a732200c519353d9c1775105fc2ae8cf431547fe
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157 #ifndef OPENSSL_NO_TLSEXT
158         if (s->tlsext_session_ticket)
159                 {
160                 OPENSSL_free(s->tlsext_session_ticket);
161                 }
162 #endif /* OPENSSL_NO_TLSEXT */
163         ssl3_free(s);
164         }
165
166 void tls1_clear(SSL *s)
167         {
168         ssl3_clear(s);
169         s->version = s->method->version;
170         }
171
172 #ifndef OPENSSL_NO_EC
173 static int nid_list[] =
174         {
175                 NID_sect163k1, /* sect163k1 (1) */
176                 NID_sect163r1, /* sect163r1 (2) */
177                 NID_sect163r2, /* sect163r2 (3) */
178                 NID_sect193r1, /* sect193r1 (4) */ 
179                 NID_sect193r2, /* sect193r2 (5) */ 
180                 NID_sect233k1, /* sect233k1 (6) */
181                 NID_sect233r1, /* sect233r1 (7) */ 
182                 NID_sect239k1, /* sect239k1 (8) */ 
183                 NID_sect283k1, /* sect283k1 (9) */
184                 NID_sect283r1, /* sect283r1 (10) */ 
185                 NID_sect409k1, /* sect409k1 (11) */ 
186                 NID_sect409r1, /* sect409r1 (12) */
187                 NID_sect571k1, /* sect571k1 (13) */ 
188                 NID_sect571r1, /* sect571r1 (14) */ 
189                 NID_secp160k1, /* secp160k1 (15) */
190                 NID_secp160r1, /* secp160r1 (16) */ 
191                 NID_secp160r2, /* secp160r2 (17) */ 
192                 NID_secp192k1, /* secp192k1 (18) */
193                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
194                 NID_secp224k1, /* secp224k1 (20) */ 
195                 NID_secp224r1, /* secp224r1 (21) */
196                 NID_secp256k1, /* secp256k1 (22) */ 
197                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
198                 NID_secp384r1, /* secp384r1 (24) */
199                 NID_secp521r1  /* secp521r1 (25) */     
200         };
201         
202 int tls1_ec_curve_id2nid(int curve_id)
203         {
204         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
205         if ((curve_id < 1) || ((unsigned int)curve_id >
206                                 sizeof(nid_list)/sizeof(nid_list[0])))
207                 return 0;
208         return nid_list[curve_id-1];
209         }
210
211 int tls1_ec_nid2curve_id(int nid)
212         {
213         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
214         switch (nid)
215                 {
216         case NID_sect163k1: /* sect163k1 (1) */
217                 return 1;
218         case NID_sect163r1: /* sect163r1 (2) */
219                 return 2;
220         case NID_sect163r2: /* sect163r2 (3) */
221                 return 3;
222         case NID_sect193r1: /* sect193r1 (4) */ 
223                 return 4;
224         case NID_sect193r2: /* sect193r2 (5) */ 
225                 return 5;
226         case NID_sect233k1: /* sect233k1 (6) */
227                 return 6;
228         case NID_sect233r1: /* sect233r1 (7) */ 
229                 return 7;
230         case NID_sect239k1: /* sect239k1 (8) */ 
231                 return 8;
232         case NID_sect283k1: /* sect283k1 (9) */
233                 return 9;
234         case NID_sect283r1: /* sect283r1 (10) */ 
235                 return 10;
236         case NID_sect409k1: /* sect409k1 (11) */ 
237                 return 11;
238         case NID_sect409r1: /* sect409r1 (12) */
239                 return 12;
240         case NID_sect571k1: /* sect571k1 (13) */ 
241                 return 13;
242         case NID_sect571r1: /* sect571r1 (14) */ 
243                 return 14;
244         case NID_secp160k1: /* secp160k1 (15) */
245                 return 15;
246         case NID_secp160r1: /* secp160r1 (16) */ 
247                 return 16;
248         case NID_secp160r2: /* secp160r2 (17) */ 
249                 return 17;
250         case NID_secp192k1: /* secp192k1 (18) */
251                 return 18;
252         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
253                 return 19;
254         case NID_secp224k1: /* secp224k1 (20) */ 
255                 return 20;
256         case NID_secp224r1: /* secp224r1 (21) */
257                 return 21;
258         case NID_secp256k1: /* secp256k1 (22) */ 
259                 return 22;
260         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
261                 return 23;
262         case NID_secp384r1: /* secp384r1 (24) */
263                 return 24;
264         case NID_secp521r1:  /* secp521r1 (25) */       
265                 return 25;
266         default:
267                 return 0;
268                 }
269         }
270 #endif /* OPENSSL_NO_EC */
271
272 #ifndef OPENSSL_NO_TLSEXT
273 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274         {
275         int extdatalen=0;
276         unsigned char *ret = p;
277
278         /* don't add extensions for SSLv3 unless doing secure renegotiation */
279         if (s->client_version == SSL3_VERSION
280                                         && !s->s3->send_connection_binding)
281                 return p;
282
283         ret+=2;
284
285         if (ret>=limit) return NULL; /* this really never occurs, but ... */
286
287         if (s->tlsext_hostname != NULL)
288                 { 
289                 /* Add TLS extension servername to the Client Hello message */
290                 unsigned long size_str;
291                 long lenmax; 
292
293                 /* check for enough space.
294                    4 for the servername type and entension length
295                    2 for servernamelist length
296                    1 for the hostname type
297                    2 for hostname length
298                    + hostname length 
299                 */
300                    
301                 if ((lenmax = limit - ret - 9) < 0 
302                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
303                         return NULL;
304                         
305                 /* extension type and length */
306                 s2n(TLSEXT_TYPE_server_name,ret); 
307                 s2n(size_str+5,ret);
308                 
309                 /* length of servername list */
310                 s2n(size_str+3,ret);
311         
312                 /* hostname type, length and hostname */
313                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
314                 s2n(size_str,ret);
315                 memcpy(ret, s->tlsext_hostname, size_str);
316                 ret+=size_str;
317                 }
318
319         /* Add RI if renegotiating */
320         if (s->renegotiate)
321           {
322           int el;
323           
324           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
325               {
326               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
327               return NULL;
328               }
329
330           if((limit - p - 4 - el) < 0) return NULL;
331           
332           s2n(TLSEXT_TYPE_renegotiate,ret);
333           s2n(el,ret);
334
335           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
336               {
337               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338               return NULL;
339               }
340
341           ret += el;
342         }
343
344 #ifndef OPENSSL_NO_SRP
345 #define MIN(x,y) (((x)<(y))?(x):(y))
346         /* we add SRP username the first time only if we have one! */
347         if (s->srp_ctx.login != NULL)
348                 {/* Add TLS extension SRP username to the Client Hello message */
349                 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
350                 long lenmax; 
351
352                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
353                 if (login_len > lenmax) return NULL;
354                 if (login_len > 255)
355                         {
356                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
357                         return NULL;
358                         }
359                 s2n(TLSEXT_TYPE_srp,ret);
360                 s2n(login_len+1,ret);
361
362                 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
363                 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
364                 ret+=login_len;
365                 }
366 #endif
367
368 #ifndef OPENSSL_NO_EC
369         if (s->tlsext_ecpointformatlist != NULL &&
370             s->version != DTLS1_VERSION)
371                 {
372                 /* Add TLS extension ECPointFormats to the ClientHello message */
373                 long lenmax; 
374
375                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
376                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
377                 if (s->tlsext_ecpointformatlist_length > 255)
378                         {
379                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
380                         return NULL;
381                         }
382                 
383                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
384                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
385                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
386                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
387                 ret+=s->tlsext_ecpointformatlist_length;
388                 }
389         if (s->tlsext_ellipticcurvelist != NULL &&
390             s->version != DTLS1_VERSION)
391                 {
392                 /* Add TLS extension EllipticCurves to the ClientHello message */
393                 long lenmax; 
394
395                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
396                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
397                 if (s->tlsext_ellipticcurvelist_length > 65532)
398                         {
399                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
400                         return NULL;
401                         }
402                 
403                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
404                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
405
406                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
407                  * elliptic_curve_list, but the examples use two bytes.
408                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
409                  * resolves this to two bytes.
410                  */
411                 s2n(s->tlsext_ellipticcurvelist_length, ret);
412                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
413                 ret+=s->tlsext_ellipticcurvelist_length;
414                 }
415 #endif /* OPENSSL_NO_EC */
416
417         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
418                 {
419                 int ticklen;
420                 if (!s->new_session && s->session && s->session->tlsext_tick)
421                         ticklen = s->session->tlsext_ticklen;
422                 else if (s->session && s->tlsext_session_ticket &&
423                          s->tlsext_session_ticket->data)
424                         {
425                         ticklen = s->tlsext_session_ticket->length;
426                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
427                         if (!s->session->tlsext_tick)
428                                 return NULL;
429                         memcpy(s->session->tlsext_tick,
430                                s->tlsext_session_ticket->data,
431                                ticklen);
432                         s->session->tlsext_ticklen = ticklen;
433                         }
434                 else
435                         ticklen = 0;
436                 if (ticklen == 0 && s->tlsext_session_ticket &&
437                     s->tlsext_session_ticket->data == NULL)
438                         goto skip_ext;
439                 /* Check for enough room 2 for extension type, 2 for len
440                  * rest for ticket
441                  */
442                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
443                 s2n(TLSEXT_TYPE_session_ticket,ret); 
444                 s2n(ticklen,ret);
445                 if (ticklen)
446                         {
447                         memcpy(ret, s->session->tlsext_tick, ticklen);
448                         ret += ticklen;
449                         }
450                 }
451                 skip_ext:
452
453 #ifdef TLSEXT_TYPE_opaque_prf_input
454         if (s->s3->client_opaque_prf_input != NULL &&
455             s->version != DTLS1_VERSION)
456                 {
457                 size_t col = s->s3->client_opaque_prf_input_len;
458                 
459                 if ((long)(limit - ret - 6 - col < 0))
460                         return NULL;
461                 if (col > 0xFFFD) /* can't happen */
462                         return NULL;
463
464                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
465                 s2n(col + 2, ret);
466                 s2n(col, ret);
467                 memcpy(ret, s->s3->client_opaque_prf_input, col);
468                 ret += col;
469                 }
470 #endif
471
472         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
473             s->version != DTLS1_VERSION)
474                 {
475                 int i;
476                 long extlen, idlen, itmp;
477                 OCSP_RESPID *id;
478
479                 idlen = 0;
480                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
481                         {
482                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
483                         itmp = i2d_OCSP_RESPID(id, NULL);
484                         if (itmp <= 0)
485                                 return NULL;
486                         idlen += itmp + 2;
487                         }
488
489                 if (s->tlsext_ocsp_exts)
490                         {
491                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
492                         if (extlen < 0)
493                                 return NULL;
494                         }
495                 else
496                         extlen = 0;
497                         
498                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
499                 s2n(TLSEXT_TYPE_status_request, ret);
500                 if (extlen + idlen > 0xFFF0)
501                         return NULL;
502                 s2n(extlen + idlen + 5, ret);
503                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
504                 s2n(idlen, ret);
505                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
506                         {
507                         /* save position of id len */
508                         unsigned char *q = ret;
509                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
510                         /* skip over id len */
511                         ret += 2;
512                         itmp = i2d_OCSP_RESPID(id, &ret);
513                         /* write id len */
514                         s2n(itmp, q);
515                         }
516                 s2n(extlen, ret);
517                 if (extlen > 0)
518                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
519                 }
520
521 #ifndef OPENSSL_NO_NEXTPROTONEG
522         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
523                 {
524                 /* The client advertises an emtpy extension to indicate its
525                  * support for Next Protocol Negotiation */
526                 if (limit - ret - 4 < 0)
527                         return NULL;
528                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
529                 s2n(0,ret);
530                 }
531 #endif
532
533         if ((extdatalen = ret-p-2)== 0) 
534                 return p;
535
536         s2n(extdatalen,p);
537         return ret;
538         }
539
540 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
541         {
542         int extdatalen=0;
543         unsigned char *ret = p;
544 #ifndef OPENSSL_NO_NEXTPROTONEG
545         int next_proto_neg_seen;
546 #endif
547
548         /* don't add extensions for SSLv3, unless doing secure renegotiation */
549         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
550                 return p;
551         
552         ret+=2;
553         if (ret>=limit) return NULL; /* this really never occurs, but ... */
554
555         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
556                 { 
557                 if ((long)(limit - ret - 4) < 0) return NULL; 
558
559                 s2n(TLSEXT_TYPE_server_name,ret);
560                 s2n(0,ret);
561                 }
562
563         if(s->s3->send_connection_binding)
564         {
565           int el;
566           
567           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
568               {
569               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
570               return NULL;
571               }
572
573           if((limit - p - 4 - el) < 0) return NULL;
574           
575           s2n(TLSEXT_TYPE_renegotiate,ret);
576           s2n(el,ret);
577
578           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
579               {
580               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
581               return NULL;
582               }
583
584           ret += el;
585         }
586
587 #ifndef OPENSSL_NO_EC
588         if (s->tlsext_ecpointformatlist != NULL &&
589             s->version != DTLS1_VERSION)
590                 {
591                 /* Add TLS extension ECPointFormats to the ServerHello message */
592                 long lenmax; 
593
594                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
595                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
596                 if (s->tlsext_ecpointformatlist_length > 255)
597                         {
598                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
599                         return NULL;
600                         }
601                 
602                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
603                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
604                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
605                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
606                 ret+=s->tlsext_ecpointformatlist_length;
607
608                 }
609         /* Currently the server should not respond with a SupportedCurves extension */
610 #endif /* OPENSSL_NO_EC */
611
612         if (s->tlsext_ticket_expected
613                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
614                 { 
615                 if ((long)(limit - ret - 4) < 0) return NULL; 
616                 s2n(TLSEXT_TYPE_session_ticket,ret);
617                 s2n(0,ret);
618                 }
619
620         if (s->tlsext_status_expected)
621                 { 
622                 if ((long)(limit - ret - 4) < 0) return NULL; 
623                 s2n(TLSEXT_TYPE_status_request,ret);
624                 s2n(0,ret);
625                 }
626
627 #ifdef TLSEXT_TYPE_opaque_prf_input
628         if (s->s3->server_opaque_prf_input != NULL &&
629             s->version != DTLS1_VERSION)
630                 {
631                 size_t sol = s->s3->server_opaque_prf_input_len;
632                 
633                 if ((long)(limit - ret - 6 - sol) < 0)
634                         return NULL;
635                 if (sol > 0xFFFD) /* can't happen */
636                         return NULL;
637
638                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
639                 s2n(sol + 2, ret);
640                 s2n(sol, ret);
641                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
642                 ret += sol;
643                 }
644 #endif
645         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
646                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
647                 { const unsigned char cryptopro_ext[36] = {
648                         0xfd, 0xe8, /*65000*/
649                         0x00, 0x20, /*32 bytes length*/
650                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
651                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
652                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
653                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
654                         if (limit-ret<36) return NULL;
655                         memcpy(ret,cryptopro_ext,36);
656                         ret+=36;
657
658                 }
659
660 #ifndef OPENSSL_NO_NEXTPROTONEG
661         next_proto_neg_seen = s->s3->next_proto_neg_seen;
662         s->s3->next_proto_neg_seen = 0;
663         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
664                 {
665                 const unsigned char *npa;
666                 unsigned int npalen;
667                 int r;
668
669                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
670                 if (r == SSL_TLSEXT_ERR_OK)
671                         {
672                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
673                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
674                         s2n(npalen,ret);
675                         memcpy(ret, npa, npalen);
676                         ret += npalen;
677                         s->s3->next_proto_neg_seen = 1;
678                         }
679                 }
680 #endif
681
682         if ((extdatalen = ret-p-2)== 0) 
683                 return p;
684
685         s2n(extdatalen,p);
686         return ret;
687         }
688
689 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
690         {
691         unsigned short type;
692         unsigned short size;
693         unsigned short len;
694         unsigned char *data = *p;
695         int renegotiate_seen = 0;
696
697         s->servername_done = 0;
698         s->tlsext_status_type = -1;
699
700         if (data >= (d+n-2))
701                 goto ri_check;
702         n2s(data,len);
703
704         if (data > (d+n-len)) 
705                 goto ri_check;
706
707         while (data <= (d+n-4))
708                 {
709                 n2s(data,type);
710                 n2s(data,size);
711
712                 if (data+size > (d+n))
713                         goto ri_check;
714 #if 0
715                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
716 #endif
717                 if (s->tlsext_debug_cb)
718                         s->tlsext_debug_cb(s, 0, type, data, size,
719                                                 s->tlsext_debug_arg);
720 /* The servername extension is treated as follows:
721
722    - Only the hostname type is supported with a maximum length of 255.
723    - The servername is rejected if too long or if it contains zeros,
724      in which case an fatal alert is generated.
725    - The servername field is maintained together with the session cache.
726    - When a session is resumed, the servername call back invoked in order
727      to allow the application to position itself to the right context. 
728    - The servername is acknowledged if it is new for a session or when 
729      it is identical to a previously used for the same session. 
730      Applications can control the behaviour.  They can at any time
731      set a 'desirable' servername for a new SSL object. This can be the
732      case for example with HTTPS when a Host: header field is received and
733      a renegotiation is requested. In this case, a possible servername
734      presented in the new client hello is only acknowledged if it matches
735      the value of the Host: field. 
736    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
737      if they provide for changing an explicit servername context for the session,
738      i.e. when the session has been established with a servername extension. 
739    - On session reconnect, the servername extension may be absent. 
740
741 */      
742
743                 if (type == TLSEXT_TYPE_server_name)
744                         {
745                         unsigned char *sdata;
746                         int servname_type;
747                         int dsize; 
748                 
749                         if (size < 2) 
750                                 {
751                                 *al = SSL_AD_DECODE_ERROR;
752                                 return 0;
753                                 }
754                         n2s(data,dsize);  
755                         size -= 2;
756                         if (dsize > size  ) 
757                                 {
758                                 *al = SSL_AD_DECODE_ERROR;
759                                 return 0;
760                                 } 
761
762                         sdata = data;
763                         while (dsize > 3) 
764                                 {
765                                 servname_type = *(sdata++); 
766                                 n2s(sdata,len);
767                                 dsize -= 3;
768
769                                 if (len > dsize) 
770                                         {
771                                         *al = SSL_AD_DECODE_ERROR;
772                                         return 0;
773                                         }
774                                 if (s->servername_done == 0)
775                                 switch (servname_type)
776                                         {
777                                 case TLSEXT_NAMETYPE_host_name:
778                                         if (!s->hit)
779                                                 {
780                                                 if(s->session->tlsext_hostname)
781                                                         {
782                                                         *al = SSL_AD_DECODE_ERROR;
783                                                         return 0;
784                                                         }
785                                                 if (len > TLSEXT_MAXLEN_host_name)
786                                                         {
787                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
788                                                         return 0;
789                                                         }
790                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
791                                                         {
792                                                         *al = TLS1_AD_INTERNAL_ERROR;
793                                                         return 0;
794                                                         }
795                                                 memcpy(s->session->tlsext_hostname, sdata, len);
796                                                 s->session->tlsext_hostname[len]='\0';
797                                                 if (strlen(s->session->tlsext_hostname) != len) {
798                                                         OPENSSL_free(s->session->tlsext_hostname);
799                                                         s->session->tlsext_hostname = NULL;
800                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
801                                                         return 0;
802                                                 }
803                                                 s->servername_done = 1; 
804
805                                                 }
806                                         else 
807                                                 s->servername_done = s->session->tlsext_hostname
808                                                         && strlen(s->session->tlsext_hostname) == len 
809                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
810                                         
811                                         break;
812
813                                 default:
814                                         break;
815                                         }
816                                  
817                                 dsize -= len;
818                                 }
819                         if (dsize != 0) 
820                                 {
821                                 *al = SSL_AD_DECODE_ERROR;
822                                 return 0;
823                                 }
824
825                         }
826 #ifndef OPENSSL_NO_SRP
827                 else if (type == TLSEXT_TYPE_srp)
828                         {
829                         if (size > 0)
830                                 {
831                                 len = data[0];
832                                 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
833                                         return -1;
834                                 memcpy(s->srp_ctx.login, &data[1], len);
835                                 s->srp_ctx.login[len]='\0';  
836                                 }
837                         }
838 #endif
839
840 #ifndef OPENSSL_NO_EC
841                 else if (type == TLSEXT_TYPE_ec_point_formats &&
842                      s->version != DTLS1_VERSION)
843                         {
844                         unsigned char *sdata = data;
845                         int ecpointformatlist_length = *(sdata++);
846
847                         if (ecpointformatlist_length != size - 1)
848                                 {
849                                 *al = TLS1_AD_DECODE_ERROR;
850                                 return 0;
851                                 }
852                         if (!s->hit)
853                                 {
854                                 if(s->session->tlsext_ecpointformatlist)
855                                         {
856                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
857                                         s->session->tlsext_ecpointformatlist = NULL;
858                                         }
859                                 s->session->tlsext_ecpointformatlist_length = 0;
860                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
861                                         {
862                                         *al = TLS1_AD_INTERNAL_ERROR;
863                                         return 0;
864                                         }
865                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
866                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
867                                 }
868 #if 0
869                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
870                         sdata = s->session->tlsext_ecpointformatlist;
871                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
872                                 fprintf(stderr,"%i ",*(sdata++));
873                         fprintf(stderr,"\n");
874 #endif
875                         }
876                 else if (type == TLSEXT_TYPE_elliptic_curves &&
877                      s->version != DTLS1_VERSION)
878                         {
879                         unsigned char *sdata = data;
880                         int ellipticcurvelist_length = (*(sdata++) << 8);
881                         ellipticcurvelist_length += (*(sdata++));
882
883                         if (ellipticcurvelist_length != size - 2)
884                                 {
885                                 *al = TLS1_AD_DECODE_ERROR;
886                                 return 0;
887                                 }
888                         if (!s->hit)
889                                 {
890                                 if(s->session->tlsext_ellipticcurvelist)
891                                         {
892                                         *al = TLS1_AD_DECODE_ERROR;
893                                         return 0;
894                                         }
895                                 s->session->tlsext_ellipticcurvelist_length = 0;
896                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
897                                         {
898                                         *al = TLS1_AD_INTERNAL_ERROR;
899                                         return 0;
900                                         }
901                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
902                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
903                                 }
904 #if 0
905                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
906                         sdata = s->session->tlsext_ellipticcurvelist;
907                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
908                                 fprintf(stderr,"%i ",*(sdata++));
909                         fprintf(stderr,"\n");
910 #endif
911                         }
912 #endif /* OPENSSL_NO_EC */
913 #ifdef TLSEXT_TYPE_opaque_prf_input
914                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
915                      s->version != DTLS1_VERSION)
916                         {
917                         unsigned char *sdata = data;
918
919                         if (size < 2)
920                                 {
921                                 *al = SSL_AD_DECODE_ERROR;
922                                 return 0;
923                                 }
924                         n2s(sdata, s->s3->client_opaque_prf_input_len);
925                         if (s->s3->client_opaque_prf_input_len != size - 2)
926                                 {
927                                 *al = SSL_AD_DECODE_ERROR;
928                                 return 0;
929                                 }
930
931                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
932                                 OPENSSL_free(s->s3->client_opaque_prf_input);
933                         if (s->s3->client_opaque_prf_input_len == 0)
934                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
935                         else
936                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
937                         if (s->s3->client_opaque_prf_input == NULL)
938                                 {
939                                 *al = TLS1_AD_INTERNAL_ERROR;
940                                 return 0;
941                                 }
942                         }
943 #endif
944                 else if (type == TLSEXT_TYPE_session_ticket)
945                         {
946                         if (s->tls_session_ticket_ext_cb &&
947                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
948                                 {
949                                 *al = TLS1_AD_INTERNAL_ERROR;
950                                 return 0;
951                                 }
952                         }
953                 else if (type == TLSEXT_TYPE_renegotiate)
954                         {
955                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
956                                 return 0;
957                         renegotiate_seen = 1;
958                         }
959                 else if (type == TLSEXT_TYPE_status_request &&
960                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
961                         {
962                 
963                         if (size < 5) 
964                                 {
965                                 *al = SSL_AD_DECODE_ERROR;
966                                 return 0;
967                                 }
968
969                         s->tlsext_status_type = *data++;
970                         size--;
971                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
972                                 {
973                                 const unsigned char *sdata;
974                                 int dsize;
975                                 /* Read in responder_id_list */
976                                 n2s(data,dsize);
977                                 size -= 2;
978                                 if (dsize > size  ) 
979                                         {
980                                         *al = SSL_AD_DECODE_ERROR;
981                                         return 0;
982                                         }
983                                 while (dsize > 0)
984                                         {
985                                         OCSP_RESPID *id;
986                                         int idsize;
987                                         if (dsize < 4)
988                                                 {
989                                                 *al = SSL_AD_DECODE_ERROR;
990                                                 return 0;
991                                                 }
992                                         n2s(data, idsize);
993                                         dsize -= 2 + idsize;
994                                         size -= 2 + idsize;
995                                         if (dsize < 0)
996                                                 {
997                                                 *al = SSL_AD_DECODE_ERROR;
998                                                 return 0;
999                                                 }
1000                                         sdata = data;
1001                                         data += idsize;
1002                                         id = d2i_OCSP_RESPID(NULL,
1003                                                                 &sdata, idsize);
1004                                         if (!id)
1005                                                 {
1006                                                 *al = SSL_AD_DECODE_ERROR;
1007                                                 return 0;
1008                                                 }
1009                                         if (data != sdata)
1010                                                 {
1011                                                 OCSP_RESPID_free(id);
1012                                                 *al = SSL_AD_DECODE_ERROR;
1013                                                 return 0;
1014                                                 }
1015                                         if (!s->tlsext_ocsp_ids
1016                                                 && !(s->tlsext_ocsp_ids =
1017                                                 sk_OCSP_RESPID_new_null()))
1018                                                 {
1019                                                 OCSP_RESPID_free(id);
1020                                                 *al = SSL_AD_INTERNAL_ERROR;
1021                                                 return 0;
1022                                                 }
1023                                         if (!sk_OCSP_RESPID_push(
1024                                                         s->tlsext_ocsp_ids, id))
1025                                                 {
1026                                                 OCSP_RESPID_free(id);
1027                                                 *al = SSL_AD_INTERNAL_ERROR;
1028                                                 return 0;
1029                                                 }
1030                                         }
1031
1032                                 /* Read in request_extensions */
1033                                 if (size < 2)
1034                                         {
1035                                         *al = SSL_AD_DECODE_ERROR;
1036                                         return 0;
1037                                         }
1038                                 n2s(data,dsize);
1039                                 size -= 2;
1040                                 if (dsize != size)
1041                                         {
1042                                         *al = SSL_AD_DECODE_ERROR;
1043                                         return 0;
1044                                         }
1045                                 sdata = data;
1046                                 if (dsize > 0)
1047                                         {
1048                                         s->tlsext_ocsp_exts =
1049                                                 d2i_X509_EXTENSIONS(NULL,
1050                                                         &sdata, dsize);
1051                                         if (!s->tlsext_ocsp_exts
1052                                                 || (data + dsize != sdata))
1053                                                 {
1054                                                 *al = SSL_AD_DECODE_ERROR;
1055                                                 return 0;
1056                                                 }
1057                                         }
1058                                 }
1059                                 /* We don't know what to do with any other type
1060                                 * so ignore it.
1061                                 */
1062                                 else
1063                                         s->tlsext_status_type = -1;
1064                         }
1065 #ifndef OPENSSL_NO_NEXTPROTONEG
1066                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1067                          s->s3->tmp.finish_md_len == 0)
1068                         {
1069                         /* We shouldn't accept this extension on a
1070                          * renegotiation.
1071                          *
1072                          * s->new_session will be set on renegotiation, but we
1073                          * probably shouldn't rely that it couldn't be set on
1074                          * the initial renegotation too in certain cases (when
1075                          * there's some other reason to disallow resuming an
1076                          * earlier session -- the current code won't be doing
1077                          * anything like that, but this might change).
1078
1079                          * A valid sign that there's been a previous handshake
1080                          * in this connection is if s->s3->tmp.finish_md_len >
1081                          * 0.  (We are talking about a check that will happen
1082                          * in the Hello protocol round, well before a new
1083                          * Finished message could have been computed.) */
1084                         s->s3->next_proto_neg_seen = 1;
1085                         }
1086 #endif
1087
1088                 /* session ticket processed earlier */
1089                 data+=size;
1090                 }
1091                                 
1092         *p = data;
1093
1094         ri_check:
1095
1096         /* Need RI if renegotiating */
1097
1098         if (!renegotiate_seen && s->renegotiate &&
1099                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1100                 {
1101                 *al = SSL_AD_HANDSHAKE_FAILURE;
1102                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1103                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1104                 return 0;
1105                 }
1106
1107         return 1;
1108         }
1109
1110 #ifndef OPENSSL_NO_NEXTPROTONEG
1111 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1112  * elements of zero length are allowed and the set of elements must exactly fill
1113  * the length of the block. */
1114 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1115         {
1116         unsigned int off = 0;
1117
1118         while (off < len)
1119                 {
1120                 if (d[off] == 0)
1121                         return 0;
1122                 off += d[off];
1123                 off++;
1124                 }
1125
1126         return off == len;
1127         }
1128 #endif
1129
1130 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1131         {
1132         unsigned short length;
1133         unsigned short type;
1134         unsigned short size;
1135         unsigned char *data = *p;
1136         int tlsext_servername = 0;
1137         int renegotiate_seen = 0;
1138
1139         if (data >= (d+n-2))
1140                 goto ri_check;
1141
1142         n2s(data,length);
1143         if (data+length != d+n)
1144                 {
1145                 *al = SSL_AD_DECODE_ERROR;
1146                 return 0;
1147                 }
1148
1149         while(data <= (d+n-4))
1150                 {
1151                 n2s(data,type);
1152                 n2s(data,size);
1153
1154                 if (data+size > (d+n))
1155                         goto ri_check;
1156
1157                 if (s->tlsext_debug_cb)
1158                         s->tlsext_debug_cb(s, 1, type, data, size,
1159                                                 s->tlsext_debug_arg);
1160
1161                 if (type == TLSEXT_TYPE_server_name)
1162                         {
1163                         if (s->tlsext_hostname == NULL || size > 0)
1164                                 {
1165                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1166                                 return 0;
1167                                 }
1168                         tlsext_servername = 1;   
1169                         }
1170
1171 #ifndef OPENSSL_NO_EC
1172                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1173                      s->version != DTLS1_VERSION)
1174                         {
1175                         unsigned char *sdata = data;
1176                         int ecpointformatlist_length = *(sdata++);
1177
1178                         if (ecpointformatlist_length != size - 1)
1179                                 {
1180                                 *al = TLS1_AD_DECODE_ERROR;
1181                                 return 0;
1182                                 }
1183                         s->session->tlsext_ecpointformatlist_length = 0;
1184                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1185                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1186                                 {
1187                                 *al = TLS1_AD_INTERNAL_ERROR;
1188                                 return 0;
1189                                 }
1190                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1191                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1192 #if 0
1193                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1194                         sdata = s->session->tlsext_ecpointformatlist;
1195                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1196                                 fprintf(stderr,"%i ",*(sdata++));
1197                         fprintf(stderr,"\n");
1198 #endif
1199                         }
1200 #endif /* OPENSSL_NO_EC */
1201
1202                 else if (type == TLSEXT_TYPE_session_ticket)
1203                         {
1204                         if (s->tls_session_ticket_ext_cb &&
1205                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1206                                 {
1207                                 *al = TLS1_AD_INTERNAL_ERROR;
1208                                 return 0;
1209                                 }
1210                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1211                                 || (size > 0))
1212                                 {
1213                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1214                                 return 0;
1215                                 }
1216                         s->tlsext_ticket_expected = 1;
1217                         }
1218 #ifdef TLSEXT_TYPE_opaque_prf_input
1219                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1220                      s->version != DTLS1_VERSION)
1221                         {
1222                         unsigned char *sdata = data;
1223
1224                         if (size < 2)
1225                                 {
1226                                 *al = SSL_AD_DECODE_ERROR;
1227                                 return 0;
1228                                 }
1229                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1230                         if (s->s3->server_opaque_prf_input_len != size - 2)
1231                                 {
1232                                 *al = SSL_AD_DECODE_ERROR;
1233                                 return 0;
1234                                 }
1235                         
1236                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1237                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1238                         if (s->s3->server_opaque_prf_input_len == 0)
1239                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1240                         else
1241                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1242
1243                         if (s->s3->server_opaque_prf_input == NULL)
1244                                 {
1245                                 *al = TLS1_AD_INTERNAL_ERROR;
1246                                 return 0;
1247                                 }
1248                         }
1249 #endif
1250                 else if (type == TLSEXT_TYPE_status_request &&
1251                          s->version != DTLS1_VERSION)
1252                         {
1253                         /* MUST be empty and only sent if we've requested
1254                          * a status request message.
1255                          */ 
1256                         if ((s->tlsext_status_type == -1) || (size > 0))
1257                                 {
1258                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1259                                 return 0;
1260                                 }
1261                         /* Set flag to expect CertificateStatus message */
1262                         s->tlsext_status_expected = 1;
1263                         }
1264 #ifndef OPENSSL_NO_NEXTPROTONEG
1265                 else if (type == TLSEXT_TYPE_next_proto_neg)
1266                         {
1267                         unsigned char *selected;
1268                         unsigned char selected_len;
1269
1270                         /* We must have requested it. */
1271                         if ((s->ctx->next_proto_select_cb == NULL))
1272                                 {
1273                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1274                                 return 0;
1275                                 }
1276                         /* The data must be valid */
1277                         if (!ssl_next_proto_validate(data, size))
1278                                 {
1279                                 *al = TLS1_AD_DECODE_ERROR;
1280                                 return 0;
1281                                 }
1282                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1283                                 {
1284                                 *al = TLS1_AD_INTERNAL_ERROR;
1285                                 return 0;
1286                                 }
1287                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1288                         if (!s->next_proto_negotiated)
1289                                 {
1290                                 *al = TLS1_AD_INTERNAL_ERROR;
1291                                 return 0;
1292                                 }
1293                         memcpy(s->next_proto_negotiated, selected, selected_len);
1294                         s->next_proto_negotiated_len = selected_len;
1295                         }
1296 #endif
1297                 else if (type == TLSEXT_TYPE_renegotiate)
1298                         {
1299                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1300                                 return 0;
1301                         renegotiate_seen = 1;
1302                         }
1303                 data+=size;             
1304                 }
1305
1306         if (data != d+n)
1307                 {
1308                 *al = SSL_AD_DECODE_ERROR;
1309                 return 0;
1310                 }
1311
1312         if (!s->hit && tlsext_servername == 1)
1313                 {
1314                 if (s->tlsext_hostname)
1315                         {
1316                         if (s->session->tlsext_hostname == NULL)
1317                                 {
1318                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1319                                 if (!s->session->tlsext_hostname)
1320                                         {
1321                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1322                                         return 0;
1323                                         }
1324                                 }
1325                         else 
1326                                 {
1327                                 *al = SSL_AD_DECODE_ERROR;
1328                                 return 0;
1329                                 }
1330                         }
1331                 }
1332
1333         *p = data;
1334
1335         ri_check:
1336
1337         /* Determine if we need to see RI. Strictly speaking if we want to
1338          * avoid an attack we should *always* see RI even on initial server
1339          * hello because the client doesn't see any renegotiation during an
1340          * attack. However this would mean we could not connect to any server
1341          * which doesn't support RI so for the immediate future tolerate RI
1342          * absence on initial connect only.
1343          */
1344         if (!renegotiate_seen
1345                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1346                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1347                 {
1348                 *al = SSL_AD_HANDSHAKE_FAILURE;
1349                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1350                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1351                 return 0;
1352                 }
1353
1354         return 1;
1355         }
1356
1357
1358 int ssl_prepare_clienthello_tlsext(SSL *s)
1359         {
1360 #ifndef OPENSSL_NO_EC
1361         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1362          * and elliptic curves we support.
1363          */
1364         int using_ecc = 0;
1365         int i;
1366         unsigned char *j;
1367         unsigned long alg_k, alg_a;
1368         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1369
1370         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1371                 {
1372                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1373
1374                 alg_k = c->algorithm_mkey;
1375                 alg_a = c->algorithm_auth;
1376                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1377                         {
1378                         using_ecc = 1;
1379                         break;
1380                         }
1381                 }
1382         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1383         if (using_ecc)
1384                 {
1385                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1386                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1387                         {
1388                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1389                         return -1;
1390                         }
1391                 s->tlsext_ecpointformatlist_length = 3;
1392                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1393                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1394                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1395
1396                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1397                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1398                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1399                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1400                         {
1401                         s->tlsext_ellipticcurvelist_length = 0;
1402                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1403                         return -1;
1404                         }
1405                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1406                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1407                         s2n(i,j);
1408                 }
1409 #endif /* OPENSSL_NO_EC */
1410
1411 #ifdef TLSEXT_TYPE_opaque_prf_input
1412         {
1413                 int r = 1;
1414         
1415                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1416                         {
1417                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1418                         if (!r)
1419                                 return -1;
1420                         }
1421
1422                 if (s->tlsext_opaque_prf_input != NULL)
1423                         {
1424                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1425                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1426
1427                         if (s->tlsext_opaque_prf_input_len == 0)
1428                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1429                         else
1430                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1431                         if (s->s3->client_opaque_prf_input == NULL)
1432                                 {
1433                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1434                                 return -1;
1435                                 }
1436                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1437                         }
1438
1439                 if (r == 2)
1440                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1441                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1442         }
1443 #endif
1444
1445         return 1;
1446         }
1447
1448 int ssl_prepare_serverhello_tlsext(SSL *s)
1449         {
1450 #ifndef OPENSSL_NO_EC
1451         /* If we are server and using an ECC cipher suite, send the point formats we support 
1452          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1453          * supposed to send an EllipticCurves extension.
1454          */
1455
1456         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1457         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1458         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1459         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1460         
1461         if (using_ecc)
1462                 {
1463                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1464                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1465                         {
1466                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1467                         return -1;
1468                         }
1469                 s->tlsext_ecpointformatlist_length = 3;
1470                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1471                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1472                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1473                 }
1474 #endif /* OPENSSL_NO_EC */
1475
1476         return 1;
1477         }
1478
1479 int ssl_check_clienthello_tlsext(SSL *s)
1480         {
1481         int ret=SSL_TLSEXT_ERR_NOACK;
1482         int al = SSL_AD_UNRECOGNIZED_NAME;
1483
1484 #ifndef OPENSSL_NO_EC
1485         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1486          * ssl3_choose_cipher in s3_lib.c.
1487          */
1488         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1489          * ssl3_choose_cipher in s3_lib.c.
1490          */
1491 #endif
1492
1493         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1494                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1495         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1496                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1497
1498         /* If status request then ask callback what to do.
1499          * Note: this must be called after servername callbacks in case 
1500          * the certificate has changed.
1501          */
1502         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1503                 {
1504                 int r;
1505                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1506                 switch (r)
1507                         {
1508                         /* We don't want to send a status request response */
1509                         case SSL_TLSEXT_ERR_NOACK:
1510                                 s->tlsext_status_expected = 0;
1511                                 break;
1512                         /* status request response should be sent */
1513                         case SSL_TLSEXT_ERR_OK:
1514                                 if (s->tlsext_ocsp_resp)
1515                                         s->tlsext_status_expected = 1;
1516                                 else
1517                                         s->tlsext_status_expected = 0;
1518                                 break;
1519                         /* something bad happened */
1520                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1521                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1522                                 al = SSL_AD_INTERNAL_ERROR;
1523                                 goto err;
1524                         }
1525                 }
1526         else
1527                 s->tlsext_status_expected = 0;
1528
1529 #ifdef TLSEXT_TYPE_opaque_prf_input
1530         {
1531                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1532                  * but we might be sending an alert in response to the client hello,
1533                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1534
1535                 int r = 1;
1536         
1537                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1538                         {
1539                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1540                         if (!r)
1541                                 {
1542                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1543                                 al = SSL_AD_INTERNAL_ERROR;
1544                                 goto err;
1545                                 }
1546                         }
1547
1548                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1549                         OPENSSL_free(s->s3->server_opaque_prf_input);
1550                 s->s3->server_opaque_prf_input = NULL;
1551
1552                 if (s->tlsext_opaque_prf_input != NULL)
1553                         {
1554                         if (s->s3->client_opaque_prf_input != NULL &&
1555                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1556                                 {
1557                                 /* can only use this extension if we have a server opaque PRF input
1558                                  * of the same length as the client opaque PRF input! */
1559
1560                                 if (s->tlsext_opaque_prf_input_len == 0)
1561                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1562                                 else
1563                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1564                                 if (s->s3->server_opaque_prf_input == NULL)
1565                                         {
1566                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1567                                         al = SSL_AD_INTERNAL_ERROR;
1568                                         goto err;
1569                                         }
1570                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1571                                 }
1572                         }
1573
1574                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1575                         {
1576                         /* The callback wants to enforce use of the extension,
1577                          * but we can't do that with the client opaque PRF input;
1578                          * abort the handshake.
1579                          */
1580                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1581                         al = SSL_AD_HANDSHAKE_FAILURE;
1582                         }
1583         }
1584
1585 #endif
1586  err:
1587         switch (ret)
1588                 {
1589                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1590                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1591                         return -1;
1592
1593                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1594                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1595                         return 1; 
1596                                         
1597                 case SSL_TLSEXT_ERR_NOACK:
1598                         s->servername_done=0;
1599                         default:
1600                 return 1;
1601                 }
1602         }
1603
1604 int ssl_check_serverhello_tlsext(SSL *s)
1605         {
1606         int ret=SSL_TLSEXT_ERR_NOACK;
1607         int al = SSL_AD_UNRECOGNIZED_NAME;
1608
1609 #ifndef OPENSSL_NO_EC
1610         /* If we are client and using an elliptic curve cryptography cipher
1611          * suite, then if server returns an EC point formats lists extension
1612          * it must contain uncompressed.
1613          */
1614         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1615         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1616         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1617             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1618             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1619                 {
1620                 /* we are using an ECC cipher */
1621                 size_t i;
1622                 unsigned char *list;
1623                 int found_uncompressed = 0;
1624                 list = s->session->tlsext_ecpointformatlist;
1625                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1626                         {
1627                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1628                                 {
1629                                 found_uncompressed = 1;
1630                                 break;
1631                                 }
1632                         }
1633                 if (!found_uncompressed)
1634                         {
1635                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1636                         return -1;
1637                         }
1638                 }
1639         ret = SSL_TLSEXT_ERR_OK;
1640 #endif /* OPENSSL_NO_EC */
1641
1642         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1643                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1644         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1645                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1646
1647 #ifdef TLSEXT_TYPE_opaque_prf_input
1648         if (s->s3->server_opaque_prf_input_len > 0)
1649                 {
1650                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1651                  * So first verify that we really have a value from the server too. */
1652
1653                 if (s->s3->server_opaque_prf_input == NULL)
1654                         {
1655                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1656                         al = SSL_AD_HANDSHAKE_FAILURE;
1657                         }
1658                 
1659                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1660                  * that we have a client opaque PRF input of the same size. */
1661                 if (s->s3->client_opaque_prf_input == NULL ||
1662                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1663                         {
1664                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1665                         al = SSL_AD_ILLEGAL_PARAMETER;
1666                         }
1667                 }
1668 #endif
1669
1670         /* If we've requested certificate status and we wont get one
1671          * tell the callback
1672          */
1673         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1674                         && s->ctx && s->ctx->tlsext_status_cb)
1675                 {
1676                 int r;
1677                 /* Set resp to NULL, resplen to -1 so callback knows
1678                  * there is no response.
1679                  */
1680                 if (s->tlsext_ocsp_resp)
1681                         {
1682                         OPENSSL_free(s->tlsext_ocsp_resp);
1683                         s->tlsext_ocsp_resp = NULL;
1684                         }
1685                 s->tlsext_ocsp_resplen = -1;
1686                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1687                 if (r == 0)
1688                         {
1689                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1690                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1691                         }
1692                 if (r < 0)
1693                         {
1694                         al = SSL_AD_INTERNAL_ERROR;
1695                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1696                         }
1697                 }
1698
1699         switch (ret)
1700                 {
1701                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1702                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1703                         return -1;
1704
1705                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1706                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1707                         return 1; 
1708                                         
1709                 case SSL_TLSEXT_ERR_NOACK:
1710                         s->servername_done=0;
1711                         default:
1712                 return 1;
1713                 }
1714         }
1715
1716 /* Since the server cache lookup is done early on in the processing of client
1717  * hello and other operations depend on the result we need to handle any TLS
1718  * session ticket extension at the same time.
1719  */
1720
1721 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1722                                 const unsigned char *limit, SSL_SESSION **ret)
1723         {
1724         /* Point after session ID in client hello */
1725         const unsigned char *p = session_id + len;
1726         unsigned short i;
1727
1728         /* If tickets disabled behave as if no ticket present
1729          * to permit stateful resumption.
1730          */
1731         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1732                 return 1;
1733
1734         if ((s->version <= SSL3_VERSION) || !limit)
1735                 return 1;
1736         if (p >= limit)
1737                 return -1;
1738         /* Skip past DTLS cookie */
1739         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1740                 {
1741                 i = *(p++);
1742                 p+= i;
1743                 if (p >= limit)
1744                         return -1;
1745                 }
1746         /* Skip past cipher list */
1747         n2s(p, i);
1748         p+= i;
1749         if (p >= limit)
1750                 return -1;
1751         /* Skip past compression algorithm list */
1752         i = *(p++);
1753         p += i;
1754         if (p > limit)
1755                 return -1;
1756         /* Now at start of extensions */
1757         if ((p + 2) >= limit)
1758                 return 1;
1759         n2s(p, i);
1760         while ((p + 4) <= limit)
1761                 {
1762                 unsigned short type, size;
1763                 n2s(p, type);
1764                 n2s(p, size);
1765                 if (p + size > limit)
1766                         return 1;
1767                 if (type == TLSEXT_TYPE_session_ticket)
1768                         {
1769                         /* If tickets disabled indicate cache miss which will
1770                          * trigger a full handshake
1771                          */
1772                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1773                                 return 1;
1774                         /* If zero length note client will accept a ticket
1775                          * and indicate cache miss to trigger full handshake
1776                          */
1777                         if (size == 0)
1778                                 {
1779                                 s->tlsext_ticket_expected = 1;
1780                                 return 0;       /* Cache miss */
1781                                 }
1782                         if (s->tls_session_secret_cb)
1783                                 {
1784                                 /* Indicate cache miss here and instead of
1785                                  * generating the session from ticket now,
1786                                  * trigger abbreviated handshake based on
1787                                  * external mechanism to calculate the master
1788                                  * secret later. */
1789                                 return 0;
1790                                 }
1791                         return tls_decrypt_ticket(s, p, size, session_id, len,
1792                                                                         ret);
1793                         }
1794                 p += size;
1795                 }
1796         return 1;
1797         }
1798
1799 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1800                                 const unsigned char *sess_id, int sesslen,
1801                                 SSL_SESSION **psess)
1802         {
1803         SSL_SESSION *sess;
1804         unsigned char *sdec;
1805         const unsigned char *p;
1806         int slen, mlen, renew_ticket = 0;
1807         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1808         HMAC_CTX hctx;
1809         EVP_CIPHER_CTX ctx;
1810         SSL_CTX *tctx = s->initial_ctx;
1811         /* Need at least keyname + iv + some encrypted data */
1812         if (eticklen < 48)
1813                 goto tickerr;
1814         /* Initialize session ticket encryption and HMAC contexts */
1815         HMAC_CTX_init(&hctx);
1816         EVP_CIPHER_CTX_init(&ctx);
1817         if (tctx->tlsext_ticket_key_cb)
1818                 {
1819                 unsigned char *nctick = (unsigned char *)etick;
1820                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1821                                                         &ctx, &hctx, 0);
1822                 if (rv < 0)
1823                         return -1;
1824                 if (rv == 0)
1825                         goto tickerr;
1826                 if (rv == 2)
1827                         renew_ticket = 1;
1828                 }
1829         else
1830                 {
1831                 /* Check key name matches */
1832                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1833                         goto tickerr;
1834                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1835                                         tlsext_tick_md(), NULL);
1836                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1837                                 tctx->tlsext_tick_aes_key, etick + 16);
1838                 }
1839         /* Attempt to process session ticket, first conduct sanity and
1840          * integrity checks on ticket.
1841          */
1842         mlen = HMAC_size(&hctx);
1843         if (mlen < 0)
1844                 {
1845                 EVP_CIPHER_CTX_cleanup(&ctx);
1846                 return -1;
1847                 }
1848         eticklen -= mlen;
1849         /* Check HMAC of encrypted ticket */
1850         HMAC_Update(&hctx, etick, eticklen);
1851         HMAC_Final(&hctx, tick_hmac, NULL);
1852         HMAC_CTX_cleanup(&hctx);
1853         if (memcmp(tick_hmac, etick + eticklen, mlen))
1854                 goto tickerr;
1855         /* Attempt to decrypt session data */
1856         /* Move p after IV to start of encrypted ticket, update length */
1857         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1858         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1859         sdec = OPENSSL_malloc(eticklen);
1860         if (!sdec)
1861                 {
1862                 EVP_CIPHER_CTX_cleanup(&ctx);
1863                 return -1;
1864                 }
1865         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1866         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1867                 goto tickerr;
1868         slen += mlen;
1869         EVP_CIPHER_CTX_cleanup(&ctx);
1870         p = sdec;
1871                 
1872         sess = d2i_SSL_SESSION(NULL, &p, slen);
1873         OPENSSL_free(sdec);
1874         if (sess)
1875                 {
1876                 /* The session ID if non-empty is used by some clients to
1877                  * detect that the ticket has been accepted. So we copy it to
1878                  * the session structure. If it is empty set length to zero
1879                  * as required by standard.
1880                  */
1881                 if (sesslen)
1882                         memcpy(sess->session_id, sess_id, sesslen);
1883                 sess->session_id_length = sesslen;
1884                 *psess = sess;
1885                 s->tlsext_ticket_expected = renew_ticket;
1886                 return 1;
1887                 }
1888         /* If session decrypt failure indicate a cache miss and set state to
1889          * send a new ticket
1890          */
1891         tickerr:        
1892         s->tlsext_ticket_expected = 1;
1893         return 0;
1894         }
1895
1896 #endif