85a5681f87a41df497151d545be6c9014acafc95
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336
337 /* Return nth shared curve. If nmatch == -1 return number of
338  * matches.
339  */
340
341 int tls1_shared_curve(SSL *s, int nmatch)
342         {
343         const unsigned char *pref, *supp;
344         size_t preflen, supplen, i, j;
345         int k;
346         /* Can't do anything on client side */
347         if (s->server == 0)
348                 return -1;
349         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
350                                 &supp, &supplen);
351         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
352                                 &pref, &preflen);
353         preflen /= 2;
354         supplen /= 2;
355         k = 0;
356         for (i = 0; i < preflen; i++, pref+=2)
357                 {
358                 const unsigned char *tsupp = supp;
359                 for (j = 0; j < supplen; j++, tsupp+=2)
360                         {
361                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
362                                 {
363                                 if (nmatch == k)
364                                         {
365                                         int id = (pref[0] << 8) | pref[1];
366                                         return tls1_ec_curve_id2nid(id);
367                                         }
368                                 k++;
369                                 }
370                         }
371                 }
372         if (nmatch == -1)
373                 return k;
374         return 0;
375         }
376
377 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
378                         int *curves, size_t ncurves)
379         {
380         unsigned char *clist, *p;
381         size_t i;
382         /* Bitmap of curves included to detect duplicates: only works
383          * while curve ids < 32 
384          */
385         unsigned long dup_list = 0;
386         clist = OPENSSL_malloc(ncurves * 2);
387         if (!clist)
388                 return 0;
389         for (i = 0, p = clist; i < ncurves; i++)
390                 {
391                 unsigned long idmask;
392                 int id;
393                 id = tls1_ec_nid2curve_id(curves[i]);
394                 idmask = 1L << id;
395                 if (!id || (dup_list & idmask))
396                         {
397                         OPENSSL_free(clist);
398                         return 0;
399                         }
400                 dup_list |= idmask;
401                 s2n(id, p);
402                 }
403         if (*pext)
404                 OPENSSL_free(*pext);
405         *pext = clist;
406         *pextlen = ncurves * 2;
407         return 1;
408         }
409
410 #define MAX_CURVELIST   25
411
412 typedef struct
413         {
414         size_t nidcnt;
415         int nid_arr[MAX_CURVELIST];
416         } nid_cb_st;
417
418 static int nid_cb(const char *elem, int len, void *arg)
419         {
420         nid_cb_st *narg = arg;
421         size_t i;
422         int nid;
423         char etmp[20];
424         if (narg->nidcnt == MAX_CURVELIST)
425                 return 0;
426         if (len > (int)(sizeof(etmp) - 1))
427                 return 0;
428         memcpy(etmp, elem, len);
429         etmp[len] = 0;
430         nid = EC_curve_nist2nid(etmp);
431         if (nid == NID_undef)
432                 nid = OBJ_sn2nid(etmp);
433         if (nid == NID_undef)
434                 nid = OBJ_ln2nid(etmp);
435         if (nid == NID_undef)
436                 return 0;
437         for (i = 0; i < narg->nidcnt; i++)
438                 if (narg->nid_arr[i] == nid)
439                         return 0;
440         narg->nid_arr[narg->nidcnt++] = nid;
441         return 1;
442         }
443 /* Set curves based on a colon separate list */
444 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
445                                 const char *str)
446         {
447         nid_cb_st ncb;
448         ncb.nidcnt = 0;
449         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
450                 return 0;
451         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
452         }
453 /* For an EC key set TLS id and required compression based on parameters */
454 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
455                                 EC_KEY *ec)
456         {
457         int is_prime, id;
458         const EC_GROUP *grp;
459         const EC_POINT *pt;
460         const EC_METHOD *meth;
461         if (!ec)
462                 return 0;
463         /* Determine if it is a prime field */
464         grp = EC_KEY_get0_group(ec);
465         pt = EC_KEY_get0_public_key(ec);
466         if (!grp || !pt)
467                 return 0;
468         meth = EC_GROUP_method_of(grp);
469         if (!meth)
470                 return 0;
471         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
472                 is_prime = 1;
473         else
474                 is_prime = 0;
475         /* Determine curve ID */
476         id = EC_GROUP_get_curve_name(grp);
477         id = tls1_ec_nid2curve_id(id);
478         /* If we have an ID set it, otherwise set arbitrary explicit curve */
479         if (id)
480                 {
481                 curve_id[0] = 0;
482                 curve_id[1] = (unsigned char)id;
483                 }
484         else
485                 {
486                 curve_id[0] = 0xff;
487                 if (is_prime)
488                         curve_id[1] = 0x01;
489                 else
490                         curve_id[1] = 0x02;
491                 }
492         if (comp_id)
493                 {
494                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
495                         {
496                         if (is_prime)
497                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
498                         else
499                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
500                         }
501                 else
502                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
503                 }
504         return 1;
505         }
506 /* Check an EC key is compatible with extensions */
507 static int tls1_check_ec_key(SSL *s,
508                         unsigned char *curve_id, unsigned char *comp_id)
509         {
510         const unsigned char *p;
511         size_t plen, i;
512         int j;
513         /* If point formats extension present check it, otherwise everything
514          * is supported (see RFC4492).
515          */
516         if (comp_id && s->session->tlsext_ecpointformatlist)
517                 {
518                 p = s->session->tlsext_ecpointformatlist;
519                 plen = s->session->tlsext_ecpointformatlist_length;
520                 for (i = 0; i < plen; i++, p++)
521                         {
522                         if (*comp_id == *p)
523                                 break;
524                         }
525                 if (i == plen)
526                         return 0;
527                 }
528         /* Check curve is consistent with client and server preferences */
529         for (j = 0; j <= 1; j++)
530                 {
531                 tls1_get_curvelist(s, j, &p, &plen);
532                 for (i = 0; i < plen; i+=2, p+=2)
533                         {
534                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
535                                 break;
536                         }
537                 if (i == plen)
538                         return 0;
539                 }
540         return 1;
541         }
542 /* Check EC server key is compatible with client extensions */
543 int tls1_check_ec_server_key(SSL *s)
544         {
545         int rv;
546         CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
547         EVP_PKEY *pkey;
548         unsigned char comp_id, curve_id[2];
549         if (!cpk->x509 || !cpk->privatekey)
550                 return 0;
551         pkey = X509_get_pubkey(cpk->x509);
552         if (!pkey)
553                 return 0;
554         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
555         EVP_PKEY_free(pkey);
556         if (!rv)
557                 return 0;
558         return tls1_check_ec_key(s, curve_id, &comp_id);
559         }
560 /* Check EC temporary key is compatible with client extensions */
561 int tls1_check_ec_tmp_key(SSL *s)
562         {
563         unsigned char curve_id[2];
564         EC_KEY *ec = s->cert->ecdh_tmp;
565         if (s->cert->ecdh_tmp_auto)
566                 {
567                 /* Need a shared curve */
568                 if (tls1_shared_curve(s, 0))
569                         return 1;
570                 else return 0;
571                 }
572         if (!ec)
573                 {
574                 if (s->cert->ecdh_tmp_cb)
575                         return 1;
576                 else
577                         return 0;
578                 }
579         if (!tls1_set_ec_id(curve_id, NULL, ec))
580                 return 1;
581         return tls1_check_ec_key(s, curve_id, NULL);
582         }
583
584 #endif /* OPENSSL_NO_EC */
585
586 #ifndef OPENSSL_NO_TLSEXT
587
588 /* List of supported signature algorithms and hashes. Should make this
589  * customisable at some point, for now include everything we support.
590  */
591
592 #ifdef OPENSSL_NO_RSA
593 #define tlsext_sigalg_rsa(md) /* */
594 #else
595 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
596 #endif
597
598 #ifdef OPENSSL_NO_DSA
599 #define tlsext_sigalg_dsa(md) /* */
600 #else
601 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
602 #endif
603
604 #ifdef OPENSSL_NO_ECDSA
605 #define tlsext_sigalg_ecdsa(md) /* */
606 #else
607 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
608 #endif
609
610 #define tlsext_sigalg(md) \
611                 tlsext_sigalg_rsa(md) \
612                 tlsext_sigalg_dsa(md) \
613                 tlsext_sigalg_ecdsa(md)
614
615 static unsigned char tls12_sigalgs[] = {
616 #ifndef OPENSSL_NO_SHA512
617         tlsext_sigalg(TLSEXT_hash_sha512)
618         tlsext_sigalg(TLSEXT_hash_sha384)
619 #endif
620 #ifndef OPENSSL_NO_SHA256
621         tlsext_sigalg(TLSEXT_hash_sha256)
622         tlsext_sigalg(TLSEXT_hash_sha224)
623 #endif
624 #ifndef OPENSSL_NO_SHA
625         tlsext_sigalg(TLSEXT_hash_sha1)
626 #endif
627 #ifndef OPENSSL_NO_MD5
628         tlsext_sigalg_rsa(TLSEXT_hash_md5)
629 #endif
630 };
631
632 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
633         {
634         size_t slen = sizeof(tls12_sigalgs);
635 #ifdef OPENSSL_FIPS
636         /* If FIPS mode don't include MD5 which is last */
637         if (FIPS_mode())
638                 slen -= 2;
639 #endif
640         if (p)
641                 memcpy(p, tls12_sigalgs, slen);
642         return (int)slen;
643         }
644
645 /* byte_compare is a compare function for qsort(3) that compares bytes. */
646 static int byte_compare(const void *in_a, const void *in_b)
647         {
648         unsigned char a = *((const unsigned char*) in_a);
649         unsigned char b = *((const unsigned char*) in_b);
650
651         if (a > b)
652                 return 1;
653         else if (a < b)
654                 return -1;
655         return 0;
656 }
657
658 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
659         {
660         int extdatalen=0;
661         unsigned char *ret = p;
662 #ifndef OPENSSL_NO_EC
663         /* See if we support any ECC ciphersuites */
664         int using_ecc = 0;
665         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
666                 {
667                 int i;
668                 unsigned long alg_k, alg_a;
669                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
670
671                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
672                         {
673                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
674
675                         alg_k = c->algorithm_mkey;
676                         alg_a = c->algorithm_auth;
677                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
678                                 || (alg_a & SSL_aECDSA)))
679                                 {
680                                 using_ecc = 1;
681                                 break;
682                                 }
683                         }
684                 }
685 #endif
686
687         /* don't add extensions for SSLv3 unless doing secure renegotiation */
688         if (s->client_version == SSL3_VERSION
689                                         && !s->s3->send_connection_binding)
690                 return p;
691
692         ret+=2;
693
694         if (ret>=limit) return NULL; /* this really never occurs, but ... */
695
696         if (s->tlsext_hostname != NULL)
697                 { 
698                 /* Add TLS extension servername to the Client Hello message */
699                 unsigned long size_str;
700                 long lenmax; 
701
702                 /* check for enough space.
703                    4 for the servername type and entension length
704                    2 for servernamelist length
705                    1 for the hostname type
706                    2 for hostname length
707                    + hostname length 
708                 */
709                    
710                 if ((lenmax = limit - ret - 9) < 0 
711                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
712                         return NULL;
713                         
714                 /* extension type and length */
715                 s2n(TLSEXT_TYPE_server_name,ret); 
716                 s2n(size_str+5,ret);
717                 
718                 /* length of servername list */
719                 s2n(size_str+3,ret);
720         
721                 /* hostname type, length and hostname */
722                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
723                 s2n(size_str,ret);
724                 memcpy(ret, s->tlsext_hostname, size_str);
725                 ret+=size_str;
726                 }
727
728         /* Add RI if renegotiating */
729         if (s->renegotiate)
730           {
731           int el;
732           
733           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
734               {
735               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
736               return NULL;
737               }
738
739           if((limit - p - 4 - el) < 0) return NULL;
740           
741           s2n(TLSEXT_TYPE_renegotiate,ret);
742           s2n(el,ret);
743
744           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
745               {
746               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
747               return NULL;
748               }
749
750           ret += el;
751         }
752
753 #ifndef OPENSSL_NO_SRP
754         /* Add SRP username if there is one */
755         if (s->srp_ctx.login != NULL)
756                 { /* Add TLS extension SRP username to the Client Hello message */
757
758                 int login_len = strlen(s->srp_ctx.login);       
759                 if (login_len > 255 || login_len == 0)
760                         {
761                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
762                         return NULL;
763                         } 
764
765                 /* check for enough space.
766                    4 for the srp type type and entension length
767                    1 for the srp user identity
768                    + srp user identity length 
769                 */
770                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
771
772                 /* fill in the extension */
773                 s2n(TLSEXT_TYPE_srp,ret);
774                 s2n(login_len+1,ret);
775                 (*ret++) = (unsigned char) login_len;
776                 memcpy(ret, s->srp_ctx.login, login_len);
777                 ret+=login_len;
778                 }
779 #endif
780
781 #ifndef OPENSSL_NO_EC
782         if (using_ecc)
783                 {
784                 /* Add TLS extension ECPointFormats to the ClientHello message */
785                 long lenmax; 
786                 const unsigned char *plist;
787                 size_t plistlen;
788                 /* If we have a custom point format list use it otherwise
789                  * use default */
790                 plist = s->tlsext_ecpointformatlist;
791                 if (plist)
792                         plistlen = s->tlsext_ecpointformatlist_length;
793                 else
794                         {
795                         plist = ecformats_default;
796                         plistlen = sizeof(ecformats_default);
797                         }
798
799                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
800                 if (plistlen > (size_t)lenmax) return NULL;
801                 if (plistlen > 255)
802                         {
803                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
804                         return NULL;
805                         }
806                 
807                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
808                 s2n(plistlen + 1,ret);
809                 *(ret++) = (unsigned char)plistlen ;
810                 memcpy(ret, plist, plistlen);
811                 ret+=plistlen;
812
813                 /* Add TLS extension EllipticCurves to the ClientHello message */
814                 plist = s->tlsext_ellipticcurvelist;
815                 tls1_get_curvelist(s, 0, &plist, &plistlen);
816
817                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
818                 if (plistlen > (size_t)lenmax) return NULL;
819                 if (plistlen > 65532)
820                         {
821                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
822                         return NULL;
823                         }
824                 
825                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
826                 s2n(plistlen + 2, ret);
827
828                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
829                  * elliptic_curve_list, but the examples use two bytes.
830                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
831                  * resolves this to two bytes.
832                  */
833                 s2n(plistlen, ret);
834                 memcpy(ret, plist, plistlen);
835                 ret+=plistlen;
836                 }
837 #endif /* OPENSSL_NO_EC */
838
839         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
840                 {
841                 int ticklen;
842                 if (!s->new_session && s->session && s->session->tlsext_tick)
843                         ticklen = s->session->tlsext_ticklen;
844                 else if (s->session && s->tlsext_session_ticket &&
845                          s->tlsext_session_ticket->data)
846                         {
847                         ticklen = s->tlsext_session_ticket->length;
848                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
849                         if (!s->session->tlsext_tick)
850                                 return NULL;
851                         memcpy(s->session->tlsext_tick,
852                                s->tlsext_session_ticket->data,
853                                ticklen);
854                         s->session->tlsext_ticklen = ticklen;
855                         }
856                 else
857                         ticklen = 0;
858                 if (ticklen == 0 && s->tlsext_session_ticket &&
859                     s->tlsext_session_ticket->data == NULL)
860                         goto skip_ext;
861                 /* Check for enough room 2 for extension type, 2 for len
862                  * rest for ticket
863                  */
864                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
865                 s2n(TLSEXT_TYPE_session_ticket,ret); 
866                 s2n(ticklen,ret);
867                 if (ticklen)
868                         {
869                         memcpy(ret, s->session->tlsext_tick, ticklen);
870                         ret += ticklen;
871                         }
872                 }
873                 skip_ext:
874
875         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
876                 {
877                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
878                         return NULL; 
879                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
880                 s2n(sizeof(tls12_sigalgs) + 2, ret);
881                 s2n(sizeof(tls12_sigalgs), ret);
882                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
883                 ret += sizeof(tls12_sigalgs);
884                 }
885
886 #ifdef TLSEXT_TYPE_opaque_prf_input
887         if (s->s3->client_opaque_prf_input != NULL &&
888             s->version != DTLS1_VERSION)
889                 {
890                 size_t col = s->s3->client_opaque_prf_input_len;
891                 
892                 if ((long)(limit - ret - 6 - col < 0))
893                         return NULL;
894                 if (col > 0xFFFD) /* can't happen */
895                         return NULL;
896
897                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
898                 s2n(col + 2, ret);
899                 s2n(col, ret);
900                 memcpy(ret, s->s3->client_opaque_prf_input, col);
901                 ret += col;
902                 }
903 #endif
904
905         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
906             s->version != DTLS1_VERSION)
907                 {
908                 int i;
909                 long extlen, idlen, itmp;
910                 OCSP_RESPID *id;
911
912                 idlen = 0;
913                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
914                         {
915                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
916                         itmp = i2d_OCSP_RESPID(id, NULL);
917                         if (itmp <= 0)
918                                 return NULL;
919                         idlen += itmp + 2;
920                         }
921
922                 if (s->tlsext_ocsp_exts)
923                         {
924                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
925                         if (extlen < 0)
926                                 return NULL;
927                         }
928                 else
929                         extlen = 0;
930                         
931                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
932                 s2n(TLSEXT_TYPE_status_request, ret);
933                 if (extlen + idlen > 0xFFF0)
934                         return NULL;
935                 s2n(extlen + idlen + 5, ret);
936                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
937                 s2n(idlen, ret);
938                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
939                         {
940                         /* save position of id len */
941                         unsigned char *q = ret;
942                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
943                         /* skip over id len */
944                         ret += 2;
945                         itmp = i2d_OCSP_RESPID(id, &ret);
946                         /* write id len */
947                         s2n(itmp, q);
948                         }
949                 s2n(extlen, ret);
950                 if (extlen > 0)
951                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
952                 }
953
954 #ifndef OPENSSL_NO_HEARTBEATS
955         /* Add Heartbeat extension */
956         s2n(TLSEXT_TYPE_heartbeat,ret);
957         s2n(1,ret);
958         /* Set mode:
959          * 1: peer may send requests
960          * 2: peer not allowed to send requests
961          */
962         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
963                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
964         else
965                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
966 #endif
967
968 #ifndef OPENSSL_NO_NEXTPROTONEG
969         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
970                 {
971                 /* The client advertises an emtpy extension to indicate its
972                  * support for Next Protocol Negotiation */
973                 if (limit - ret - 4 < 0)
974                         return NULL;
975                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
976                 s2n(0,ret);
977                 }
978 #endif
979
980         if(SSL_get_srtp_profiles(s))
981                 {
982                 int el;
983
984                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
985                 
986                 if((limit - p - 4 - el) < 0) return NULL;
987
988                 s2n(TLSEXT_TYPE_use_srtp,ret);
989                 s2n(el,ret);
990
991                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
992                         {
993                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
994                         return NULL;
995                         }
996                 ret += el;
997                 }
998
999         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1000         /* 2 bytes for extension type */
1001         /* 2 bytes for extension length */
1002         /* 1 byte for the list length */
1003         /* 1 byte for the list (we only support audit proofs) */
1004         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1005                 {
1006                 size_t lenmax;
1007                 const unsigned short ext_len = 2;
1008                 const unsigned char list_len = 1;
1009
1010                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1011
1012                 s2n(TLSEXT_TYPE_server_authz, ret);
1013                 /* Extension length: 2 bytes */
1014                 s2n(ext_len, ret);
1015                 *(ret++) = list_len;
1016                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1017                 }
1018
1019         if ((extdatalen = ret-p-2) == 0)
1020                 return p;
1021
1022         s2n(extdatalen,p);
1023         return ret;
1024         }
1025
1026 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1027         {
1028         int extdatalen=0;
1029         unsigned char *ret = p;
1030 #ifndef OPENSSL_NO_NEXTPROTONEG
1031         int next_proto_neg_seen;
1032 #endif
1033
1034         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1035         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1036                 return p;
1037         
1038         ret+=2;
1039         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1040
1041         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1042                 { 
1043                 if ((long)(limit - ret - 4) < 0) return NULL; 
1044
1045                 s2n(TLSEXT_TYPE_server_name,ret);
1046                 s2n(0,ret);
1047                 }
1048
1049         if(s->s3->send_connection_binding)
1050         {
1051           int el;
1052           
1053           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1054               {
1055               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1056               return NULL;
1057               }
1058
1059           if((limit - p - 4 - el) < 0) return NULL;
1060           
1061           s2n(TLSEXT_TYPE_renegotiate,ret);
1062           s2n(el,ret);
1063
1064           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1065               {
1066               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1067               return NULL;
1068               }
1069
1070           ret += el;
1071         }
1072
1073 #ifndef OPENSSL_NO_EC
1074         if (s->tlsext_ecpointformatlist != NULL &&
1075             s->version != DTLS1_VERSION)
1076                 {
1077                 /* Add TLS extension ECPointFormats to the ServerHello message */
1078                 long lenmax; 
1079
1080                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1081                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1082                 if (s->tlsext_ecpointformatlist_length > 255)
1083                         {
1084                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1085                         return NULL;
1086                         }
1087                 
1088                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1089                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1090                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1091                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1092                 ret+=s->tlsext_ecpointformatlist_length;
1093
1094                 }
1095         /* Currently the server should not respond with a SupportedCurves extension */
1096 #endif /* OPENSSL_NO_EC */
1097
1098         if (s->tlsext_ticket_expected
1099                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1100                 { 
1101                 if ((long)(limit - ret - 4) < 0) return NULL; 
1102                 s2n(TLSEXT_TYPE_session_ticket,ret);
1103                 s2n(0,ret);
1104                 }
1105
1106         if (s->tlsext_status_expected)
1107                 { 
1108                 if ((long)(limit - ret - 4) < 0) return NULL; 
1109                 s2n(TLSEXT_TYPE_status_request,ret);
1110                 s2n(0,ret);
1111                 }
1112
1113 #ifdef TLSEXT_TYPE_opaque_prf_input
1114         if (s->s3->server_opaque_prf_input != NULL &&
1115             s->version != DTLS1_VERSION)
1116                 {
1117                 size_t sol = s->s3->server_opaque_prf_input_len;
1118                 
1119                 if ((long)(limit - ret - 6 - sol) < 0)
1120                         return NULL;
1121                 if (sol > 0xFFFD) /* can't happen */
1122                         return NULL;
1123
1124                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1125                 s2n(sol + 2, ret);
1126                 s2n(sol, ret);
1127                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1128                 ret += sol;
1129                 }
1130 #endif
1131
1132         if(s->srtp_profile)
1133                 {
1134                 int el;
1135
1136                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1137                 
1138                 if((limit - p - 4 - el) < 0) return NULL;
1139
1140                 s2n(TLSEXT_TYPE_use_srtp,ret);
1141                 s2n(el,ret);
1142
1143                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1144                         {
1145                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1146                         return NULL;
1147                         }
1148                 ret+=el;
1149                 }
1150
1151         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1152                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1153                 { const unsigned char cryptopro_ext[36] = {
1154                         0xfd, 0xe8, /*65000*/
1155                         0x00, 0x20, /*32 bytes length*/
1156                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1157                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1158                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1159                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1160                         if (limit-ret<36) return NULL;
1161                         memcpy(ret,cryptopro_ext,36);
1162                         ret+=36;
1163
1164                 }
1165
1166 #ifndef OPENSSL_NO_HEARTBEATS
1167         /* Add Heartbeat extension if we've received one */
1168         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1169                 {
1170                 s2n(TLSEXT_TYPE_heartbeat,ret);
1171                 s2n(1,ret);
1172                 /* Set mode:
1173                  * 1: peer may send requests
1174                  * 2: peer not allowed to send requests
1175                  */
1176                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1177                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1178                 else
1179                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1180
1181                 }
1182 #endif
1183
1184 #ifndef OPENSSL_NO_NEXTPROTONEG
1185         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1186         s->s3->next_proto_neg_seen = 0;
1187         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1188                 {
1189                 const unsigned char *npa;
1190                 unsigned int npalen;
1191                 int r;
1192
1193                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1194                 if (r == SSL_TLSEXT_ERR_OK)
1195                         {
1196                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1197                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1198                         s2n(npalen,ret);
1199                         memcpy(ret, npa, npalen);
1200                         ret += npalen;
1201                         s->s3->next_proto_neg_seen = 1;
1202                         }
1203                 }
1204 #endif
1205
1206         /* If the client supports authz then see whether we have any to offer
1207          * to it. */
1208         if (s->s3->tlsext_authz_client_types_len)
1209                 {
1210                 size_t authz_length;
1211                 /* By now we already know the new cipher, so we can look ahead
1212                  * to see whether the cert we are going to send
1213                  * has any authz data attached to it. */
1214                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1215                 const unsigned char* const orig_authz = authz;
1216                 size_t i;
1217                 unsigned authz_count = 0;
1218
1219                 /* The authz data contains a number of the following structures:
1220                  *      uint8_t authz_type
1221                  *      uint16_t length
1222                  *      uint8_t data[length]
1223                  *
1224                  * First we walk over it to find the number of authz elements. */
1225                 for (i = 0; i < authz_length; i++)
1226                         {
1227                         unsigned short length;
1228                         unsigned char type;
1229
1230                         type = *(authz++);
1231                         if (memchr(s->s3->tlsext_authz_client_types,
1232                                    type,
1233                                    s->s3->tlsext_authz_client_types_len) != NULL)
1234                                 authz_count++;
1235
1236                         n2s(authz, length);
1237                         /* n2s increments authz by 2 */
1238                         i += 2;
1239                         authz += length;
1240                         i += length;
1241                         }
1242
1243                 if (authz_count)
1244                         {
1245                         /* Add TLS extension server_authz to the ServerHello message
1246                          * 2 bytes for extension type
1247                          * 2 bytes for extension length
1248                          * 1 byte for the list length
1249                          * n bytes for the list */
1250                         const unsigned short ext_len = 1 + authz_count;
1251
1252                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1253                         s2n(TLSEXT_TYPE_server_authz, ret);
1254                         s2n(ext_len, ret);
1255                         *(ret++) = authz_count;
1256                         s->s3->tlsext_authz_promised_to_client = 1;
1257                         }
1258
1259                 authz = orig_authz;
1260                 for (i = 0; i < authz_length; i++)
1261                         {
1262                         unsigned short length;
1263                         unsigned char type;
1264
1265                         authz_count++;
1266                         type = *(authz++);
1267                         if (memchr(s->s3->tlsext_authz_client_types,
1268                                    type,
1269                                    s->s3->tlsext_authz_client_types_len) != NULL)
1270                                 *(ret++) = type;
1271                         n2s(authz, length);
1272                         /* n2s increments authz by 2 */
1273                         i += 2;
1274                         authz += length;
1275                         i += length;
1276                         }
1277                 }
1278
1279         if ((extdatalen = ret-p-2)== 0) 
1280                 return p;
1281
1282         s2n(extdatalen,p);
1283         return ret;
1284         }
1285
1286 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1287         {       
1288         unsigned short type;
1289         unsigned short size;
1290         unsigned short len;
1291         unsigned char *data = *p;
1292         int renegotiate_seen = 0;
1293         int sigalg_seen = 0;
1294
1295         s->servername_done = 0;
1296         s->tlsext_status_type = -1;
1297 #ifndef OPENSSL_NO_NEXTPROTONEG
1298         s->s3->next_proto_neg_seen = 0;
1299 #endif
1300
1301 #ifndef OPENSSL_NO_HEARTBEATS
1302         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1303                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1304 #endif
1305
1306         if (data >= (d+n-2))
1307                 goto ri_check;
1308         n2s(data,len);
1309
1310         if (data > (d+n-len)) 
1311                 goto ri_check;
1312
1313         while (data <= (d+n-4))
1314                 {
1315                 n2s(data,type);
1316                 n2s(data,size);
1317
1318                 if (data+size > (d+n))
1319                         goto ri_check;
1320 #if 0
1321                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1322 #endif
1323                 if (s->tlsext_debug_cb)
1324                         s->tlsext_debug_cb(s, 0, type, data, size,
1325                                                 s->tlsext_debug_arg);
1326 /* The servername extension is treated as follows:
1327
1328    - Only the hostname type is supported with a maximum length of 255.
1329    - The servername is rejected if too long or if it contains zeros,
1330      in which case an fatal alert is generated.
1331    - The servername field is maintained together with the session cache.
1332    - When a session is resumed, the servername call back invoked in order
1333      to allow the application to position itself to the right context. 
1334    - The servername is acknowledged if it is new for a session or when 
1335      it is identical to a previously used for the same session. 
1336      Applications can control the behaviour.  They can at any time
1337      set a 'desirable' servername for a new SSL object. This can be the
1338      case for example with HTTPS when a Host: header field is received and
1339      a renegotiation is requested. In this case, a possible servername
1340      presented in the new client hello is only acknowledged if it matches
1341      the value of the Host: field. 
1342    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1343      if they provide for changing an explicit servername context for the session,
1344      i.e. when the session has been established with a servername extension. 
1345    - On session reconnect, the servername extension may be absent. 
1346
1347 */      
1348
1349                 if (type == TLSEXT_TYPE_server_name)
1350                         {
1351                         unsigned char *sdata;
1352                         int servname_type;
1353                         int dsize; 
1354                 
1355                         if (size < 2) 
1356                                 {
1357                                 *al = SSL_AD_DECODE_ERROR;
1358                                 return 0;
1359                                 }
1360                         n2s(data,dsize);  
1361                         size -= 2;
1362                         if (dsize > size  ) 
1363                                 {
1364                                 *al = SSL_AD_DECODE_ERROR;
1365                                 return 0;
1366                                 } 
1367
1368                         sdata = data;
1369                         while (dsize > 3) 
1370                                 {
1371                                 servname_type = *(sdata++); 
1372                                 n2s(sdata,len);
1373                                 dsize -= 3;
1374
1375                                 if (len > dsize) 
1376                                         {
1377                                         *al = SSL_AD_DECODE_ERROR;
1378                                         return 0;
1379                                         }
1380                                 if (s->servername_done == 0)
1381                                 switch (servname_type)
1382                                         {
1383                                 case TLSEXT_NAMETYPE_host_name:
1384                                         if (!s->hit)
1385                                                 {
1386                                                 if(s->session->tlsext_hostname)
1387                                                         {
1388                                                         *al = SSL_AD_DECODE_ERROR;
1389                                                         return 0;
1390                                                         }
1391                                                 if (len > TLSEXT_MAXLEN_host_name)
1392                                                         {
1393                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1394                                                         return 0;
1395                                                         }
1396                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1397                                                         {
1398                                                         *al = TLS1_AD_INTERNAL_ERROR;
1399                                                         return 0;
1400                                                         }
1401                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1402                                                 s->session->tlsext_hostname[len]='\0';
1403                                                 if (strlen(s->session->tlsext_hostname) != len) {
1404                                                         OPENSSL_free(s->session->tlsext_hostname);
1405                                                         s->session->tlsext_hostname = NULL;
1406                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1407                                                         return 0;
1408                                                 }
1409                                                 s->servername_done = 1; 
1410
1411                                                 }
1412                                         else 
1413                                                 s->servername_done = s->session->tlsext_hostname
1414                                                         && strlen(s->session->tlsext_hostname) == len 
1415                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1416                                         
1417                                         break;
1418
1419                                 default:
1420                                         break;
1421                                         }
1422                                  
1423                                 dsize -= len;
1424                                 }
1425                         if (dsize != 0) 
1426                                 {
1427                                 *al = SSL_AD_DECODE_ERROR;
1428                                 return 0;
1429                                 }
1430
1431                         }
1432 #ifndef OPENSSL_NO_SRP
1433                 else if (type == TLSEXT_TYPE_srp)
1434                         {
1435                         if (size <= 0 || ((len = data[0])) != (size -1))
1436                                 {
1437                                 *al = SSL_AD_DECODE_ERROR;
1438                                 return 0;
1439                                 }
1440                         if (s->srp_ctx.login != NULL)
1441                                 {
1442                                 *al = SSL_AD_DECODE_ERROR;
1443                                 return 0;
1444                                 }
1445                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1446                                 return -1;
1447                         memcpy(s->srp_ctx.login, &data[1], len);
1448                         s->srp_ctx.login[len]='\0';
1449   
1450                         if (strlen(s->srp_ctx.login) != len) 
1451                                 {
1452                                 *al = SSL_AD_DECODE_ERROR;
1453                                 return 0;
1454                                 }
1455                         }
1456 #endif
1457
1458 #ifndef OPENSSL_NO_EC
1459                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1460                      s->version != DTLS1_VERSION)
1461                         {
1462                         unsigned char *sdata = data;
1463                         int ecpointformatlist_length = *(sdata++);
1464
1465                         if (ecpointformatlist_length != size - 1)
1466                                 {
1467                                 *al = TLS1_AD_DECODE_ERROR;
1468                                 return 0;
1469                                 }
1470                         if (!s->hit)
1471                                 {
1472                                 if(s->session->tlsext_ecpointformatlist)
1473                                         {
1474                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1475                                         s->session->tlsext_ecpointformatlist = NULL;
1476                                         }
1477                                 s->session->tlsext_ecpointformatlist_length = 0;
1478                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1479                                         {
1480                                         *al = TLS1_AD_INTERNAL_ERROR;
1481                                         return 0;
1482                                         }
1483                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1484                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1485                                 }
1486 #if 0
1487                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1488                         sdata = s->session->tlsext_ecpointformatlist;
1489                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1490                                 fprintf(stderr,"%i ",*(sdata++));
1491                         fprintf(stderr,"\n");
1492 #endif
1493                         }
1494                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1495                      s->version != DTLS1_VERSION)
1496                         {
1497                         unsigned char *sdata = data;
1498                         int ellipticcurvelist_length = (*(sdata++) << 8);
1499                         ellipticcurvelist_length += (*(sdata++));
1500
1501                         if (ellipticcurvelist_length != size - 2)
1502                                 {
1503                                 *al = TLS1_AD_DECODE_ERROR;
1504                                 return 0;
1505                                 }
1506                         if (!s->hit)
1507                                 {
1508                                 if(s->session->tlsext_ellipticcurvelist)
1509                                         {
1510                                         *al = TLS1_AD_DECODE_ERROR;
1511                                         return 0;
1512                                         }
1513                                 s->session->tlsext_ellipticcurvelist_length = 0;
1514                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1515                                         {
1516                                         *al = TLS1_AD_INTERNAL_ERROR;
1517                                         return 0;
1518                                         }
1519                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1520                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1521                                 }
1522 #if 0
1523                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1524                         sdata = s->session->tlsext_ellipticcurvelist;
1525                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1526                                 fprintf(stderr,"%i ",*(sdata++));
1527                         fprintf(stderr,"\n");
1528 #endif
1529                         }
1530 #endif /* OPENSSL_NO_EC */
1531 #ifdef TLSEXT_TYPE_opaque_prf_input
1532                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1533                      s->version != DTLS1_VERSION)
1534                         {
1535                         unsigned char *sdata = data;
1536
1537                         if (size < 2)
1538                                 {
1539                                 *al = SSL_AD_DECODE_ERROR;
1540                                 return 0;
1541                                 }
1542                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1543                         if (s->s3->client_opaque_prf_input_len != size - 2)
1544                                 {
1545                                 *al = SSL_AD_DECODE_ERROR;
1546                                 return 0;
1547                                 }
1548
1549                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1550                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1551                         if (s->s3->client_opaque_prf_input_len == 0)
1552                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1553                         else
1554                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1555                         if (s->s3->client_opaque_prf_input == NULL)
1556                                 {
1557                                 *al = TLS1_AD_INTERNAL_ERROR;
1558                                 return 0;
1559                                 }
1560                         }
1561 #endif
1562                 else if (type == TLSEXT_TYPE_session_ticket)
1563                         {
1564                         if (s->tls_session_ticket_ext_cb &&
1565                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1566                                 {
1567                                 *al = TLS1_AD_INTERNAL_ERROR;
1568                                 return 0;
1569                                 }
1570                         }
1571                 else if (type == TLSEXT_TYPE_renegotiate)
1572                         {
1573                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1574                                 return 0;
1575                         renegotiate_seen = 1;
1576                         }
1577                 else if (type == TLSEXT_TYPE_signature_algorithms)
1578                         {
1579                         int dsize;
1580                         if (sigalg_seen || size < 2) 
1581                                 {
1582                                 *al = SSL_AD_DECODE_ERROR;
1583                                 return 0;
1584                                 }
1585                         sigalg_seen = 1;
1586                         n2s(data,dsize);
1587                         size -= 2;
1588                         if (dsize != size || dsize & 1) 
1589                                 {
1590                                 *al = SSL_AD_DECODE_ERROR;
1591                                 return 0;
1592                                 }
1593                         if (!tls1_process_sigalgs(s, data, dsize))
1594                                 {
1595                                 *al = SSL_AD_DECODE_ERROR;
1596                                 return 0;
1597                                 }
1598                         }
1599                 else if (type == TLSEXT_TYPE_status_request &&
1600                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1601                         {
1602                 
1603                         if (size < 5) 
1604                                 {
1605                                 *al = SSL_AD_DECODE_ERROR;
1606                                 return 0;
1607                                 }
1608
1609                         s->tlsext_status_type = *data++;
1610                         size--;
1611                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1612                                 {
1613                                 const unsigned char *sdata;
1614                                 int dsize;
1615                                 /* Read in responder_id_list */
1616                                 n2s(data,dsize);
1617                                 size -= 2;
1618                                 if (dsize > size  ) 
1619                                         {
1620                                         *al = SSL_AD_DECODE_ERROR;
1621                                         return 0;
1622                                         }
1623                                 while (dsize > 0)
1624                                         {
1625                                         OCSP_RESPID *id;
1626                                         int idsize;
1627                                         if (dsize < 4)
1628                                                 {
1629                                                 *al = SSL_AD_DECODE_ERROR;
1630                                                 return 0;
1631                                                 }
1632                                         n2s(data, idsize);
1633                                         dsize -= 2 + idsize;
1634                                         size -= 2 + idsize;
1635                                         if (dsize < 0)
1636                                                 {
1637                                                 *al = SSL_AD_DECODE_ERROR;
1638                                                 return 0;
1639                                                 }
1640                                         sdata = data;
1641                                         data += idsize;
1642                                         id = d2i_OCSP_RESPID(NULL,
1643                                                                 &sdata, idsize);
1644                                         if (!id)
1645                                                 {
1646                                                 *al = SSL_AD_DECODE_ERROR;
1647                                                 return 0;
1648                                                 }
1649                                         if (data != sdata)
1650                                                 {
1651                                                 OCSP_RESPID_free(id);
1652                                                 *al = SSL_AD_DECODE_ERROR;
1653                                                 return 0;
1654                                                 }
1655                                         if (!s->tlsext_ocsp_ids
1656                                                 && !(s->tlsext_ocsp_ids =
1657                                                 sk_OCSP_RESPID_new_null()))
1658                                                 {
1659                                                 OCSP_RESPID_free(id);
1660                                                 *al = SSL_AD_INTERNAL_ERROR;
1661                                                 return 0;
1662                                                 }
1663                                         if (!sk_OCSP_RESPID_push(
1664                                                         s->tlsext_ocsp_ids, id))
1665                                                 {
1666                                                 OCSP_RESPID_free(id);
1667                                                 *al = SSL_AD_INTERNAL_ERROR;
1668                                                 return 0;
1669                                                 }
1670                                         }
1671
1672                                 /* Read in request_extensions */
1673                                 if (size < 2)
1674                                         {
1675                                         *al = SSL_AD_DECODE_ERROR;
1676                                         return 0;
1677                                         }
1678                                 n2s(data,dsize);
1679                                 size -= 2;
1680                                 if (dsize != size)
1681                                         {
1682                                         *al = SSL_AD_DECODE_ERROR;
1683                                         return 0;
1684                                         }
1685                                 sdata = data;
1686                                 if (dsize > 0)
1687                                         {
1688                                         if (s->tlsext_ocsp_exts)
1689                                                 {
1690                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1691                                                                            X509_EXTENSION_free);
1692                                                 }
1693
1694                                         s->tlsext_ocsp_exts =
1695                                                 d2i_X509_EXTENSIONS(NULL,
1696                                                         &sdata, dsize);
1697                                         if (!s->tlsext_ocsp_exts
1698                                                 || (data + dsize != sdata))
1699                                                 {
1700                                                 *al = SSL_AD_DECODE_ERROR;
1701                                                 return 0;
1702                                                 }
1703                                         }
1704                                 }
1705                                 /* We don't know what to do with any other type
1706                                 * so ignore it.
1707                                 */
1708                                 else
1709                                         s->tlsext_status_type = -1;
1710                         }
1711 #ifndef OPENSSL_NO_HEARTBEATS
1712                 else if (type == TLSEXT_TYPE_heartbeat)
1713                         {
1714                         switch(data[0])
1715                                 {
1716                                 case 0x01:      /* Client allows us to send HB requests */
1717                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1718                                                         break;
1719                                 case 0x02:      /* Client doesn't accept HB requests */
1720                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1721                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1722                                                         break;
1723                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1724                                                         return 0;
1725                                 }
1726                         }
1727 #endif
1728 #ifndef OPENSSL_NO_NEXTPROTONEG
1729                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1730                          s->s3->tmp.finish_md_len == 0)
1731                         {
1732                         /* We shouldn't accept this extension on a
1733                          * renegotiation.
1734                          *
1735                          * s->new_session will be set on renegotiation, but we
1736                          * probably shouldn't rely that it couldn't be set on
1737                          * the initial renegotation too in certain cases (when
1738                          * there's some other reason to disallow resuming an
1739                          * earlier session -- the current code won't be doing
1740                          * anything like that, but this might change).
1741
1742                          * A valid sign that there's been a previous handshake
1743                          * in this connection is if s->s3->tmp.finish_md_len >
1744                          * 0.  (We are talking about a check that will happen
1745                          * in the Hello protocol round, well before a new
1746                          * Finished message could have been computed.) */
1747                         s->s3->next_proto_neg_seen = 1;
1748                         }
1749 #endif
1750
1751                 /* session ticket processed earlier */
1752                 else if (type == TLSEXT_TYPE_use_srtp)
1753                         {
1754                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1755                                                               al))
1756                                 return 0;
1757                         }
1758
1759                 else if (type == TLSEXT_TYPE_server_authz)
1760                         {
1761                         unsigned char *sdata = data;
1762                         unsigned char server_authz_dataformatlist_length;
1763
1764                         if (size == 0)
1765                                 {
1766                                 *al = TLS1_AD_DECODE_ERROR;
1767                                 return 0;
1768                                 }
1769
1770                         server_authz_dataformatlist_length = *(sdata++);
1771
1772                         if (server_authz_dataformatlist_length != size - 1)
1773                                 {
1774                                 *al = TLS1_AD_DECODE_ERROR;
1775                                 return 0;
1776                                 }
1777
1778                         /* Successful session resumption uses the same authz
1779                          * information as the original session so we ignore this
1780                          * in the case of a session resumption. */
1781                         if (!s->hit)
1782                                 {
1783                                 size_t i;
1784                                 s->s3->tlsext_authz_client_types =
1785                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1786                                 if (!s->s3->tlsext_authz_client_types)
1787                                         {
1788                                         *al = TLS1_AD_INTERNAL_ERROR;
1789                                         return 0;
1790                                         }
1791
1792                                 s->s3->tlsext_authz_client_types_len =
1793                                         server_authz_dataformatlist_length;
1794                                 memcpy(s->s3->tlsext_authz_client_types,
1795                                        sdata,
1796                                        server_authz_dataformatlist_length);
1797
1798                                 /* Sort the types in order to check for duplicates. */
1799                                 qsort(s->s3->tlsext_authz_client_types,
1800                                       server_authz_dataformatlist_length,
1801                                       1 /* element size */,
1802                                       byte_compare);
1803
1804                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1805                                         {
1806                                         if (i > 0 &&
1807                                             s->s3->tlsext_authz_client_types[i] ==
1808                                               s->s3->tlsext_authz_client_types[i-1])
1809                                                 {
1810                                                 *al = TLS1_AD_DECODE_ERROR;
1811                                                 return 0;
1812                                                 }
1813                                         }
1814                                 }
1815                         }
1816
1817                 data+=size;
1818                 }
1819
1820         *p = data;
1821
1822         ri_check:
1823
1824         /* Need RI if renegotiating */
1825
1826         if (!renegotiate_seen && s->renegotiate &&
1827                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1828                 {
1829                 *al = SSL_AD_HANDSHAKE_FAILURE;
1830                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1831                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1832                 return 0;
1833                 }
1834
1835         return 1;
1836         }
1837
1838 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1839         {
1840         int al = -1;
1841         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1842                 {
1843                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1844                 return 0;
1845                 }
1846
1847         if (ssl_check_clienthello_tlsext(s) <= 0) 
1848                 {
1849                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1850                 return 0;
1851                 }
1852         return 1;
1853 }
1854
1855 #ifndef OPENSSL_NO_NEXTPROTONEG
1856 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1857  * elements of zero length are allowed and the set of elements must exactly fill
1858  * the length of the block. */
1859 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1860         {
1861         unsigned int off = 0;
1862
1863         while (off < len)
1864                 {
1865                 if (d[off] == 0)
1866                         return 0;
1867                 off += d[off];
1868                 off++;
1869                 }
1870
1871         return off == len;
1872         }
1873 #endif
1874
1875 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1876         {
1877         unsigned short length;
1878         unsigned short type;
1879         unsigned short size;
1880         unsigned char *data = *p;
1881         int tlsext_servername = 0;
1882         int renegotiate_seen = 0;
1883
1884 #ifndef OPENSSL_NO_NEXTPROTONEG
1885         s->s3->next_proto_neg_seen = 0;
1886 #endif
1887
1888 #ifndef OPENSSL_NO_HEARTBEATS
1889         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1890                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1891 #endif
1892
1893         if (data >= (d+n-2))
1894                 goto ri_check;
1895
1896         n2s(data,length);
1897         if (data+length != d+n)
1898                 {
1899                 *al = SSL_AD_DECODE_ERROR;
1900                 return 0;
1901                 }
1902
1903         while(data <= (d+n-4))
1904                 {
1905                 n2s(data,type);
1906                 n2s(data,size);
1907
1908                 if (data+size > (d+n))
1909                         goto ri_check;
1910
1911                 if (s->tlsext_debug_cb)
1912                         s->tlsext_debug_cb(s, 1, type, data, size,
1913                                                 s->tlsext_debug_arg);
1914
1915                 if (type == TLSEXT_TYPE_server_name)
1916                         {
1917                         if (s->tlsext_hostname == NULL || size > 0)
1918                                 {
1919                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1920                                 return 0;
1921                                 }
1922                         tlsext_servername = 1;   
1923                         }
1924
1925 #ifndef OPENSSL_NO_EC
1926                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1927                      s->version != DTLS1_VERSION)
1928                         {
1929                         unsigned char *sdata = data;
1930                         int ecpointformatlist_length = *(sdata++);
1931
1932                         if (ecpointformatlist_length != size - 1)
1933                                 {
1934                                 *al = TLS1_AD_DECODE_ERROR;
1935                                 return 0;
1936                                 }
1937                         s->session->tlsext_ecpointformatlist_length = 0;
1938                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1939                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1940                                 {
1941                                 *al = TLS1_AD_INTERNAL_ERROR;
1942                                 return 0;
1943                                 }
1944                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1945                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1946 #if 0
1947                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1948                         sdata = s->session->tlsext_ecpointformatlist;
1949                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1950                                 fprintf(stderr,"%i ",*(sdata++));
1951                         fprintf(stderr,"\n");
1952 #endif
1953                         }
1954 #endif /* OPENSSL_NO_EC */
1955
1956                 else if (type == TLSEXT_TYPE_session_ticket)
1957                         {
1958                         if (s->tls_session_ticket_ext_cb &&
1959                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1960                                 {
1961                                 *al = TLS1_AD_INTERNAL_ERROR;
1962                                 return 0;
1963                                 }
1964                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1965                                 || (size > 0))
1966                                 {
1967                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1968                                 return 0;
1969                                 }
1970                         s->tlsext_ticket_expected = 1;
1971                         }
1972 #ifdef TLSEXT_TYPE_opaque_prf_input
1973                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1974                      s->version != DTLS1_VERSION)
1975                         {
1976                         unsigned char *sdata = data;
1977
1978                         if (size < 2)
1979                                 {
1980                                 *al = SSL_AD_DECODE_ERROR;
1981                                 return 0;
1982                                 }
1983                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1984                         if (s->s3->server_opaque_prf_input_len != size - 2)
1985                                 {
1986                                 *al = SSL_AD_DECODE_ERROR;
1987                                 return 0;
1988                                 }
1989                         
1990                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1991                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1992                         if (s->s3->server_opaque_prf_input_len == 0)
1993                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1994                         else
1995                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1996
1997                         if (s->s3->server_opaque_prf_input == NULL)
1998                                 {
1999                                 *al = TLS1_AD_INTERNAL_ERROR;
2000                                 return 0;
2001                                 }
2002                         }
2003 #endif
2004                 else if (type == TLSEXT_TYPE_status_request &&
2005                          s->version != DTLS1_VERSION)
2006                         {
2007                         /* MUST be empty and only sent if we've requested
2008                          * a status request message.
2009                          */ 
2010                         if ((s->tlsext_status_type == -1) || (size > 0))
2011                                 {
2012                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2013                                 return 0;
2014                                 }
2015                         /* Set flag to expect CertificateStatus message */
2016                         s->tlsext_status_expected = 1;
2017                         }
2018 #ifndef OPENSSL_NO_NEXTPROTONEG
2019                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2020                          s->s3->tmp.finish_md_len == 0)
2021                         {
2022                         unsigned char *selected;
2023                         unsigned char selected_len;
2024
2025                         /* We must have requested it. */
2026                         if ((s->ctx->next_proto_select_cb == NULL))
2027                                 {
2028                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2029                                 return 0;
2030                                 }
2031                         /* The data must be valid */
2032                         if (!ssl_next_proto_validate(data, size))
2033                                 {
2034                                 *al = TLS1_AD_DECODE_ERROR;
2035                                 return 0;
2036                                 }
2037                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2038                                 {
2039                                 *al = TLS1_AD_INTERNAL_ERROR;
2040                                 return 0;
2041                                 }
2042                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2043                         if (!s->next_proto_negotiated)
2044                                 {
2045                                 *al = TLS1_AD_INTERNAL_ERROR;
2046                                 return 0;
2047                                 }
2048                         memcpy(s->next_proto_negotiated, selected, selected_len);
2049                         s->next_proto_negotiated_len = selected_len;
2050                         s->s3->next_proto_neg_seen = 1;
2051                         }
2052 #endif
2053                 else if (type == TLSEXT_TYPE_renegotiate)
2054                         {
2055                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2056                                 return 0;
2057                         renegotiate_seen = 1;
2058                         }
2059 #ifndef OPENSSL_NO_HEARTBEATS
2060                 else if (type == TLSEXT_TYPE_heartbeat)
2061                         {
2062                         switch(data[0])
2063                                 {
2064                                 case 0x01:      /* Server allows us to send HB requests */
2065                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2066                                                         break;
2067                                 case 0x02:      /* Server doesn't accept HB requests */
2068                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2069                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2070                                                         break;
2071                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2072                                                         return 0;
2073                                 }
2074                         }
2075 #endif
2076                 else if (type == TLSEXT_TYPE_use_srtp)
2077                         {
2078                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2079                                                               al))
2080                                 return 0;
2081                         }
2082
2083                 else if (type == TLSEXT_TYPE_server_authz)
2084                         {
2085                         /* We only support audit proofs. It's an error to send
2086                          * an authz hello extension if the client
2087                          * didn't request a proof. */
2088                         unsigned char *sdata = data;
2089                         unsigned char server_authz_dataformatlist_length;
2090
2091                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2092                                 {
2093                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2094                                 return 0;
2095                                 }
2096
2097                         if (!size)
2098                                 {
2099                                 *al = TLS1_AD_DECODE_ERROR;
2100                                 return 0;
2101                                 }
2102
2103                         server_authz_dataformatlist_length = *(sdata++);
2104                         if (server_authz_dataformatlist_length != size - 1)
2105                                 {
2106                                 *al = TLS1_AD_DECODE_ERROR;
2107                                 return 0;
2108                                 }
2109
2110                         /* We only support audit proofs, so a legal ServerHello
2111                          * authz list contains exactly one entry. */
2112                         if (server_authz_dataformatlist_length != 1 ||
2113                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2114                                 {
2115                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2116                                 return 0;
2117                                 }
2118
2119                         s->s3->tlsext_authz_server_promised = 1;
2120                         }
2121  
2122                 data += size;
2123                 }
2124
2125         if (data != d+n)
2126                 {
2127                 *al = SSL_AD_DECODE_ERROR;
2128                 return 0;
2129                 }
2130
2131         if (!s->hit && tlsext_servername == 1)
2132                 {
2133                 if (s->tlsext_hostname)
2134                         {
2135                         if (s->session->tlsext_hostname == NULL)
2136                                 {
2137                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2138                                 if (!s->session->tlsext_hostname)
2139                                         {
2140                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2141                                         return 0;
2142                                         }
2143                                 }
2144                         else 
2145                                 {
2146                                 *al = SSL_AD_DECODE_ERROR;
2147                                 return 0;
2148                                 }
2149                         }
2150                 }
2151
2152         *p = data;
2153
2154         ri_check:
2155
2156         /* Determine if we need to see RI. Strictly speaking if we want to
2157          * avoid an attack we should *always* see RI even on initial server
2158          * hello because the client doesn't see any renegotiation during an
2159          * attack. However this would mean we could not connect to any server
2160          * which doesn't support RI so for the immediate future tolerate RI
2161          * absence on initial connect only.
2162          */
2163         if (!renegotiate_seen
2164                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2165                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2166                 {
2167                 *al = SSL_AD_HANDSHAKE_FAILURE;
2168                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2169                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2170                 return 0;
2171                 }
2172
2173         return 1;
2174         }
2175
2176
2177 int ssl_prepare_clienthello_tlsext(SSL *s)
2178         {
2179
2180 #ifdef TLSEXT_TYPE_opaque_prf_input
2181         {
2182                 int r = 1;
2183         
2184                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2185                         {
2186                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2187                         if (!r)
2188                                 return -1;
2189                         }
2190
2191                 if (s->tlsext_opaque_prf_input != NULL)
2192                         {
2193                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2194                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2195
2196                         if (s->tlsext_opaque_prf_input_len == 0)
2197                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2198                         else
2199                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2200                         if (s->s3->client_opaque_prf_input == NULL)
2201                                 {
2202                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2203                                 return -1;
2204                                 }
2205                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2206                         }
2207
2208                 if (r == 2)
2209                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2210                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2211         }
2212 #endif
2213
2214         return 1;
2215         }
2216
2217 int ssl_prepare_serverhello_tlsext(SSL *s)
2218         {
2219 #ifndef OPENSSL_NO_EC
2220         /* If we are server and using an ECC cipher suite, send the point formats we support 
2221          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2222          * supposed to send an EllipticCurves extension.
2223          */
2224
2225         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2226         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2227         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2228         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2229         
2230         if (using_ecc)
2231                 {
2232                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2233                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2234                         {
2235                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2236                         return -1;
2237                         }
2238                 s->tlsext_ecpointformatlist_length = 3;
2239                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2240                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2241                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2242                 }
2243 #endif /* OPENSSL_NO_EC */
2244
2245         return 1;
2246         }
2247
2248 static int ssl_check_clienthello_tlsext(SSL *s)
2249         {
2250         int ret=SSL_TLSEXT_ERR_NOACK;
2251         int al = SSL_AD_UNRECOGNIZED_NAME;
2252
2253 #ifndef OPENSSL_NO_EC
2254         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2255          * ssl3_choose_cipher in s3_lib.c.
2256          */
2257         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2258          * ssl3_choose_cipher in s3_lib.c.
2259          */
2260 #endif
2261
2262         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2263                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2264         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2265                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2266
2267         /* If status request then ask callback what to do.
2268          * Note: this must be called after servername callbacks in case 
2269          * the certificate has changed.
2270          */
2271         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2272                 {
2273                 int r;
2274                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2275                 switch (r)
2276                         {
2277                         /* We don't want to send a status request response */
2278                         case SSL_TLSEXT_ERR_NOACK:
2279                                 s->tlsext_status_expected = 0;
2280                                 break;
2281                         /* status request response should be sent */
2282                         case SSL_TLSEXT_ERR_OK:
2283                                 if (s->tlsext_ocsp_resp)
2284                                         s->tlsext_status_expected = 1;
2285                                 else
2286                                         s->tlsext_status_expected = 0;
2287                                 break;
2288                         /* something bad happened */
2289                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2290                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2291                                 al = SSL_AD_INTERNAL_ERROR;
2292                                 goto err;
2293                         }
2294                 }
2295         else
2296                 s->tlsext_status_expected = 0;
2297
2298 #ifdef TLSEXT_TYPE_opaque_prf_input
2299         {
2300                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2301                  * but we might be sending an alert in response to the client hello,
2302                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2303
2304                 int r = 1;
2305         
2306                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2307                         {
2308                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2309                         if (!r)
2310                                 {
2311                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2312                                 al = SSL_AD_INTERNAL_ERROR;
2313                                 goto err;
2314                                 }
2315                         }
2316
2317                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2318                         OPENSSL_free(s->s3->server_opaque_prf_input);
2319                 s->s3->server_opaque_prf_input = NULL;
2320
2321                 if (s->tlsext_opaque_prf_input != NULL)
2322                         {
2323                         if (s->s3->client_opaque_prf_input != NULL &&
2324                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2325                                 {
2326                                 /* can only use this extension if we have a server opaque PRF input
2327                                  * of the same length as the client opaque PRF input! */
2328
2329                                 if (s->tlsext_opaque_prf_input_len == 0)
2330                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2331                                 else
2332                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2333                                 if (s->s3->server_opaque_prf_input == NULL)
2334                                         {
2335                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2336                                         al = SSL_AD_INTERNAL_ERROR;
2337                                         goto err;
2338                                         }
2339                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2340                                 }
2341                         }
2342
2343                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2344                         {
2345                         /* The callback wants to enforce use of the extension,
2346                          * but we can't do that with the client opaque PRF input;
2347                          * abort the handshake.
2348                          */
2349                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2350                         al = SSL_AD_HANDSHAKE_FAILURE;
2351                         }
2352         }
2353
2354 #endif
2355  err:
2356         switch (ret)
2357                 {
2358                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2359                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2360                         return -1;
2361
2362                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2363                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2364                         return 1; 
2365                                         
2366                 case SSL_TLSEXT_ERR_NOACK:
2367                         s->servername_done=0;
2368                         default:
2369                 return 1;
2370                 }
2371         }
2372
2373 int ssl_check_serverhello_tlsext(SSL *s)
2374         {
2375         int ret=SSL_TLSEXT_ERR_NOACK;
2376         int al = SSL_AD_UNRECOGNIZED_NAME;
2377
2378 #ifndef OPENSSL_NO_EC
2379         /* If we are client and using an elliptic curve cryptography cipher
2380          * suite, then if server returns an EC point formats lists extension
2381          * it must contain uncompressed.
2382          */
2383         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2384         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2385         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2386             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2387             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2388                 {
2389                 /* we are using an ECC cipher */
2390                 size_t i;
2391                 unsigned char *list;
2392                 int found_uncompressed = 0;
2393                 list = s->session->tlsext_ecpointformatlist;
2394                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2395                         {
2396                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2397                                 {
2398                                 found_uncompressed = 1;
2399                                 break;
2400                                 }
2401                         }
2402                 if (!found_uncompressed)
2403                         {
2404                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2405                         return -1;
2406                         }
2407                 }
2408         ret = SSL_TLSEXT_ERR_OK;
2409 #endif /* OPENSSL_NO_EC */
2410
2411         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2412                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2413         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2414                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2415
2416 #ifdef TLSEXT_TYPE_opaque_prf_input
2417         if (s->s3->server_opaque_prf_input_len > 0)
2418                 {
2419                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2420                  * So first verify that we really have a value from the server too. */
2421
2422                 if (s->s3->server_opaque_prf_input == NULL)
2423                         {
2424                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2425                         al = SSL_AD_HANDSHAKE_FAILURE;
2426                         }
2427                 
2428                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2429                  * that we have a client opaque PRF input of the same size. */
2430                 if (s->s3->client_opaque_prf_input == NULL ||
2431                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2432                         {
2433                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2434                         al = SSL_AD_ILLEGAL_PARAMETER;
2435                         }
2436                 }
2437 #endif
2438
2439         /* If we've requested certificate status and we wont get one
2440          * tell the callback
2441          */
2442         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2443                         && s->ctx && s->ctx->tlsext_status_cb)
2444                 {
2445                 int r;
2446                 /* Set resp to NULL, resplen to -1 so callback knows
2447                  * there is no response.
2448                  */
2449                 if (s->tlsext_ocsp_resp)
2450                         {
2451                         OPENSSL_free(s->tlsext_ocsp_resp);
2452                         s->tlsext_ocsp_resp = NULL;
2453                         }
2454                 s->tlsext_ocsp_resplen = -1;
2455                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2456                 if (r == 0)
2457                         {
2458                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2459                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2460                         }
2461                 if (r < 0)
2462                         {
2463                         al = SSL_AD_INTERNAL_ERROR;
2464                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2465                         }
2466                 }
2467
2468         switch (ret)
2469                 {
2470                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2471                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2472                         return -1;
2473
2474                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2475                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2476                         return 1; 
2477                                         
2478                 case SSL_TLSEXT_ERR_NOACK:
2479                         s->servername_done=0;
2480                         default:
2481                 return 1;
2482                 }
2483         }
2484
2485 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2486         {
2487         int al = -1;
2488         if (s->version < SSL3_VERSION)
2489                 return 1;
2490         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2491                 {
2492                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2493                 return 0;
2494                 }
2495
2496         if (ssl_check_serverhello_tlsext(s) <= 0) 
2497                 {
2498                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2499                 return 0;
2500                 }
2501         return 1;
2502 }
2503
2504 /* Since the server cache lookup is done early on in the processing of the
2505  * ClientHello, and other operations depend on the result, we need to handle
2506  * any TLS session ticket extension at the same time.
2507  *
2508  *   session_id: points at the session ID in the ClientHello. This code will
2509  *       read past the end of this in order to parse out the session ticket
2510  *       extension, if any.
2511  *   len: the length of the session ID.
2512  *   limit: a pointer to the first byte after the ClientHello.
2513  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2514  *       point to the resulting session.
2515  *
2516  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2517  * ciphersuite, in which case we have no use for session tickets and one will
2518  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2519  *
2520  * Returns:
2521  *   -1: fatal error, either from parsing or decrypting the ticket.
2522  *    0: no ticket was found (or was ignored, based on settings).
2523  *    1: a zero length extension was found, indicating that the client supports
2524  *       session tickets but doesn't currently have one to offer.
2525  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2526  *       couldn't be decrypted because of a non-fatal error.
2527  *    3: a ticket was successfully decrypted and *ret was set.
2528  *
2529  * Side effects:
2530  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2531  *   a new session ticket to the client because the client indicated support
2532  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2533  *   a session ticket or we couldn't use the one it gave us, or if
2534  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2535  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2536  */
2537 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2538                         const unsigned char *limit, SSL_SESSION **ret)
2539         {
2540         /* Point after session ID in client hello */
2541         const unsigned char *p = session_id + len;
2542         unsigned short i;
2543
2544         *ret = NULL;
2545         s->tlsext_ticket_expected = 0;
2546
2547         /* If tickets disabled behave as if no ticket present
2548          * to permit stateful resumption.
2549          */
2550         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2551                 return 0;
2552         if ((s->version <= SSL3_VERSION) || !limit)
2553                 return 0;
2554         if (p >= limit)
2555                 return -1;
2556         /* Skip past DTLS cookie */
2557         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2558                 {
2559                 i = *(p++);
2560                 p+= i;
2561                 if (p >= limit)
2562                         return -1;
2563                 }
2564         /* Skip past cipher list */
2565         n2s(p, i);
2566         p+= i;
2567         if (p >= limit)
2568                 return -1;
2569         /* Skip past compression algorithm list */
2570         i = *(p++);
2571         p += i;
2572         if (p > limit)
2573                 return -1;
2574         /* Now at start of extensions */
2575         if ((p + 2) >= limit)
2576                 return 0;
2577         n2s(p, i);
2578         while ((p + 4) <= limit)
2579                 {
2580                 unsigned short type, size;
2581                 n2s(p, type);
2582                 n2s(p, size);
2583                 if (p + size > limit)
2584                         return 0;
2585                 if (type == TLSEXT_TYPE_session_ticket)
2586                         {
2587                         int r;
2588                         if (size == 0)
2589                                 {
2590                                 /* The client will accept a ticket but doesn't
2591                                  * currently have one. */
2592                                 s->tlsext_ticket_expected = 1;
2593                                 return 1;
2594                                 }
2595                         if (s->tls_session_secret_cb)
2596                                 {
2597                                 /* Indicate that the ticket couldn't be
2598                                  * decrypted rather than generating the session
2599                                  * from ticket now, trigger abbreviated
2600                                  * handshake based on external mechanism to
2601                                  * calculate the master secret later. */
2602                                 return 2;
2603                                 }
2604                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2605                         switch (r)
2606                                 {
2607                                 case 2: /* ticket couldn't be decrypted */
2608                                         s->tlsext_ticket_expected = 1;
2609                                         return 2;
2610                                 case 3: /* ticket was decrypted */
2611                                         return r;
2612                                 case 4: /* ticket decrypted but need to renew */
2613                                         s->tlsext_ticket_expected = 1;
2614                                         return 3;
2615                                 default: /* fatal error */
2616                                         return -1;
2617                                 }
2618                         }
2619                 p += size;
2620                 }
2621         return 0;
2622         }
2623
2624 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2625  *
2626  *   etick: points to the body of the session ticket extension.
2627  *   eticklen: the length of the session tickets extenion.
2628  *   sess_id: points at the session ID.
2629  *   sesslen: the length of the session ID.
2630  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2631  *       point to the resulting session.
2632  *
2633  * Returns:
2634  *   -1: fatal error, either from parsing or decrypting the ticket.
2635  *    2: the ticket couldn't be decrypted.
2636  *    3: a ticket was successfully decrypted and *psess was set.
2637  *    4: same as 3, but the ticket needs to be renewed.
2638  */
2639 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2640                                 const unsigned char *sess_id, int sesslen,
2641                                 SSL_SESSION **psess)
2642         {
2643         SSL_SESSION *sess;
2644         unsigned char *sdec;
2645         const unsigned char *p;
2646         int slen, mlen, renew_ticket = 0;
2647         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2648         HMAC_CTX hctx;
2649         EVP_CIPHER_CTX ctx;
2650         SSL_CTX *tctx = s->initial_ctx;
2651         /* Need at least keyname + iv + some encrypted data */
2652         if (eticklen < 48)
2653                 return 2;
2654         /* Initialize session ticket encryption and HMAC contexts */
2655         HMAC_CTX_init(&hctx);
2656         EVP_CIPHER_CTX_init(&ctx);
2657         if (tctx->tlsext_ticket_key_cb)
2658                 {
2659                 unsigned char *nctick = (unsigned char *)etick;
2660                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2661                                                         &ctx, &hctx, 0);
2662                 if (rv < 0)
2663                         return -1;
2664                 if (rv == 0)
2665                         return 2;
2666                 if (rv == 2)
2667                         renew_ticket = 1;
2668                 }
2669         else
2670                 {
2671                 /* Check key name matches */
2672                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2673                         return 2;
2674                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2675                                         tlsext_tick_md(), NULL);
2676                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2677                                 tctx->tlsext_tick_aes_key, etick + 16);
2678                 }
2679         /* Attempt to process session ticket, first conduct sanity and
2680          * integrity checks on ticket.
2681          */
2682         mlen = HMAC_size(&hctx);
2683         if (mlen < 0)
2684                 {
2685                 EVP_CIPHER_CTX_cleanup(&ctx);
2686                 return -1;
2687                 }
2688         eticklen -= mlen;
2689         /* Check HMAC of encrypted ticket */
2690         HMAC_Update(&hctx, etick, eticklen);
2691         HMAC_Final(&hctx, tick_hmac, NULL);
2692         HMAC_CTX_cleanup(&hctx);
2693         if (memcmp(tick_hmac, etick + eticklen, mlen))
2694                 return 2;
2695         /* Attempt to decrypt session data */
2696         /* Move p after IV to start of encrypted ticket, update length */
2697         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2698         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2699         sdec = OPENSSL_malloc(eticklen);
2700         if (!sdec)
2701                 {
2702                 EVP_CIPHER_CTX_cleanup(&ctx);
2703                 return -1;
2704                 }
2705         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2706         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2707                 return 2;
2708         slen += mlen;
2709         EVP_CIPHER_CTX_cleanup(&ctx);
2710         p = sdec;
2711
2712         sess = d2i_SSL_SESSION(NULL, &p, slen);
2713         OPENSSL_free(sdec);
2714         if (sess)
2715                 {
2716                 /* The session ID, if non-empty, is used by some clients to
2717                  * detect that the ticket has been accepted. So we copy it to
2718                  * the session structure. If it is empty set length to zero
2719                  * as required by standard.
2720                  */
2721                 if (sesslen)
2722                         memcpy(sess->session_id, sess_id, sesslen);
2723                 sess->session_id_length = sesslen;
2724                 *psess = sess;
2725                 if (renew_ticket)
2726                         return 4;
2727                 else
2728                         return 3;
2729                 }
2730         ERR_clear_error();
2731         /* For session parse failure, indicate that we need to send a new
2732          * ticket. */
2733         return 2;
2734         }
2735
2736 /* Tables to translate from NIDs to TLS v1.2 ids */
2737
2738 typedef struct 
2739         {
2740         int nid;
2741         int id;
2742         } tls12_lookup;
2743
2744 static tls12_lookup tls12_md[] = {
2745         {NID_md5, TLSEXT_hash_md5},
2746         {NID_sha1, TLSEXT_hash_sha1},
2747         {NID_sha224, TLSEXT_hash_sha224},
2748         {NID_sha256, TLSEXT_hash_sha256},
2749         {NID_sha384, TLSEXT_hash_sha384},
2750         {NID_sha512, TLSEXT_hash_sha512}
2751 };
2752
2753 static tls12_lookup tls12_sig[] = {
2754         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2755         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2756         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2757 };
2758
2759 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2760         {
2761         size_t i;
2762         for (i = 0; i < tlen; i++)
2763                 {
2764                 if (table[i].nid == nid)
2765                         return table[i].id;
2766                 }
2767         return -1;
2768         }
2769
2770 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2771         {
2772         size_t i;
2773         for (i = 0; i < tlen; i++)
2774                 {
2775                 if ((table[i].id) == id)
2776                         return table[i].nid;
2777                 }
2778         return NID_undef;
2779         }
2780
2781 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2782         {
2783         int sig_id, md_id;
2784         if (!md)
2785                 return 0;
2786         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2787                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2788         if (md_id == -1)
2789                 return 0;
2790         sig_id = tls12_get_sigid(pk);
2791         if (sig_id == -1)
2792                 return 0;
2793         p[0] = (unsigned char)md_id;
2794         p[1] = (unsigned char)sig_id;
2795         return 1;
2796         }
2797
2798 int tls12_get_sigid(const EVP_PKEY *pk)
2799         {
2800         return tls12_find_id(pk->type, tls12_sig,
2801                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2802         }
2803
2804 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2805         {
2806         switch(hash_alg)
2807                 {
2808 #ifndef OPENSSL_NO_MD5
2809                 case TLSEXT_hash_md5:
2810 #ifdef OPENSSL_FIPS
2811                 if (FIPS_mode())
2812                         return NULL;
2813 #endif
2814                 return EVP_md5();
2815 #endif
2816 #ifndef OPENSSL_NO_SHA
2817                 case TLSEXT_hash_sha1:
2818                 return EVP_sha1();
2819 #endif
2820 #ifndef OPENSSL_NO_SHA256
2821                 case TLSEXT_hash_sha224:
2822                 return EVP_sha224();
2823
2824                 case TLSEXT_hash_sha256:
2825                 return EVP_sha256();
2826 #endif
2827 #ifndef OPENSSL_NO_SHA512
2828                 case TLSEXT_hash_sha384:
2829                 return EVP_sha384();
2830
2831                 case TLSEXT_hash_sha512:
2832                 return EVP_sha512();
2833 #endif
2834                 default:
2835                 return NULL;
2836
2837                 }
2838         }
2839
2840 /* Set preferred digest for each key type */
2841
2842 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2843         {
2844         int i, idx;
2845         const EVP_MD *md;
2846         CERT *c = s->cert;
2847         TLS_SIGALGS *sigptr;
2848         /* Extension ignored for TLS versions below 1.2 */
2849         if (TLS1_get_version(s) < TLS1_2_VERSION)
2850                 return 1;
2851         /* Should never happen */
2852         if (!c)
2853                 return 0;
2854
2855         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2856         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2857         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2858         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2859
2860         if (c->sigalgs)
2861                 OPENSSL_free(c->sigalgs);
2862         c->sigalgs = OPENSSL_malloc((dsize/2) * sizeof(TLS_SIGALGS));
2863         if (!c->sigalgs)
2864                 return 0;
2865         c->sigalgslen = dsize/2;
2866
2867         for (i = 0, sigptr = c->sigalgs; i < dsize; i += 2, sigptr++)
2868                 {
2869                 sigptr->rhash = data[i];
2870                 sigptr->rsign = data[i + 1];
2871                 sigptr->hash_nid = tls12_find_nid(sigptr->rhash, tls12_md,
2872                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2873                 sigptr->sign_nid = tls12_find_nid(sigptr->rsign, tls12_sig,
2874                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2875                 if (!OBJ_find_sigid_by_algs(&sigptr->signandhash_nid,
2876                                                 sigptr->hash_nid,
2877                                                 sigptr->sign_nid))
2878                         sigptr->signandhash_nid = NID_undef;
2879                 switch(sigptr->rsign)
2880                         {
2881 #ifndef OPENSSL_NO_RSA
2882                         case TLSEXT_signature_rsa:
2883                         idx = SSL_PKEY_RSA_SIGN;
2884                         break;
2885 #endif
2886 #ifndef OPENSSL_NO_DSA
2887                         case TLSEXT_signature_dsa:
2888                         idx = SSL_PKEY_DSA_SIGN;
2889                         break;
2890 #endif
2891 #ifndef OPENSSL_NO_ECDSA
2892                         case TLSEXT_signature_ecdsa:
2893                         idx = SSL_PKEY_ECC;
2894                         break;
2895 #endif
2896                         default:
2897                         continue;
2898                         }
2899
2900                 if (c->pkeys[idx].digest == NULL)
2901                         {
2902                         md = tls12_get_hash(sigptr->rhash);
2903                         if (md)
2904                                 {
2905                                 c->pkeys[idx].digest = md;
2906                                 if (idx == SSL_PKEY_RSA_SIGN)
2907                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2908                                 }
2909                         }
2910
2911                 }
2912
2913
2914         /* Set any remaining keys to default values. NOTE: if alg is not
2915          * supported it stays as NULL.
2916          */
2917 #ifndef OPENSSL_NO_DSA
2918         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2919                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2920 #endif
2921 #ifndef OPENSSL_NO_RSA
2922         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2923                 {
2924                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2925                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2926                 }
2927 #endif
2928 #ifndef OPENSSL_NO_ECDSA
2929         if (!c->pkeys[SSL_PKEY_ECC].digest)
2930                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2931 #endif
2932         return 1;
2933         }
2934
2935 #endif
2936
2937 int SSL_get_sigalgs(SSL *s, int idx,
2938                         int *psign, int *phash, int *psignandhash,
2939                         unsigned char *rsig, unsigned char *rhash)
2940         {
2941         if (s->cert->sigalgs == NULL)
2942                 return 0;
2943         if (idx >= 0)
2944                 {
2945                 TLS_SIGALGS *psig;
2946                 if (idx >= (int)s->cert->sigalgslen)
2947                         return 0;
2948                 psig = s->cert->sigalgs + idx;
2949                 if (psign)
2950                         *psign = psig->sign_nid;
2951                 if (phash)
2952                         *phash = psig->hash_nid;
2953                 if (psignandhash)
2954                         *psignandhash = psig->signandhash_nid;
2955                 if (rsig)
2956                         *rsig = psig->rsign;
2957                 if (rhash)
2958                         *rhash = psig->rhash;
2959                 }
2960         return s->cert->sigalgslen;
2961         }
2962         
2963
2964 #ifndef OPENSSL_NO_HEARTBEATS
2965 int
2966 tls1_process_heartbeat(SSL *s)
2967         {
2968         unsigned char *p = &s->s3->rrec.data[0], *pl;
2969         unsigned short hbtype;
2970         unsigned int payload;
2971         unsigned int padding = 16; /* Use minimum padding */
2972
2973         /* Read type and payload length first */
2974         hbtype = *p++;
2975         n2s(p, payload);
2976         pl = p;
2977
2978         if (s->msg_callback)
2979                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2980                         &s->s3->rrec.data[0], s->s3->rrec.length,
2981                         s, s->msg_callback_arg);
2982
2983         if (hbtype == TLS1_HB_REQUEST)
2984                 {
2985                 unsigned char *buffer, *bp;
2986                 int r;
2987
2988                 /* Allocate memory for the response, size is 1 bytes
2989                  * message type, plus 2 bytes payload length, plus
2990                  * payload, plus padding
2991                  */
2992                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2993                 bp = buffer;
2994                 
2995                 /* Enter response type, length and copy payload */
2996                 *bp++ = TLS1_HB_RESPONSE;
2997                 s2n(payload, bp);
2998                 memcpy(bp, pl, payload);
2999                 bp += payload;
3000                 /* Random padding */
3001                 RAND_pseudo_bytes(bp, padding);
3002
3003                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3004
3005                 if (r >= 0 && s->msg_callback)
3006                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3007                                 buffer, 3 + payload + padding,
3008                                 s, s->msg_callback_arg);
3009
3010                 OPENSSL_free(buffer);
3011
3012                 if (r < 0)
3013                         return r;
3014                 }
3015         else if (hbtype == TLS1_HB_RESPONSE)
3016                 {
3017                 unsigned int seq;
3018                 
3019                 /* We only send sequence numbers (2 bytes unsigned int),
3020                  * and 16 random bytes, so we just try to read the
3021                  * sequence number */
3022                 n2s(pl, seq);
3023                 
3024                 if (payload == 18 && seq == s->tlsext_hb_seq)
3025                         {
3026                         s->tlsext_hb_seq++;
3027                         s->tlsext_hb_pending = 0;
3028                         }
3029                 }
3030
3031         return 0;
3032         }
3033
3034 int
3035 tls1_heartbeat(SSL *s)
3036         {
3037         unsigned char *buf, *p;
3038         int ret;
3039         unsigned int payload = 18; /* Sequence number + random bytes */
3040         unsigned int padding = 16; /* Use minimum padding */
3041
3042         /* Only send if peer supports and accepts HB requests... */
3043         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3044             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3045                 {
3046                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3047                 return -1;
3048                 }
3049
3050         /* ...and there is none in flight yet... */
3051         if (s->tlsext_hb_pending)
3052                 {
3053                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3054                 return -1;
3055                 }
3056                 
3057         /* ...and no handshake in progress. */
3058         if (SSL_in_init(s) || s->in_handshake)
3059                 {
3060                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3061                 return -1;
3062                 }
3063                 
3064         /* Check if padding is too long, payload and padding
3065          * must not exceed 2^14 - 3 = 16381 bytes in total.
3066          */
3067         OPENSSL_assert(payload + padding <= 16381);
3068
3069         /* Create HeartBeat message, we just use a sequence number
3070          * as payload to distuingish different messages and add
3071          * some random stuff.
3072          *  - Message Type, 1 byte
3073          *  - Payload Length, 2 bytes (unsigned int)
3074          *  - Payload, the sequence number (2 bytes uint)
3075          *  - Payload, random bytes (16 bytes uint)
3076          *  - Padding
3077          */
3078         buf = OPENSSL_malloc(1 + 2 + payload + padding);
3079         p = buf;
3080         /* Message Type */
3081         *p++ = TLS1_HB_REQUEST;
3082         /* Payload length (18 bytes here) */
3083         s2n(payload, p);
3084         /* Sequence number */
3085         s2n(s->tlsext_hb_seq, p);
3086         /* 16 random bytes */
3087         RAND_pseudo_bytes(p, 16);
3088         p += 16;
3089         /* Random padding */
3090         RAND_pseudo_bytes(p, padding);
3091
3092         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3093         if (ret >= 0)
3094                 {
3095                 if (s->msg_callback)
3096                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3097                                 buf, 3 + payload + padding,
3098                                 s, s->msg_callback_arg);
3099
3100                 s->tlsext_hb_pending = 1;
3101                 }
3102                 
3103         OPENSSL_free(buf);
3104
3105         return ret;
3106         }
3107 #endif