If we're going to return errors (no matter how stupid), then we should
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         };
140
141 long tls1_default_timeout(void)
142         {
143         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
144          * is way too long for http, the cache would over fill */
145         return(60*60*2);
146         }
147
148 int tls1_new(SSL *s)
149         {
150         if (!ssl3_new(s)) return(0);
151         s->method->ssl_clear(s);
152         return(1);
153         }
154
155 void tls1_free(SSL *s)
156         {
157 #ifndef OPENSSL_NO_TLSEXT
158         if (s->tlsext_session_ticket)
159                 {
160                 OPENSSL_free(s->tlsext_session_ticket);
161                 }
162 #endif /* OPENSSL_NO_TLSEXT */
163         ssl3_free(s);
164         }
165
166 void tls1_clear(SSL *s)
167         {
168         ssl3_clear(s);
169         s->version=TLS1_VERSION;
170         }
171
172 #ifndef OPENSSL_NO_EC
173 static int nid_list[] =
174         {
175                 NID_sect163k1, /* sect163k1 (1) */
176                 NID_sect163r1, /* sect163r1 (2) */
177                 NID_sect163r2, /* sect163r2 (3) */
178                 NID_sect193r1, /* sect193r1 (4) */ 
179                 NID_sect193r2, /* sect193r2 (5) */ 
180                 NID_sect233k1, /* sect233k1 (6) */
181                 NID_sect233r1, /* sect233r1 (7) */ 
182                 NID_sect239k1, /* sect239k1 (8) */ 
183                 NID_sect283k1, /* sect283k1 (9) */
184                 NID_sect283r1, /* sect283r1 (10) */ 
185                 NID_sect409k1, /* sect409k1 (11) */ 
186                 NID_sect409r1, /* sect409r1 (12) */
187                 NID_sect571k1, /* sect571k1 (13) */ 
188                 NID_sect571r1, /* sect571r1 (14) */ 
189                 NID_secp160k1, /* secp160k1 (15) */
190                 NID_secp160r1, /* secp160r1 (16) */ 
191                 NID_secp160r2, /* secp160r2 (17) */ 
192                 NID_secp192k1, /* secp192k1 (18) */
193                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
194                 NID_secp224k1, /* secp224k1 (20) */ 
195                 NID_secp224r1, /* secp224r1 (21) */
196                 NID_secp256k1, /* secp256k1 (22) */ 
197                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
198                 NID_secp384r1, /* secp384r1 (24) */
199                 NID_secp521r1  /* secp521r1 (25) */     
200         };
201         
202 int tls1_ec_curve_id2nid(int curve_id)
203         {
204         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
205         if ((curve_id < 1) || ((unsigned int)curve_id >
206                                 sizeof(nid_list)/sizeof(nid_list[0])))
207                 return 0;
208         return nid_list[curve_id-1];
209         }
210
211 int tls1_ec_nid2curve_id(int nid)
212         {
213         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
214         switch (nid)
215                 {
216         case NID_sect163k1: /* sect163k1 (1) */
217                 return 1;
218         case NID_sect163r1: /* sect163r1 (2) */
219                 return 2;
220         case NID_sect163r2: /* sect163r2 (3) */
221                 return 3;
222         case NID_sect193r1: /* sect193r1 (4) */ 
223                 return 4;
224         case NID_sect193r2: /* sect193r2 (5) */ 
225                 return 5;
226         case NID_sect233k1: /* sect233k1 (6) */
227                 return 6;
228         case NID_sect233r1: /* sect233r1 (7) */ 
229                 return 7;
230         case NID_sect239k1: /* sect239k1 (8) */ 
231                 return 8;
232         case NID_sect283k1: /* sect283k1 (9) */
233                 return 9;
234         case NID_sect283r1: /* sect283r1 (10) */ 
235                 return 10;
236         case NID_sect409k1: /* sect409k1 (11) */ 
237                 return 11;
238         case NID_sect409r1: /* sect409r1 (12) */
239                 return 12;
240         case NID_sect571k1: /* sect571k1 (13) */ 
241                 return 13;
242         case NID_sect571r1: /* sect571r1 (14) */ 
243                 return 14;
244         case NID_secp160k1: /* secp160k1 (15) */
245                 return 15;
246         case NID_secp160r1: /* secp160r1 (16) */ 
247                 return 16;
248         case NID_secp160r2: /* secp160r2 (17) */ 
249                 return 17;
250         case NID_secp192k1: /* secp192k1 (18) */
251                 return 18;
252         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
253                 return 19;
254         case NID_secp224k1: /* secp224k1 (20) */ 
255                 return 20;
256         case NID_secp224r1: /* secp224r1 (21) */
257                 return 21;
258         case NID_secp256k1: /* secp256k1 (22) */ 
259                 return 22;
260         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
261                 return 23;
262         case NID_secp384r1: /* secp384r1 (24) */
263                 return 24;
264         case NID_secp521r1:  /* secp521r1 (25) */       
265                 return 25;
266         default:
267                 return 0;
268                 }
269         }
270 #endif /* OPENSSL_NO_EC */
271
272 #ifndef OPENSSL_NO_TLSEXT
273 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274         {
275         int extdatalen=0;
276         unsigned char *ret = p;
277
278         ret+=2;
279
280         if (ret>=limit) return NULL; /* this really never occurs, but ... */
281
282         if (s->tlsext_hostname != NULL)
283                 { 
284                 /* Add TLS extension servername to the Client Hello message */
285                 unsigned long size_str;
286                 long lenmax; 
287
288                 /* check for enough space.
289                    4 for the servername type and entension length
290                    2 for servernamelist length
291                    1 for the hostname type
292                    2 for hostname length
293                    + hostname length 
294                 */
295                    
296                 if ((lenmax = limit - ret - 9) < 0 
297                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
298                         return NULL;
299                         
300                 /* extension type and length */
301                 s2n(TLSEXT_TYPE_server_name,ret); 
302                 s2n(size_str+5,ret);
303                 
304                 /* length of servername list */
305                 s2n(size_str+3,ret);
306         
307                 /* hostname type, length and hostname */
308                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
309                 s2n(size_str,ret);
310                 memcpy(ret, s->tlsext_hostname, size_str);
311                 ret+=size_str;
312                 }
313
314 #ifndef OPENSSL_NO_EC
315         if (s->tlsext_ecpointformatlist != NULL)
316                 {
317                 /* Add TLS extension ECPointFormats to the ClientHello message */
318                 long lenmax; 
319
320                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
321                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
322                 if (s->tlsext_ecpointformatlist_length > 255)
323                         {
324                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
325                         return NULL;
326                         }
327                 
328                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
329                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
330                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
331                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
332                 ret+=s->tlsext_ecpointformatlist_length;
333                 }
334         if (s->tlsext_ellipticcurvelist != NULL)
335                 {
336                 /* Add TLS extension EllipticCurves to the ClientHello message */
337                 long lenmax; 
338
339                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
340                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
341                 if (s->tlsext_ellipticcurvelist_length > 65532)
342                         {
343                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
344                         return NULL;
345                         }
346                 
347                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
348                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
349
350                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
351                  * elliptic_curve_list, but the examples use two bytes.
352                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
353                  * resolves this to two bytes.
354                  */
355                 s2n(s->tlsext_ellipticcurvelist_length, ret);
356                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
357                 ret+=s->tlsext_ellipticcurvelist_length;
358                 }
359 #endif /* OPENSSL_NO_EC */
360
361         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
362                 {
363                 int ticklen;
364                 if (s->session && s->session->tlsext_tick)
365                         ticklen = s->session->tlsext_ticklen;
366                 else if (s->session && s->tlsext_session_ticket &&
367                          s->tlsext_session_ticket->data)
368                         {
369                         ticklen = s->tlsext_session_ticket->length;
370                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
371                         if (!s->session->tlsext_tick)
372                                 return NULL;
373                         memcpy(s->session->tlsext_tick,
374                                s->tlsext_session_ticket->data,
375                                ticklen);
376                         s->session->tlsext_ticklen = ticklen;
377                         }
378                 else
379                         ticklen = 0;
380                 if (ticklen == 0 && s->tlsext_session_ticket &&
381                     s->tlsext_session_ticket->data == NULL)
382                         goto skip_ext;
383                 /* Check for enough room 2 for extension type, 2 for len
384                  * rest for ticket
385                  */
386                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
387                 s2n(TLSEXT_TYPE_session_ticket,ret); 
388                 s2n(ticklen,ret);
389                 if (ticklen)
390                         {
391                         memcpy(ret, s->session->tlsext_tick, ticklen);
392                         ret += ticklen;
393                         }
394                 }
395                 skip_ext:
396
397 #ifdef TLSEXT_TYPE_opaque_prf_input
398         if (s->s3->client_opaque_prf_input != NULL)
399                 {
400                 size_t col = s->s3->client_opaque_prf_input_len;
401                 
402                 if ((long)(limit - ret - 6 - col < 0))
403                         return NULL;
404                 if (col > 0xFFFD) /* can't happen */
405                         return NULL;
406
407                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
408                 s2n(col + 2, ret);
409                 s2n(col, ret);
410                 memcpy(ret, s->s3->client_opaque_prf_input, col);
411                 ret += col;
412                 }
413 #endif
414
415         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
416                 {
417                 int i;
418                 long extlen, idlen, itmp;
419                 OCSP_RESPID *id;
420
421                 idlen = 0;
422                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
423                         {
424                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
425                         itmp = i2d_OCSP_RESPID(id, NULL);
426                         if (itmp <= 0)
427                                 return NULL;
428                         idlen += itmp + 2;
429                         }
430
431                 if (s->tlsext_ocsp_exts)
432                         {
433                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
434                         if (extlen < 0)
435                                 return NULL;
436                         }
437                 else
438                         extlen = 0;
439                         
440                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
441                 s2n(TLSEXT_TYPE_status_request, ret);
442                 if (extlen + idlen > 0xFFF0)
443                         return NULL;
444                 s2n(extlen + idlen + 5, ret);
445                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
446                 s2n(idlen, ret);
447                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
448                         {
449                         /* save position of id len */
450                         unsigned char *q = ret;
451                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
452                         /* skip over id len */
453                         ret += 2;
454                         itmp = i2d_OCSP_RESPID(id, &ret);
455                         /* write id len */
456                         s2n(itmp, q);
457                         }
458                 s2n(extlen, ret);
459                 if (extlen > 0)
460                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
461                 }
462
463         if ((extdatalen = ret-p-2)== 0) 
464                 return p;
465
466         s2n(extdatalen,p);
467         return ret;
468         }
469
470 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
471         {
472         int extdatalen=0;
473         unsigned char *ret = p;
474
475         ret+=2;
476         if (ret>=limit) return NULL; /* this really never occurs, but ... */
477
478         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
479                 { 
480                 if ((long)(limit - ret - 4) < 0) return NULL; 
481
482                 s2n(TLSEXT_TYPE_server_name,ret);
483                 s2n(0,ret);
484                 }
485 #ifndef OPENSSL_NO_EC
486         if (s->tlsext_ecpointformatlist != NULL)
487                 {
488                 /* Add TLS extension ECPointFormats to the ServerHello message */
489                 long lenmax; 
490
491                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
492                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
493                 if (s->tlsext_ecpointformatlist_length > 255)
494                         {
495                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
496                         return NULL;
497                         }
498                 
499                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
500                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
501                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
502                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
503                 ret+=s->tlsext_ecpointformatlist_length;
504
505                 }
506         /* Currently the server should not respond with a SupportedCurves extension */
507 #endif /* OPENSSL_NO_EC */
508
509         if (s->tlsext_ticket_expected
510                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
511                 { 
512                 if ((long)(limit - ret - 4) < 0) return NULL; 
513                 s2n(TLSEXT_TYPE_session_ticket,ret);
514                 s2n(0,ret);
515                 }
516
517         if (s->tlsext_status_expected)
518                 { 
519                 if ((long)(limit - ret - 4) < 0) return NULL; 
520                 s2n(TLSEXT_TYPE_status_request,ret);
521                 s2n(0,ret);
522                 }
523
524 #ifdef TLSEXT_TYPE_opaque_prf_input
525         if (s->s3->server_opaque_prf_input != NULL)
526                 {
527                 size_t sol = s->s3->server_opaque_prf_input_len;
528                 
529                 if ((long)(limit - ret - 6 - sol) < 0)
530                         return NULL;
531                 if (sol > 0xFFFD) /* can't happen */
532                         return NULL;
533
534                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
535                 s2n(sol + 2, ret);
536                 s2n(sol, ret);
537                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
538                 ret += sol;
539                 }
540 #endif
541         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
542                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
543                 { const unsigned char cryptopro_ext[36] = {
544                         0xfd, 0xe8, /*65000*/
545                         0x00, 0x20, /*32 bytes length*/
546                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
547                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
548                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
549                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
550                         if (limit-ret<36) return NULL;
551                         memcpy(ret,cryptopro_ext,36);
552                         ret+=36;
553
554                 }
555
556         if ((extdatalen = ret-p-2)== 0) 
557                 return p;
558
559         s2n(extdatalen,p);
560         return ret;
561         }
562
563 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
564         {
565         unsigned short type;
566         unsigned short size;
567         unsigned short len;
568         unsigned char *data = *p;
569         s->servername_done = 0;
570         s->tlsext_status_type = -1;
571
572         if (data >= (d+n-2))
573                 return 1;
574         n2s(data,len);
575
576         if (data > (d+n-len)) 
577                 return 1;
578
579         while (data <= (d+n-4))
580                 {
581                 n2s(data,type);
582                 n2s(data,size);
583
584                 if (data+size > (d+n))
585                         return 1;
586 #if 0
587                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
588 #endif
589                 if (s->tlsext_debug_cb)
590                         s->tlsext_debug_cb(s, 0, type, data, size,
591                                                 s->tlsext_debug_arg);
592 /* The servername extension is treated as follows:
593
594    - Only the hostname type is supported with a maximum length of 255.
595    - The servername is rejected if too long or if it contains zeros,
596      in which case an fatal alert is generated.
597    - The servername field is maintained together with the session cache.
598    - When a session is resumed, the servername call back invoked in order
599      to allow the application to position itself to the right context. 
600    - The servername is acknowledged if it is new for a session or when 
601      it is identical to a previously used for the same session. 
602      Applications can control the behaviour.  They can at any time
603      set a 'desirable' servername for a new SSL object. This can be the
604      case for example with HTTPS when a Host: header field is received and
605      a renegotiation is requested. In this case, a possible servername
606      presented in the new client hello is only acknowledged if it matches
607      the value of the Host: field. 
608    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
609      if they provide for changing an explicit servername context for the session,
610      i.e. when the session has been established with a servername extension. 
611    - On session reconnect, the servername extension may be absent. 
612
613 */      
614
615                 if (type == TLSEXT_TYPE_server_name)
616                         {
617                         unsigned char *sdata;
618                         int servname_type;
619                         int dsize; 
620                 
621                         if (size < 2) 
622                                 {
623                                 *al = SSL_AD_DECODE_ERROR;
624                                 return 0;
625                                 }
626                         n2s(data,dsize);  
627                         size -= 2;
628                         if (dsize > size  ) 
629                                 {
630                                 *al = SSL_AD_DECODE_ERROR;
631                                 return 0;
632                                 } 
633
634                         sdata = data;
635                         while (dsize > 3) 
636                                 {
637                                 servname_type = *(sdata++); 
638                                 n2s(sdata,len);
639                                 dsize -= 3;
640
641                                 if (len > dsize) 
642                                         {
643                                         *al = SSL_AD_DECODE_ERROR;
644                                         return 0;
645                                         }
646                                 if (s->servername_done == 0)
647                                 switch (servname_type)
648                                         {
649                                 case TLSEXT_NAMETYPE_host_name:
650                                         if (s->session->tlsext_hostname == NULL)
651                                                 {
652                                                 if (len > TLSEXT_MAXLEN_host_name || 
653                                                         ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
654                                                         {
655                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
656                                                         return 0;
657                                                         }
658                                                 memcpy(s->session->tlsext_hostname, sdata, len);
659                                                 s->session->tlsext_hostname[len]='\0';
660                                                 if (strlen(s->session->tlsext_hostname) != len) {
661                                                         OPENSSL_free(s->session->tlsext_hostname);
662                                                         s->session->tlsext_hostname = NULL;
663                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
664                                                         return 0;
665                                                 }
666                                                 s->servername_done = 1; 
667
668                                                 }
669                                         else 
670                                                 s->servername_done = strlen(s->session->tlsext_hostname) == len 
671                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
672                                         
673                                         break;
674
675                                 default:
676                                         break;
677                                         }
678                                  
679                                 dsize -= len;
680                                 }
681                         if (dsize != 0) 
682                                 {
683                                 *al = SSL_AD_DECODE_ERROR;
684                                 return 0;
685                                 }
686
687                         }
688
689 #ifndef OPENSSL_NO_EC
690                 else if (type == TLSEXT_TYPE_ec_point_formats)
691                         {
692                         unsigned char *sdata = data;
693                         int ecpointformatlist_length = *(sdata++);
694
695                         if (ecpointformatlist_length != size - 1)
696                                 {
697                                 *al = TLS1_AD_DECODE_ERROR;
698                                 return 0;
699                                 }
700                         s->session->tlsext_ecpointformatlist_length = 0;
701                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
702                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
703                                 {
704                                 *al = TLS1_AD_INTERNAL_ERROR;
705                                 return 0;
706                                 }
707                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
708                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
709 #if 0
710                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
711                         sdata = s->session->tlsext_ecpointformatlist;
712                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
713                                 fprintf(stderr,"%i ",*(sdata++));
714                         fprintf(stderr,"\n");
715 #endif
716                         }
717                 else if (type == TLSEXT_TYPE_elliptic_curves)
718                         {
719                         unsigned char *sdata = data;
720                         int ellipticcurvelist_length = (*(sdata++) << 8);
721                         ellipticcurvelist_length += (*(sdata++));
722
723                         if (ellipticcurvelist_length != size - 2)
724                                 {
725                                 *al = TLS1_AD_DECODE_ERROR;
726                                 return 0;
727                                 }
728                         s->session->tlsext_ellipticcurvelist_length = 0;
729                         if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
730                         if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
731                                 {
732                                 *al = TLS1_AD_INTERNAL_ERROR;
733                                 return 0;
734                                 }
735                         s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
736                         memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
737 #if 0
738                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
739                         sdata = s->session->tlsext_ellipticcurvelist;
740                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
741                                 fprintf(stderr,"%i ",*(sdata++));
742                         fprintf(stderr,"\n");
743 #endif
744                         }
745 #endif /* OPENSSL_NO_EC */
746 #ifdef TLSEXT_TYPE_opaque_prf_input
747                 else if (type == TLSEXT_TYPE_opaque_prf_input)
748                         {
749                         unsigned char *sdata = data;
750
751                         if (size < 2)
752                                 {
753                                 *al = SSL_AD_DECODE_ERROR;
754                                 return 0;
755                                 }
756                         n2s(sdata, s->s3->client_opaque_prf_input_len);
757                         if (s->s3->client_opaque_prf_input_len != size - 2)
758                                 {
759                                 *al = SSL_AD_DECODE_ERROR;
760                                 return 0;
761                                 }
762
763                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
764                                 OPENSSL_free(s->s3->client_opaque_prf_input);
765                         if (s->s3->client_opaque_prf_input_len == 0)
766                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
767                         else
768                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
769                         if (s->s3->client_opaque_prf_input == NULL)
770                                 {
771                                 *al = TLS1_AD_INTERNAL_ERROR;
772                                 return 0;
773                                 }
774                         }
775 #endif
776                 else if (type == TLSEXT_TYPE_session_ticket)
777                         {
778                         if (s->tls_session_ticket_ext_cb &&
779                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
780                                 {
781                                 *al = TLS1_AD_INTERNAL_ERROR;
782                                 return 0;
783                                 }
784                         }
785                 else if (type == TLSEXT_TYPE_status_request
786                                                 && s->ctx->tlsext_status_cb)
787                         {
788                 
789                         if (size < 5) 
790                                 {
791                                 *al = SSL_AD_DECODE_ERROR;
792                                 return 0;
793                                 }
794
795                         s->tlsext_status_type = *data++;
796                         size--;
797                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
798                                 {
799                                 const unsigned char *sdata;
800                                 int dsize;
801                                 /* Read in responder_id_list */
802                                 n2s(data,dsize);
803                                 size -= 2;
804                                 if (dsize > size  ) 
805                                         {
806                                         *al = SSL_AD_DECODE_ERROR;
807                                         return 0;
808                                         }
809                                 while (dsize > 0)
810                                         {
811                                         OCSP_RESPID *id;
812                                         int idsize;
813                                         if (dsize < 4)
814                                                 {
815                                                 *al = SSL_AD_DECODE_ERROR;
816                                                 return 0;
817                                                 }
818                                         n2s(data, idsize);
819                                         dsize -= 2 + idsize;
820                                         if (dsize < 0)
821                                                 {
822                                                 *al = SSL_AD_DECODE_ERROR;
823                                                 return 0;
824                                                 }
825                                         sdata = data;
826                                         data += idsize;
827                                         id = d2i_OCSP_RESPID(NULL,
828                                                                 &sdata, idsize);
829                                         if (!id)
830                                                 {
831                                                 *al = SSL_AD_DECODE_ERROR;
832                                                 return 0;
833                                                 }
834                                         if (data != sdata)
835                                                 {
836                                                 OCSP_RESPID_free(id);
837                                                 *al = SSL_AD_DECODE_ERROR;
838                                                 return 0;
839                                                 }
840                                         if (!s->tlsext_ocsp_ids
841                                                 && !(s->tlsext_ocsp_ids =
842                                                 sk_OCSP_RESPID_new_null()))
843                                                 {
844                                                 OCSP_RESPID_free(id);
845                                                 *al = SSL_AD_INTERNAL_ERROR;
846                                                 return 0;
847                                                 }
848                                         if (!sk_OCSP_RESPID_push(
849                                                         s->tlsext_ocsp_ids, id))
850                                                 {
851                                                 OCSP_RESPID_free(id);
852                                                 *al = SSL_AD_INTERNAL_ERROR;
853                                                 return 0;
854                                                 }
855                                         }
856
857                                 /* Read in request_extensions */
858                                 n2s(data,dsize);
859                                 size -= 2;
860                                 if (dsize > size) 
861                                         {
862                                         *al = SSL_AD_DECODE_ERROR;
863                                         return 0;
864                                         }
865                                 sdata = data;
866                                 if (dsize > 0)
867                                         {
868                                         s->tlsext_ocsp_exts =
869                                                 d2i_X509_EXTENSIONS(NULL,
870                                                         &sdata, dsize);
871                                         if (!s->tlsext_ocsp_exts
872                                                 || (data + dsize != sdata))
873                                                 {
874                                                 *al = SSL_AD_DECODE_ERROR;
875                                                 return 0;
876                                                 }
877                                         }
878                                 }
879                                 /* We don't know what to do with any other type
880                                 * so ignore it.
881                                 */
882                                 else
883                                         s->tlsext_status_type = -1;
884                         }
885
886                 /* session ticket processed earlier */
887                 data+=size;
888                 }
889                                 
890         *p = data;
891         return 1;
892         }
893
894 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
895         {
896         unsigned short type;
897         unsigned short size;
898         unsigned short len;  
899         unsigned char *data = *p;
900
901         int tlsext_servername = 0;
902
903         if (data >= (d+n-2))
904                 return 1;
905
906         n2s(data,len);
907
908         while(data <= (d+n-4))
909                 {
910                 n2s(data,type);
911                 n2s(data,size);
912
913                 if (data+size > (d+n))
914                         return 1;
915
916                 if (s->tlsext_debug_cb)
917                         s->tlsext_debug_cb(s, 1, type, data, size,
918                                                 s->tlsext_debug_arg);
919
920                 if (type == TLSEXT_TYPE_server_name)
921                         {
922                         if (s->tlsext_hostname == NULL || size > 0)
923                                 {
924                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
925                                 return 0;
926                                 }
927                         tlsext_servername = 1;   
928                         }
929
930 #ifndef OPENSSL_NO_EC
931                 else if (type == TLSEXT_TYPE_ec_point_formats)
932                         {
933                         unsigned char *sdata = data;
934                         int ecpointformatlist_length = *(sdata++);
935
936                         if (ecpointformatlist_length != size - 1)
937                                 {
938                                 *al = TLS1_AD_DECODE_ERROR;
939                                 return 0;
940                                 }
941                         s->session->tlsext_ecpointformatlist_length = 0;
942                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
943                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
944                                 {
945                                 *al = TLS1_AD_INTERNAL_ERROR;
946                                 return 0;
947                                 }
948                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
949                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
950 #if 0
951                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
952                         sdata = s->session->tlsext_ecpointformatlist;
953                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
954                                 fprintf(stderr,"%i ",*(sdata++));
955                         fprintf(stderr,"\n");
956 #endif
957                         }
958 #endif /* OPENSSL_NO_EC */
959
960                 else if (type == TLSEXT_TYPE_session_ticket)
961                         {
962                         if (s->tls_session_ticket_ext_cb &&
963                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
964                                 {
965                                 *al = TLS1_AD_INTERNAL_ERROR;
966                                 return 0;
967                                 }
968                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
969                                 || (size > 0))
970                                 {
971                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
972                                 return 0;
973                                 }
974                         s->tlsext_ticket_expected = 1;
975                         }
976 #ifdef TLSEXT_TYPE_opaque_prf_input
977                 else if (type == TLSEXT_TYPE_opaque_prf_input)
978                         {
979                         unsigned char *sdata = data;
980
981                         if (size < 2)
982                                 {
983                                 *al = SSL_AD_DECODE_ERROR;
984                                 return 0;
985                                 }
986                         n2s(sdata, s->s3->server_opaque_prf_input_len);
987                         if (s->s3->server_opaque_prf_input_len != size - 2)
988                                 {
989                                 *al = SSL_AD_DECODE_ERROR;
990                                 return 0;
991                                 }
992                         
993                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
994                                 OPENSSL_free(s->s3->server_opaque_prf_input);
995                         if (s->s3->server_opaque_prf_input_len == 0)
996                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
997                         else
998                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
999
1000                         if (s->s3->server_opaque_prf_input == NULL)
1001                                 {
1002                                 *al = TLS1_AD_INTERNAL_ERROR;
1003                                 return 0;
1004                                 }
1005                         }
1006 #endif
1007                 else if (type == TLSEXT_TYPE_status_request)
1008                         {
1009                         /* MUST be empty and only sent if we've requested
1010                          * a status request message.
1011                          */ 
1012                         if ((s->tlsext_status_type == -1) || (size > 0))
1013                                 {
1014                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1015                                 return 0;
1016                                 }
1017                         /* Set flag to expect CertificateStatus message */
1018                         s->tlsext_status_expected = 1;
1019                         }
1020
1021                 data+=size;             
1022                 }
1023
1024         if (data != d+n)
1025                 {
1026                 *al = SSL_AD_DECODE_ERROR;
1027                 return 0;
1028                 }
1029
1030         if (!s->hit && tlsext_servername == 1)
1031                 {
1032                 if (s->tlsext_hostname)
1033                         {
1034                         if (s->session->tlsext_hostname == NULL)
1035                                 {
1036                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1037                                 if (!s->session->tlsext_hostname)
1038                                         {
1039                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1040                                         return 0;
1041                                         }
1042                                 }
1043                         else 
1044                                 {
1045                                 *al = SSL_AD_DECODE_ERROR;
1046                                 return 0;
1047                                 }
1048                         }
1049                 }
1050
1051         *p = data;
1052         return 1;
1053         }
1054
1055
1056 int ssl_prepare_clienthello_tlsext(SSL *s)
1057         {
1058 #ifndef OPENSSL_NO_EC
1059         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1060          * and elliptic curves we support.
1061          */
1062         int using_ecc = 0;
1063         int i;
1064         unsigned char *j;
1065         unsigned long alg_k, alg_a;
1066         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1067
1068         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1069                 {
1070                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1071
1072                 alg_k = c->algorithm_mkey;
1073                 alg_a = c->algorithm_auth;
1074                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1075                         {
1076                         using_ecc = 1;
1077                         break;
1078                         }
1079                 }
1080         using_ecc = using_ecc && (s->version == TLS1_VERSION);
1081         if (using_ecc)
1082                 {
1083                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1084                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1085                         {
1086                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1087                         return -1;
1088                         }
1089                 s->tlsext_ecpointformatlist_length = 3;
1090                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1091                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1092                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1093
1094                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1095                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1096                 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2;
1097                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1098                         {
1099                         s->tlsext_ellipticcurvelist_length = 0;
1100                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1101                         return -1;
1102                         }
1103                 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <=
1104                                 sizeof(nid_list)/sizeof(nid_list[0]); i++)
1105                         s2n(i,j);
1106                 }
1107 #endif /* OPENSSL_NO_EC */
1108
1109 #ifdef TLSEXT_TYPE_opaque_prf_input
1110         {
1111                 int r = 1;
1112         
1113                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1114                         {
1115                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1116                         if (!r)
1117                                 return -1;
1118                         }
1119
1120                 if (s->tlsext_opaque_prf_input != NULL)
1121                         {
1122                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1123                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1124
1125                         if (s->tlsext_opaque_prf_input_len == 0)
1126                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1127                         else
1128                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1129                         if (s->s3->client_opaque_prf_input == NULL)
1130                                 {
1131                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1132                                 return -1;
1133                                 }
1134                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1135                         }
1136
1137                 if (r == 2)
1138                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1139                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1140         }
1141 #endif
1142
1143         return 1;
1144         }
1145
1146 int ssl_prepare_serverhello_tlsext(SSL *s)
1147         {
1148 #ifndef OPENSSL_NO_EC
1149         /* If we are server and using an ECC cipher suite, send the point formats we support 
1150          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1151          * supposed to send an EllipticCurves extension.
1152          */
1153
1154         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1155         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1156         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1157         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1158         
1159         if (using_ecc)
1160                 {
1161                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1162                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1163                         {
1164                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1165                         return -1;
1166                         }
1167                 s->tlsext_ecpointformatlist_length = 3;
1168                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1169                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1170                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1171                 }
1172 #endif /* OPENSSL_NO_EC */
1173
1174         return 1;
1175         }
1176
1177 int ssl_check_clienthello_tlsext(SSL *s)
1178         {
1179         int ret=SSL_TLSEXT_ERR_NOACK;
1180         int al = SSL_AD_UNRECOGNIZED_NAME;
1181
1182 #ifndef OPENSSL_NO_EC
1183         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1184          * ssl3_choose_cipher in s3_lib.c.
1185          */
1186         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1187          * ssl3_choose_cipher in s3_lib.c.
1188          */
1189 #endif
1190
1191         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1192                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1193         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1194                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1195
1196         /* If status request then ask callback what to do.
1197          * Note: this must be called after servername callbacks in case 
1198          * the certificate has changed.
1199          */
1200         if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
1201                 {
1202                 int r;
1203                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1204                 switch (r)
1205                         {
1206                         /* We don't want to send a status request response */
1207                         case SSL_TLSEXT_ERR_NOACK:
1208                                 s->tlsext_status_expected = 0;
1209                                 break;
1210                         /* status request response should be sent */
1211                         case SSL_TLSEXT_ERR_OK:
1212                                 if (s->tlsext_ocsp_resp)
1213                                         s->tlsext_status_expected = 1;
1214                                 else
1215                                         s->tlsext_status_expected = 0;
1216                                 break;
1217                         /* something bad happened */
1218                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1219                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1220                                 al = SSL_AD_INTERNAL_ERROR;
1221                                 goto err;
1222                         }
1223                 }
1224         else
1225                 s->tlsext_status_expected = 0;
1226
1227 #ifdef TLSEXT_TYPE_opaque_prf_input
1228         {
1229                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1230                  * but we might be sending an alert in response to the client hello,
1231                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1232
1233                 int r = 1;
1234         
1235                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1236                         {
1237                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1238                         if (!r)
1239                                 {
1240                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1241                                 al = SSL_AD_INTERNAL_ERROR;
1242                                 goto err;
1243                                 }
1244                         }
1245
1246                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1247                         OPENSSL_free(s->s3->server_opaque_prf_input);
1248                 s->s3->server_opaque_prf_input = NULL;
1249
1250                 if (s->tlsext_opaque_prf_input != NULL)
1251                         {
1252                         if (s->s3->client_opaque_prf_input != NULL &&
1253                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1254                                 {
1255                                 /* can only use this extension if we have a server opaque PRF input
1256                                  * of the same length as the client opaque PRF input! */
1257
1258                                 if (s->tlsext_opaque_prf_input_len == 0)
1259                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1260                                 else
1261                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1262                                 if (s->s3->server_opaque_prf_input == NULL)
1263                                         {
1264                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1265                                         al = SSL_AD_INTERNAL_ERROR;
1266                                         goto err;
1267                                         }
1268                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1269                                 }
1270                         }
1271
1272                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1273                         {
1274                         /* The callback wants to enforce use of the extension,
1275                          * but we can't do that with the client opaque PRF input;
1276                          * abort the handshake.
1277                          */
1278                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1279                         al = SSL_AD_HANDSHAKE_FAILURE;
1280                         }
1281         }
1282
1283 #endif
1284  err:
1285         switch (ret)
1286                 {
1287                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1288                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1289                         return -1;
1290
1291                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1292                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1293                         return 1; 
1294                                         
1295                 case SSL_TLSEXT_ERR_NOACK:
1296                         s->servername_done=0;
1297                         default:
1298                 return 1;
1299                 }
1300         }
1301
1302 int ssl_check_serverhello_tlsext(SSL *s)
1303         {
1304         int ret=SSL_TLSEXT_ERR_NOACK;
1305         int al = SSL_AD_UNRECOGNIZED_NAME;
1306
1307 #ifndef OPENSSL_NO_EC
1308         /* If we are client and using an elliptic curve cryptography cipher suite, then server
1309          * must return a an EC point formats lists containing uncompressed.
1310          */
1311         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1312         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1313         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1314             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1315                 {
1316                 /* we are using an ECC cipher */
1317                 size_t i;
1318                 unsigned char *list;
1319                 int found_uncompressed = 0;
1320                 if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0))
1321                         {
1322                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1323                         return -1;
1324                         }
1325                 list = s->session->tlsext_ecpointformatlist;
1326                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1327                         {
1328                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1329                                 {
1330                                 found_uncompressed = 1;
1331                                 break;
1332                                 }
1333                         }
1334                 if (!found_uncompressed)
1335                         {
1336                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1337                         return -1;
1338                         }
1339                 }
1340         ret = SSL_TLSEXT_ERR_OK;
1341 #endif /* OPENSSL_NO_EC */
1342
1343         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1344                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1345         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1346                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1347
1348 #ifdef TLSEXT_TYPE_opaque_prf_input
1349         if (s->s3->server_opaque_prf_input_len > 0)
1350                 {
1351                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1352                  * So first verify that we really have a value from the server too. */
1353
1354                 if (s->s3->server_opaque_prf_input == NULL)
1355                         {
1356                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1357                         al = SSL_AD_HANDSHAKE_FAILURE;
1358                         }
1359                 
1360                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1361                  * that we have a client opaque PRF input of the same size. */
1362                 if (s->s3->client_opaque_prf_input == NULL ||
1363                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1364                         {
1365                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1366                         al = SSL_AD_ILLEGAL_PARAMETER;
1367                         }
1368                 }
1369 #endif
1370
1371         /* If we've requested certificate status and we wont get one
1372          * tell the callback
1373          */
1374         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1375                         && s->ctx->tlsext_status_cb)
1376                 {
1377                 int r;
1378                 /* Set resp to NULL, resplen to -1 so callback knows
1379                  * there is no response.
1380                  */
1381                 if (s->tlsext_ocsp_resp)
1382                         {
1383                         OPENSSL_free(s->tlsext_ocsp_resp);
1384                         s->tlsext_ocsp_resp = NULL;
1385                         }
1386                 s->tlsext_ocsp_resplen = -1;
1387                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1388                 if (r == 0)
1389                         {
1390                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1391                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1392                         }
1393                 if (r < 0)
1394                         {
1395                         al = SSL_AD_INTERNAL_ERROR;
1396                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1397                         }
1398                 }
1399
1400         switch (ret)
1401                 {
1402                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1403                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1404                         return -1;
1405
1406                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1407                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1408                         return 1; 
1409                                         
1410                 case SSL_TLSEXT_ERR_NOACK:
1411                         s->servername_done=0;
1412                         default:
1413                 return 1;
1414                 }
1415         }
1416
1417 /* Since the server cache lookup is done early on in the processing of client
1418  * hello and other operations depend on the result we need to handle any TLS
1419  * session ticket extension at the same time.
1420  */
1421
1422 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1423                                 const unsigned char *limit, SSL_SESSION **ret)
1424         {
1425         /* Point after session ID in client hello */
1426         const unsigned char *p = session_id + len;
1427         unsigned short i;
1428
1429         /* If tickets disabled behave as if no ticket present
1430          * to permit stateful resumption.
1431          */
1432         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1433                 return 1;
1434
1435         if ((s->version <= SSL3_VERSION) || !limit)
1436                 return 1;
1437         if (p >= limit)
1438                 return -1;
1439         /* Skip past cipher list */
1440         n2s(p, i);
1441         p+= i;
1442         if (p >= limit)
1443                 return -1;
1444         /* Skip past compression algorithm list */
1445         i = *(p++);
1446         p += i;
1447         if (p > limit)
1448                 return -1;
1449         /* Now at start of extensions */
1450         if ((p + 2) >= limit)
1451                 return 1;
1452         n2s(p, i);
1453         while ((p + 4) <= limit)
1454                 {
1455                 unsigned short type, size;
1456                 n2s(p, type);
1457                 n2s(p, size);
1458                 if (p + size > limit)
1459                         return 1;
1460                 if (type == TLSEXT_TYPE_session_ticket)
1461                         {
1462                         /* If tickets disabled indicate cache miss which will
1463                          * trigger a full handshake
1464                          */
1465                         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1466                                 return 1;
1467                         /* If zero length note client will accept a ticket
1468                          * and indicate cache miss to trigger full handshake
1469                          */
1470                         if (size == 0)
1471                                 {
1472                                 s->tlsext_ticket_expected = 1;
1473                                 return 0;       /* Cache miss */
1474                                 }
1475                         if (s->tls_session_secret_cb)
1476                                 {
1477                                 /* Indicate cache miss here and instead of
1478                                  * generating the session from ticket now,
1479                                  * trigger abbreviated handshake based on
1480                                  * external mechanism to calculate the master
1481                                  * secret later. */
1482                                 return 0;
1483                                 }
1484                         return tls_decrypt_ticket(s, p, size, session_id, len,
1485                                                                         ret);
1486                         }
1487                 p += size;
1488                 }
1489         return 1;
1490         }
1491
1492 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1493                                 const unsigned char *sess_id, int sesslen,
1494                                 SSL_SESSION **psess)
1495         {
1496         SSL_SESSION *sess;
1497         unsigned char *sdec;
1498         const unsigned char *p;
1499         int slen, mlen, renew_ticket = 0;
1500         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
1501         HMAC_CTX hctx;
1502         EVP_CIPHER_CTX ctx;
1503         /* Need at least keyname + iv + some encrypted data */
1504         if (eticklen < 48)
1505                 goto tickerr;
1506         /* Initialize session ticket encryption and HMAC contexts */
1507         HMAC_CTX_init(&hctx);
1508         EVP_CIPHER_CTX_init(&ctx);
1509         if (s->ctx->tlsext_ticket_key_cb)
1510                 {
1511                 unsigned char *nctick = (unsigned char *)etick;
1512                 int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
1513                                                         &ctx, &hctx, 0);
1514                 if (rv < 0)
1515                         return -1;
1516                 if (rv == 0)
1517                         goto tickerr;
1518                 if (rv == 2)
1519                         renew_ticket = 1;
1520                 }
1521         else
1522                 {
1523                 /* Check key name matches */
1524                 if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
1525                         goto tickerr;
1526                 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
1527                                         tlsext_tick_md(), NULL);
1528                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1529                                 s->ctx->tlsext_tick_aes_key, etick + 16);
1530                 }
1531         /* Attempt to process session ticket, first conduct sanity and
1532          * integrity checks on ticket.
1533          */
1534         mlen = HMAC_size(&hctx);
1535         if (mlen < 0)
1536                 {
1537                 EVP_CIPHER_CTX_cleanup(&ctx);
1538                 return -1;
1539                 }
1540         eticklen -= mlen;
1541         /* Check HMAC of encrypted ticket */
1542         HMAC_Update(&hctx, etick, eticklen);
1543         HMAC_Final(&hctx, tick_hmac, NULL);
1544         HMAC_CTX_cleanup(&hctx);
1545         if (memcmp(tick_hmac, etick + eticklen, mlen))
1546                 goto tickerr;
1547         /* Attempt to decrypt session data */
1548         /* Move p after IV to start of encrypted ticket, update length */
1549         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1550         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
1551         sdec = OPENSSL_malloc(eticklen);
1552         if (!sdec)
1553                 {
1554                 EVP_CIPHER_CTX_cleanup(&ctx);
1555                 return -1;
1556                 }
1557         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1558         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1559                 goto tickerr;
1560         slen += mlen;
1561         EVP_CIPHER_CTX_cleanup(&ctx);
1562         p = sdec;
1563                 
1564         sess = d2i_SSL_SESSION(NULL, &p, slen);
1565         OPENSSL_free(sdec);
1566         if (sess)
1567                 {
1568                 /* The session ID if non-empty is used by some clients to
1569                  * detect that the ticket has been accepted. So we copy it to
1570                  * the session structure. If it is empty set length to zero
1571                  * as required by standard.
1572                  */
1573                 if (sesslen)
1574                         memcpy(sess->session_id, sess_id, sesslen);
1575                 sess->session_id_length = sesslen;
1576                 *psess = sess;
1577                 s->tlsext_ticket_expected = renew_ticket;
1578                 return 1;
1579                 }
1580         /* If session decrypt failure indicate a cache miss and set state to
1581          * send a new ticket
1582          */
1583         tickerr:        
1584         s->tlsext_ticket_expected = 1;
1585         return 0;
1586         }
1587
1588 #endif