1, /* secp160k1 (15) */
230                 NID_secp160r1, /* secp160r1 (16) */ 
231                 NID_secp160r2, /* secp160r2 (17) */ 
232         };
233
234 int tls1_ec_curve_id2nid(int curve_id)
235         {
236         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237         if ((curve_id < 1) || ((unsigned int)curve_id >
238                                 sizeof(nid_list)/sizeof(nid_list[0])))
239                 return 0;
240         return nid_list[curve_id-1];
241         }
242
243 int tls1_ec_nid2curve_id(int nid)
244         {
245         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246         switch (nid)
247                 {
248         case NID_sect163k1: /* sect163k1 (1) */
249                 return 1;
250         case NID_sect163r1: /* sect163r1 (2) */
251                 return 2;
252         case NID_sect163r2: /* sect163r2 (3) */
253                 return 3;
254         case NID_sect193r1: /* sect193r1 (4) */ 
255                 return 4;
256         case NID_sect193r2: /* sect193r2 (5) */ 
257                 return 5;
258         case NID_sect233k1: /* sect233k1 (6) */
259                 return 6;
260         case NID_sect233r1: /* sect233r1 (7) */ 
261                 return 7;
262         case NID_sect239k1: /* sect239k1 (8) */ 
263                 return 8;
264         case NID_sect283k1: /* sect283k1 (9) */
265                 return 9;
266         case NID_sect283r1: /* sect283r1 (10) */ 
267                 return 10;
268         case NID_sect409k1: /* sect409k1 (11) */ 
269                 return 11;
270         case NID_sect409r1: /* sect409r1 (12) */
271                 return 12;
272         case NID_sect571k1: /* sect571k1 (13) */ 
273                 return 13;
274         case NID_sect571r1: /* sect571r1 (14) */ 
275                 return 14;
276         case NID_secp160k1: /* secp160k1 (15) */
277                 return 15;
278         case NID_secp160r1: /* secp160r1 (16) */ 
279                 return 16;
280         case NID_secp160r2: /* secp160r2 (17) */ 
281                 return 17;
282         case NID_secp192k1: /* secp192k1 (18) */
283                 return 18;
284         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
285                 return 19;
286         case NID_secp224k1: /* secp224k1 (20) */ 
287                 return 20;
288         case NID_secp224r1: /* secp224r1 (21) */
289                 return 21;
290         case NID_secp256k1: /* secp256k1 (22) */ 
291                 return 22;
292         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
293                 return 23;
294         case NID_secp384r1: /* secp384r1 (24) */
295                 return 24;
296         case NID_secp521r1:  /* secp521r1 (25) */       
297                 return 25;
298         default:
299                 return 0;
300                 }
301         }
302 #endif /* OPENSSL_NO_EC */
303
304 #ifndef OPENSSL_NO_TLSEXT
305
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327
328 #define tlsext_sigalg(md) \
329                 tlsext_sigalg_rsa(md) \
330                 tlsext_sigalg_dsa(md) \
331                 tlsext_sigalg_ecdsa(md)
332
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335         tlsext_sigalg(TLSEXT_hash_sha512)
336         tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339         tlsext_sigalg(TLSEXT_hash_sha256)
340         tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343         tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346         tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349
350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351         {
352         size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354         /* If FIPS mode don't include MD5 which is last */
355         if (FIPS_mode())
356                 slen -= 2;
357 #endif
358         if (p)
359                 memcpy(p, tls12_sigalgs, slen);
360         return (int)slen;
361         }
362
363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364         {
365         int extdatalen=0;
366         unsigned char *ret = p;
367
368         /* don't add extensions for SSLv3 unless doing secure renegotiation */
369         if (s->client_version == SSL3_VERSION
370                                         && !s->s3->send_connection_binding)
371                 return p;
372
373         ret+=2;
374
375         if (ret>=limit) return NULL; /* this really never occurs, but ... */
376
377         if (s->tlsext_hostname != NULL)
378                 { 
379                 /* Add TLS extension servername to the Client Hello message */
380                 unsigned long size_str;
381                 long lenmax; 
382
383                 /* check for enough space.
384                    4 for the servername type and entension length
385                    2 for servernamelist length
386                    1 for the hostname type
387                    2 for hostname length
388                    + hostname length 
389                 */
390                    
391                 if ((lenmax = limit - ret - 9) < 0 
392                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
393                         return NULL;
394                         
395                 /* extension type and length */
396                 s2n(TLSEXT_TYPE_server_name,ret); 
397                 s2n(size_str+5,ret);
398                 
399                 /* length of servername list */
400                 s2n(size_str+3,ret);
401         
402                 /* hostname type, length and hostname */
403                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404                 s2n(size_str,ret);
405                 memcpy(ret, s->tlsext_hostname, size_str);
406                 ret+=size_str;
407                 }
408
409         /* Add RI if renegotiating */
410         if (s->renegotiate)
411           {
412           int el;
413           
414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415               {
416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417               return NULL;
418               }
419
420           if((limit - p - 4 - el) < 0) return NULL;
421           
422           s2n(TLSEXT_TYPE_renegotiate,ret);
423           s2n(el,ret);
424
425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426               {
427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428               return NULL;
429               }
430
431           ret += el;
432         }
433
434 #ifndef OPENSSL_NO_SRP
435 #define MIN(x,y) (((x)<(y))?(x):(y))
436         /* we add SRP username the first time only if we have one! */
437         if (s->srp_ctx.login != NULL)
438                 {/* Add TLS extension SRP username to the Client Hello message */
439                 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
440                 long lenmax; 
441
442                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
443                 if (login_len > lenmax) return NULL;
444                 if (login_len > 255)
445                         {
446                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
447                         return NULL;
448                         }
449                 s2n(TLSEXT_TYPE_srp,ret);
450                 s2n(login_len+1,ret);
451
452                 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
453                 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
454                 ret+=login_len;
455                 }
456 #endif
457
458 #ifndef OPENSSL_NO_EC
459         if (s->tlsext_ecpointformatlist != NULL &&
460             s->version != DTLS1_VERSION)
461                 {
462                 /* Add TLS extension ECPointFormats to the ClientHello message */
463                 long lenmax; 
464
465                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
466                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
467                 if (s->tlsext_ecpointformatlist_length > 255)
468                         {
469                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
470                         return NULL;
471                         }
472                 
473                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
474                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
475                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
476                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
477                 ret+=s->tlsext_ecpointformatlist_length;
478                 }
479         if (s->tlsext_ellipticcurvelist != NULL &&
480             s->version != DTLS1_VERSION)
481                 {
482                 /* Add TLS extension EllipticCurves to the ClientHello message */
483                 long lenmax; 
484
485                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
486                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
487                 if (s->tlsext_ellipticcurvelist_length > 65532)
488                         {
489                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
490                         return NULL;
491                         }
492                 
493                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
494                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
495
496                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
497                  * elliptic_curve_list, but the examples use two bytes.
498                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
499                  * resolves this to two bytes.
500                  */
501                 s2n(s->tlsext_ellipticcurvelist_length, ret);
502                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
503                 ret+=s->tlsext_ellipticcurvelist_length;
504                 }
505 #endif /* OPENSSL_NO_EC */
506
507         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
508                 {
509                 int ticklen;
510                 if (!s->new_session && s->session && s->session->tlsext_tick)
511                         ticklen = s->session->tlsext_ticklen;
512                 else if (s->session && s->tlsext_session_ticket &&
513                          s->tlsext_session_ticket->data)
514                         {
515                         ticklen = s->tlsext_session_ticket->length;
516                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
517                         if (!s->session->tlsext_tick)
518                                 return NULL;
519                         memcpy(s->session->tlsext_tick,
520                                s->tlsext_session_ticket->data,
521                                ticklen);
522                         s->session->tlsext_ticklen = ticklen;
523                         }
524                 else
525                         ticklen = 0;
526                 if (ticklen == 0 && s->tlsext_session_ticket &&
527                     s->tlsext_session_ticket->data == NULL)
528                         goto skip_ext;
529                 /* Check for enough room 2 for extension type, 2 for len
530                  * rest for ticket
531                  */
532                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
533                 s2n(TLSEXT_TYPE_session_ticket,ret); 
534                 s2n(ticklen,ret);
535                 if (ticklen)
536                         {
537                         memcpy(ret, s->session->tlsext_tick, ticklen);
538                         ret += ticklen;
539                         }
540                 }
541                 skip_ext:
542
543         if (TLS1_get_version(s) >= TLS1_2_VERSION)
544                 {
545                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
546                         return NULL; 
547                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
548                 s2n(sizeof(tls12_sigalgs) + 2, ret);
549                 s2n(sizeof(tls12_sigalgs), ret);
550                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
551                 ret += sizeof(tls12_sigalgs);
552                 }
553
554 #ifdef TLSEXT_TYPE_opaque_prf_input
555         if (s->s3->client_opaque_prf_input != NULL &&
556             s->version != DTLS1_VERSION)
557                 {
558                 size_t col = s->s3->client_opaque_prf_input_len;
559                 
560                 if ((long)(limit - ret - 6 - col < 0))
561                         return NULL;
562                 if (col > 0xFFFD) /* can't happen */
563                         return NULL;
564
565                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
566                 s2n(col + 2, ret);
567                 s2n(col, ret);
568                 memcpy(ret, s->s3->client_opaque_prf_input, col);
569                 ret += col;
570                 }
571 #endif
572
573         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
574             s->version != DTLS1_VERSION)
575                 {
576                 int i;
577                 long extlen, idlen, itmp;
578                 OCSP_RESPID *id;
579
580                 idlen = 0;
581                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
582                         {
583                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
584                         itmp = i2d_OCSP_RESPID(id, NULL);
585                         if (itmp <= 0)
586                                 return NULL;
587                         idlen += itmp + 2;
588                         }
589
590                 if (s->tlsext_ocsp_exts)
591                         {
592                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
593                         if (extlen < 0)
594                                 return NULL;
595                         }
596                 else
597                         extlen = 0;
598                         
599                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
600                 s2n(TLSEXT_TYPE_status_request, ret);
601                 if (extlen + idlen > 0xFFF0)
602                         return NULL;
603                 s2n(extlen + idlen + 5, ret);
604                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
605                 s2n(idlen, ret);
606                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
607                         {
608                         /* save position of id len */
609                         unsigned char *q = ret;
610                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
611                         /* skip over id len */
612                         ret += 2;
613                         itmp = i2d_OCSP_RESPID(id, &ret);
614                         /* write id len */
615                         s2n(itmp, q);
616                         }
617                 s2n(extlen, ret);
618                 if (extlen > 0)
619                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
620                 }
621
622 #ifndef OPENSSL_NO_HEARTBEATS
623         /* Add Heartbeat extension */
624         s2n(TLSEXT_TYPE_heartbeat,ret);
625         s2n(1,ret);
626         /* Set mode:
627          * 1: peer may send requests
628          * 2: peer not allowed to send requests
629          */
630         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
631                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
632         else
633                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
634 #endif
635
636 #ifndef OPENSSL_NO_NEXTPROTONEG
637         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
638                 {
639                 /* The client advertises an emtpy extension to indicate its
640                  * support for Next Protocol Negotiation */
641                 if (limit - ret - 4 < 0)
642                         return NULL;
643                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
644                 s2n(0,ret);
645                 }
646 #endif
647
648         if(SSL_get_srtp_profiles(s))
649                 {
650                 int el;
651
652                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
653                 
654                 if((limit - p - 4 - el) < 0) return NULL;
655
656                 s2n(TLSEXT_TYPE_use_srtp,ret);
657                 s2n(el,ret);
658
659                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
660                         {
661                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
662                         return NULL;
663                         }
664                 ret += el;
665                 }
666
667         if ((extdatalen = ret-p-2)== 0) 
668                 return p;
669
670         s2n(extdatalen,p);
671         return ret;
672         }
673
674 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
675         {
676         int extdatalen=0;
677         unsigned char *ret = p;
678 #ifndef OPENSSL_NO_NEXTPROTONEG
679         int next_proto_neg_seen;
680 #endif
681
682         /* don't add extensions for SSLv3, unless doing secure renegotiation */
683         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
684                 return p;
685         
686         ret+=2;
687         if (ret>=limit) return NULL; /* this really never occurs, but ... */
688
689         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
690                 { 
691                 if ((long)(limit - ret - 4) < 0) return NULL; 
692
693                 s2n(TLSEXT_TYPE_server_name,ret);
694                 s2n(0,ret);
695                 }
696
697         if(s->s3->send_connection_binding)
698         {
699           int el;
700           
701           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
702               {
703               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
704               return NULL;
705               }
706
707           if((limit - p - 4 - el) < 0) return NULL;
708           
709           s2n(TLSEXT_TYPE_renegotiate,ret);
710           s2n(el,ret);
711
712           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
713               {
714               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
715               return NULL;
716               }
717
718           ret += el;
719         }
720
721 #ifndef OPENSSL_NO_EC
722         if (s->tlsext_ecpointformatlist != NULL &&
723             s->version != DTLS1_VERSION)
724                 {
725                 /* Add TLS extension ECPointFormats to the ServerHello message */
726                 long lenmax; 
727
728                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
729                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
730                 if (s->tlsext_ecpointformatlist_length > 255)
731                         {
732                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733                         return NULL;
734                         }
735                 
736                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
737                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
738                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
739                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
740                 ret+=s->tlsext_ecpointformatlist_length;
741
742                 }
743         /* Currently the server should not respond with a SupportedCurves extension */
744 #endif /* OPENSSL_NO_EC */
745
746         if (s->tlsext_ticket_expected
747                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
748                 { 
749                 if ((long)(limit - ret - 4) < 0) return NULL; 
750                 s2n(TLSEXT_TYPE_session_ticket,ret);
751                 s2n(0,ret);
752                 }
753
754         if (s->tlsext_status_expected)
755                 { 
756                 if ((long)(limit - ret - 4) < 0) return NULL; 
757                 s2n(TLSEXT_TYPE_status_request,ret);
758                 s2n(0,ret);
759                 }
760
761 #ifdef TLSEXT_TYPE_opaque_prf_input
762         if (s->s3->server_opaque_prf_input != NULL &&
763             s->version != DTLS1_VERSION)
764                 {
765                 size_t sol = s->s3->server_opaque_prf_input_len;
766                 
767                 if ((long)(limit - ret - 6 - sol) < 0)
768                         return NULL;
769                 if (sol > 0xFFFD) /* can't happen */
770                         return NULL;
771
772                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
773                 s2n(sol + 2, ret);
774                 s2n(sol, ret);
775                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
776                 ret += sol;
777                 }
778 #endif
779
780         if(s->srtp_profile)
781                 {
782                 int el;
783
784                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
785                 
786                 if((limit - p - 4 - el) < 0) return NULL;
787
788                 s2n(TLSEXT_TYPE_use_srtp,ret);
789                 s2n(el,ret);
790
791                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
792                         {
793                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
794                         return NULL;
795                         }
796                 ret+=el;
797                 }
798
799         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
800                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
801                 { const unsigned char cryptopro_ext[36] = {
802                         0xfd, 0xe8, /*65000*/
803                         0x00, 0x20, /*32 bytes length*/
804                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
805                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
806                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
807                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
808                         if (limit-ret<36) return NULL;
809                         memcpy(ret,cryptopro_ext,36);
810                         ret+=36;
811
812                 }
813
814 #ifndef OPENSSL_NO_HEARTBEATS
815         /* Add Heartbeat extension if we've received one */
816         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
817                 {
818                 s2n(TLSEXT_TYPE_heartbeat,ret);
819                 s2n(1,ret);
820                 /* Set mode:
821                  * 1: peer may send requests
822                  * 2: peer not allowed to send requests
823                  */
824                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
825                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
826                 else
827                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
828
829                 }
830 #endif
831
832 #ifndef OPENSSL_NO_NEXTPROTONEG
833         next_proto_neg_seen = s->s3->next_proto_neg_seen;
834         s->s3->next_proto_neg_seen = 0;
835         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
836                 {
837                 const unsigned char *npa;
838                 unsigned int npalen;
839                 int r;
840
841                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
842                 if (r == SSL_TLSEXT_ERR_OK)
843                         {
844                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
845                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
846                         s2n(npalen,ret);
847                         memcpy(ret, npa, npalen);
848                         ret += npalen;
849                         s->s3->next_proto_neg_seen = 1;
850                         }
851                 }
852 #endif
853
854         if ((extdatalen = ret-p-2)== 0) 
855                 return p;
856
857         s2n(extdatalen,p);
858         return ret;
859         }
860
861 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
862         {
863         unsigned short type;
864         unsigned short size;
865         unsigned short len;
866         unsigned char *data = *p;
867         int renegotiate_seen = 0;
868         int sigalg_seen = 0;
869
870         s->servername_done = 0;
871         s->tlsext_status_type = -1;
872 #ifndef OPENSSL_NO_NEXTPROTONEG
873         s->s3->next_proto_neg_seen = 0;
874 #endif
875
876 #ifndef OPENSSL_NO_HEARTBEATS
877         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
878                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
879 #endif
880
881         if (data >= (d+n-2))
882                 goto ri_check;
883         n2s(data,len);
884
885         if (data > (d+n-len)) 
886                 goto ri_check;
887
888         while (data <= (d+n-4))
889                 {
890                 n2s(data,type);
891                 n2s(data,size);
892
893                 if (data+size > (d+n))
894                         goto ri_check;
895 #if 0
896                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
897 #endif
898                 if (s->tlsext_debug_cb)
899                         s->tlsext_debug_cb(s, 0, type, data, size,
900                                                 s->tlsext_debug_arg);
901 /* The servername extension is treated as follows:
902
903    - Only the hostname type is supported with a maximum length of 255.
904    - The servername is rejected if too long or if it contains zeros,
905      in which case an fatal alert is generated.
906    - The servername field is maintained together with the session cache.
907    - When a session is resumed, the servername call back invoked in order
908      to allow the application to position itself to the right context. 
909    - The servername is acknowledged if it is new for a session or when 
910      it is identical to a previously used for the same session. 
911      Applications can control the behaviour.  They can at any time
912      set a 'desirable' servername for a new SSL object. This can be the
913      case for example with HTTPS when a Host: header field is received and
914      a renegotiation is requested. In this case, a possible servername
915      presented in the new client hello is only acknowledged if it matches
916      the value of the Host: field. 
917    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
918      if they provide for changing an explicit servername context for the session,
919      i.e. when the session has been established with a servername extension. 
920    - On session reconnect, the servername extension may be absent. 
921
922 */      
923
924                 if (type == TLSEXT_TYPE_server_name)
925                         {
926                         unsigned char *sdata;
927                         int servname_type;
928                         int dsize; 
929                 
930                         if (size < 2) 
931                                 {
932                                 *al = SSL_AD_DECODE_ERROR;
933                                 return 0;
934                                 }
935                         n2s(data,dsize);  
936                         size -= 2;
937                         if (dsize > size  ) 
938                                 {
939                                 *al = SSL_AD_DECODE_ERROR;
940                                 return 0;
941                                 } 
942
943                         sdata = data;
944                         while (dsize > 3) 
945                                 {
946                                 servname_type = *(sdata++); 
947                                 n2s(sdata,len);
948                                 dsize -= 3;
949
950                                 if (len > dsize) 
951                                         {
952                                         *al = SSL_AD_DECODE_ERROR;
953                                         return 0;
954                                         }
955                                 if (s->servername_done == 0)
956                                 switch (servname_type)
957                                         {
958                                 case TLSEXT_NAMETYPE_host_name:
959                                         if (!s->hit)
960                                                 {
961                                                 if(s->session->tlsext_hostname)
962                                                         {
963                                                         *al = SSL_AD_DECODE_ERROR;
964                                                         return 0;
965                                                         }
966                                                 if (len > TLSEXT_MAXLEN_host_name)
967                                                         {
968                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
969                                                         return 0;
970                                                         }
971                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
972                                                         {
973                                                         *al = TLS1_AD_INTERNAL_ERROR;
974                                                         return 0;
975                                                         }
976                                                 memcpy(s->session->tlsext_hostname, sdata, len);
977                                                 s->session->tlsext_hostname[len]='\0';
978                                                 if (strlen(s->session->tlsext_hostname) != len) {
979                                                         OPENSSL_free(s->session->tlsext_hostname);
980                                                         s->session->tlsext_hostname = NULL;
981                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
982                                                         return 0;
983                                                 }
984                                                 s->servername_done = 1; 
985
986                                                 }
987                                         else 
988                                                 s->servername_done = s->session->tlsext_hostname
989                                                         && strlen(s->session->tlsext_hostname) == len 
990                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
991                                         
992                                         break;
993
994                                 default:
995                                         break;
996                                         }
997                                  
998                                 dsize -= len;
999                                 }
1000                         if (dsize != 0) 
1001                                 {
1002                                 *al = SSL_AD_DECODE_ERROR;
1003                                 return 0;
1004                                 }
1005
1006                         }
1007 #ifndef OPENSSL_NO_SRP
1008                 else if (type == TLSEXT_TYPE_srp)
1009                         {
1010                         if (size > 0)
1011                                 {
1012                                 len = data[0];
1013                                 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1014                                         return -1;
1015                                 memcpy(s->srp_ctx.login, &data[1], len);
1016                                 s->srp_ctx.login[len]='\0';  
1017                                 }
1018                         }
1019 #endif
1020
1021 #ifndef OPENSSL_NO_EC
1022                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1023                      s->version != DTLS1_VERSION)
1024                         {
1025                         unsigned char *sdata = data;
1026                         int ecpointformatlist_length = *(sdata++);
1027
1028                         if (ecpointformatlist_length != size - 1)
1029                                 {
1030                                 *al = TLS1_AD_DECODE_ERROR;
1031                                 return 0;
1032                                 }
1033                         if (!s->hit)
1034                                 {
1035                                 if(s->session->tlsext_ecpointformatlist)
1036                                         {
1037                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1038                                         s->session->tlsext_ecpointformatlist = NULL;
1039                                         }
1040                                 s->session->tlsext_ecpointformatlist_length = 0;
1041                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1042                                         {
1043                                         *al = TLS1_AD_INTERNAL_ERROR;
1044                                         return 0;
1045                                         }
1046                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1047                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1048                                 }
1049 #if 0
1050                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1051                         sdata = s->session->tlsext_ecpointformatlist;
1052                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1053                                 fprintf(stderr,"%i ",*(sdata++));
1054                         fprintf(stderr,"\n");
1055 #endif
1056                         }
1057                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1058                      s->version != DTLS1_VERSION)
1059                         {
1060                         unsigned char *sdata = data;
1061                         int ellipticcurvelist_length = (*(sdata++) << 8);
1062                         ellipticcurvelist_length += (*(sdata++));
1063
1064                         if (ellipticcurvelist_length != size - 2)
1065                                 {
1066                                 *al = TLS1_AD_DECODE_ERROR;
1067                                 return 0;
1068                                 }
1069                         if (!s->hit)
1070                                 {
1071                                 if(s->session->tlsext_ellipticcurvelist)
1072                                         {
1073                                         *al = TLS1_AD_DECODE_ERROR;
1074                                         return 0;
1075                                         }
1076                                 s->session->tlsext_ellipticcurvelist_length = 0;
1077                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1078                                         {
1079                                         *al = TLS1_AD_INTERNAL_ERROR;
1080                                         return 0;
1081                                         }
1082                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1083                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1084                                 }
1085 #if 0
1086                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1087                         sdata = s->session->tlsext_ellipticcurvelist;
1088                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1089                                 fprintf(stderr,"%i ",*(sdata++));
1090                         fprintf(stderr,"\n");
1091 #endif
1092                         }
1093 #endif /* OPENSSL_NO_EC */
1094 #ifdef TLSEXT_TYPE_opaque_prf_input
1095                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1096                      s->version != DTLS1_VERSION)
1097                         {
1098                         unsigned char *sdata = data;
1099
1100                         if (size < 2)
1101                                 {
1102                                 *al = SSL_AD_DECODE_ERROR;
1103                                 return 0;
1104                                 }
1105                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1106                         if (s->s3->client_opaque_prf_input_len != size - 2)
1107                                 {
1108                                 *al = SSL_AD_DECODE_ERROR;
1109                                 return 0;
1110                                 }
1111
1112                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1113                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1114                         if (s->s3->client_opaque_prf_input_len == 0)
1115                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1116                         else
1117                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1118                         if (s->s3->client_opaque_prf_input == NULL)
1119                                 {
1120                                 *al = TLS1_AD_INTERNAL_ERROR;
1121                                 return 0;
1122                                 }
1123                         }
1124 #endif
1125                 else if (type == TLSEXT_TYPE_session_ticket)
1126                         {
1127                         if (s->tls_session_ticket_ext_cb &&
1128                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1129                                 {
1130                                 *al = TLS1_AD_INTERNAL_ERROR;
1131                                 return 0;
1132                                 }
1133                         }
1134                 else if (type == TLSEXT_TYPE_renegotiate)
1135                         {
1136                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1137                                 return 0;
1138                         renegotiate_seen = 1;
1139                         }
1140                 else if (type == TLSEXT_TYPE_signature_algorithms)
1141                         {
1142                         int dsize;
1143                         if (sigalg_seen || size < 2) 
1144                                 {
1145                                 *al = SSL_AD_DECODE_ERROR;
1146                                 return 0;
1147                                 }
1148                         sigalg_seen = 1;
1149                         n2s(data,dsize);
1150                         size -= 2;
1151                         if (dsize != size || dsize & 1) 
1152                                 {
1153                                 *al = SSL_AD_DECODE_ERROR;
1154                                 return 0;
1155                                 }
1156                         if (!tls1_process_sigalgs(s, data, dsize))
1157                                 {
1158                                 *al = SSL_AD_DECODE_ERROR;
1159                                 return 0;
1160                                 }
1161                         }
1162                 else if (type == TLSEXT_TYPE_status_request &&
1163                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1164                         {
1165                 
1166                         if (size < 5) 
1167                                 {
1168                                 *al = SSL_AD_DECODE_ERROR;
1169                                 return 0;
1170                                 }
1171
1172                         s->tlsext_status_type = *data++;
1173                         size--;
1174                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1175                                 {
1176                                 const unsigned char *sdata;
1177                                 int dsize;
1178                                 /* Read in responder_id_list */
1179                                 n2s(data,dsize);
1180                                 size -= 2;
1181                                 if (dsize > size  ) 
1182                                         {
1183                                         *al = SSL_AD_DECODE_ERROR;
1184                                         return 0;
1185                                         }
1186                                 while (dsize > 0)
1187                                         {
1188                                         OCSP_RESPID *id;
1189                                         int idsize;
1190                                         if (dsize < 4)
1191                                                 {
1192                                                 *al = SSL_AD_DECODE_ERROR;
1193                                                 return 0;
1194                                                 }
1195                                         n2s(data, idsize);
1196                                         dsize -= 2 + idsize;
1197                                         size -= 2 + idsize;
1198                                         if (dsize < 0)
1199                                                 {
1200                                                 *al = SSL_AD_DECODE_ERROR;
1201                                                 return 0;
1202                                                 }
1203                                         sdata = data;
1204                                         data += idsize;
1205                                         id = d2i_OCSP_RESPID(NULL,
1206                                                                 &sdata, idsize);
1207                                         if (!id)
1208                                                 {
1209                                                 *al = SSL_AD_DECODE_ERROR;
1210                                                 return 0;
1211                                                 }
1212                                         if (data != sdata)
1213                                                 {
1214                                                 OCSP_RESPID_free(id);
1215                                                 *al = SSL_AD_DECODE_ERROR;
1216                                                 return 0;
1217                                                 }
1218                                         if (!s->tlsext_ocsp_ids
1219                                                 && !(s->tlsext_ocsp_ids =
1220                                                 sk_OCSP_RESPID_new_null()))
1221                                                 {
1222                                                 OCSP_RESPID_free(id);
1223                                                 *al = SSL_AD_INTERNAL_ERROR;
1224                                                 return 0;
1225                                                 }
1226                                         if (!sk_OCSP_RESPID_push(
1227                                                         s->tlsext_ocsp_ids, id))
1228                                                 {
1229                                                 OCSP_RESPID_free(id);
1230                                                 *al = SSL_AD_INTERNAL_ERROR;
1231                                                 return 0;
1232                                                 }
1233                                         }
1234
1235                                 /* Read in request_extensions */
1236                                 if (size < 2)
1237                                         {
1238                                         *al = SSL_AD_DECODE_ERROR;
1239                                         return 0;
1240                                         }
1241                                 n2s(data,dsize);
1242                                 size -= 2;
1243                                 if (dsize != size)
1244                                         {
1245                                         *al = SSL_AD_DECODE_ERROR;
1246                                         return 0;
1247                                         }
1248                                 sdata = data;
1249                                 if (dsize > 0)
1250                                         {
1251                                         if (s->tlsext_ocsp_exts)
1252                                                 {
1253                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1254                                                                            X509_EXTENSION_free);
1255                                                 }
1256
1257                                         s->tlsext_ocsp_exts =
1258                                                 d2i_X509_EXTENSIONS(NULL,
1259                                                         &sdata, dsize);
1260                                         if (!s->tlsext_ocsp_exts
1261                                                 || (data + dsize != sdata))
1262                                                 {
1263                                                 *al = SSL_AD_DECODE_ERROR;
1264                                                 return 0;
1265                                                 }
1266                                         }
1267                                 }
1268                                 /* We don't know what to do with any other type
1269                                 * so ignore it.
1270                                 */
1271                                 else
1272                                         s->tlsext_status_type = -1;
1273                         }
1274 #ifndef OPENSSL_NO_HEARTBEATS
1275                 else if (type == TLSEXT_TYPE_heartbeat)
1276                         {
1277                         switch(data[0])
1278                                 {
1279                                 case 0x01:      /* Client allows us to send HB requests */
1280                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1281                                                         break;
1282                                 case 0x02:      /* Client doesn't accept HB requests */
1283                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1284                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1285                                                         break;
1286                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1287                                                         return 0;
1288                                 }
1289                         }
1290 #endif
1291 #ifndef OPENSSL_NO_NEXTPROTONEG
1292                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1293                          s->s3->tmp.finish_md_len == 0)
1294                         {
1295                         /* We shouldn't accept this extension on a
1296                          * renegotiation.
1297                          *
1298                          * s->new_session will be set on renegotiation, but we
1299                          * probably shouldn't rely that it couldn't be set on
1300                          * the initial renegotation too in certain cases (when
1301                          * there's some other reason to disallow resuming an
1302                          * earlier session -- the current code won't be doing
1303                          * anything like that, but this might change).
1304
1305                          * A valid sign that there's been a previous handshake
1306                          * in this connection is if s->s3->tmp.finish_md_len >
1307                          * 0.  (We are talking about a check that will happen
1308                          * in the Hello protocol round, well before a new
1309                          * Finished message could have been computed.) */
1310                         s->s3->next_proto_neg_seen = 1;
1311                         }
1312 #endif
1313
1314                 /* session ticket processed earlier */
1315                 else if (type == TLSEXT_TYPE_use_srtp)
1316                         {
1317                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1318                                                               al))
1319                                 return 0;
1320                         }
1321
1322                 data+=size;
1323                 }
1324                                 
1325         *p = data;
1326
1327         ri_check:
1328
1329         /* Need RI if renegotiating */
1330
1331         if (!renegotiate_seen && s->renegotiate &&
1332                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1333                 {
1334                 *al = SSL_AD_HANDSHAKE_FAILURE;
1335                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1336                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1337                 return 0;
1338                 }
1339
1340         return 1;
1341         }
1342
1343 #ifndef OPENSSL_NO_NEXTPROTONEG
1344 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1345  * elements of zero length are allowed and the set of elements must exactly fill
1346  * the length of the block. */
1347 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1348         {
1349         unsigned int off = 0;
1350
1351         while (off < len)
1352                 {
1353                 if (d[off] == 0)
1354                         return 0;
1355                 off += d[off];
1356                 off++;
1357                 }
1358
1359         return off == len;
1360         }
1361 #endif
1362
1363 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1364         {
1365         unsigned short length;
1366         unsigned short type;
1367         unsigned short size;
1368         unsigned char *data = *p;
1369         int tlsext_servername = 0;
1370         int renegotiate_seen = 0;
1371
1372 #ifndef OPENSSL_NO_NEXTPROTONEG
1373         s->s3->next_proto_neg_seen = 0;
1374 #endif
1375
1376 #ifndef OPENSSL_NO_HEARTBEATS
1377         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1378                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1379 #endif
1380
1381         if (data >= (d+n-2))
1382                 goto ri_check;
1383
1384         n2s(data,length);
1385         if (data+length != d+n)
1386                 {
1387                 *al = SSL_AD_DECODE_ERROR;
1388                 return 0;
1389                 }
1390
1391         while(data <= (d+n-4))
1392                 {
1393                 n2s(data,type);
1394                 n2s(data,size);
1395
1396                 if (data+size > (d+n))
1397                         goto ri_check;
1398
1399                 if (s->tlsext_debug_cb)
1400                         s->tlsext_debug_cb(s, 1, type, data, size,
1401                                                 s->tlsext_debug_arg);
1402
1403                 if (type == TLSEXT_TYPE_server_name)
1404                         {
1405                         if (s->tlsext_hostname == NULL || size > 0)
1406                                 {
1407                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1408                                 return 0;
1409                                 }
1410                         tlsext_servername = 1;   
1411                         }
1412
1413 #ifndef OPENSSL_NO_EC
1414                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1415                      s->version != DTLS1_VERSION)
1416                         {
1417                         unsigned char *sdata = data;
1418                         int ecpointformatlist_length = *(sdata++);
1419
1420                         if (ecpointformatlist_length != size - 1)
1421                                 {
1422                                 *al = TLS1_AD_DECODE_ERROR;
1423                                 return 0;
1424                                 }
1425                         s->session->tlsext_ecpointformatlist_length = 0;
1426                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1427                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1428                                 {
1429                                 *al = TLS1_AD_INTERNAL_ERROR;
1430                                 return 0;
1431                                 }
1432                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1433                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1434 #if 0
1435                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1436                         sdata = s->session->tlsext_ecpointformatlist;
1437                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1438                                 fprintf(stderr,"%i ",*(sdata++));
1439                         fprintf(stderr,"\n");
1440 #endif
1441                         }
1442 #endif /* OPENSSL_NO_EC */
1443
1444                 else if (type == TLSEXT_TYPE_session_ticket)
1445                         {
1446                         if (s->tls_session_ticket_ext_cb &&
1447                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1448                                 {
1449                                 *al = TLS1_AD_INTERNAL_ERROR;
1450                                 return 0;
1451                                 }
1452                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1453                                 || (size > 0))
1454                                 {
1455                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1456                                 return 0;
1457                                 }
1458                         s->tlsext_ticket_expected = 1;
1459                         }
1460 #ifdef TLSEXT_TYPE_opaque_prf_input
1461                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1462                      s->version != DTLS1_VERSION)
1463                         {
1464                         unsigned char *sdata = data;
1465
1466                         if (size < 2)
1467                                 {
1468                                 *al = SSL_AD_DECODE_ERROR;
1469                                 return 0;
1470                                 }
1471                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1472                         if (s->s3->server_opaque_prf_input_len != size - 2)
1473                                 {
1474                                 *al = SSL_AD_DECODE_ERROR;
1475                                 return 0;
1476                                 }
1477                         
1478                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1479                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1480                         if (s->s3->server_opaque_prf_input_len == 0)
1481                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1482                         else
1483                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1484
1485                         if (s->s3->server_opaque_prf_input == NULL)
1486                                 {
1487                                 *al = TLS1_AD_INTERNAL_ERROR;
1488                                 return 0;
1489                                 }
1490                         }
1491 #endif
1492                 else if (type == TLSEXT_TYPE_status_request &&
1493                          s->version != DTLS1_VERSION)
1494                         {
1495                         /* MUST be empty and only sent if we've requested
1496                          * a status request message.
1497                          */ 
1498                         if ((s->tlsext_status_type == -1) || (size > 0))
1499                                 {
1500                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1501                                 return 0;
1502                                 }
1503                         /* Set flag to expect CertificateStatus message */
1504                         s->tlsext_status_expected = 1;
1505                         }
1506 #ifndef OPENSSL_NO_NEXTPROTONEG
1507                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1508                          s->s3->tmp.finish_md_len == 0)
1509                         {
1510                         unsigned char *selected;
1511                         unsigned char selected_len;
1512
1513                         /* We must have requested it. */
1514                         if ((s->ctx->next_proto_select_cb == NULL))
1515                                 {
1516                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1517                                 return 0;
1518                                 }
1519                         /* The data must be valid */
1520                         if (!ssl_next_proto_validate(data, size))
1521                                 {
1522                                 *al = TLS1_AD_DECODE_ERROR;
1523                                 return 0;
1524                                 }
1525                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1526                                 {
1527                                 *al = TLS1_AD_INTERNAL_ERROR;
1528                                 return 0;
1529                                 }
1530                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1531                         if (!s->next_proto_negotiated)
1532                                 {
1533                                 *al = TLS1_AD_INTERNAL_ERROR;
1534                                 return 0;
1535                                 }
1536                         memcpy(s->next_proto_negotiated, selected, selected_len);
1537                         s->next_proto_negotiated_len = selected_len;
1538                         s->s3->next_proto_neg_seen = 1;
1539                         }
1540 #endif
1541                 else if (type == TLSEXT_TYPE_renegotiate)
1542                         {
1543                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1544                                 return 0;
1545                         renegotiate_seen = 1;
1546                         }
1547 #ifndef OPENSSL_NO_HEARTBEATS
1548                 else if (type == TLSEXT_TYPE_heartbeat)
1549                         {
1550                         switch(data[0])
1551                                 {
1552                                 case 0x01:      /* Server allows us to send HB requests */
1553                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1554                                                         break;
1555                                 case 0x02:      /* Server doesn't accept HB requests */
1556                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1557                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1558                                                         break;
1559                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1560                                                         return 0;
1561                                 }
1562                         }
1563 #endif
1564                 else if (type == TLSEXT_TYPE_use_srtp)
1565                         {
1566                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1567                                                               al))
1568                                 return 0;
1569                         }
1570
1571                 data+=size;             
1572                 }
1573
1574         if (data != d+n)
1575                 {
1576                 *al = SSL_AD_DECODE_ERROR;
1577                 return 0;
1578                 }
1579
1580         if (!s->hit && tlsext_servername == 1)
1581                 {
1582                 if (s->tlsext_hostname)
1583                         {
1584                         if (s->session->tlsext_hostname == NULL)
1585                                 {
1586                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1587                                 if (!s->session->tlsext_hostname)
1588                                         {
1589                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1590                                         return 0;
1591                                         }
1592                                 }
1593                         else 
1594                                 {
1595                                 *al = SSL_AD_DECODE_ERROR;
1596                                 return 0;
1597                                 }
1598                         }
1599                 }
1600
1601         *p = data;
1602
1603         ri_check:
1604
1605         /* Determine if we need to see RI. Strictly speaking if we want to
1606          * avoid an attack we should *always* see RI even on initial server
1607          * hello because the client doesn't see any renegotiation during an
1608          * attack. However this would mean we could not connect to any server
1609          * which doesn't support RI so for the immediate future tolerate RI
1610          * absence on initial connect only.
1611          */
1612         if (!renegotiate_seen
1613                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1614                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1615                 {
1616                 *al = SSL_AD_HANDSHAKE_FAILURE;
1617                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1618                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1619                 return 0;
1620                 }
1621
1622         return 1;
1623         }
1624
1625
1626 int ssl_prepare_clienthello_tlsext(SSL *s)
1627         {
1628 #ifndef OPENSSL_NO_EC
1629         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1630          * and elliptic curves we support.
1631          */
1632         int using_ecc = 0;
1633         int i;
1634         unsigned char *j;
1635         unsigned long alg_k, alg_a;
1636         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1637
1638         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1639                 {
1640                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1641
1642                 alg_k = c->algorithm_mkey;
1643                 alg_a = c->algorithm_auth;
1644                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1645                         {
1646                         using_ecc = 1;
1647                         break;
1648                         }
1649                 }
1650         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1651         if (using_ecc)
1652                 {
1653                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1654                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1655                         {
1656                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1657                         return -1;
1658                         }
1659                 s->tlsext_ecpointformatlist_length = 3;
1660                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1661                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1662                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1663
1664                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1665                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1666                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1667                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1668                         {
1669                         s->tlsext_ellipticcurvelist_length = 0;
1670                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1671                         return -1;
1672                         }
1673                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1674                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1675                         {
1676                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1677                         s2n(id,j);
1678                         }
1679                 }
1680 #endif /* OPENSSL_NO_EC */
1681
1682 #ifdef TLSEXT_TYPE_opaque_prf_input
1683         {
1684                 int r = 1;
1685         
1686                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1687                         {
1688                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1689                         if (!r)
1690                                 return -1;
1691                         }
1692
1693                 if (s->tlsext_opaque_prf_input != NULL)
1694                         {
1695                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1696                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1697
1698                         if (s->tlsext_opaque_prf_input_len == 0)
1699                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1700                         else
1701                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1702                         if (s->s3->client_opaque_prf_input == NULL)
1703                                 {
1704                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1705                                 return -1;
1706                                 }
1707                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1708                         }
1709
1710                 if (r == 2)
1711                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1712                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1713         }
1714 #endif
1715
1716         return 1;
1717         }
1718
1719 int ssl_prepare_serverhello_tlsext(SSL *s)
1720         {
1721 #ifndef OPENSSL_NO_EC
1722         /* If we are server and using an ECC cipher suite, send the point formats we support 
1723          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1724          * supposed to send an EllipticCurves extension.
1725          */
1726
1727         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1728         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1729         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1730         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1731         
1732         if (using_ecc)
1733                 {
1734                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1735                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1736                         {
1737                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1738                         return -1;
1739                         }
1740                 s->tlsext_ecpointformatlist_length = 3;
1741                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1742                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1743                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1744                 }
1745 #endif /* OPENSSL_NO_EC */
1746
1747         return 1;
1748         }
1749
1750 int ssl_check_clienthello_tlsext(SSL *s)
1751         {
1752         int ret=SSL_TLSEXT_ERR_NOACK;
1753         int al = SSL_AD_UNRECOGNIZED_NAME;
1754
1755 #ifndef OPENSSL_NO_EC
1756         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1757          * ssl3_choose_cipher in s3_lib.c.
1758          */
1759         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1760          * ssl3_choose_cipher in s3_lib.c.
1761          */
1762 #endif
1763
1764         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1765                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1766         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1767                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1768
1769         /* If status request then ask callback what to do.
1770          * Note: this must be called after servername callbacks in case 
1771          * the certificate has changed.
1772          */
1773         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1774                 {
1775                 int r;
1776                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1777                 switch (r)
1778                         {
1779                         /* We don't want to send a status request response */
1780                         case SSL_TLSEXT_ERR_NOACK:
1781                                 s->tlsext_status_expected = 0;
1782                                 break;
1783                         /* status request response should be sent */
1784                         case SSL_TLSEXT_ERR_OK:
1785                                 if (s->tlsext_ocsp_resp)
1786                                         s->tlsext_status_expected = 1;
1787                                 else
1788                                         s->tlsext_status_expected = 0;
1789                                 break;
1790                         /* something bad happened */
1791                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1792                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1793                                 al = SSL_AD_INTERNAL_ERROR;
1794                                 goto err;
1795                         }
1796                 }
1797         else
1798                 s->tlsext_status_expected = 0;
1799
1800 #ifdef TLSEXT_TYPE_opaque_prf_input
1801         {
1802                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1803                  * but we might be sending an alert in response to the client hello,
1804                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1805
1806                 int r = 1;
1807         
1808                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1809                         {
1810                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1811                         if (!r)
1812                                 {
1813                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1814                                 al = SSL_AD_INTERNAL_ERROR;
1815                                 goto err;
1816                                 }
1817                         }
1818
1819                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1820                         OPENSSL_free(s->s3->server_opaque_prf_input);
1821                 s->s3->server_opaque_prf_input = NULL;
1822
1823                 if (s->tlsext_opaque_prf_input != NULL)
1824                         {
1825                         if (s->s3->client_opaque_prf_input != NULL &&
1826                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1827                                 {
1828                                 /* can only use this extension if we have a server opaque PRF input
1829                                  * of the same length as the client opaque PRF input! */
1830
1831                                 if (s->tlsext_opaque_prf_input_len == 0)
1832                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1833                                 else
1834                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1835                                 if (s->s3->server_opaque_prf_input == NULL)
1836                                         {
1837                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1838                                         al = SSL_AD_INTERNAL_ERROR;
1839                                         goto err;
1840                                         }
1841                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1842                                 }
1843                         }
1844
1845                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1846                         {
1847                         /* The callback wants to enforce use of the extension,
1848                          * but we can't do that with the client opaque PRF input;
1849                          * abort the handshake.
1850                          */
1851                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1852                         al = SSL_AD_HANDSHAKE_FAILURE;
1853                         }
1854         }
1855
1856 #endif
1857  err:
1858         switch (ret)
1859                 {
1860                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1861                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1862                         return -1;
1863
1864                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1865                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1866                         return 1; 
1867                                         
1868                 case SSL_TLSEXT_ERR_NOACK:
1869                         s->servername_done=0;
1870                         default:
1871                 return 1;
1872                 }
1873         }
1874
1875 int ssl_check_serverhello_tlsext(SSL *s)
1876         {
1877         int ret=SSL_TLSEXT_ERR_NOACK;
1878         int al = SSL_AD_UNRECOGNIZED_NAME;
1879
1880 #ifndef OPENSSL_NO_EC
1881         /* If we are client and using an elliptic curve cryptography cipher
1882          * suite, then if server returns an EC point formats lists extension
1883          * it must contain uncompressed.
1884          */
1885         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1886         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1887         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1888             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1889             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1890                 {
1891                 /* we are using an ECC cipher */
1892                 size_t i;
1893                 unsigned char *list;
1894                 int found_uncompressed = 0;
1895                 list = s->session->tlsext_ecpointformatlist;
1896                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1897                         {
1898                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1899                                 {
1900                                 found_uncompressed = 1;
1901                                 break;
1902                                 }
1903                         }
1904                 if (!found_uncompressed)
1905                         {
1906                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1907                         return -1;
1908                         }
1909                 }
1910         ret = SSL_TLSEXT_ERR_OK;
1911 #endif /* OPENSSL_NO_EC */
1912
1913         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1914                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1915         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1916                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1917
1918 #ifdef TLSEXT_TYPE_opaque_prf_input
1919         if (s->s3->server_opaque_prf_input_len > 0)
1920                 {
1921                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1922                  * So first verify that we really have a value from the server too. */
1923
1924                 if (s->s3->server_opaque_prf_input == NULL)
1925                         {
1926                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1927                         al = SSL_AD_HANDSHAKE_FAILURE;
1928                         }
1929                 
1930                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1931                  * that we have a client opaque PRF input of the same size. */
1932                 if (s->s3->client_opaque_prf_input == NULL ||
1933                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1934                         {
1935                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1936                         al = SSL_AD_ILLEGAL_PARAMETER;
1937                         }
1938                 }
1939 #endif
1940
1941         /* If we've requested certificate status and we wont get one
1942          * tell the callback
1943          */
1944         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1945                         && s->ctx && s->ctx->tlsext_status_cb)
1946                 {
1947                 int r;
1948                 /* Set resp to NULL, resplen to -1 so callback knows
1949                  * there is no response.
1950                  */
1951                 if (s->tlsext_ocsp_resp)
1952                         {
1953                         OPENSSL_free(s->tlsext_ocsp_resp);
1954                         s->tlsext_ocsp_resp = NULL;
1955                         }
1956                 s->tlsext_ocsp_resplen = -1;
1957                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1958                 if (r == 0)
1959                         {
1960                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1961                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1962                         }
1963                 if (r < 0)
1964                         {
1965                         al = SSL_AD_INTERNAL_ERROR;
1966                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1967                         }
1968                 }
1969
1970         switch (ret)
1971                 {
1972                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1973                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1974                         return -1;
1975
1976                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1977                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1978                         return 1; 
1979                                         
1980                 case SSL_TLSEXT_ERR_NOACK:
1981                         s->servername_done=0;
1982                         default:
1983                 return 1;
1984                 }
1985         }
1986
1987 /* Since the server cache lookup is done early on in the processing of the
1988  * ClientHello, and other operations depend on the result, we need to handle
1989  * any TLS session ticket extension at the same time.
1990  *
1991  *   session_id: points at the session ID in the ClientHello. This code will
1992  *       read past the end of this in order to parse out the session ticket
1993  *       extension, if any.
1994  *   len: the length of the session ID.
1995  *   limit: a pointer to the first byte after the ClientHello.
1996  *   ret: (output) on return, if a ticket was decrypted, then this is set to
1997  *       point to the resulting session.
1998  *
1999  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2000  * ciphersuite, in which case we have no use for session tickets and one will
2001  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2002  *
2003  * Returns:
2004  *   -1: fatal error, either from parsing or decrypting the ticket.
2005  *    0: no ticket was found (or was ignored, based on settings).
2006  *    1: a zero length extension was found, indicating that the client supports
2007  *       session tickets but doesn't currently have one to offer.
2008  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2009  *       couldn't be decrypted because of a non-fatal error.
2010  *    3: a ticket was successfully decrypted and *ret was set.
2011  *
2012  * Side effects:
2013  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2014  *   a new session ticket to the client because the client indicated support
2015  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2016  *   a session ticket or we couldn't use the one it gave us, or if
2017  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2018  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2019  */
2020 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2021                         const unsigned char *limit, SSL_SESSION **ret)
2022         {
2023         /* Point after session ID in client hello */
2024         const unsigned char *p = session_id + len;
2025         unsigned short i;
2026
2027         *ret = NULL;
2028         s->tlsext_ticket_expected = 0;
2029
2030         /* If tickets disabled behave as if no ticket present
2031          * to permit stateful resumption.
2032          */
2033         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2034                 return 0;
2035         if ((s->version <= SSL3_VERSION) || !limit)
2036                 return 0;
2037         if (p >= limit)
2038                 return -1;
2039         /* Skip past DTLS cookie */
2040         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2041                 {
2042                 i = *(p++);
2043                 p+= i;
2044                 if (p >= limit)
2045                         return -1;
2046                 }
2047         /* Skip past cipher list */
2048         n2s(p, i);
2049         p+= i;
2050         if (p >= limit)
2051                 return -1;
2052         /* Skip past compression algorithm list */
2053         i = *(p++);
2054         p += i;
2055         if (p > limit)
2056                 return -1;
2057         /* Now at start of extensions */
2058         if ((p + 2) >= limit)
2059                 return 0;
2060         n2s(p, i);
2061         while ((p + 4) <= limit)
2062                 {
2063                 unsigned short type, size;
2064                 n2s(p, type);
2065                 n2s(p, size);
2066                 if (p + size > limit)
2067                         return 0;
2068                 if (type == TLSEXT_TYPE_session_ticket)
2069                         {
2070                         int r;
2071                         if (size == 0)
2072                                 {
2073                                 /* The client will accept a ticket but doesn't
2074                                  * currently have one. */
2075                                 s->tlsext_ticket_expected = 1;
2076                                 return 1;
2077                                 }
2078                         if (s->tls_session_secret_cb)
2079                                 {
2080                                 /* Indicate that the ticket couldn't be
2081                                  * decrypted rather than generating the session
2082                                  * from ticket now, trigger abbreviated
2083                                  * handshake based on external mechanism to
2084                                  * calculate the master secret later. */
2085                                 return 2;
2086                                 }
2087                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2088                         switch (r)
2089                                 {
2090                                 case 2: /* ticket couldn't be decrypted */
2091                                         s->tlsext_ticket_expected = 1;
2092                                         return 2;
2093                                 case 3: /* ticket was decrypted */
2094                                         return r;
2095                                 case 4: /* ticket decrypted but need to renew */
2096                                         s->tlsext_ticket_expected = 1;
2097                                         return 3;
2098                                 default: /* fatal error */
2099                                         return -1;
2100                                 }
2101                         }
2102                 p += size;
2103                 }
2104         return 0;
2105         }
2106
2107 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2108  *
2109  *   etick: points to the body of the session ticket extension.
2110  *   eticklen: the length of the session tickets extenion.
2111  *   sess_id: points at the session ID.
2112  *   sesslen: the length of the session ID.
2113  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2114  *       point to the resulting session.
2115  *
2116  * Returns:
2117  *   -1: fatal error, either from parsing or decrypting the ticket.
2118  *    2: the ticket couldn't be decrypted.
2119  *    3: a ticket was successfully decrypted and *psess was set.
2120  *    4: same as 3, but the ticket needs to be renewed.
2121  */
2122 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2123                                 const unsigned char *sess_id, int sesslen,
2124                                 SSL_SESSION **psess)
2125         {
2126         SSL_SESSION *sess;
2127         unsigned char *sdec;
2128         const unsigned char *p;
2129         int slen, mlen, renew_ticket = 0;
2130         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2131         HMAC_CTX hctx;
2132         EVP_CIPHER_CTX ctx;
2133         SSL_CTX *tctx = s->initial_ctx;
2134         /* Need at least keyname + iv + some encrypted data */
2135         if (eticklen < 48)
2136                 return 2;
2137         /* Initialize session ticket encryption and HMAC contexts */
2138         HMAC_CTX_init(&hctx);
2139         EVP_CIPHER_CTX_init(&ctx);
2140         if (tctx->tlsext_ticket_key_cb)
2141                 {
2142                 unsigned char *nctick = (unsigned char *)etick;
2143                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2144                                                         &ctx, &hctx, 0);
2145                 if (rv < 0)
2146                         return -1;
2147                 if (rv == 0)
2148                         return 2;
2149                 if (rv == 2)
2150                         renew_ticket = 1;
2151                 }
2152         else
2153                 {
2154                 /* Check key name matches */
2155                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2156                         return 2;
2157                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2158                                         tlsext_tick_md(), NULL);
2159                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2160                                 tctx->tlsext_tick_aes_key, etick + 16);
2161                 }
2162         /* Attempt to process session ticket, first conduct sanity and
2163          * integrity checks on ticket.
2164          */
2165         mlen = HMAC_size(&hctx);
2166         if (mlen < 0)
2167                 {
2168                 EVP_CIPHER_CTX_cleanup(&ctx);
2169                 return -1;
2170                 }
2171         eticklen -= mlen;
2172         /* Check HMAC of encrypted ticket */
2173         HMAC_Update(&hctx, etick, eticklen);
2174         HMAC_Final(&hctx, tick_hmac, NULL);
2175         HMAC_CTX_cleanup(&hctx);
2176         if (memcmp(tick_hmac, etick + eticklen, mlen))
2177                 return 2;
2178         /* Attempt to decrypt session data */
2179         /* Move p after IV to start of encrypted ticket, update length */
2180         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2181         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2182         sdec = OPENSSL_malloc(eticklen);
2183         if (!sdec)
2184                 {
2185                 EVP_CIPHER_CTX_cleanup(&ctx);
2186                 return -1;
2187                 }
2188         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2189         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2190                 return 2;
2191         slen += mlen;
2192         EVP_CIPHER_CTX_cleanup(&ctx);
2193         p = sdec;
2194
2195         sess = d2i_SSL_SESSION(NULL, &p, slen);
2196         OPENSSL_free(sdec);
2197         if (sess)
2198                 {
2199                 /* The session ID, if non-empty, is used by some clients to
2200                  * detect that the ticket has been accepted. So we copy it to
2201                  * the session structure. If it is empty set length to zero
2202                  * as required by standard.
2203                  */
2204                 if (sesslen)
2205                         memcpy(sess->session_id, sess_id, sesslen);
2206                 sess->session_id_length = sesslen;
2207                 *psess = sess;
2208                 if (renew_ticket)
2209                         return 4;
2210                 else
2211                         return 3;
2212                 }
2213         ERR_clear_error();
2214         /* For session parse failure, indicate that we need to send a new
2215          * ticket. */
2216         return 2;
2217         }
2218
2219 /* Tables to translate from NIDs to TLS v1.2 ids */
2220
2221 typedef struct 
2222         {
2223         int nid;
2224         int id;
2225         } tls12_lookup;
2226
2227 static tls12_lookup tls12_md[] = {
2228 #ifndef OPENSSL_NO_MD5
2229         {NID_md5, TLSEXT_hash_md5},
2230 #endif
2231 #ifndef OPENSSL_NO_SHA
2232         {NID_sha1, TLSEXT_hash_sha1},
2233 #endif
2234 #ifndef OPENSSL_NO_SHA256
2235         {NID_sha224, TLSEXT_hash_sha224},
2236         {NID_sha256, TLSEXT_hash_sha256},
2237 #endif
2238 #ifndef OPENSSL_NO_SHA512
2239         {NID_sha384, TLSEXT_hash_sha384},
2240         {NID_sha512, TLSEXT_hash_sha512}
2241 #endif
2242 };
2243
2244 static tls12_lookup tls12_sig[] = {
2245 #ifndef OPENSSL_NO_RSA
2246         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2247 #endif
2248 #ifndef OPENSSL_NO_RSA
2249         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2250 #endif
2251 #ifndef OPENSSL_NO_ECDSA
2252         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2253 #endif
2254 };
2255
2256 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2257         {
2258         size_t i;
2259         for (i = 0; i < tlen; i++)
2260                 {
2261                 if (table[i].nid == nid)
2262                         return table[i].id;
2263                 }
2264         return -1;
2265         }
2266 #if 0
2267 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2268         {
2269         size_t i;
2270         for (i = 0; i < tlen; i++)
2271                 {
2272                 if (table[i].id == id)
2273                         return table[i].nid;
2274                 }
2275         return -1;
2276         }
2277 #endif
2278
2279 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2280         {
2281         int sig_id, md_id;
2282         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2283                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2284         if (md_id == -1)
2285                 return 0;
2286         sig_id = tls12_get_sigid(pk);
2287         if (sig_id == -1)
2288                 return 0;
2289         p[0] = (unsigned char)md_id;
2290         p[1] = (unsigned char)sig_id;
2291         return 1;
2292         }
2293
2294 int tls12_get_sigid(const EVP_PKEY *pk)
2295         {
2296         return tls12_find_id(pk->type, tls12_sig,
2297                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2298         }
2299
2300 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2301         {
2302         switch(hash_alg)
2303                 {
2304 #ifndef OPENSSL_NO_MD5
2305                 case TLSEXT_hash_md5:
2306 #ifdef OPENSSL_FIPS
2307                 if (FIPS_mode())
2308                         return NULL;
2309 #endif
2310                 return EVP_md5();
2311 #endif
2312 #ifndef OPENSSL_NO_SHA
2313                 case TLSEXT_hash_sha1:
2314                 return EVP_sha1();
2315 #endif
2316 #ifndef OPENSSL_NO_SHA256
2317                 case TLSEXT_hash_sha224:
2318                 return EVP_sha224();
2319
2320                 case TLSEXT_hash_sha256:
2321                 return EVP_sha256();
2322 #endif
2323 #ifndef OPENSSL_NO_SHA512
2324                 case TLSEXT_hash_sha384:
2325                 return EVP_sha384();
2326
2327                 case TLSEXT_hash_sha512:
2328                 return EVP_sha512();
2329 #endif
2330                 default:
2331                 return NULL;
2332
2333                 }
2334         }
2335
2336 /* Set preferred digest for each key type */
2337
2338 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2339         {
2340         int i, idx;
2341         const EVP_MD *md;
2342         CERT *c = s->cert;
2343         /* Extension ignored for TLS versions below 1.2 */
2344         if (TLS1_get_version(s) < TLS1_2_VERSION)
2345                 return 1;
2346         /* Should never happen */
2347         if (!c)
2348                 return 0;
2349
2350         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2351         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2352         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2353         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2354
2355         for (i = 0; i < dsize; i += 2)
2356                 {
2357                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2358
2359                 switch(sig_alg)
2360                         {
2361 #ifndef OPENSSL_NO_RSA
2362                         case TLSEXT_signature_rsa:
2363                         idx = SSL_PKEY_RSA_SIGN;
2364                         break;
2365 #endif
2366 #ifndef OPENSSL_NO_DSA
2367                         case TLSEXT_signature_dsa:
2368                         idx = SSL_PKEY_DSA_SIGN;
2369                         break;
2370 #endif
2371 #ifndef OPENSSL_NO_ECDSA
2372                         case TLSEXT_signature_ecdsa:
2373                         idx = SSL_PKEY_ECC;
2374                         break;
2375 #endif
2376                         default:
2377                         continue;
2378                         }
2379
2380                 if (c->pkeys[idx].digest == NULL)
2381                         {
2382                         md = tls12_get_hash(hash_alg);
2383                         if (md)
2384                                 {
2385                                 c->pkeys[idx].digest = md;
2386                                 if (idx == SSL_PKEY_RSA_SIGN)
2387                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2388                                 }
2389                         }
2390
2391                 }
2392
2393
2394         /* Set any remaining keys to default values. NOTE: if alg is not
2395          * supported it stays as NULL.
2396          */
2397 #ifndef OPENSSL_NO_DSA
2398         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2399                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2400 #endif
2401 #ifndef OPENSSL_NO_RSA
2402         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2403                 {
2404                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2405                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2406                 }
2407 #endif
2408 #ifndef OPENSSL_NO_ECDSA
2409         if (!c->pkeys[SSL_PKEY_ECC].digest)
2410                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2411 #endif
2412         return 1;
2413         }
2414
2415 #endif
2416
2417 #ifndef OPENSSL_NO_HEARTBEATS
2418 int
2419 tls1_process_heartbeat(SSL *s)
2420         {
2421         unsigned char *p = &s->s3->rrec.data[0], *pl;
2422         unsigned short hbtype;
2423         unsigned int payload;
2424         unsigned int padding = 16; /* Use minimum padding */
2425
2426         /* Read type and payload length first */
2427         hbtype = *p++;
2428         n2s(p, payload);
2429         pl = p;
2430
2431         if (s->msg_callback)
2432                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2433                         &s->s3->rrec.data[0], s->s3->rrec.length,
2434                         s, s->msg_callback_arg);
2435
2436         if (hbtype == TLS1_HB_REQUEST)
2437                 {
2438                 unsigned char *buffer, *bp;
2439                 int r;
2440
2441                 /* Allocate memory for the response, size is 1 bytes
2442                  * message type, plus 2 bytes payload length, plus
2443                  * payload, plus padding
2444                  */
2445                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2446                 bp = buffer;
2447                 
2448                 /* Enter response type, length and copy payload */
2449                 *bp++ = TLS1_HB_RESPONSE;
2450                 s2n(payload, bp);
2451                 memcpy(bp, pl, payload);
2452                 
2453                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2454
2455                 if (r >= 0 && s->msg_callback)
2456                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2457                                 buffer, 3 + payload + padding,
2458                                 s, s->msg_callback_arg);
2459
2460                 OPENSSL_free(buffer);
2461
2462                 if (r < 0)
2463                         return r;
2464                 }
2465         else if (hbtype == TLS1_HB_RESPONSE)
2466                 {
2467                 unsigned int seq;
2468                 
2469                 /* We only send sequence numbers (2 bytes unsigned int),
2470                  * and 16 random bytes, so we just try to read the
2471                  * sequence number */
2472                 n2s(pl, seq);
2473                 
2474                 if (payload == 18 && seq == s->tlsext_hb_seq)
2475                         {
2476                         s->tlsext_hb_seq++;
2477                         s->tlsext_hb_pending = 0;
2478                         }
2479                 }
2480
2481         return 0;
2482         }
2483
2484 int
2485 tls1_heartbeat(SSL *s)
2486         {
2487         unsigned char *buf, *p;
2488         int ret;
2489         unsigned int payload = 18; /* Sequence number + random bytes */
2490         unsigned int padding = 16; /* Use minimum padding */
2491
2492         /* Only send if peer supports and accepts HB requests... */
2493         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2494             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2495                 {
2496                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2497                 return -1;
2498                 }
2499
2500         /* ...and there is none in flight yet... */
2501         if (s->tlsext_hb_pending)
2502                 {
2503                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2504                 return -1;
2505                 }
2506                 
2507         /* ...and no handshake in progress. */
2508         if (SSL_in_init(s) || s->in_handshake)
2509                 {
2510                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2511                 return -1;
2512                 }
2513                 
2514         /* Check if padding is too long, payload and padding
2515          * must not exceed 2^14 - 3 = 16381 bytes in total.
2516          */
2517         OPENSSL_assert(payload + padding <= 16381);
2518
2519         /* Create HeartBeat message, we just use a sequence number
2520          * as payload to distuingish different messages and add
2521          * some random stuff.
2522          *  - Message Type, 1 byte
2523          *  - Payload Length, 2 bytes (unsigned int)
2524          *  - Payload, the sequence number (2 bytes uint)
2525          *  - Payload, random bytes (16 bytes uint)
2526          *  - Padding
2527          */
2528         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2529         p = buf;
2530         /* Message Type */
2531         *p++ = TLS1_HB_REQUEST;
2532         /* Payload length (18 bytes here) */
2533         s2n(payload, p);
2534         /* Sequence number */
2535         s2n(s->tlsext_hb_seq, p);
2536         /* 16 random bytes */
2537         RAND_pseudo_bytes(p, 16);
2538         p += 16;
2539         /* Random padding */
2540         RAND_pseudo_bytes(p, padding);
2541
2542         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2543         if (ret >= 0)
2544                 {
2545                 if (s->msg_callback)
2546                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2547                                 buf, 3 + payload + padding,
2548                                 s, s->msg_callback_arg);
2549
2550                 s->tlsext_hb_pending = 1;
2551                 }
2552                 
2553         OPENSSL_free(buf);
2554
2555         return ret;
2556         }
2557 #endif