bde52b126b3d79426048d750e0db9d21227a40af
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157         ssl3_free(s);
158         }
159
160 void tls1_clear(SSL *s)
161         {
162         ssl3_clear(s);
163         s->version=TLS1_VERSION;
164         }
165
166 #ifndef OPENSSL_NO_EC
167 static int nid_list[] =
168         {
169                 NID_sect163k1, /* sect163k1 (1) */
170                 NID_sect163r1, /* sect163r1 (2) */
171                 NID_sect163r2, /* sect163r2 (3) */
172                 NID_sect193r1, /* sect193r1 (4) */ 
173                 NID_sect193r2, /* sect193r2 (5) */ 
174                 NID_sect233k1, /* sect233k1 (6) */
175                 NID_sect233r1, /* sect233r1 (7) */ 
176                 NID_sect239k1, /* sect239k1 (8) */ 
177                 NID_sect283k1, /* sect283k1 (9) */
178                 NID_sect283r1, /* sect283r1 (10) */ 
179                 NID_sect409k1, /* sect409k1 (11) */ 
180                 NID_sect409r1, /* sect409r1 (12) */
181                 NID_sect571k1, /* sect571k1 (13) */ 
182                 NID_sect571r1, /* sect571r1 (14) */ 
183                 NID_secp160k1, /* secp160k1 (15) */
184                 NID_secp160r1, /* secp160r1 (16) */ 
185                 NID_secp160r2, /* secp160r2 (17) */ 
186                 NID_secp192k1, /* secp192k1 (18) */
187                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
188                 NID_secp224k1, /* secp224k1 (20) */ 
189                 NID_secp224r1, /* secp224r1 (21) */
190                 NID_secp256k1, /* secp256k1 (22) */ 
191                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
192                 NID_secp384r1, /* secp384r1 (24) */
193                 NID_secp521r1  /* secp521r1 (25) */     
194         };
195         
196 int tls1_ec_curve_id2nid(int curve_id)
197         {
198         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
199         if ((curve_id < 1) || ((unsigned int)curve_id >
200                                 sizeof(nid_list)/sizeof(nid_list[0])))
201                 return 0;
202         return nid_list[curve_id-1];
203         }
204
205 int tls1_ec_nid2curve_id(int nid)
206         {
207         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
208         switch (nid)
209                 {
210         case NID_sect163k1: /* sect163k1 (1) */
211                 return 1;
212         case NID_sect163r1: /* sect163r1 (2) */
213                 return 2;
214         case NID_sect163r2: /* sect163r2 (3) */
215                 return 3;
216         case NID_sect193r1: /* sect193r1 (4) */ 
217                 return 4;
218         case NID_sect193r2: /* sect193r2 (5) */ 
219                 return 5;
220         case NID_sect233k1: /* sect233k1 (6) */
221                 return 6;
222         case NID_sect233r1: /* sect233r1 (7) */ 
223                 return 7;
224         case NID_sect239k1: /* sect239k1 (8) */ 
225                 return 8;
226         case NID_sect283k1: /* sect283k1 (9) */
227                 return 9;
228         case NID_sect283r1: /* sect283r1 (10) */ 
229                 return 10;
230         case NID_sect409k1: /* sect409k1 (11) */ 
231                 return 11;
232         case NID_sect409r1: /* sect409r1 (12) */
233                 return 12;
234         case NID_sect571k1: /* sect571k1 (13) */ 
235                 return 13;
236         case NID_sect571r1: /* sect571r1 (14) */ 
237                 return 14;
238         case NID_secp160k1: /* secp160k1 (15) */
239                 return 15;
240         case NID_secp160r1: /* secp160r1 (16) */ 
241                 return 16;
242         case NID_secp160r2: /* secp160r2 (17) */ 
243                 return 17;
244         case NID_secp192k1: /* secp192k1 (18) */
245                 return 18;
246         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
247                 return 19;
248         case NID_secp224k1: /* secp224k1 (20) */ 
249                 return 20;
250         case NID_secp224r1: /* secp224r1 (21) */
251                 return 21;
252         case NID_secp256k1: /* secp256k1 (22) */ 
253                 return 22;
254         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
255                 return 23;
256         case NID_secp384r1: /* secp384r1 (24) */
257                 return 24;
258         case NID_secp521r1:  /* secp521r1 (25) */       
259                 return 25;
260         default:
261                 return 0;
262                 }
263         }
264 #endif /* OPENSSL_NO_EC */
265
266 #ifndef OPENSSL_NO_TLSEXT
267 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
268         {
269         int extdatalen=0;
270         unsigned char *ret = p;
271
272         ret+=2;
273
274         if (ret>=limit) return NULL; /* this really never occurs, but ... */
275
276         if (s->tlsext_hostname != NULL)
277                 { 
278                 /* Add TLS extension servername to the Client Hello message */
279                 unsigned long size_str;
280                 long lenmax; 
281
282                 /* check for enough space.
283                    4 for the servername type and entension length
284                    2 for servernamelist length
285                    1 for the hostname type
286                    2 for hostname length
287                    + hostname length 
288                 */
289                    
290                 if ((lenmax = limit - ret - 9) < 0 
291                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
292                         return NULL;
293                         
294                 /* extension type and length */
295                 s2n(TLSEXT_TYPE_server_name,ret); 
296                 s2n(size_str+5,ret);
297                 
298                 /* length of servername list */
299                 s2n(size_str+3,ret);
300         
301                 /* hostname type, length and hostname */
302                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
303                 s2n(size_str,ret);
304                 memcpy(ret, s->tlsext_hostname, size_str);
305                 ret+=size_str;
306                 }
307
308 #ifndef OPENSSL_NO_EC
309         if (s->tlsext_ecpointformatlist != NULL)
310                 {
311                 /* Add TLS extension ECPointFormats to the ClientHello message */
312                 long lenmax; 
313
314                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
315                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
316                 if (s->tlsext_ecpointformatlist_length > 255)
317                         {
318                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
319                         return NULL;
320                         }
321                 
322                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
323                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
324                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
325                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
326                 ret+=s->tlsext_ecpointformatlist_length;
327                 }
328         if (s->tlsext_ellipticcurvelist != NULL)
329                 {
330                 /* Add TLS extension EllipticCurves to the ClientHello message */
331                 long lenmax; 
332
333                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
334                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
335                 if (s->tlsext_ellipticcurvelist_length > 65532)
336                         {
337                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
338                         return NULL;
339                         }
340                 
341                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
342                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
343
344                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
345                  * elliptic_curve_list, but the examples use two bytes.
346                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
347                  * resolves this to two bytes.
348                  */
349                 s2n(s->tlsext_ellipticcurvelist_length, ret);
350                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
351                 ret+=s->tlsext_ellipticcurvelist_length;
352                 }
353 #endif /* OPENSSL_NO_EC */
354
355         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
356                 {
357                 int ticklen;
358                 if (s->session && s->session->tlsext_tick)
359                         ticklen = s->session->tlsext_ticklen;
360                 else
361                         ticklen = 0;
362                 /* Check for enough room 2 for extension type, 2 for len
363                  * rest for ticket
364                  */
365                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
366                 s2n(TLSEXT_TYPE_session_ticket,ret); 
367                 s2n(ticklen,ret);
368                 if (ticklen)
369                         {
370                         memcpy(ret, s->session->tlsext_tick, ticklen);
371                         ret += ticklen;
372                         }
373                 }
374
375 #ifdef TLSEXT_TYPE_opaque_prf_input
376         if (s->s3->client_opaque_prf_input != NULL)
377                 {
378                 size_t col = s->s3->client_opaque_prf_input_len;
379                 
380                 if ((long)(limit - ret - 6 - col < 0))
381                         return NULL;
382                 if (col > 0xFFFD) /* can't happen */
383                         return NULL;
384
385                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
386                 s2n(col + 2, ret);
387                 s2n(col, ret);
388                 memcpy(ret, s->s3->client_opaque_prf_input, col);
389                 ret += col;
390                 }
391 #endif
392
393         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
394                 {
395                 int i;
396                 long extlen, idlen, itmp;
397                 OCSP_RESPID *id;
398
399                 idlen = 0;
400                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
401                         {
402                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
403                         itmp = i2d_OCSP_RESPID(id, NULL);
404                         if (itmp <= 0)
405                                 return NULL;
406                         idlen += itmp + 2;
407                         }
408
409                 if (s->tlsext_ocsp_exts)
410                         {
411                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
412                         if (extlen < 0)
413                                 return NULL;
414                         }
415                 else
416                         extlen = 0;
417                         
418                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
419                 s2n(TLSEXT_TYPE_status_request, ret);
420                 if (extlen + idlen > 0xFFF0)
421                         return NULL;
422                 s2n(extlen + idlen + 5, ret);
423                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
424                 s2n(idlen, ret);
425                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
426                         {
427                         /* save position of id len */
428                         unsigned char *q = ret;
429                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
430                         /* skip over id len */
431                         ret += 2;
432                         itmp = i2d_OCSP_RESPID(id, &ret);
433                         /* write id len */
434                         s2n(itmp, q);
435                         }
436                 s2n(extlen, ret);
437                 if (extlen > 0)
438                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
439                 }
440
441         if ((extdatalen = ret-p-2)== 0) 
442                 return p;
443
444         s2n(extdatalen,p);
445         return ret;
446         }
447
448 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
449         {
450         int extdatalen=0;
451         unsigned char *ret = p;
452
453         ret+=2;
454         if (ret>=limit) return NULL; /* this really never occurs, but ... */
455
456         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
457                 { 
458                 if ((long)(limit - ret - 4) < 0) return NULL; 
459
460                 s2n(TLSEXT_TYPE_server_name,ret);
461                 s2n(0,ret);
462                 }
463 #ifndef OPENSSL_NO_EC
464         if (s->tlsext_ecpointformatlist != NULL)
465                 {
466                 /* Add TLS extension ECPointFormats to the ServerHello message */
467                 long lenmax; 
468
469                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
470                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471                 if (s->tlsext_ecpointformatlist_length > 255)
472                         {
473                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474                         return NULL;
475                         }
476                 
477                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481                 ret+=s->tlsext_ecpointformatlist_length;
482
483                 }
484         /* Currently the server should not respond with a SupportedCurves extension */
485 #endif /* OPENSSL_NO_EC */
486
487         if (s->tlsext_ticket_expected
488                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
489                 { 
490                 if ((long)(limit - ret - 4) < 0) return NULL; 
491                 s2n(TLSEXT_TYPE_session_ticket,ret);
492                 s2n(0,ret);
493                 }
494
495         if (s->tlsext_status_expected)
496                 { 
497                 if ((long)(limit - ret - 4) < 0) return NULL; 
498                 s2n(TLSEXT_TYPE_status_request,ret);
499                 s2n(0,ret);
500                 }
501
502 #ifdef TLSEXT_TYPE_opaque_prf_input
503         if (s->s3->server_opaque_prf_input != NULL)
504                 {
505                 size_t sol = s->s3->server_opaque_prf_input_len;
506                 
507                 if ((long)(limit - ret - 6 - sol) < 0)
508                         return NULL;
509                 if (sol > 0xFFFD) /* can't happen */
510                         return NULL;
511
512                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
513                 s2n(sol + 2, ret);
514                 s2n(sol, ret);
515                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
516                 ret += sol;
517                 }
518 #endif
519         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
520                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
521                 { const unsigned char cryptopro_ext[36] = {
522                         0xfd, 0xe8, /*65000*/
523                         0x00, 0x20, /*32 bytes length*/
524                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
525                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
526                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
527                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
528                         if (limit-ret<36) return NULL;
529                         memcpy(ret,cryptopro_ext,36);
530                         ret+=36;
531
532                 }
533
534         if ((extdatalen = ret-p-2)== 0) 
535                 return p;
536
537         s2n(extdatalen,p);
538         return ret;
539         }
540
541 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
542         {
543         unsigned short type;
544         unsigned short size;
545         unsigned short len;
546         unsigned char *data = *p;
547         s->servername_done = 0;
548         s->tlsext_status_type = -1;
549
550         if (data >= (d+n-2))
551                 return 1;
552         n2s(data,len);
553
554         if (data > (d+n-len)) 
555                 return 1;
556
557         while (data <= (d+n-4))
558                 {
559                 n2s(data,type);
560                 n2s(data,size);
561
562                 if (data+size > (d+n))
563                         return 1;
564 #if 0
565                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
566 #endif
567                 if (s->tlsext_debug_cb)
568                         s->tlsext_debug_cb(s, 0, type, data, size,
569                                                 s->tlsext_debug_arg);
570 /* The servername extension is treated as follows:
571
572    - Only the hostname type is supported with a maximum length of 255.
573    - The servername is rejected if too long or if it contains zeros,
574      in which case an fatal alert is generated.
575    - The servername field is maintained together with the session cache.
576    - When a session is resumed, the servername call back invoked in order
577      to allow the application to position itself to the right context. 
578    - The servername is acknowledged if it is new for a session or when 
579      it is identical to a previously used for the same session. 
580      Applications can control the behaviour.  They can at any time
581      set a 'desirable' servername for a new SSL object. This can be the
582      case for example with HTTPS when a Host: header field is received and
583      a renegotiation is requested. In this case, a possible servername
584      presented in the new client hello is only acknowledged if it matches
585      the value of the Host: field. 
586    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
587      if they provide for changing an explicit servername context for the session,
588      i.e. when the session has been established with a servername extension. 
589    - On session reconnect, the servername extension may be absent. 
590
591 */      
592
593                 if (type == TLSEXT_TYPE_server_name)
594                         {
595                         unsigned char *sdata;
596                         int servname_type;
597                         int dsize; 
598                 
599                         if (size < 2) 
600                                 {
601                                 *al = SSL_AD_DECODE_ERROR;
602                                 return 0;
603                                 }
604                         n2s(data,dsize);  
605                         size -= 2;
606                         if (dsize > size  ) 
607                                 {
608                                 *al = SSL_AD_DECODE_ERROR;
609                                 return 0;
610                                 } 
611
612                         sdata = data;
613                         while (dsize > 3) 
614                                 {
615                                 servname_type = *(sdata++); 
616                                 n2s(sdata,len);
617                                 dsize -= 3;
618
619                                 if (len > dsize) 
620                                         {
621                                         *al = SSL_AD_DECODE_ERROR;
622                                         return 0;
623                                         }
624                                 if (s->servername_done == 0)
625                                 switch (servname_type)
626                                         {
627                                 case TLSEXT_NAMETYPE_host_name:
628                                         if (s->session->tlsext_hostname == NULL)
629                                                 {
630                                                 if (len > TLSEXT_MAXLEN_host_name || 
631                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
632                                                         {
633                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
634                                                         return 0;
635                                                         }
636                                                 memcpy(s->session->tlsext_hostname, sdata, len);
637                                                 s->session->tlsext_hostname[len]='\0';
638                                                 if (strlen(s->session->tlsext_hostname) != len) {
639                                                         OPENSSL_free(s->session->tlsext_hostname);
640                                                         s->session->tlsext_hostname = NULL;
641                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
642                                                         return 0;
643                                                 }
644                                                 s->servername_done = 1; 
645
646                                                 }
647                                         else 
648                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
649                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
650                                         
651                                         break;
652
653                                 default:
654                                         break;
655                                         }
656                                  
657                                 dsize -= len;
658                                 }
659                         if (dsize != 0) 
660                                 {
661                                 *al = SSL_AD_DECODE_ERROR;
662                                 return 0;
663                                 }
664
665                         }
666
667 #ifndef OPENSSL_NO_EC
668                 else if (type == TLSEXT_TYPE_ec_point_formats)
669                         {
670                         unsigned char *sdata = data;
671                         int ecpointformatlist_length = *(sdata++);
672
673                         if (ecpointformatlist_length != size - 1)
674                                 {
675                                 *al = TLS1_AD_DECODE_ERROR;
676                                 return 0;
677                                 }
678                         s->session->tlsext_ecpointformatlist_length = 0;
679                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
680                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
681                                 {
682                                 *al = TLS1_AD_INTERNAL_ERROR;
683                                 return 0;
684                                 }
685                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
686                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
687 #if 0
688                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
689                         sdata = s->session->tlsext_ecpointformatlist;
690                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
691                                 fprintf(stderr,"%i ",*(sdata++));
692                         fprintf(stderr,"\n");
693 #endif
694                         }
695                 else if (type == TLSEXT_TYPE_elliptic_curves)
696                         {
697                         unsigned char *sdata = data;
698                         int ellipticcurvelist_length = (*(sdata++) << 8);
699                         ellipticcurvelist_length += (*(sdata++));
700
701                         if (ellipticcurvelist_length != size - 2)
702                                 {
703                                 *al = TLS1_AD_DECODE_ERROR;
704                                 return 0;
705                                 }
706                         s->session->tlsext_ellipticcurvelist_length = 0;
707                         if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
708                         if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
709                                 {
710                                 *al = TLS1_AD_INTERNAL_ERROR;
711                                 return 0;
712                                 }
713                         s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
714                         memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
715 #if 0
716                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
717                         sdata = s->session->tlsext_ellipticcurvelist;
718                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
719                                 fprintf(stderr,"%i ",*(sdata++));
720                         fprintf(stderr,"\n");
721 #endif
722                         }
723 #endif /* OPENSSL_NO_EC */
724 #ifdef TLSEXT_TYPE_opaque_prf_input
725                 else if (type == TLSEXT_TYPE_opaque_prf_input)
726                         {
727                         unsigned char *sdata = data;
728
729                         if (size < 2)
730                                 {
731                                 *al = SSL_AD_DECODE_ERROR;
732                                 return 0;
733                                 }
734                         n2s(sdata, s->s3->client_opaque_prf_input_len);
735                         if (s->s3->client_opaque_prf_input_len != size - 2)
736                                 {
737                                 *al = SSL_AD_DECODE_ERROR;
738                                 return 0;
739                                 }
740
741                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
742                                 OPENSSL_free(s->s3->client_opaque_prf_input);
743                         if (s->s3->client_opaque_prf_input_len == 0)
744                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
745                         else
746                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
747                         if (s->s3->client_opaque_prf_input == NULL)
748                                 {
749                                 *al = TLS1_AD_INTERNAL_ERROR;
750                                 return 0;
751                                 }
752                         }
753 #endif
754                 else if (type == TLSEXT_TYPE_status_request
755                                                 && s->ctx->tlsext_status_cb)
756                         {
757                 
758                         if (size < 5) 
759                                 {
760                                 *al = SSL_AD_DECODE_ERROR;
761                                 return 0;
762                                 }
763
764                         s->tlsext_status_type = *data++;
765                         size--;
766                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
767                                 {
768                                 const unsigned char *sdata;
769                                 int dsize;
770                                 /* Read in responder_id_list */
771                                 n2s(data,dsize);
772                                 size -= 2;
773                                 if (dsize > size  ) 
774                                         {
775                                         *al = SSL_AD_DECODE_ERROR;
776                                         return 0;
777                                         }
778                                 while (dsize > 0)
779                                         {
780                                         OCSP_RESPID *id;
781                                         int idsize;
782                                         if (dsize < 4)
783                                                 {
784                                                 *al = SSL_AD_DECODE_ERROR;
785                                                 return 0;
786                                                 }
787                                         n2s(data, idsize);
788                                         dsize -= 2 + idsize;
789                                         if (dsize < 0)
790                                                 {
791                                                 *al = SSL_AD_DECODE_ERROR;
792                                                 return 0;
793                                                 }
794                                         sdata = data;
795                                         data += idsize;
796                                         id = d2i_OCSP_RESPID(NULL,
797                                                                 &sdata, idsize);
798                                         if (!id)
799                                                 {
800                                                 *al = SSL_AD_DECODE_ERROR;
801                                                 return 0;
802                                                 }
803                                         if (data != sdata)
804                                                 {
805                                                 OCSP_RESPID_free(id);
806                                                 *al = SSL_AD_DECODE_ERROR;
807                                                 return 0;
808                                                 }
809                                         if (!s->tlsext_ocsp_ids
810                                                 && !(s->tlsext_ocsp_ids =
811                                                 sk_OCSP_RESPID_new_null()))
812                                                 {
813                                                 OCSP_RESPID_free(id);
814                                                 *al = SSL_AD_INTERNAL_ERROR;
815                                                 return 0;
816                                                 }
817                                         if (!sk_OCSP_RESPID_push(
818                                                         s->tlsext_ocsp_ids, id))
819                                                 {
820                                                 OCSP_RESPID_free(id);
821                                                 *al = SSL_AD_INTERNAL_ERROR;
822                                                 return 0;
823                                                 }
824                                         }
825
826                                 /* Read in request_extensions */
827                                 n2s(data,dsize);
828                                 size -= 2;
829                                 if (dsize > size) 
830                                         {
831                                         *al = SSL_AD_DECODE_ERROR;
832                                         return 0;
833                                         }
834                                 sdata = data;
835                                 if (dsize > 0)
836                                         {
837                                         s->tlsext_ocsp_exts =
838                                                 d2i_X509_EXTENSIONS(NULL,
839                                                         &sdata, dsize);
840                                         if (!s->tlsext_ocsp_exts
841                                                 || (data + dsize != sdata))
842                                                 {
843                                                 *al = SSL_AD_DECODE_ERROR;
844                                                 return 0;
845                                                 }
846                                         }
847                                 }
848                                 /* We don't know what to do with any other type
849                                 * so ignore it.
850                                 */
851                                 else
852                                         s->tlsext_status_type = -1;
853                         }
854
855                 /* session ticket processed earlier */
856                 data+=size;
857                 }
858                                 
859         *p = data;
860         return 1;
861         }
862
863 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
864         {
865         unsigned short type;
866         unsigned short size;
867         unsigned short len;  
868         unsigned char *data = *p;
869
870         int tlsext_servername = 0;
871
872         if (data >= (d+n-2))
873                 return 1;
874
875         n2s(data,len);
876
877         while(data <= (d+n-4))
878                 {
879                 n2s(data,type);
880                 n2s(data,size);
881
882                 if (data+size > (d+n))
883                         return 1;
884
885                 if (s->tlsext_debug_cb)
886                         s->tlsext_debug_cb(s, 1, type, data, size,
887                                                 s->tlsext_debug_arg);
888
889                 if (type == TLSEXT_TYPE_server_name)
890                         {
891                         if (s->tlsext_hostname == NULL || size > 0)
892                                 {
893                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
894                                 return 0;
895                                 }
896                         tlsext_servername = 1;   
897                         }
898
899 #ifndef OPENSSL_NO_EC
900                 else if (type == TLSEXT_TYPE_ec_point_formats)
901                         {
902                         unsigned char *sdata = data;
903                         int ecpointformatlist_length = *(sdata++);
904
905                         if (ecpointformatlist_length != size - 1)
906                                 {
907                                 *al = TLS1_AD_DECODE_ERROR;
908                                 return 0;
909                                 }
910                         s->session->tlsext_ecpointformatlist_length = 0;
911                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
912                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
913                                 {
914                                 *al = TLS1_AD_INTERNAL_ERROR;
915                                 return 0;
916                                 }
917                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
918                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
919 #if 0
920                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
921                         sdata = s->session->tlsext_ecpointformatlist;
922                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
923                                 fprintf(stderr,"%i ",*(sdata++));
924                         fprintf(stderr,"\n");
925 #endif
926                         }
927 #endif /* OPENSSL_NO_EC */
928
929                 else if (type == TLSEXT_TYPE_session_ticket)
930                         {
931                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
932                                 || (size > 0))
933                                 {
934                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
935                                 return 0;
936                                 }
937                         s->tlsext_ticket_expected = 1;
938                         }
939 #ifdef TLSEXT_TYPE_opaque_prf_input
940                 else if (type == TLSEXT_TYPE_opaque_prf_input)
941                         {
942                         unsigned char *sdata = data;
943
944                         if (size < 2)
945                                 {
946                                 *al = SSL_AD_DECODE_ERROR;
947                                 return 0;
948                                 }
949                         n2s(sdata, s->s3->server_opaque_prf_input_len);
950                         if (s->s3->server_opaque_prf_input_len != size - 2)
951                                 {
952                                 *al = SSL_AD_DECODE_ERROR;
953                                 return 0;
954                                 }
955                         
956                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
957                                 OPENSSL_free(s->s3->server_opaque_prf_input);
958                         if (s->s3->server_opaque_prf_input_len == 0)
959                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
960                         else
961                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
962
963                         if (s->s3->server_opaque_prf_input == NULL)
964                                 {
965                                 *al = TLS1_AD_INTERNAL_ERROR;
966                                 return 0;
967                                 }
968                         }
969 #endif
970                 else if (type == TLSEXT_TYPE_status_request)
971                         {
972                         /* MUST be empty and only sent if we've requested
973                          * a status request message.
974                          */ 
975                         if ((s->tlsext_status_type == -1) || (size > 0))
976                                 {
977                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
978                                 return 0;
979                                 }
980                         /* Set flag to expect CertificateStatus message */
981                         s->tlsext_status_expected = 1;
982                         }
983
984                 data+=size;             
985                 }
986
987         if (data != d+n)
988                 {
989                 *al = SSL_AD_DECODE_ERROR;
990                 return 0;
991                 }
992
993         if (!s->hit && tlsext_servername == 1)
994                 {
995                 if (s->tlsext_hostname)
996                         {
997                         if (s->session->tlsext_hostname == NULL)
998                                 {
999                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1000                                 if (!s->session->tlsext_hostname)
1001                                         {
1002                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1003                                         return 0;
1004                                         }
1005                                 }
1006                         else 
1007                                 {
1008                                 *al = SSL_AD_DECODE_ERROR;
1009                                 return 0;
1010                                 }
1011                         }
1012                 }
1013
1014         *p = data;
1015         return 1;
1016         }
1017
1018
1019 int ssl_prepare_clienthello_tlsext(SSL *s)
1020         {
1021 #ifndef OPENSSL_NO_EC
1022         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1023          * and elliptic curves we support.
1024          */
1025         int using_ecc = 0;
1026         int i;
1027         unsigned char *j;
1028         unsigned long alg_k, alg_a;
1029         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1030
1031         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1032                 {
1033                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1034
1035                 alg_k = c->algorithm_mkey;
1036                 alg_a = c->algorithm_auth;
1037                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1038                         {
1039                         using_ecc = 1;
1040                         break;
1041                         }
1042                 }
1043         using_ecc = using_ecc && (s->version == TLS1_VERSION);
1044         if (using_ecc)
1045                 {
1046                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1047                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1048                         {
1049                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1050                         return -1;
1051                         }
1052                 s->tlsext_ecpointformatlist_length = 3;
1053                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1054                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1055                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1056
1057                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1058                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1059                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1060                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1061                         {
1062                         s->tlsext_ellipticcurvelist_length = 0;
1063                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1064                         return -1;
1065                         }
1066                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1067                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1068                         s2n(i,j);
1069                 }
1070 #endif /* OPENSSL_NO_EC */
1071
1072 #ifdef TLSEXT_TYPE_opaque_prf_input
1073         {
1074                 int r = 1;
1075         
1076                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1077                         {
1078                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1079                         if (!r)
1080                                 return -1;
1081                         }
1082
1083                 if (s->tlsext_opaque_prf_input != NULL)
1084                         {
1085                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1086                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1087
1088                         if (s->tlsext_opaque_prf_input_len == 0)
1089                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1090                         else
1091                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1092                         if (s->s3->client_opaque_prf_input == NULL)
1093                                 {
1094                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1095                                 return -1;
1096                                 }
1097                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1098                         }
1099
1100                 if (r == 2)
1101                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1102                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1103         }
1104 #endif
1105
1106         return 1;
1107         }
1108
1109 int ssl_prepare_serverhello_tlsext(SSL *s)
1110         {
1111 #ifndef OPENSSL_NO_EC
1112         /* If we are server and using an ECC cipher suite, send the point formats we support 
1113          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1114          * supposed to send an EllipticCurves extension.
1115          */
1116
1117         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1118         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1119         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1120         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1121         
1122         if (using_ecc)
1123                 {
1124                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1125                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1126                         {
1127                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1128                         return -1;
1129                         }
1130                 s->tlsext_ecpointformatlist_length = 3;
1131                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1132                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1133                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1134                 }
1135 #endif /* OPENSSL_NO_EC */
1136
1137         return 1;
1138         }
1139
1140 int ssl_check_clienthello_tlsext(SSL *s)
1141         {
1142         int ret=SSL_TLSEXT_ERR_NOACK;
1143         int al = SSL_AD_UNRECOGNIZED_NAME;
1144
1145 #ifndef OPENSSL_NO_EC
1146         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1147          * ssl3_choose_cipher in s3_lib.c.
1148          */
1149         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1150          * ssl3_choose_cipher in s3_lib.c.
1151          */
1152 #endif
1153
1154         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1155                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1156         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1157                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1158
1159         /* If status request then ask callback what to do.
1160          * Note: this must be called after servername callbacks in case 
1161          * the certificate has changed.
1162          */
1163         if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1164                 {
1165                 int r;
1166                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1167                 switch (r)
1168                         {
1169                         /* We don't want to send a status request response */
1170                         case SSL_TLSEXT_ERR_NOACK:
1171                                 s->tlsext_status_expected = 0;
1172                                 break;
1173                         /* status request response should be sent */
1174                         case SSL_TLSEXT_ERR_OK:
1175                                 if (s->tlsext_ocsp_resp)
1176                                         s->tlsext_status_expected = 1;
1177                                 else
1178                                         s->tlsext_status_expected = 0;
1179                                 break;
1180                         /* something bad happened */
1181                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1182                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1183                                 al = SSL_AD_INTERNAL_ERROR;
1184                                 goto err;
1185                         }
1186                 }
1187         else
1188                 s->tlsext_status_expected = 0;
1189
1190 #ifdef TLSEXT_TYPE_opaque_prf_input
1191         {
1192                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1193                  * but we might be sending an alert in response to the client hello,
1194                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1195
1196                 int r = 1;
1197         
1198                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1199                         {
1200                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1201                         if (!r)
1202                                 {
1203                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1204                                 al = SSL_AD_INTERNAL_ERROR;
1205                                 goto err;
1206                                 }
1207                         }
1208
1209                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1210                         OPENSSL_free(s->s3->server_opaque_prf_input);
1211                 s->s3->server_opaque_prf_input = NULL;
1212
1213                 if (s->tlsext_opaque_prf_input != NULL)
1214                         {
1215                         if (s->s3->client_opaque_prf_input != NULL &&
1216                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1217                                 {
1218                                 /* can only use this extension if we have a server opaque PRF input
1219                                  * of the same length as the client opaque PRF input! */
1220
1221                                 if (s->tlsext_opaque_prf_input_len == 0)
1222                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1223                                 else
1224                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1225                                 if (s->s3->server_opaque_prf_input == NULL)
1226                                         {
1227                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1228                                         al = SSL_AD_INTERNAL_ERROR;
1229                                         goto err;
1230                                         }
1231                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1232                                 }
1233                         }
1234
1235                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1236                         {
1237                         /* The callback wants to enforce use of the extension,
1238                          * but we can't do that with the client opaque PRF input;
1239                          * abort the handshake.
1240                          */
1241                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1242                         al = SSL_AD_HANDSHAKE_FAILURE;
1243                         }
1244         }
1245
1246 #endif
1247  err:
1248         switch (ret)
1249                 {
1250                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1251                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1252                         return -1;
1253
1254                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1255                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1256                         return 1; 
1257                                         
1258                 case SSL_TLSEXT_ERR_NOACK:
1259                         s->servername_done=0;
1260                         default:
1261                 return 1;
1262                 }
1263         }
1264
1265 int ssl_check_serverhello_tlsext(SSL *s)
1266         {
1267         int ret=SSL_TLSEXT_ERR_NOACK;
1268         int al = SSL_AD_UNRECOGNIZED_NAME;
1269
1270 #ifndef OPENSSL_NO_EC
1271         /* If we are client and using an elliptic curve cryptography cipher suite, then server
1272          * must return a an EC point formats lists containing uncompressed.
1273          */
1274         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1275         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1276         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1277             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1278                 {
1279                 /* we are using an ECC cipher */
1280                 size_t i;
1281                 unsigned char *list;
1282                 int found_uncompressed = 0;
1283                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1284                         {
1285                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1286                         return -1;
1287                         }
1288                 list = s->session->tlsext_ecpointformatlist;
1289                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1290                         {
1291                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1292                                 {
1293                                 found_uncompressed = 1;
1294                                 break;
1295                                 }
1296                         }
1297                 if (!found_uncompressed)
1298                         {
1299                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1300                         return -1;
1301                         }
1302                 }
1303         ret = SSL_TLSEXT_ERR_OK;
1304 #endif /* OPENSSL_NO_EC */
1305
1306         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1307                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1308         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1309                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1310
1311 #ifdef TLSEXT_TYPE_opaque_prf_input
1312         if (s->s3->server_opaque_prf_input_len > 0)
1313                 {
1314                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1315                  * So first verify that we really have a value from the server too. */
1316
1317                 if (s->s3->server_opaque_prf_input == NULL)
1318                         {
1319                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1320                         al = SSL_AD_HANDSHAKE_FAILURE;
1321                         }
1322                 
1323                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1324                  * that we have a client opaque PRF input of the same size. */
1325                 if (s->s3->client_opaque_prf_input == NULL ||
1326                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1327                         {
1328                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1329                         al = SSL_AD_ILLEGAL_PARAMETER;
1330                         }
1331                 }
1332 #endif
1333
1334         /* If we've requested certificate status and we wont get one
1335          * tell the callback
1336          */
1337         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1338                         && s->ctx->tlsext_status_cb)
1339                 {
1340                 int r;
1341                 /* Set resp to NULL, resplen to -1 so callback knows
1342                  * there is no response.
1343                  */
1344                 if (s->tlsext_ocsp_resp)
1345                         {
1346                         OPENSSL_free(s->tlsext_ocsp_resp);
1347                         s->tlsext_ocsp_resp = NULL;
1348                         }
1349                 s->tlsext_ocsp_resplen = -1;
1350                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1351                 if (r == 0)
1352                         {
1353                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1354                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1355                         }
1356                 if (r < 0)
1357                         {
1358                         al = SSL_AD_INTERNAL_ERROR;
1359                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1360                         }
1361                 }
1362
1363         switch (ret)
1364                 {
1365                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1366                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1367                         return -1;
1368
1369                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1370                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1371                         return 1; 
1372                                         
1373                 case SSL_TLSEXT_ERR_NOACK:
1374                         s->servername_done=0;
1375                         default:
1376                 return 1;
1377                 }
1378         }
1379
1380 /* Since the server cache lookup is done early on in the processing of client
1381  * hello and other operations depend on the result we need to handle any TLS
1382  * session ticket extension at the same time.
1383  */
1384
1385 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1386                                 const unsigned char *limit, SSL_SESSION **ret)
1387         {
1388         /* Point after session ID in client hello */
1389         const unsigned char *p = session_id + len;
1390         unsigned short i;
1391         if ((s->version <= SSL3_VERSION) || !limit)
1392                 return 1;
1393         if (p >= limit)
1394                 return -1;
1395         /* Skip past cipher list */
1396         n2s(p, i);
1397         p+= i;
1398         if (p >= limit)
1399                 return -1;
1400         /* Skip past compression algorithm list */
1401         i = *(p++);
1402         p += i;
1403         if (p > limit)
1404                 return -1;
1405         /* Now at start of extensions */
1406         if ((p + 2) >= limit)
1407                 return 1;
1408         n2s(p, i);
1409         while ((p + 4) <= limit)
1410                 {
1411                 unsigned short type, size;
1412                 n2s(p, type);
1413                 n2s(p, size);
1414                 if (p + size > limit)
1415                         return 1;
1416                 if (type == TLSEXT_TYPE_session_ticket)
1417                         {
1418                         /* If tickets disabled indicate cache miss which will
1419                          * trigger a full handshake
1420                          */
1421                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1422                                 return 0;
1423                         /* If zero length not client will accept a ticket
1424                          * and indicate cache miss to trigger full handshake
1425                          */
1426                         if (size == 0)
1427                                 {
1428                                 s->tlsext_ticket_expected = 1;
1429                                 return 0;       /* Cache miss */
1430                                 }
1431                         return tls_decrypt_ticket(s, p, size, session_id, len,
1432                                                                         ret);
1433                         }
1434                 p += size;
1435                 }
1436         return 1;
1437         }
1438
1439 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1440                                 const unsigned char *sess_id, int sesslen,
1441                                 SSL_SESSION **psess)
1442         {
1443         SSL_SESSION *sess;
1444         unsigned char *sdec;
1445         const unsigned char *p;
1446         int slen, mlen, renew_ticket = 0;
1447         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1448         HMAC_CTX hctx;
1449         EVP_CIPHER_CTX ctx;
1450         /* Need at least keyname + iv + some encrypted data */
1451         if (eticklen < 48)
1452                 goto tickerr;
1453         /* Initialize session ticket encryption and HMAC contexts */
1454         HMAC_CTX_init(&hctx);
1455         EVP_CIPHER_CTX_init(&ctx);
1456         if (s->ctx->tlsext_ticket_key_cb)
1457                 {
1458                 unsigned char *nctick = (unsigned char *)etick;
1459                 int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1460                                                         &ctx, &hctx, 0);
1461                 if (rv < 0)
1462                         return -1;
1463                 if (rv == 0)
1464                         goto tickerr;
1465                 if (rv == 2)
1466                         renew_ticket = 1;
1467                 }
1468         else
1469                 {
1470                 /* Check key name matches */
1471                 if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1472                         goto tickerr;
1473                 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1474                                         tlsext_tick_md(), NULL);
1475                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1476                                 s->ctx->tlsext_tick_aes_key, etick + 16);
1477                 }
1478         /* Attempt to process session ticket, first conduct sanity and
1479          * integrity checks on ticket.
1480          */
1481         mlen = HMAC_size(&hctx);
1482         eticklen -= mlen;
1483         /* Check HMAC of encrypted ticket */
1484         HMAC_Update(&hctx, etick, eticklen);
1485         HMAC_Final(&hctx, tick_hmac, NULL);
1486         HMAC_CTX_cleanup(&hctx);
1487         if (memcmp(tick_hmac, etick + eticklen, mlen))
1488                 goto tickerr;
1489         /* Attempt to decrypt session data */
1490         /* Move p after IV to start of encrypted ticket, update length */
1491         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1492         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1493         sdec = OPENSSL_malloc(eticklen);
1494         if (!sdec)
1495                 {
1496                 EVP_CIPHER_CTX_cleanup(&ctx);
1497                 return -1;
1498                 }
1499         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1500         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1501                 goto tickerr;
1502         slen += mlen;
1503         EVP_CIPHER_CTX_cleanup(&ctx);
1504         p = sdec;
1505                 
1506         sess = d2i_SSL_SESSION(NULL, &p, slen);
1507         OPENSSL_free(sdec);
1508         if (sess)
1509                 {
1510                 /* The session ID if non-empty is used by some clients to
1511                  * detect that the ticket has been accepted. So we copy it to
1512                  * the session structure. If it is empty set length to zero
1513                  * as required by standard.
1514                  */
1515                 if (sesslen)
1516                         memcpy(sess->session_id, sess_id, sesslen);
1517                 sess->session_id_length = sesslen;
1518                 *psess = sess;
1519                 s->tlsext_ticket_expected = renew_ticket;
1520                 return 1;
1521                 }
1522         /* If session decrypt failure indicate a cache miss and set state to
1523          * send a new ticket
1524          */
1525         tickerr:        
1526         s->tlsext_ticket_expected = 1;
1527         return 0;
1528         }
1529
1530 #endif