Add callbacks supporting generation and retrieval of supplemental data entries, facil...
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext_early(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         0,
144         SSL3_HM_HEADER_LENGTH,
145         ssl3_set_handshake_header,
146         ssl3_handshake_write
147         };
148
149 SSL3_ENC_METHOD TLSv1_1_enc_data={
150         tls1_enc,
151         tls1_mac,
152         tls1_setup_key_block,
153         tls1_generate_master_secret,
154         tls1_change_cipher_state,
155         tls1_final_finish_mac,
156         TLS1_FINISH_MAC_LENGTH,
157         tls1_cert_verify_mac,
158         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
159         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
160         tls1_alert_code,
161         tls1_export_keying_material,
162         SSL_ENC_FLAG_EXPLICIT_IV,
163         SSL3_HM_HEADER_LENGTH,
164         ssl3_set_handshake_header,
165         ssl3_handshake_write
166         };
167
168 SSL3_ENC_METHOD TLSv1_2_enc_data={
169         tls1_enc,
170         tls1_mac,
171         tls1_setup_key_block,
172         tls1_generate_master_secret,
173         tls1_change_cipher_state,
174         tls1_final_finish_mac,
175         TLS1_FINISH_MAC_LENGTH,
176         tls1_cert_verify_mac,
177         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
178         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
179         tls1_alert_code,
180         tls1_export_keying_material,
181         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
182                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
183         SSL3_HM_HEADER_LENGTH,
184         ssl3_set_handshake_header,
185         ssl3_handshake_write
186         };
187
188 long tls1_default_timeout(void)
189         {
190         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
191          * is way too long for http, the cache would over fill */
192         return(60*60*2);
193         }
194
195 int tls1_new(SSL *s)
196         {
197         if (!ssl3_new(s)) return(0);
198         s->method->ssl_clear(s);
199         return(1);
200         }
201
202 void tls1_free(SSL *s)
203         {
204 #ifndef OPENSSL_NO_TLSEXT
205         if (s->tlsext_session_ticket)
206                 {
207                 OPENSSL_free(s->tlsext_session_ticket);
208                 }
209 #endif /* OPENSSL_NO_TLSEXT */
210         ssl3_free(s);
211         }
212
213 void tls1_clear(SSL *s)
214         {
215         ssl3_clear(s);
216         s->version = s->method->version;
217         }
218
219 #ifndef OPENSSL_NO_EC
220
221 static int nid_list[] =
222         {
223                 NID_sect163k1, /* sect163k1 (1) */
224                 NID_sect163r1, /* sect163r1 (2) */
225                 NID_sect163r2, /* sect163r2 (3) */
226                 NID_sect193r1, /* sect193r1 (4) */ 
227                 NID_sect193r2, /* sect193r2 (5) */ 
228                 NID_sect233k1, /* sect233k1 (6) */
229                 NID_sect233r1, /* sect233r1 (7) */ 
230                 NID_sect239k1, /* sect239k1 (8) */ 
231                 NID_sect283k1, /* sect283k1 (9) */
232                 NID_sect283r1, /* sect283r1 (10) */ 
233                 NID_sect409k1, /* sect409k1 (11) */ 
234                 NID_sect409r1, /* sect409r1 (12) */
235                 NID_sect571k1, /* sect571k1 (13) */ 
236                 NID_sect571r1, /* sect571r1 (14) */ 
237                 NID_secp160k1, /* secp160k1 (15) */
238                 NID_secp160r1, /* secp160r1 (16) */ 
239                 NID_secp160r2, /* secp160r2 (17) */ 
240                 NID_secp192k1, /* secp192k1 (18) */
241                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
242                 NID_secp224k1, /* secp224k1 (20) */ 
243                 NID_secp224r1, /* secp224r1 (21) */
244                 NID_secp256k1, /* secp256k1 (22) */ 
245                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
246                 NID_secp384r1, /* secp384r1 (24) */
247                 NID_secp521r1  /* secp521r1 (25) */     
248         };
249
250
251 static const unsigned char ecformats_default[] = 
252         {
253         TLSEXT_ECPOINTFORMAT_uncompressed,
254         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
255         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
256         };
257
258 static const unsigned char eccurves_default[] =
259         {
260                 0,14, /* sect571r1 (14) */ 
261                 0,13, /* sect571k1 (13) */ 
262                 0,25, /* secp521r1 (25) */      
263                 0,11, /* sect409k1 (11) */ 
264                 0,12, /* sect409r1 (12) */
265                 0,24, /* secp384r1 (24) */
266                 0,9,  /* sect283k1 (9) */
267                 0,10, /* sect283r1 (10) */ 
268                 0,22, /* secp256k1 (22) */ 
269                 0,23, /* secp256r1 (23) */ 
270                 0,8,  /* sect239k1 (8) */ 
271                 0,6,  /* sect233k1 (6) */
272                 0,7,  /* sect233r1 (7) */ 
273                 0,20, /* secp224k1 (20) */ 
274                 0,21, /* secp224r1 (21) */
275                 0,4,  /* sect193r1 (4) */ 
276                 0,5,  /* sect193r2 (5) */ 
277                 0,18, /* secp192k1 (18) */
278                 0,19, /* secp192r1 (19) */ 
279                 0,1,  /* sect163k1 (1) */
280                 0,2,  /* sect163r1 (2) */
281                 0,3,  /* sect163r2 (3) */
282                 0,15, /* secp160k1 (15) */
283                 0,16, /* secp160r1 (16) */ 
284                 0,17, /* secp160r2 (17) */ 
285         };
286
287 static const unsigned char suiteb_curves[] =
288         {
289                 0, TLSEXT_curve_P_256,
290                 0, TLSEXT_curve_P_384
291         };
292
293 int tls1_ec_curve_id2nid(int curve_id)
294         {
295         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
296         if ((curve_id < 1) || ((unsigned int)curve_id >
297                                 sizeof(nid_list)/sizeof(nid_list[0])))
298                 return 0;
299         return nid_list[curve_id-1];
300         }
301
302 int tls1_ec_nid2curve_id(int nid)
303         {
304         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
305         switch (nid)
306                 {
307         case NID_sect163k1: /* sect163k1 (1) */
308                 return 1;
309         case NID_sect163r1: /* sect163r1 (2) */
310                 return 2;
311         case NID_sect163r2: /* sect163r2 (3) */
312                 return 3;
313         case NID_sect193r1: /* sect193r1 (4) */ 
314                 return 4;
315         case NID_sect193r2: /* sect193r2 (5) */ 
316                 return 5;
317         case NID_sect233k1: /* sect233k1 (6) */
318                 return 6;
319         case NID_sect233r1: /* sect233r1 (7) */ 
320                 return 7;
321         case NID_sect239k1: /* sect239k1 (8) */ 
322                 return 8;
323         case NID_sect283k1: /* sect283k1 (9) */
324                 return 9;
325         case NID_sect283r1: /* sect283r1 (10) */ 
326                 return 10;
327         case NID_sect409k1: /* sect409k1 (11) */ 
328                 return 11;
329         case NID_sect409r1: /* sect409r1 (12) */
330                 return 12;
331         case NID_sect571k1: /* sect571k1 (13) */ 
332                 return 13;
333         case NID_sect571r1: /* sect571r1 (14) */ 
334                 return 14;
335         case NID_secp160k1: /* secp160k1 (15) */
336                 return 15;
337         case NID_secp160r1: /* secp160r1 (16) */ 
338                 return 16;
339         case NID_secp160r2: /* secp160r2 (17) */ 
340                 return 17;
341         case NID_secp192k1: /* secp192k1 (18) */
342                 return 18;
343         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
344                 return 19;
345         case NID_secp224k1: /* secp224k1 (20) */ 
346                 return 20;
347         case NID_secp224r1: /* secp224r1 (21) */
348                 return 21;
349         case NID_secp256k1: /* secp256k1 (22) */ 
350                 return 22;
351         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
352                 return 23;
353         case NID_secp384r1: /* secp384r1 (24) */
354                 return 24;
355         case NID_secp521r1:  /* secp521r1 (25) */       
356                 return 25;
357         default:
358                 return 0;
359                 }
360         }
361 /* Get curves list, if "sess" is set return client curves otherwise
362  * preferred list
363  */
364 static void tls1_get_curvelist(SSL *s, int sess,
365                                         const unsigned char **pcurves,
366                                         size_t *pcurveslen)
367         {
368         if (sess)
369                 {
370                 *pcurves = s->session->tlsext_ellipticcurvelist;
371                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
372                 return;
373                 }
374         /* For Suite B mode only include P-256, P-384 */
375         switch (tls1_suiteb(s))
376                 {
377         case SSL_CERT_FLAG_SUITEB_128_LOS:
378                 *pcurves = suiteb_curves;
379                 *pcurveslen = sizeof(suiteb_curves);
380                 break;
381
382         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
383                 *pcurves = suiteb_curves;
384                 *pcurveslen = 2;
385                 break;
386
387         case SSL_CERT_FLAG_SUITEB_192_LOS:
388                 *pcurves = suiteb_curves + 2;
389                 *pcurveslen = 2;
390                 break;
391         default:
392                 *pcurves = s->tlsext_ellipticcurvelist;
393                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
394                 }
395         if (!*pcurves)
396                 {
397                 *pcurves = eccurves_default;
398                 *pcurveslen = sizeof(eccurves_default);
399                 }
400         }
401 /* Check a curve is one of our preferences */
402 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
403         {
404         const unsigned char *curves;
405         size_t curveslen, i;
406         unsigned int suiteb_flags = tls1_suiteb(s);
407         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
408                 return 0;
409         /* Check curve matches Suite B preferences */
410         if (suiteb_flags)
411                 {
412                 unsigned long cid = s->s3->tmp.new_cipher->id;
413                 if (p[1])
414                         return 0;
415                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
416                         {
417                         if (p[2] != TLSEXT_curve_P_256)
418                                 return 0;
419                         }
420                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
421                         {
422                         if (p[2] != TLSEXT_curve_P_384)
423                                 return 0;
424                         }
425                 else    /* Should never happen */
426                         return 0;
427                 }
428         tls1_get_curvelist(s, 0, &curves, &curveslen);
429         for (i = 0; i < curveslen; i += 2, curves += 2)
430                 {
431                 if (p[1] == curves[0] && p[2] == curves[1])
432                         return 1;
433                 }
434         return 0;
435         }
436
437 /* Return nth shared curve. If nmatch == -1 return number of
438  * matches. For nmatch == -2 return the NID of the curve to use for
439  * an EC tmp key.
440  */
441
442 int tls1_shared_curve(SSL *s, int nmatch)
443         {
444         const unsigned char *pref, *supp;
445         size_t preflen, supplen, i, j;
446         int k;
447         /* Can't do anything on client side */
448         if (s->server == 0)
449                 return -1;
450         if (nmatch == -2)
451                 {
452                 if (tls1_suiteb(s))
453                         {
454                         /* For Suite B ciphersuite determines curve: we 
455                          * already know these are acceptable due to previous
456                          * checks.
457                          */
458                         unsigned long cid = s->s3->tmp.new_cipher->id;
459                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
460                                 return NID_X9_62_prime256v1; /* P-256 */
461                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
462                                 return NID_secp384r1; /* P-384 */
463                         /* Should never happen */
464                         return NID_undef;
465                         }
466                 /* If not Suite B just return first preference shared curve */
467                 nmatch = 0;
468                 }
469         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
470                                 &supp, &supplen);
471         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
472                                 &pref, &preflen);
473         preflen /= 2;
474         supplen /= 2;
475         k = 0;
476         for (i = 0; i < preflen; i++, pref+=2)
477                 {
478                 const unsigned char *tsupp = supp;
479                 for (j = 0; j < supplen; j++, tsupp+=2)
480                         {
481                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
482                                 {
483                                 if (nmatch == k)
484                                         {
485                                         int id = (pref[0] << 8) | pref[1];
486                                         return tls1_ec_curve_id2nid(id);
487                                         }
488                                 k++;
489                                 }
490                         }
491                 }
492         if (nmatch == -1)
493                 return k;
494         return 0;
495         }
496
497 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
498                         int *curves, size_t ncurves)
499         {
500         unsigned char *clist, *p;
501         size_t i;
502         /* Bitmap of curves included to detect duplicates: only works
503          * while curve ids < 32 
504          */
505         unsigned long dup_list = 0;
506         clist = OPENSSL_malloc(ncurves * 2);
507         if (!clist)
508                 return 0;
509         for (i = 0, p = clist; i < ncurves; i++)
510                 {
511                 unsigned long idmask;
512                 int id;
513                 id = tls1_ec_nid2curve_id(curves[i]);
514                 idmask = 1L << id;
515                 if (!id || (dup_list & idmask))
516                         {
517                         OPENSSL_free(clist);
518                         return 0;
519                         }
520                 dup_list |= idmask;
521                 s2n(id, p);
522                 }
523         if (*pext)
524                 OPENSSL_free(*pext);
525         *pext = clist;
526         *pextlen = ncurves * 2;
527         return 1;
528         }
529
530 #define MAX_CURVELIST   25
531
532 typedef struct
533         {
534         size_t nidcnt;
535         int nid_arr[MAX_CURVELIST];
536         } nid_cb_st;
537
538 static int nid_cb(const char *elem, int len, void *arg)
539         {
540         nid_cb_st *narg = arg;
541         size_t i;
542         int nid;
543         char etmp[20];
544         if (narg->nidcnt == MAX_CURVELIST)
545                 return 0;
546         if (len > (int)(sizeof(etmp) - 1))
547                 return 0;
548         memcpy(etmp, elem, len);
549         etmp[len] = 0;
550         nid = EC_curve_nist2nid(etmp);
551         if (nid == NID_undef)
552                 nid = OBJ_sn2nid(etmp);
553         if (nid == NID_undef)
554                 nid = OBJ_ln2nid(etmp);
555         if (nid == NID_undef)
556                 return 0;
557         for (i = 0; i < narg->nidcnt; i++)
558                 if (narg->nid_arr[i] == nid)
559                         return 0;
560         narg->nid_arr[narg->nidcnt++] = nid;
561         return 1;
562         }
563 /* Set curves based on a colon separate list */
564 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
565                                 const char *str)
566         {
567         nid_cb_st ncb;
568         ncb.nidcnt = 0;
569         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
570                 return 0;
571         if (pext == NULL)
572                 return 1;
573         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
574         }
575 /* For an EC key set TLS id and required compression based on parameters */
576 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
577                                 EC_KEY *ec)
578         {
579         int is_prime, id;
580         const EC_GROUP *grp;
581         const EC_POINT *pt;
582         const EC_METHOD *meth;
583         if (!ec)
584                 return 0;
585         /* Determine if it is a prime field */
586         grp = EC_KEY_get0_group(ec);
587         pt = EC_KEY_get0_public_key(ec);
588         if (!grp || !pt)
589                 return 0;
590         meth = EC_GROUP_method_of(grp);
591         if (!meth)
592                 return 0;
593         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
594                 is_prime = 1;
595         else
596                 is_prime = 0;
597         /* Determine curve ID */
598         id = EC_GROUP_get_curve_name(grp);
599         id = tls1_ec_nid2curve_id(id);
600         /* If we have an ID set it, otherwise set arbitrary explicit curve */
601         if (id)
602                 {
603                 curve_id[0] = 0;
604                 curve_id[1] = (unsigned char)id;
605                 }
606         else
607                 {
608                 curve_id[0] = 0xff;
609                 if (is_prime)
610                         curve_id[1] = 0x01;
611                 else
612                         curve_id[1] = 0x02;
613                 }
614         if (comp_id)
615                 {
616                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
617                         {
618                         if (is_prime)
619                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
620                         else
621                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
622                         }
623                 else
624                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
625                 }
626         return 1;
627         }
628 /* Check an EC key is compatible with extensions */
629 static int tls1_check_ec_key(SSL *s,
630                         unsigned char *curve_id, unsigned char *comp_id)
631         {
632         const unsigned char *p;
633         size_t plen, i;
634         int j;
635         /* If point formats extension present check it, otherwise everything
636          * is supported (see RFC4492).
637          */
638         if (comp_id && s->session->tlsext_ecpointformatlist)
639                 {
640                 p = s->session->tlsext_ecpointformatlist;
641                 plen = s->session->tlsext_ecpointformatlist_length;
642                 for (i = 0; i < plen; i++, p++)
643                         {
644                         if (*comp_id == *p)
645                                 break;
646                         }
647                 if (i == plen)
648                         return 0;
649                 }
650         if (!curve_id)
651                 return 1;
652         /* Check curve is consistent with client and server preferences */
653         for (j = 0; j <= 1; j++)
654                 {
655                 tls1_get_curvelist(s, j, &p, &plen);
656                 for (i = 0; i < plen; i+=2, p+=2)
657                         {
658                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
659                                 break;
660                         }
661                 if (i == plen)
662                         return 0;
663                 /* For clients can only check sent curve list */
664                 if (!s->server)
665                         return 1;
666                 }
667         return 1;
668         }
669
670 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
671                                         size_t *pformatslen)
672         {
673         /* If we have a custom point format list use it otherwise
674          * use default */
675         if (s->tlsext_ecpointformatlist)
676                 {
677                 *pformats = s->tlsext_ecpointformatlist;
678                 *pformatslen = s->tlsext_ecpointformatlist_length;
679                 }
680         else
681                 {
682                 *pformats = ecformats_default;
683                 /* For Suite B we don't support char2 fields */
684                 if (tls1_suiteb(s))
685                         *pformatslen = sizeof(ecformats_default) - 1;
686                 else
687                         *pformatslen = sizeof(ecformats_default);
688                 }
689         }
690
691 /* Check cert parameters compatible with extensions: currently just checks
692  * EC certificates have compatible curves and compression.
693  */
694 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
695         {
696         unsigned char comp_id, curve_id[2];
697         EVP_PKEY *pkey;
698         int rv;
699         pkey = X509_get_pubkey(x);
700         if (!pkey)
701                 return 0;
702         /* If not EC nothing to do */
703         if (pkey->type != EVP_PKEY_EC)
704                 {
705                 EVP_PKEY_free(pkey);
706                 return 1;
707                 }
708         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
709         EVP_PKEY_free(pkey);
710         if (!rv)
711                 return 0;
712         /* Can't check curve_id for client certs as we don't have a
713          * supported curves extension.
714          */
715         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
716         if (!rv)
717                 return 0;
718         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
719          * SHA384+P-384, adjust digest if necessary.
720          */
721         if (set_ee_md && tls1_suiteb(s))
722                 {
723                 int check_md;
724                 size_t i;
725                 CERT *c = s->cert;
726                 if (curve_id[0])
727                         return 0;
728                 /* Check to see we have necessary signing algorithm */
729                 if (curve_id[1] == TLSEXT_curve_P_256)
730                         check_md = NID_ecdsa_with_SHA256;
731                 else if (curve_id[1] == TLSEXT_curve_P_384)
732                         check_md = NID_ecdsa_with_SHA384;
733                 else
734                         return 0; /* Should never happen */
735                 for (i = 0; i < c->shared_sigalgslen; i++)
736                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
737                                 break;
738                 if (i == c->shared_sigalgslen)
739                         return 0;
740                 if (set_ee_md == 2)
741                         {
742                         if (check_md == NID_ecdsa_with_SHA256)
743                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
744                         else
745                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
746                         }
747                 }
748         return rv;
749         }
750 /* Check EC temporary key is compatible with client extensions */
751 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
752         {
753         unsigned char curve_id[2];
754         EC_KEY *ec = s->cert->ecdh_tmp;
755 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
756         /* Allow any curve: not just those peer supports */
757         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
758                 return 1;
759 #endif
760         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
761          * no other curves permitted.
762          */
763         if (tls1_suiteb(s))
764                 {
765                 /* Curve to check determined by ciphersuite */
766                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
767                         curve_id[1] = TLSEXT_curve_P_256;
768                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
769                         curve_id[1] = TLSEXT_curve_P_384;
770                 else
771                         return 0;
772                 curve_id[0] = 0;
773                 /* Check this curve is acceptable */
774                 if (!tls1_check_ec_key(s, curve_id, NULL))
775                         return 0;
776                 /* If auto or setting curve from callback assume OK */
777                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
778                         return 1;
779                 /* Otherwise check curve is acceptable */
780                 else 
781                         {
782                         unsigned char curve_tmp[2];
783                         if (!ec)
784                                 return 0;
785                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
786                                 return 0;
787                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
788                                 return 1;
789                         return 0;
790                         }
791                         
792                 }
793         if (s->cert->ecdh_tmp_auto)
794                 {
795                 /* Need a shared curve */
796                 if (tls1_shared_curve(s, 0))
797                         return 1;
798                 else return 0;
799                 }
800         if (!ec)
801                 {
802                 if (s->cert->ecdh_tmp_cb)
803                         return 1;
804                 else
805                         return 0;
806                 }
807         if (!tls1_set_ec_id(curve_id, NULL, ec))
808                 return 0;
809 /* Set this to allow use of invalid curves for testing */
810 #if 0
811         return 1;
812 #else
813         return tls1_check_ec_key(s, curve_id, NULL);
814 #endif
815         }
816
817 #else
818
819 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
820         {
821         return 1;
822         }
823
824 #endif /* OPENSSL_NO_EC */
825
826 #ifndef OPENSSL_NO_TLSEXT
827
828 /* List of supported signature algorithms and hashes. Should make this
829  * customisable at some point, for now include everything we support.
830  */
831
832 #ifdef OPENSSL_NO_RSA
833 #define tlsext_sigalg_rsa(md) /* */
834 #else
835 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
836 #endif
837
838 #ifdef OPENSSL_NO_DSA
839 #define tlsext_sigalg_dsa(md) /* */
840 #else
841 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
842 #endif
843
844 #ifdef OPENSSL_NO_ECDSA
845 #define tlsext_sigalg_ecdsa(md) /* */
846 #else
847 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
848 #endif
849
850 #define tlsext_sigalg(md) \
851                 tlsext_sigalg_rsa(md) \
852                 tlsext_sigalg_dsa(md) \
853                 tlsext_sigalg_ecdsa(md)
854
855 static unsigned char tls12_sigalgs[] = {
856 #ifndef OPENSSL_NO_SHA512
857         tlsext_sigalg(TLSEXT_hash_sha512)
858         tlsext_sigalg(TLSEXT_hash_sha384)
859 #endif
860 #ifndef OPENSSL_NO_SHA256
861         tlsext_sigalg(TLSEXT_hash_sha256)
862         tlsext_sigalg(TLSEXT_hash_sha224)
863 #endif
864 #ifndef OPENSSL_NO_SHA
865         tlsext_sigalg(TLSEXT_hash_sha1)
866 #endif
867 #ifndef OPENSSL_NO_MD5
868         tlsext_sigalg_rsa(TLSEXT_hash_md5)
869 #endif
870 };
871 #ifndef OPENSSL_NO_ECDSA
872 static unsigned char suiteb_sigalgs[] = {
873         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
874         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
875 };
876 #endif
877 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
878         {
879         /* If Suite B mode use Suite B sigalgs only, ignore any other
880          * preferences.
881          */
882 #ifndef OPENSSL_NO_EC
883         switch (tls1_suiteb(s))
884                 {
885         case SSL_CERT_FLAG_SUITEB_128_LOS:
886                 *psigs = suiteb_sigalgs;
887                 return sizeof(suiteb_sigalgs);
888
889         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
890                 *psigs = suiteb_sigalgs;
891                 return 2;
892
893         case SSL_CERT_FLAG_SUITEB_192_LOS:
894                 *psigs = suiteb_sigalgs + 2;
895                 return 2;
896                 }
897 #endif
898         /* If server use client authentication sigalgs if not NULL */
899         if (s->server && s->cert->client_sigalgs)
900                 {
901                 *psigs = s->cert->client_sigalgs;
902                 return s->cert->client_sigalgslen;
903                 }
904         else if (s->cert->conf_sigalgs)
905                 {
906                 *psigs = s->cert->conf_sigalgs;
907                 return s->cert->conf_sigalgslen;
908                 }
909         else
910                 {
911                 *psigs = tls12_sigalgs;
912 #ifdef OPENSSL_FIPS
913                 /* If FIPS mode don't include MD5 which is last */
914                 if (FIPS_mode())
915                         return sizeof(tls12_sigalgs) - 2;
916                 else
917 #endif
918                         return sizeof(tls12_sigalgs);
919                 }
920         }
921 /* Check signature algorithm is consistent with sent supported signature
922  * algorithms and if so return relevant digest.
923  */
924 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
925                                 const unsigned char *sig, EVP_PKEY *pkey)
926         {
927         const unsigned char *sent_sigs;
928         size_t sent_sigslen, i;
929         int sigalg = tls12_get_sigid(pkey);
930         /* Should never happen */
931         if (sigalg == -1)
932                 return -1;
933         /* Check key type is consistent with signature */
934         if (sigalg != (int)sig[1])
935                 {
936                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
937                 return 0;
938                 }
939 #ifndef OPENSSL_NO_EC
940         if (pkey->type == EVP_PKEY_EC)
941                 {
942                 unsigned char curve_id[2], comp_id;
943                 /* Check compression and curve matches extensions */
944                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
945                         return 0;
946                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
947                         {
948                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
949                         return 0;
950                         }
951                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
952                 if (tls1_suiteb(s))
953                         {
954                         if (curve_id[0])
955                                 return 0;
956                         if (curve_id[1] == TLSEXT_curve_P_256)
957                                 {
958                                 if (sig[0] != TLSEXT_hash_sha256)
959                                         {
960                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
961                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
962                                         return 0;
963                                         }
964                                 }
965                         else if (curve_id[1] == TLSEXT_curve_P_384)
966                                 {
967                                 if (sig[0] != TLSEXT_hash_sha384)
968                                         {
969                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
970                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
971                                         return 0;
972                                         }
973                                 }
974                         else
975                                 return 0;
976                         }
977                 }
978         else if (tls1_suiteb(s))
979                 return 0;
980 #endif
981
982         /* Check signature matches a type we sent */
983         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
984         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
985                 {
986                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
987                         break;
988                 }
989         /* Allow fallback to SHA1 if not strict mode */
990         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
991                 {
992                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
993                 return 0;
994                 }
995         *pmd = tls12_get_hash(sig[0]);
996         if (*pmd == NULL)
997                 {
998                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
999                 return 0;
1000                 }
1001         /* Store the digest used so applications can retrieve it if they
1002          * wish.
1003          */
1004         if (s->session && s->session->sess_cert)
1005                 s->session->sess_cert->peer_key->digest = *pmd;
1006         return 1;
1007         }
1008 /* Get a mask of disabled algorithms: an algorithm is disabled
1009  * if it isn't supported or doesn't appear in supported signature
1010  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1011  * session and not global settings.
1012  * 
1013  */
1014 void ssl_set_client_disabled(SSL *s)
1015         {
1016         CERT *c = s->cert;
1017         const unsigned char *sigalgs;
1018         size_t i, sigalgslen;
1019         int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1020         c->mask_a = 0;
1021         c->mask_k = 0;
1022         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1023         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1024                 c->mask_ssl = SSL_TLSV1_2;
1025         else
1026                 c->mask_ssl = 0;
1027         /* Now go through all signature algorithms seeing if we support
1028          * any for RSA, DSA, ECDSA. Do this for all versions not just
1029          * TLS 1.2.
1030          */
1031         sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1032         for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1033                 {
1034                 switch(sigalgs[1])
1035                         {
1036 #ifndef OPENSSL_NO_RSA
1037                 case TLSEXT_signature_rsa:
1038                         have_rsa = 1;
1039                         break;
1040 #endif
1041 #ifndef OPENSSL_NO_DSA
1042                 case TLSEXT_signature_dsa:
1043                         have_dsa = 1;
1044                         break;
1045 #endif
1046 #ifndef OPENSSL_NO_ECDSA
1047                 case TLSEXT_signature_ecdsa:
1048                         have_ecdsa = 1;
1049                         break;
1050 #endif
1051                         }
1052                 }
1053         /* Disable auth and static DH if we don't include any appropriate
1054          * signature algorithms.
1055          */
1056         if (!have_rsa)
1057                 {
1058                 c->mask_a |= SSL_aRSA;
1059                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1060                 }
1061         if (!have_dsa)
1062                 {
1063                 c->mask_a |= SSL_aDSS;
1064                 c->mask_k |= SSL_kDHd;
1065                 }
1066         if (!have_ecdsa)
1067                 {
1068                 c->mask_a |= SSL_aECDSA;
1069                 c->mask_k |= SSL_kECDHe;
1070                 }
1071 #ifndef OPENSSL_NO_KRB5
1072         if (!kssl_tgt_is_available(s->kssl_ctx))
1073                 {
1074                 c->mask_a |= SSL_aKRB5;
1075                 c->mask_k |= SSL_kKRB5;
1076                 }
1077 #endif
1078 #ifndef OPENSSL_NO_PSK
1079         /* with PSK there must be client callback set */
1080         if (!s->psk_client_callback)
1081                 {
1082                 c->mask_a |= SSL_aPSK;
1083                 c->mask_k |= SSL_kPSK;
1084                 }
1085 #endif /* OPENSSL_NO_PSK */
1086         c->valid = 1;
1087         }
1088
1089 /* byte_compare is a compare function for qsort(3) that compares bytes. */
1090 static int byte_compare(const void *in_a, const void *in_b)
1091         {
1092         unsigned char a = *((const unsigned char*) in_a);
1093         unsigned char b = *((const unsigned char*) in_b);
1094
1095         if (a > b)
1096                 return 1;
1097         else if (a < b)
1098                 return -1;
1099         return 0;
1100 }
1101
1102 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1103         {
1104         int extdatalen=0;
1105         unsigned char *ret = p;
1106 #ifndef OPENSSL_NO_EC
1107         /* See if we support any ECC ciphersuites */
1108         int using_ecc = 0;
1109         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1110                 {
1111                 int i;
1112                 unsigned long alg_k, alg_a;
1113                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1114
1115                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1116                         {
1117                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1118
1119                         alg_k = c->algorithm_mkey;
1120                         alg_a = c->algorithm_auth;
1121                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1122                                 || (alg_a & SSL_aECDSA)))
1123                                 {
1124                                 using_ecc = 1;
1125                                 break;
1126                                 }
1127                         }
1128                 }
1129 #endif
1130
1131         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1132         if (s->client_version == SSL3_VERSION
1133                                         && !s->s3->send_connection_binding)
1134                 return p;
1135
1136         ret+=2;
1137
1138         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1139
1140         if (s->tlsext_hostname != NULL)
1141                 { 
1142                 /* Add TLS extension servername to the Client Hello message */
1143                 unsigned long size_str;
1144                 long lenmax; 
1145
1146                 /* check for enough space.
1147                    4 for the servername type and entension length
1148                    2 for servernamelist length
1149                    1 for the hostname type
1150                    2 for hostname length
1151                    + hostname length 
1152                 */
1153                    
1154                 if ((lenmax = limit - ret - 9) < 0 
1155                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1156                         return NULL;
1157                         
1158                 /* extension type and length */
1159                 s2n(TLSEXT_TYPE_server_name,ret); 
1160                 s2n(size_str+5,ret);
1161                 
1162                 /* length of servername list */
1163                 s2n(size_str+3,ret);
1164         
1165                 /* hostname type, length and hostname */
1166                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1167                 s2n(size_str,ret);
1168                 memcpy(ret, s->tlsext_hostname, size_str);
1169                 ret+=size_str;
1170                 }
1171
1172         /* Add RI if renegotiating */
1173         if (s->renegotiate)
1174           {
1175           int el;
1176           
1177           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1178               {
1179               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1180               return NULL;
1181               }
1182
1183           if((limit - p - 4 - el) < 0) return NULL;
1184           
1185           s2n(TLSEXT_TYPE_renegotiate,ret);
1186           s2n(el,ret);
1187
1188           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1189               {
1190               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1191               return NULL;
1192               }
1193
1194           ret += el;
1195         }
1196
1197 #ifndef OPENSSL_NO_SRP
1198         /* Add SRP username if there is one */
1199         if (s->srp_ctx.login != NULL)
1200                 { /* Add TLS extension SRP username to the Client Hello message */
1201
1202                 int login_len = strlen(s->srp_ctx.login);       
1203                 if (login_len > 255 || login_len == 0)
1204                         {
1205                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1206                         return NULL;
1207                         } 
1208
1209                 /* check for enough space.
1210                    4 for the srp type type and entension length
1211                    1 for the srp user identity
1212                    + srp user identity length 
1213                 */
1214                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1215
1216                 /* fill in the extension */
1217                 s2n(TLSEXT_TYPE_srp,ret);
1218                 s2n(login_len+1,ret);
1219                 (*ret++) = (unsigned char) login_len;
1220                 memcpy(ret, s->srp_ctx.login, login_len);
1221                 ret+=login_len;
1222                 }
1223 #endif
1224
1225 #ifndef OPENSSL_NO_EC
1226         if (using_ecc)
1227                 {
1228                 /* Add TLS extension ECPointFormats to the ClientHello message */
1229                 long lenmax; 
1230                 const unsigned char *plist;
1231                 size_t plistlen;
1232
1233                 tls1_get_formatlist(s, &plist, &plistlen);
1234
1235                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1236                 if (plistlen > (size_t)lenmax) return NULL;
1237                 if (plistlen > 255)
1238                         {
1239                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1240                         return NULL;
1241                         }
1242                 
1243                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1244                 s2n(plistlen + 1,ret);
1245                 *(ret++) = (unsigned char)plistlen ;
1246                 memcpy(ret, plist, plistlen);
1247                 ret+=plistlen;
1248
1249                 /* Add TLS extension EllipticCurves to the ClientHello message */
1250                 plist = s->tlsext_ellipticcurvelist;
1251                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1252
1253                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1254                 if (plistlen > (size_t)lenmax) return NULL;
1255                 if (plistlen > 65532)
1256                         {
1257                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1258                         return NULL;
1259                         }
1260                 
1261                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1262                 s2n(plistlen + 2, ret);
1263
1264                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1265                  * elliptic_curve_list, but the examples use two bytes.
1266                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1267                  * resolves this to two bytes.
1268                  */
1269                 s2n(plistlen, ret);
1270                 memcpy(ret, plist, plistlen);
1271                 ret+=plistlen;
1272                 }
1273 #endif /* OPENSSL_NO_EC */
1274
1275         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1276                 {
1277                 int ticklen;
1278                 if (!s->new_session && s->session && s->session->tlsext_tick)
1279                         ticklen = s->session->tlsext_ticklen;
1280                 else if (s->session && s->tlsext_session_ticket &&
1281                          s->tlsext_session_ticket->data)
1282                         {
1283                         ticklen = s->tlsext_session_ticket->length;
1284                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1285                         if (!s->session->tlsext_tick)
1286                                 return NULL;
1287                         memcpy(s->session->tlsext_tick,
1288                                s->tlsext_session_ticket->data,
1289                                ticklen);
1290                         s->session->tlsext_ticklen = ticklen;
1291                         }
1292                 else
1293                         ticklen = 0;
1294                 if (ticklen == 0 && s->tlsext_session_ticket &&
1295                     s->tlsext_session_ticket->data == NULL)
1296                         goto skip_ext;
1297                 /* Check for enough room 2 for extension type, 2 for len
1298                  * rest for ticket
1299                  */
1300                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1301                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1302                 s2n(ticklen,ret);
1303                 if (ticklen)
1304                         {
1305                         memcpy(ret, s->session->tlsext_tick, ticklen);
1306                         ret += ticklen;
1307                         }
1308                 }
1309                 skip_ext:
1310
1311         if (SSL_USE_SIGALGS(s))
1312                 {
1313                 size_t salglen;
1314                 const unsigned char *salg;
1315                 salglen = tls12_get_psigalgs(s, &salg);
1316                 if ((size_t)(limit - ret) < salglen + 6)
1317                         return NULL; 
1318                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1319                 s2n(salglen + 2, ret);
1320                 s2n(salglen, ret);
1321                 memcpy(ret, salg, salglen);
1322                 ret += salglen;
1323                 }
1324
1325 #ifdef TLSEXT_TYPE_opaque_prf_input
1326         if (s->s3->client_opaque_prf_input != NULL)
1327                 {
1328                 size_t col = s->s3->client_opaque_prf_input_len;
1329                 
1330                 if ((long)(limit - ret - 6 - col < 0))
1331                         return NULL;
1332                 if (col > 0xFFFD) /* can't happen */
1333                         return NULL;
1334
1335                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1336                 s2n(col + 2, ret);
1337                 s2n(col, ret);
1338                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1339                 ret += col;
1340                 }
1341 #endif
1342
1343         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1344                 {
1345                 int i;
1346                 long extlen, idlen, itmp;
1347                 OCSP_RESPID *id;
1348
1349                 idlen = 0;
1350                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1351                         {
1352                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1353                         itmp = i2d_OCSP_RESPID(id, NULL);
1354                         if (itmp <= 0)
1355                                 return NULL;
1356                         idlen += itmp + 2;
1357                         }
1358
1359                 if (s->tlsext_ocsp_exts)
1360                         {
1361                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1362                         if (extlen < 0)
1363                                 return NULL;
1364                         }
1365                 else
1366                         extlen = 0;
1367                         
1368                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1369                 s2n(TLSEXT_TYPE_status_request, ret);
1370                 if (extlen + idlen > 0xFFF0)
1371                         return NULL;
1372                 s2n(extlen + idlen + 5, ret);
1373                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1374                 s2n(idlen, ret);
1375                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1376                         {
1377                         /* save position of id len */
1378                         unsigned char *q = ret;
1379                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1380                         /* skip over id len */
1381                         ret += 2;
1382                         itmp = i2d_OCSP_RESPID(id, &ret);
1383                         /* write id len */
1384                         s2n(itmp, q);
1385                         }
1386                 s2n(extlen, ret);
1387                 if (extlen > 0)
1388                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1389                 }
1390
1391 #ifndef OPENSSL_NO_HEARTBEATS
1392         /* Add Heartbeat extension */
1393         s2n(TLSEXT_TYPE_heartbeat,ret);
1394         s2n(1,ret);
1395         /* Set mode:
1396          * 1: peer may send requests
1397          * 2: peer not allowed to send requests
1398          */
1399         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1400                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1401         else
1402                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1403 #endif
1404
1405 #ifndef OPENSSL_NO_NEXTPROTONEG
1406         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1407                 {
1408                 /* The client advertises an emtpy extension to indicate its
1409                  * support for Next Protocol Negotiation */
1410                 if (limit - ret - 4 < 0)
1411                         return NULL;
1412                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1413                 s2n(0,ret);
1414                 }
1415 #endif
1416
1417         if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
1418                 {
1419                 if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1420                         return NULL;
1421                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1422                 s2n(2 + s->alpn_client_proto_list_len,ret);
1423                 s2n(s->alpn_client_proto_list_len,ret);
1424                 memcpy(ret, s->alpn_client_proto_list,
1425                        s->alpn_client_proto_list_len);
1426                 ret += s->alpn_client_proto_list_len;
1427                 }
1428
1429         if(SSL_get_srtp_profiles(s))
1430                 {
1431                 int el;
1432
1433                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1434                 
1435                 if((limit - p - 4 - el) < 0) return NULL;
1436
1437                 s2n(TLSEXT_TYPE_use_srtp,ret);
1438                 s2n(el,ret);
1439
1440                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1441                         {
1442                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1443                         return NULL;
1444                         }
1445                 ret += el;
1446                 }
1447
1448         /* Add custom TLS Extensions to ClientHello */
1449         if (s->ctx->custom_cli_ext_records_count)
1450                 {
1451                 size_t i;
1452                 custom_cli_ext_record* record;
1453
1454                 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1455                         {
1456                         const unsigned char* out = NULL;
1457                         unsigned short outlen = 0;
1458
1459                         record = &s->ctx->custom_cli_ext_records[i];
1460                         /* NULL callback sends empty extension */ 
1461                         /* -1 from callback omits extension */
1462                         if (record->fn1)
1463                                 {
1464                                 int cb_retval = 0;
1465                                 cb_retval = record->fn1(s, record->ext_type,
1466                                                         &out, &outlen,
1467                                                         record->arg);
1468                                 if (cb_retval == 0)
1469                                         return NULL; /* error */
1470                                 if (cb_retval == -1)
1471                                         continue; /* skip this extension */
1472                                 }
1473                         if (limit < ret + 4 + outlen)
1474                                 return NULL;
1475                         s2n(record->ext_type, ret);
1476                         s2n(outlen, ret);
1477                         memcpy(ret, out, outlen);
1478                         ret += outlen;
1479                         }
1480                 }
1481
1482         if ((extdatalen = ret-p-2) == 0)
1483                 return p;
1484
1485         s2n(extdatalen,p);
1486         return ret;
1487         }
1488
1489 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1490         {
1491         int extdatalen=0;
1492         unsigned char *ret = p;
1493 #ifndef OPENSSL_NO_NEXTPROTONEG
1494         int next_proto_neg_seen;
1495 #endif
1496 #ifndef OPENSSL_NO_EC
1497         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1498         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1499         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1500         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1501 #endif
1502         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1503         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1504                 return p;
1505         
1506         ret+=2;
1507         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1508
1509         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1510                 { 
1511                 if ((long)(limit - ret - 4) < 0) return NULL; 
1512
1513                 s2n(TLSEXT_TYPE_server_name,ret);
1514                 s2n(0,ret);
1515                 }
1516
1517         if(s->s3->send_connection_binding)
1518         {
1519           int el;
1520           
1521           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1522               {
1523               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1524               return NULL;
1525               }
1526
1527           if((limit - p - 4 - el) < 0) return NULL;
1528           
1529           s2n(TLSEXT_TYPE_renegotiate,ret);
1530           s2n(el,ret);
1531
1532           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1533               {
1534               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1535               return NULL;
1536               }
1537
1538           ret += el;
1539         }
1540
1541 #ifndef OPENSSL_NO_EC
1542         if (using_ecc)
1543                 {
1544                 const unsigned char *plist;
1545                 size_t plistlen;
1546                 /* Add TLS extension ECPointFormats to the ServerHello message */
1547                 long lenmax; 
1548
1549                 tls1_get_formatlist(s, &plist, &plistlen);
1550
1551                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1552                 if (plistlen > (size_t)lenmax) return NULL;
1553                 if (plistlen > 255)
1554                         {
1555                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1556                         return NULL;
1557                         }
1558                 
1559                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1560                 s2n(plistlen + 1,ret);
1561                 *(ret++) = (unsigned char) plistlen;
1562                 memcpy(ret, plist, plistlen);
1563                 ret+=plistlen;
1564
1565                 }
1566         /* Currently the server should not respond with a SupportedCurves extension */
1567 #endif /* OPENSSL_NO_EC */
1568
1569         if (s->tlsext_ticket_expected
1570                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1571                 { 
1572                 if ((long)(limit - ret - 4) < 0) return NULL; 
1573                 s2n(TLSEXT_TYPE_session_ticket,ret);
1574                 s2n(0,ret);
1575                 }
1576
1577         if (s->tlsext_status_expected)
1578                 { 
1579                 if ((long)(limit - ret - 4) < 0) return NULL; 
1580                 s2n(TLSEXT_TYPE_status_request,ret);
1581                 s2n(0,ret);
1582                 }
1583
1584 #ifdef TLSEXT_TYPE_opaque_prf_input
1585         if (s->s3->server_opaque_prf_input != NULL)
1586                 {
1587                 size_t sol = s->s3->server_opaque_prf_input_len;
1588                 
1589                 if ((long)(limit - ret - 6 - sol) < 0)
1590                         return NULL;
1591                 if (sol > 0xFFFD) /* can't happen */
1592                         return NULL;
1593
1594                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1595                 s2n(sol + 2, ret);
1596                 s2n(sol, ret);
1597                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1598                 ret += sol;
1599                 }
1600 #endif
1601
1602         if(s->srtp_profile)
1603                 {
1604                 int el;
1605
1606                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1607                 
1608                 if((limit - p - 4 - el) < 0) return NULL;
1609
1610                 s2n(TLSEXT_TYPE_use_srtp,ret);
1611                 s2n(el,ret);
1612
1613                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1614                         {
1615                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1616                         return NULL;
1617                         }
1618                 ret+=el;
1619                 }
1620
1621         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1622                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1623                 { const unsigned char cryptopro_ext[36] = {
1624                         0xfd, 0xe8, /*65000*/
1625                         0x00, 0x20, /*32 bytes length*/
1626                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1627                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1628                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1629                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1630                         if (limit-ret<36) return NULL;
1631                         memcpy(ret,cryptopro_ext,36);
1632                         ret+=36;
1633
1634                 }
1635
1636 #ifndef OPENSSL_NO_HEARTBEATS
1637         /* Add Heartbeat extension if we've received one */
1638         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1639                 {
1640                 s2n(TLSEXT_TYPE_heartbeat,ret);
1641                 s2n(1,ret);
1642                 /* Set mode:
1643                  * 1: peer may send requests
1644                  * 2: peer not allowed to send requests
1645                  */
1646                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1647                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1648                 else
1649                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1650
1651                 }
1652 #endif
1653
1654 #ifndef OPENSSL_NO_NEXTPROTONEG
1655         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1656         s->s3->next_proto_neg_seen = 0;
1657         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1658                 {
1659                 const unsigned char *npa;
1660                 unsigned int npalen;
1661                 int r;
1662
1663                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1664                 if (r == SSL_TLSEXT_ERR_OK)
1665                         {
1666                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1667                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1668                         s2n(npalen,ret);
1669                         memcpy(ret, npa, npalen);
1670                         ret += npalen;
1671                         s->s3->next_proto_neg_seen = 1;
1672                         }
1673                 }
1674 #endif
1675
1676         /* If custom types were sent in ClientHello, add ServerHello responses */
1677         if (s->s3->tlsext_custom_types_count)
1678                 {
1679                 size_t i;
1680
1681                 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1682                         {
1683                         size_t j;
1684                         custom_srv_ext_record *record;
1685
1686                         for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1687                                 {
1688                                 record = &s->ctx->custom_srv_ext_records[j];
1689                                 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1690                                         {
1691                                         const unsigned char *out = NULL;
1692                                         unsigned short outlen = 0;
1693                                         int cb_retval = 0;
1694
1695                                         /* NULL callback or -1 omits extension */
1696                                         if (!record->fn2)
1697                                                 break;
1698                                         cb_retval = record->fn2(s, record->ext_type,
1699                                                                 &out, &outlen,
1700                                                                 record->arg);
1701                                         if (cb_retval == 0)
1702                                                 return NULL; /* error */
1703                                         if (cb_retval == -1)
1704                                                 break; /* skip this extension */
1705                                         if (limit < ret + 4 + outlen)
1706                                                 return NULL;
1707                                         s2n(record->ext_type, ret);
1708                                         s2n(outlen, ret);
1709                                         memcpy(ret, out, outlen);
1710                                         ret += outlen;
1711                                         break;
1712                                         }
1713                                 }
1714                         }
1715                 }
1716
1717         if (s->s3->alpn_selected)
1718                 {
1719                 const unsigned char *selected = s->s3->alpn_selected;
1720                 unsigned len = s->s3->alpn_selected_len;
1721
1722                 if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1723                         return NULL;
1724                 s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
1725                 s2n(3 + len,ret);
1726                 s2n(1 + len,ret);
1727                 *ret++ = len;
1728                 memcpy(ret, selected, len);
1729                 ret += len;
1730                 }
1731
1732         if ((extdatalen = ret-p-2)== 0) 
1733                 return p;
1734
1735         s2n(extdatalen,p);
1736         return ret;
1737         }
1738
1739 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
1740  * ClientHello.
1741  *   data: the contents of the extension, not including the type and length.
1742  *   data_len: the number of bytes in |data|
1743  *   al: a pointer to the alert value to send in the event of a non-zero
1744  *       return.
1745  *
1746  *   returns: 0 on success. */
1747 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1748                                          unsigned data_len, int *al)
1749         {
1750         unsigned i;
1751         unsigned proto_len;
1752         const unsigned char *selected;
1753         unsigned char selected_len;
1754         int r;
1755
1756         if (s->ctx->alpn_select_cb == NULL)
1757                 return 0;
1758
1759         if (data_len < 2)
1760                 goto parse_error;
1761
1762         /* data should contain a uint16 length followed by a series of 8-bit,
1763          * length-prefixed strings. */
1764         i = ((unsigned) data[0]) << 8 |
1765             ((unsigned) data[1]);
1766         data_len -= 2;
1767         data += 2;
1768         if (data_len != i)
1769                 goto parse_error;
1770
1771         if (data_len < 2)
1772                 goto parse_error;
1773
1774         for (i = 0; i < data_len;)
1775                 {
1776                 proto_len = data[i];
1777                 i++;
1778
1779                 if (proto_len == 0)
1780                         goto parse_error;
1781
1782                 if (i + proto_len < i || i + proto_len > data_len)
1783                         goto parse_error;
1784
1785                 i += proto_len;
1786                 }
1787
1788         r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
1789                                    s->ctx->alpn_select_cb_arg);
1790         if (r == SSL_TLSEXT_ERR_OK) {
1791                 if (s->s3->alpn_selected)
1792                         OPENSSL_free(s->s3->alpn_selected);
1793                 s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1794                 if (!s->s3->alpn_selected)
1795                         {
1796                         *al = SSL_AD_INTERNAL_ERROR;
1797                         return -1;
1798                         }
1799                 memcpy(s->s3->alpn_selected, selected, selected_len);
1800                 s->s3->alpn_selected_len = selected_len;
1801         }
1802         return 0;
1803
1804 parse_error:
1805         *al = SSL_AD_DECODE_ERROR;
1806         return -1;
1807         }
1808
1809 #ifndef OPENSSL_NO_EC
1810 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
1811  * SecureTransport using the TLS extension block in |d|, of length |n|.
1812  * Safari, since 10.6, sends exactly these extensions, in this order:
1813  *   SNI,
1814  *   elliptic_curves
1815  *   ec_point_formats
1816  *
1817  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1818  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1819  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1820  * 10.8..10.8.3 (which don't work).
1821  */
1822 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
1823         unsigned short type, size;
1824         static const unsigned char kSafariExtensionsBlock[] = {
1825                 0x00, 0x0a,  /* elliptic_curves extension */
1826                 0x00, 0x08,  /* 8 bytes */
1827                 0x00, 0x06,  /* 6 bytes of curve ids */
1828                 0x00, 0x17,  /* P-256 */
1829                 0x00, 0x18,  /* P-384 */
1830                 0x00, 0x19,  /* P-521 */
1831
1832                 0x00, 0x0b,  /* ec_point_formats */
1833                 0x00, 0x02,  /* 2 bytes */
1834                 0x01,        /* 1 point format */
1835                 0x00,        /* uncompressed */
1836         };
1837
1838         /* The following is only present in TLS 1.2 */
1839         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1840                 0x00, 0x0d,  /* signature_algorithms */
1841                 0x00, 0x0c,  /* 12 bytes */
1842                 0x00, 0x0a,  /* 10 bytes */
1843                 0x05, 0x01,  /* SHA-384/RSA */
1844                 0x04, 0x01,  /* SHA-256/RSA */
1845                 0x02, 0x01,  /* SHA-1/RSA */
1846                 0x04, 0x03,  /* SHA-256/ECDSA */
1847                 0x02, 0x03,  /* SHA-1/ECDSA */
1848         };
1849
1850         if (data >= (d+n-2))
1851                 return;
1852         data += 2;
1853
1854         if (data > (d+n-4))
1855                 return;
1856         n2s(data,type);
1857         n2s(data,size);
1858
1859         if (type != TLSEXT_TYPE_server_name)
1860                 return;
1861
1862         if (data+size > d+n)
1863                 return;
1864         data += size;
1865
1866         if (TLS1_get_version(s) >= TLS1_2_VERSION)
1867                 {
1868                 const size_t len1 = sizeof(kSafariExtensionsBlock);
1869                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1870
1871                 if (data + len1 + len2 != d+n)
1872                         return;
1873                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1874                         return;
1875                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1876                         return;
1877                 }
1878         else
1879                 {
1880                 const size_t len = sizeof(kSafariExtensionsBlock);
1881
1882                 if (data + len != d+n)
1883                         return;
1884                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1885                         return;
1886                 }
1887
1888         s->s3->is_probably_safari = 1;
1889 }
1890 #endif  /* OPENSSL_NO_EC */
1891
1892 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1893         {       
1894         unsigned short type;
1895         unsigned short size;
1896         unsigned short len;
1897         unsigned char *data = *p;
1898         int renegotiate_seen = 0;
1899         size_t i;
1900
1901         s->servername_done = 0;
1902         s->tlsext_status_type = -1;
1903 #ifndef OPENSSL_NO_NEXTPROTONEG
1904         s->s3->next_proto_neg_seen = 0;
1905 #endif
1906
1907         if (s->s3->alpn_selected)
1908                 {
1909                 OPENSSL_free(s->s3->alpn_selected);
1910                 s->s3->alpn_selected = NULL;
1911                 }
1912
1913         /* Clear observed custom extensions */
1914         s->s3->tlsext_custom_types_count = 0;
1915         if (s->s3->tlsext_custom_types != NULL)
1916                 {
1917                 OPENSSL_free(s->s3->tlsext_custom_types);
1918                 s->s3->tlsext_custom_types = NULL;
1919                 }               
1920
1921 #ifndef OPENSSL_NO_HEARTBEATS
1922         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1923                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1924 #endif
1925
1926 #ifndef OPENSSL_NO_EC
1927         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1928                 ssl_check_for_safari(s, data, d, n);
1929 #endif  /* OPENSSL_NO_EC */
1930
1931         /* Clear any signature algorithms extension received */
1932         if (s->cert->peer_sigalgs)
1933                 {
1934                 OPENSSL_free(s->cert->peer_sigalgs);
1935                 s->cert->peer_sigalgs = NULL;
1936                 }
1937         /* Clear any shared sigtnature algorithms */
1938         if (s->cert->shared_sigalgs)
1939                 {
1940                 OPENSSL_free(s->cert->shared_sigalgs);
1941                 s->cert->shared_sigalgs = NULL;
1942                 }
1943         /* Clear certificate digests and validity flags */
1944         for (i = 0; i < SSL_PKEY_NUM; i++)
1945                 {
1946                 s->cert->pkeys[i].digest = NULL;
1947                 s->cert->pkeys[i].valid_flags = 0;
1948                 }
1949
1950         if (data >= (d+n-2))
1951                 goto ri_check;
1952         n2s(data,len);
1953
1954         if (data > (d+n-len)) 
1955                 goto ri_check;
1956
1957         while (data <= (d+n-4))
1958                 {
1959                 n2s(data,type);
1960                 n2s(data,size);
1961
1962                 if (data+size > (d+n))
1963                         goto ri_check;
1964 #if 0
1965                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1966 #endif
1967                 if (s->tlsext_debug_cb)
1968                         s->tlsext_debug_cb(s, 0, type, data, size,
1969                                                 s->tlsext_debug_arg);
1970 /* The servername extension is treated as follows:
1971
1972    - Only the hostname type is supported with a maximum length of 255.
1973    - The servername is rejected if too long or if it contains zeros,
1974      in which case an fatal alert is generated.
1975    - The servername field is maintained together with the session cache.
1976    - When a session is resumed, the servername call back invoked in order
1977      to allow the application to position itself to the right context. 
1978    - The servername is acknowledged if it is new for a session or when 
1979      it is identical to a previously used for the same session. 
1980      Applications can control the behaviour.  They can at any time
1981      set a 'desirable' servername for a new SSL object. This can be the
1982      case for example with HTTPS when a Host: header field is received and
1983      a renegotiation is requested. In this case, a possible servername
1984      presented in the new client hello is only acknowledged if it matches
1985      the value of the Host: field. 
1986    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1987      if they provide for changing an explicit servername context for the session,
1988      i.e. when the session has been established with a servername extension. 
1989    - On session reconnect, the servername extension may be absent. 
1990
1991 */      
1992
1993                 if (type == TLSEXT_TYPE_server_name)
1994                         {
1995                         unsigned char *sdata;
1996                         int servname_type;
1997                         int dsize; 
1998                 
1999                         if (size < 2) 
2000                                 {
2001                                 *al = SSL_AD_DECODE_ERROR;
2002                                 return 0;
2003                                 }
2004                         n2s(data,dsize);  
2005                         size -= 2;
2006                         if (dsize > size  ) 
2007                                 {
2008                                 *al = SSL_AD_DECODE_ERROR;
2009                                 return 0;
2010                                 } 
2011
2012                         sdata = data;
2013                         while (dsize > 3) 
2014                                 {
2015                                 servname_type = *(sdata++); 
2016                                 n2s(sdata,len);
2017                                 dsize -= 3;
2018
2019                                 if (len > dsize) 
2020                                         {
2021                                         *al = SSL_AD_DECODE_ERROR;
2022                                         return 0;
2023                                         }
2024                                 if (s->servername_done == 0)
2025                                 switch (servname_type)
2026                                         {
2027                                 case TLSEXT_NAMETYPE_host_name:
2028                                         if (!s->hit)
2029                                                 {
2030                                                 if(s->session->tlsext_hostname)
2031                                                         {
2032                                                         *al = SSL_AD_DECODE_ERROR;
2033                                                         return 0;
2034                                                         }
2035                                                 if (len > TLSEXT_MAXLEN_host_name)
2036                                                         {
2037                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2038                                                         return 0;
2039                                                         }
2040                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
2041                                                         {
2042                                                         *al = TLS1_AD_INTERNAL_ERROR;
2043                                                         return 0;
2044                                                         }
2045                                                 memcpy(s->session->tlsext_hostname, sdata, len);
2046                                                 s->session->tlsext_hostname[len]='\0';
2047                                                 if (strlen(s->session->tlsext_hostname) != len) {
2048                                                         OPENSSL_free(s->session->tlsext_hostname);
2049                                                         s->session->tlsext_hostname = NULL;
2050                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
2051                                                         return 0;
2052                                                 }
2053                                                 s->servername_done = 1; 
2054
2055                                                 }
2056                                         else 
2057                                                 s->servername_done = s->session->tlsext_hostname
2058                                                         && strlen(s->session->tlsext_hostname) == len 
2059                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
2060                                         
2061                                         break;
2062
2063                                 default:
2064                                         break;
2065                                         }
2066                                  
2067                                 dsize -= len;
2068                                 }
2069                         if (dsize != 0) 
2070                                 {
2071                                 *al = SSL_AD_DECODE_ERROR;
2072                                 return 0;
2073                                 }
2074
2075                         }
2076 #ifndef OPENSSL_NO_SRP
2077                 else if (type == TLSEXT_TYPE_srp)
2078                         {
2079                         if (size <= 0 || ((len = data[0])) != (size -1))
2080                                 {
2081                                 *al = SSL_AD_DECODE_ERROR;
2082                                 return 0;
2083                                 }
2084                         if (s->srp_ctx.login != NULL)
2085                                 {
2086                                 *al = SSL_AD_DECODE_ERROR;
2087                                 return 0;
2088                                 }
2089                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
2090                                 return -1;
2091                         memcpy(s->srp_ctx.login, &data[1], len);
2092                         s->srp_ctx.login[len]='\0';
2093   
2094                         if (strlen(s->srp_ctx.login) != len) 
2095                                 {
2096                                 *al = SSL_AD_DECODE_ERROR;
2097                                 return 0;
2098                                 }
2099                         }
2100 #endif
2101
2102 #ifndef OPENSSL_NO_EC
2103                 else if (type == TLSEXT_TYPE_ec_point_formats)
2104                         {
2105                         unsigned char *sdata = data;
2106                         int ecpointformatlist_length = *(sdata++);
2107
2108                         if (ecpointformatlist_length != size - 1 || 
2109                                 ecpointformatlist_length < 1)
2110                                 {
2111                                 *al = TLS1_AD_DECODE_ERROR;
2112                                 return 0;
2113                                 }
2114                         if (!s->hit)
2115                                 {
2116                                 if(s->session->tlsext_ecpointformatlist)
2117                                         {
2118                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2119                                         s->session->tlsext_ecpointformatlist = NULL;
2120                                         }
2121                                 s->session->tlsext_ecpointformatlist_length = 0;
2122                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2123                                         {
2124                                         *al = TLS1_AD_INTERNAL_ERROR;
2125                                         return 0;
2126                                         }
2127                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2128                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2129                                 }
2130 #if 0
2131                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2132                         sdata = s->session->tlsext_ecpointformatlist;
2133                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2134                                 fprintf(stderr,"%i ",*(sdata++));
2135                         fprintf(stderr,"\n");
2136 #endif
2137                         }
2138                 else if (type == TLSEXT_TYPE_elliptic_curves)
2139                         {
2140                         unsigned char *sdata = data;
2141                         int ellipticcurvelist_length = (*(sdata++) << 8);
2142                         ellipticcurvelist_length += (*(sdata++));
2143
2144                         if (ellipticcurvelist_length != size - 2 ||
2145                                 ellipticcurvelist_length < 1)
2146                                 {
2147                                 *al = TLS1_AD_DECODE_ERROR;
2148                                 return 0;
2149                                 }
2150                         if (!s->hit)
2151                                 {
2152                                 if(s->session->tlsext_ellipticcurvelist)
2153                                         {
2154                                         *al = TLS1_AD_DECODE_ERROR;
2155                                         return 0;
2156                                         }
2157                                 s->session->tlsext_ellipticcurvelist_length = 0;
2158                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2159                                         {
2160                                         *al = TLS1_AD_INTERNAL_ERROR;
2161                                         return 0;
2162                                         }
2163                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2164                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2165                                 }
2166 #if 0
2167                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2168                         sdata = s->session->tlsext_ellipticcurvelist;
2169                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2170                                 fprintf(stderr,"%i ",*(sdata++));
2171                         fprintf(stderr,"\n");
2172 #endif
2173                         }
2174 #endif /* OPENSSL_NO_EC */
2175 #ifdef TLSEXT_TYPE_opaque_prf_input
2176                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2177                         {
2178                         unsigned char *sdata = data;
2179
2180                         if (size < 2)
2181                                 {
2182                                 *al = SSL_AD_DECODE_ERROR;
2183                                 return 0;
2184                                 }
2185                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2186                         if (s->s3->client_opaque_prf_input_len != size - 2)
2187                                 {
2188                                 *al = SSL_AD_DECODE_ERROR;
2189                                 return 0;
2190                                 }
2191
2192                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2193                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2194                         if (s->s3->client_opaque_prf_input_len == 0)
2195                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2196                         else
2197                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2198                         if (s->s3->client_opaque_prf_input == NULL)
2199                                 {
2200                                 *al = TLS1_AD_INTERNAL_ERROR;
2201                                 return 0;
2202                                 }
2203                         }
2204 #endif
2205                 else if (type == TLSEXT_TYPE_session_ticket)
2206                         {
2207                         if (s->tls_session_ticket_ext_cb &&
2208                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2209                                 {
2210                                 *al = TLS1_AD_INTERNAL_ERROR;
2211                                 return 0;
2212                                 }
2213                         }
2214                 else if (type == TLSEXT_TYPE_renegotiate)
2215                         {
2216                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2217                                 return 0;
2218                         renegotiate_seen = 1;
2219                         }
2220                 else if (type == TLSEXT_TYPE_signature_algorithms)
2221                         {
2222                         int dsize;
2223                         if (s->cert->peer_sigalgs || size < 2) 
2224                                 {
2225                                 *al = SSL_AD_DECODE_ERROR;
2226                                 return 0;
2227                                 }
2228                         n2s(data,dsize);
2229                         size -= 2;
2230                         if (dsize != size || dsize & 1 || !dsize) 
2231                                 {
2232                                 *al = SSL_AD_DECODE_ERROR;
2233                                 return 0;
2234                                 }
2235                         if (!tls1_process_sigalgs(s, data, dsize))
2236                                 {
2237                                 *al = SSL_AD_DECODE_ERROR;
2238                                 return 0;
2239                                 }
2240                         /* If sigalgs received and no shared algorithms fatal
2241                          * error.
2242                          */
2243                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2244                                 {
2245                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2246                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2247                                 *al = SSL_AD_ILLEGAL_PARAMETER;
2248                                 return 0;
2249                                 }
2250                         }
2251                 else if (type == TLSEXT_TYPE_status_request
2252                          && s->ctx->tlsext_status_cb)
2253                         {
2254                 
2255                         if (size < 5) 
2256                                 {
2257                                 *al = SSL_AD_DECODE_ERROR;
2258                                 return 0;
2259                                 }
2260
2261                         s->tlsext_status_type = *data++;
2262                         size--;
2263                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2264                                 {
2265                                 const unsigned char *sdata;
2266                                 int dsize;
2267                                 /* Read in responder_id_list */
2268                                 n2s(data,dsize);
2269                                 size -= 2;
2270                                 if (dsize > size  ) 
2271                                         {
2272                                         *al = SSL_AD_DECODE_ERROR;
2273                                         return 0;
2274                                         }
2275                                 while (dsize > 0)
2276                                         {
2277                                         OCSP_RESPID *id;
2278                                         int idsize;
2279                                         if (dsize < 4)
2280                                                 {
2281                                                 *al = SSL_AD_DECODE_ERROR;
2282                                                 return 0;
2283                                                 }
2284                                         n2s(data, idsize);
2285                                         dsize -= 2 + idsize;
2286                                         size -= 2 + idsize;
2287                                         if (dsize < 0)
2288                                                 {
2289                                                 *al = SSL_AD_DECODE_ERROR;
2290                                                 return 0;
2291                                                 }
2292                                         sdata = data;
2293                                         data += idsize;
2294                                         id = d2i_OCSP_RESPID(NULL,
2295                                                                 &sdata, idsize);
2296                                         if (!id)
2297                                                 {
2298                                                 *al = SSL_AD_DECODE_ERROR;
2299                                                 return 0;
2300                                                 }
2301                                         if (data != sdata)
2302                                                 {
2303                                                 OCSP_RESPID_free(id);
2304                                                 *al = SSL_AD_DECODE_ERROR;
2305                                                 return 0;
2306                                                 }
2307                                         if (!s->tlsext_ocsp_ids
2308                                                 && !(s->tlsext_ocsp_ids =
2309                                                 sk_OCSP_RESPID_new_null()))
2310                                                 {
2311                                                 OCSP_RESPID_free(id);
2312                                                 *al = SSL_AD_INTERNAL_ERROR;
2313                                                 return 0;
2314                                                 }
2315                                         if (!sk_OCSP_RESPID_push(
2316                                                         s->tlsext_ocsp_ids, id))
2317                                                 {
2318                                                 OCSP_RESPID_free(id);
2319                                                 *al = SSL_AD_INTERNAL_ERROR;
2320                                                 return 0;
2321                                                 }
2322                                         }
2323
2324                                 /* Read in request_extensions */
2325                                 if (size < 2)
2326                                         {
2327                                         *al = SSL_AD_DECODE_ERROR;
2328                                         return 0;
2329                                         }
2330                                 n2s(data,dsize);
2331                                 size -= 2;
2332                                 if (dsize != size)
2333                                         {
2334                                         *al = SSL_AD_DECODE_ERROR;
2335                                         return 0;
2336                                         }
2337                                 sdata = data;
2338                                 if (dsize > 0)
2339                                         {
2340                                         if (s->tlsext_ocsp_exts)
2341                                                 {
2342                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2343                                                                            X509_EXTENSION_free);
2344                                                 }
2345
2346                                         s->tlsext_ocsp_exts =
2347                                                 d2i_X509_EXTENSIONS(NULL,
2348                                                         &sdata, dsize);
2349                                         if (!s->tlsext_ocsp_exts
2350                                                 || (data + dsize != sdata))
2351                                                 {
2352                                                 *al = SSL_AD_DECODE_ERROR;
2353                                                 return 0;
2354                                                 }
2355                                         }
2356                                 }
2357                                 /* We don't know what to do with any other type
2358                                 * so ignore it.
2359                                 */
2360                                 else
2361                                         s->tlsext_status_type = -1;
2362                         }
2363 #ifndef OPENSSL_NO_HEARTBEATS
2364                 else if (type == TLSEXT_TYPE_heartbeat)
2365                         {
2366                         switch(data[0])
2367                                 {
2368                                 case 0x01:      /* Client allows us to send HB requests */
2369                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2370                                                         break;
2371                                 case 0x02:      /* Client doesn't accept HB requests */
2372                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2373                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2374                                                         break;
2375                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2376                                                         return 0;
2377                                 }
2378                         }
2379 #endif
2380 #ifndef OPENSSL_NO_NEXTPROTONEG
2381                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2382                          s->s3->tmp.finish_md_len == 0 &&
2383                          s->s3->alpn_selected == NULL)
2384                         {
2385                         /* We shouldn't accept this extension on a
2386                          * renegotiation.
2387                          *
2388                          * s->new_session will be set on renegotiation, but we
2389                          * probably shouldn't rely that it couldn't be set on
2390                          * the initial renegotation too in certain cases (when
2391                          * there's some other reason to disallow resuming an
2392                          * earlier session -- the current code won't be doing
2393                          * anything like that, but this might change).
2394
2395                          * A valid sign that there's been a previous handshake
2396                          * in this connection is if s->s3->tmp.finish_md_len >
2397                          * 0.  (We are talking about a check that will happen
2398                          * in the Hello protocol round, well before a new
2399                          * Finished message could have been computed.) */
2400                         s->s3->next_proto_neg_seen = 1;
2401                         }
2402 #endif
2403
2404                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2405                          s->ctx->alpn_select_cb &&
2406                          s->s3->tmp.finish_md_len == 0)
2407                         {
2408                         if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2409                                 return 0;
2410                         /* ALPN takes precedence over NPN. */
2411                         s->s3->next_proto_neg_seen = 0;
2412                         }
2413
2414                 /* session ticket processed earlier */
2415                 else if (type == TLSEXT_TYPE_use_srtp)
2416                         {
2417                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2418                                                               al))
2419                                 return 0;
2420                         }
2421                 /* If this ClientHello extension was unhandled and this is 
2422                  * a nonresumed connection, check whether the extension is a 
2423                  * custom TLS Extension (has a custom_srv_ext_record), and if
2424                  * so call the callback and record the extension number so that
2425                  * an appropriate ServerHello may be later returned.
2426                  */
2427                 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2428                         {
2429                         custom_srv_ext_record *record;
2430
2431                         for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2432                                 {
2433                                 record = &s->ctx->custom_srv_ext_records[i];
2434                                 if (type == record->ext_type)
2435                                         {
2436                                         size_t j;
2437
2438                                         /* Error on duplicate TLS Extensions */
2439                                         for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2440                                                 {
2441                                                 if (type == s->s3->tlsext_custom_types[j])
2442                                                         {
2443                                                         *al = TLS1_AD_DECODE_ERROR;
2444                                                         return 0;
2445                                                         }
2446                                                 }
2447
2448                                         /* NULL callback still notes the extension */ 
2449                                         if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2450                                                 return 0;
2451                                                 
2452                                         /* Add the (non-duplicated) entry */
2453                                         s->s3->tlsext_custom_types_count++;
2454                                         s->s3->tlsext_custom_types = OPENSSL_realloc(
2455                                                         s->s3->tlsext_custom_types,
2456                                                         s->s3->tlsext_custom_types_count * 2);
2457                                         if (s->s3->tlsext_custom_types == NULL)
2458                                                 {
2459                                                 s->s3->tlsext_custom_types = 0;
2460                                                 *al = TLS1_AD_INTERNAL_ERROR;
2461                                                 return 0;
2462                                                 }
2463                                         s->s3->tlsext_custom_types[
2464                                                         s->s3->tlsext_custom_types_count - 1] = type;
2465                                         }                                               
2466                                 }
2467                         }
2468
2469                 data+=size;
2470                 }
2471
2472         *p = data;
2473
2474         ri_check:
2475
2476         /* Need RI if renegotiating */
2477
2478         if (!renegotiate_seen && s->renegotiate &&
2479                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2480                 {
2481                 *al = SSL_AD_HANDSHAKE_FAILURE;
2482                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2483                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2484                 return 0;
2485                 }
2486         /* If no signature algorithms extension set default values */
2487         if (!s->cert->peer_sigalgs)
2488                 ssl_cert_set_default_md(s->cert);
2489
2490         return 1;
2491         }
2492
2493 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2494         {
2495         int al = -1;
2496         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2497                 {
2498                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2499                 return 0;
2500                 }
2501
2502         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2503                 {
2504                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2505                 return 0;
2506                 }
2507         return 1;
2508 }
2509
2510 #ifndef OPENSSL_NO_NEXTPROTONEG
2511 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2512  * elements of zero length are allowed and the set of elements must exactly fill
2513  * the length of the block. */
2514 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2515         {
2516         unsigned int off = 0;
2517
2518         while (off < len)
2519                 {
2520                 if (d[off] == 0)
2521                         return 0;
2522                 off += d[off];
2523                 off++;
2524                 }
2525
2526         return off == len;
2527         }
2528 #endif
2529
2530 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2531         {
2532         unsigned short length;
2533         unsigned short type;
2534         unsigned short size;
2535         unsigned char *data = *p;
2536         int tlsext_servername = 0;
2537         int renegotiate_seen = 0;
2538
2539 #ifndef OPENSSL_NO_NEXTPROTONEG
2540         s->s3->next_proto_neg_seen = 0;
2541 #endif
2542
2543         if (s->s3->alpn_selected)
2544                 {
2545                 OPENSSL_free(s->s3->alpn_selected);
2546                 s->s3->alpn_selected = NULL;
2547                 }
2548
2549 #ifndef OPENSSL_NO_HEARTBEATS
2550         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2551                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2552 #endif
2553
2554         if (data >= (d+n-2))
2555                 goto ri_check;
2556
2557         n2s(data,length);
2558         if (data+length != d+n)
2559                 {
2560                 *al = SSL_AD_DECODE_ERROR;
2561                 return 0;
2562                 }
2563
2564         while(data <= (d+n-4))
2565                 {
2566                 n2s(data,type);
2567                 n2s(data,size);
2568
2569                 if (data+size > (d+n))
2570                         goto ri_check;
2571
2572                 if (s->tlsext_debug_cb)
2573                         s->tlsext_debug_cb(s, 1, type, data, size,
2574                                                 s->tlsext_debug_arg);
2575
2576                 if (type == TLSEXT_TYPE_server_name)
2577                         {
2578                         if (s->tlsext_hostname == NULL || size > 0)
2579                                 {
2580                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2581                                 return 0;
2582                                 }
2583                         tlsext_servername = 1;   
2584                         }
2585
2586 #ifndef OPENSSL_NO_EC
2587                 else if (type == TLSEXT_TYPE_ec_point_formats)
2588                         {
2589                         unsigned char *sdata = data;
2590                         int ecpointformatlist_length = *(sdata++);
2591
2592                         if (ecpointformatlist_length != size - 1)
2593                                 {
2594                                 *al = TLS1_AD_DECODE_ERROR;
2595                                 return 0;
2596                                 }
2597                         s->session->tlsext_ecpointformatlist_length = 0;
2598                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2599                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2600                                 {
2601                                 *al = TLS1_AD_INTERNAL_ERROR;
2602                                 return 0;
2603                                 }
2604                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2605                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2606 #if 0
2607                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2608                         sdata = s->session->tlsext_ecpointformatlist;
2609                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2610                                 fprintf(stderr,"%i ",*(sdata++));
2611                         fprintf(stderr,"\n");
2612 #endif
2613                         }
2614 #endif /* OPENSSL_NO_EC */
2615
2616                 else if (type == TLSEXT_TYPE_session_ticket)
2617                         {
2618                         if (s->tls_session_ticket_ext_cb &&
2619                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2620                                 {
2621                                 *al = TLS1_AD_INTERNAL_ERROR;
2622                                 return 0;
2623                                 }
2624                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2625                                 || (size > 0))
2626                                 {
2627                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2628                                 return 0;
2629                                 }
2630                         s->tlsext_ticket_expected = 1;
2631                         }
2632 #ifdef TLSEXT_TYPE_opaque_prf_input
2633                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2634                         {
2635                         unsigned char *sdata = data;
2636
2637                         if (size < 2)
2638                                 {
2639                                 *al = SSL_AD_DECODE_ERROR;
2640                                 return 0;
2641                                 }
2642                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2643                         if (s->s3->server_opaque_prf_input_len != size - 2)
2644                                 {
2645                                 *al = SSL_AD_DECODE_ERROR;
2646                                 return 0;
2647                                 }
2648                         
2649                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2650                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2651                         if (s->s3->server_opaque_prf_input_len == 0)
2652                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2653                         else
2654                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2655
2656                         if (s->s3->server_opaque_prf_input == NULL)
2657                                 {
2658                                 *al = TLS1_AD_INTERNAL_ERROR;
2659                                 return 0;
2660                                 }
2661                         }
2662 #endif
2663                 else if (type == TLSEXT_TYPE_status_request)
2664                         {
2665                         /* MUST be empty and only sent if we've requested
2666                          * a status request message.
2667                          */ 
2668                         if ((s->tlsext_status_type == -1) || (size > 0))
2669                                 {
2670                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2671                                 return 0;
2672                                 }
2673                         /* Set flag to expect CertificateStatus message */
2674                         s->tlsext_status_expected = 1;
2675                         }
2676 #ifndef OPENSSL_NO_NEXTPROTONEG
2677                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2678                          s->s3->tmp.finish_md_len == 0)
2679                         {
2680                         unsigned char *selected;
2681                         unsigned char selected_len;
2682
2683                         /* We must have requested it. */
2684                         if (s->ctx->next_proto_select_cb == NULL)
2685                                 {
2686                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2687                                 return 0;
2688                                 }
2689                         /* The data must be valid */
2690                         if (!ssl_next_proto_validate(data, size))
2691                                 {
2692                                 *al = TLS1_AD_DECODE_ERROR;
2693                                 return 0;
2694                                 }
2695                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2696                                 {
2697                                 *al = TLS1_AD_INTERNAL_ERROR;
2698                                 return 0;
2699                                 }
2700                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2701                         if (!s->next_proto_negotiated)
2702                                 {
2703                                 *al = TLS1_AD_INTERNAL_ERROR;
2704                                 return 0;
2705                                 }
2706                         memcpy(s->next_proto_negotiated, selected, selected_len);
2707                         s->next_proto_negotiated_len = selected_len;
2708                         s->s3->next_proto_neg_seen = 1;
2709                         }
2710 #endif
2711
2712                 else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
2713                         {
2714                         unsigned len;
2715
2716                         /* We must have requested it. */
2717                         if (s->alpn_client_proto_list == NULL)
2718                                 {
2719                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2720                                 return 0;
2721                                 }
2722                         if (size < 4)
2723                                 {
2724                                 *al = TLS1_AD_DECODE_ERROR;
2725                                 return 0;
2726                                 }
2727                         /* The extension data consists of:
2728                          *   uint16 list_length
2729                          *   uint8 proto_length;
2730                          *   uint8 proto[proto_length]; */
2731                         len = data[0];
2732                         len <<= 8;
2733                         len |= data[1];
2734                         if (len != (unsigned) size - 2)
2735                                 {
2736                                 *al = TLS1_AD_DECODE_ERROR;
2737                                 return 0;
2738                                 }
2739                         len = data[2];
2740                         if (len != (unsigned) size - 3)
2741                                 {
2742                                 *al = TLS1_AD_DECODE_ERROR;
2743                                 return 0;
2744                                 }
2745                         if (s->s3->alpn_selected)
2746                                 OPENSSL_free(s->s3->alpn_selected);
2747                         s->s3->alpn_selected = OPENSSL_malloc(len);
2748                         if (!s->s3->alpn_selected)
2749                                 {
2750                                 *al = TLS1_AD_INTERNAL_ERROR;
2751                                 return 0;
2752                                 }
2753                         memcpy(s->s3->alpn_selected, data + 3, len);
2754                         s->s3->alpn_selected_len = len;
2755                         }
2756
2757                 else if (type == TLSEXT_TYPE_renegotiate)
2758                         {
2759                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2760                                 return 0;
2761                         renegotiate_seen = 1;
2762                         }
2763 #ifndef OPENSSL_NO_HEARTBEATS
2764                 else if (type == TLSEXT_TYPE_heartbeat)
2765                         {
2766                         switch(data[0])
2767                                 {
2768                                 case 0x01:      /* Server allows us to send HB requests */
2769                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2770                                                         break;
2771                                 case 0x02:      /* Server doesn't accept HB requests */
2772                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2773                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2774                                                         break;
2775                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2776                                                         return 0;
2777                                 }
2778                         }
2779 #endif
2780                 else if (type == TLSEXT_TYPE_use_srtp)
2781                         {
2782                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2783                                                               al))
2784                                 return 0;
2785                         }
2786                 /* If this extension type was not otherwise handled, but 
2787                  * matches a custom_cli_ext_record, then send it to the c
2788                  * callback */
2789                 else if (s->ctx->custom_cli_ext_records_count)
2790                         {
2791                         size_t i;
2792                         custom_cli_ext_record* record;
2793
2794                         for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2795                                 {
2796                                 record = &s->ctx->custom_cli_ext_records[i];
2797                                 if (record->ext_type == type)
2798                                         {
2799                                         if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2800                                                 return 0;
2801                                         break;
2802                                         }
2803                                 }                       
2804                         }
2805  
2806                 data += size;
2807                 }
2808
2809         if (data != d+n)
2810                 {
2811                 *al = SSL_AD_DECODE_ERROR;
2812                 return 0;
2813                 }
2814
2815         if (!s->hit && tlsext_servername == 1)
2816                 {
2817                 if (s->tlsext_hostname)
2818                         {
2819                         if (s->session->tlsext_hostname == NULL)
2820                                 {
2821                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2822                                 if (!s->session->tlsext_hostname)
2823                                         {
2824                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2825                                         return 0;
2826                                         }
2827                                 }
2828                         else 
2829                                 {
2830                                 *al = SSL_AD_DECODE_ERROR;
2831                                 return 0;
2832                                 }
2833                         }
2834                 }
2835
2836         *p = data;
2837
2838         ri_check:
2839
2840         /* Determine if we need to see RI. Strictly speaking if we want to
2841          * avoid an attack we should *always* see RI even on initial server
2842          * hello because the client doesn't see any renegotiation during an
2843          * attack. However this would mean we could not connect to any server
2844          * which doesn't support RI so for the immediate future tolerate RI
2845          * absence on initial connect only.
2846          */
2847         if (!renegotiate_seen
2848                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2849                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2850                 {
2851                 *al = SSL_AD_HANDSHAKE_FAILURE;
2852                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2853                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2854                 return 0;
2855                 }
2856
2857         return 1;
2858         }
2859
2860
2861 int ssl_prepare_clienthello_tlsext(SSL *s)
2862         {
2863
2864 #ifdef TLSEXT_TYPE_opaque_prf_input
2865         {
2866                 int r = 1;
2867         
2868                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2869                         {
2870                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2871                         if (!r)
2872                                 return -1;
2873                         }
2874
2875                 if (s->tlsext_opaque_prf_input != NULL)
2876                         {
2877                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2878                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2879
2880                         if (s->tlsext_opaque_prf_input_len == 0)
2881                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2882                         else
2883                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2884                         if (s->s3->client_opaque_prf_input == NULL)
2885                                 {
2886                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2887                                 return -1;
2888                                 }
2889                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2890                         }
2891
2892                 if (r == 2)
2893                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2894                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2895         }
2896 #endif
2897
2898         return 1;
2899         }
2900
2901 int ssl_prepare_serverhello_tlsext(SSL *s)
2902         {
2903         return 1;
2904         }
2905
2906 static int ssl_check_clienthello_tlsext_early(SSL *s)
2907         {
2908         int ret=SSL_TLSEXT_ERR_NOACK;
2909         int al = SSL_AD_UNRECOGNIZED_NAME;
2910
2911 #ifndef OPENSSL_NO_EC
2912         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2913          * ssl3_choose_cipher in s3_lib.c.
2914          */
2915         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2916          * ssl3_choose_cipher in s3_lib.c.
2917          */
2918 #endif
2919
2920         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2921                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2922         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2923                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2924
2925 #ifdef TLSEXT_TYPE_opaque_prf_input
2926         {
2927                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2928                  * but we might be sending an alert in response to the client hello,
2929                  * so this has to happen here in
2930                  * ssl_check_clienthello_tlsext_early(). */
2931
2932                 int r = 1;
2933         
2934                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2935                         {
2936                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2937                         if (!r)
2938                                 {
2939                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2940                                 al = SSL_AD_INTERNAL_ERROR;
2941                                 goto err;
2942                                 }
2943                         }
2944
2945                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2946                         OPENSSL_free(s->s3->server_opaque_prf_input);
2947                 s->s3->server_opaque_prf_input = NULL;
2948
2949                 if (s->tlsext_opaque_prf_input != NULL)
2950                         {
2951                         if (s->s3->client_opaque_prf_input != NULL &&
2952                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2953                                 {
2954                                 /* can only use this extension if we have a server opaque PRF input
2955                                  * of the same length as the client opaque PRF input! */
2956
2957                                 if (s->tlsext_opaque_prf_input_len == 0)
2958                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2959                                 else
2960                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2961                                 if (s->s3->server_opaque_prf_input == NULL)
2962                                         {
2963                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2964                                         al = SSL_AD_INTERNAL_ERROR;
2965                                         goto err;
2966                                         }
2967                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2968                                 }
2969                         }
2970
2971                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2972                         {
2973                         /* The callback wants to enforce use of the extension,
2974                          * but we can't do that with the client opaque PRF input;
2975                          * abort the handshake.
2976                          */
2977                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2978                         al = SSL_AD_HANDSHAKE_FAILURE;
2979                         }
2980         }
2981
2982  err:
2983 #endif
2984         switch (ret)
2985                 {
2986                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2987                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2988                         return -1;
2989
2990                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2991                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2992                         return 1; 
2993                                         
2994                 case SSL_TLSEXT_ERR_NOACK:
2995                         s->servername_done=0;
2996                         default:
2997                 return 1;
2998                 }
2999         }
3000
3001 int ssl_check_clienthello_tlsext_late(SSL *s)
3002         {
3003         int ret = SSL_TLSEXT_ERR_OK;
3004         int al;
3005
3006         /* If status request then ask callback what to do.
3007          * Note: this must be called after servername callbacks in case
3008          * the certificate has changed, and must be called after the cipher
3009          * has been chosen because this may influence which certificate is sent
3010          */
3011         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
3012                 {
3013                 int r;
3014                 CERT_PKEY *certpkey;
3015                 certpkey = ssl_get_server_send_pkey(s);
3016                 /* If no certificate can't return certificate status */
3017                 if (certpkey == NULL)
3018                         {
3019                         s->tlsext_status_expected = 0;
3020                         return 1;
3021                         }
3022                 /* Set current certificate to one we will use so
3023                  * SSL_get_certificate et al can pick it up.
3024                  */
3025                 s->cert->key = certpkey;
3026                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3027                 switch (r)
3028                         {
3029                         /* We don't want to send a status request response */
3030                         case SSL_TLSEXT_ERR_NOACK:
3031                                 s->tlsext_status_expected = 0;
3032                                 break;
3033                         /* status request response should be sent */
3034                         case SSL_TLSEXT_ERR_OK:
3035                                 if (s->tlsext_ocsp_resp)
3036                                         s->tlsext_status_expected = 1;
3037                                 else
3038                                         s->tlsext_status_expected = 0;
3039                                 break;
3040                         /* something bad happened */
3041                         case SSL_TLSEXT_ERR_ALERT_FATAL:
3042                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3043                                 al = SSL_AD_INTERNAL_ERROR;
3044                                 goto err;
3045                         }
3046                 }
3047         else
3048                 s->tlsext_status_expected = 0;
3049
3050  err:
3051         switch (ret)
3052                 {
3053                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3054                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3055                         return -1;
3056
3057                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3058                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3059                         return 1; 
3060
3061                 default:
3062                         return 1;
3063                 }
3064         }
3065
3066 int ssl_check_serverhello_tlsext(SSL *s)
3067         {
3068         int ret=SSL_TLSEXT_ERR_NOACK;
3069         int al = SSL_AD_UNRECOGNIZED_NAME;
3070
3071 #ifndef OPENSSL_NO_EC
3072         /* If we are client and using an elliptic curve cryptography cipher
3073          * suite, then if server returns an EC point formats lists extension
3074          * it must contain uncompressed.
3075          */
3076         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3077         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3078         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
3079             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
3080             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3081                 {
3082                 /* we are using an ECC cipher */
3083                 size_t i;
3084                 unsigned char *list;
3085                 int found_uncompressed = 0;
3086                 list = s->session->tlsext_ecpointformatlist;
3087                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3088                         {
3089                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3090                                 {
3091                                 found_uncompressed = 1;
3092                                 break;
3093                                 }
3094                         }
3095                 if (!found_uncompressed)
3096                         {
3097                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3098                         return -1;
3099                         }
3100                 }
3101         ret = SSL_TLSEXT_ERR_OK;
3102 #endif /* OPENSSL_NO_EC */
3103
3104         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
3105                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3106         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
3107                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3108
3109 #ifdef TLSEXT_TYPE_opaque_prf_input
3110         if (s->s3->server_opaque_prf_input_len > 0)
3111                 {
3112                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3113                  * So first verify that we really have a value from the server too. */
3114
3115                 if (s->s3->server_opaque_prf_input == NULL)
3116                         {
3117                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3118                         al = SSL_AD_HANDSHAKE_FAILURE;
3119                         }
3120                 
3121                 /* Anytime the server *has* sent an opaque PRF input, we need to check
3122                  * that we have a client opaque PRF input of the same size. */
3123                 if (s->s3->client_opaque_prf_input == NULL ||
3124                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3125                         {
3126                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3127                         al = SSL_AD_ILLEGAL_PARAMETER;
3128                         }
3129                 }
3130 #endif
3131
3132         /* If we've requested certificate status and we wont get one
3133          * tell the callback
3134          */
3135         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3136                         && s->ctx && s->ctx->tlsext_status_cb)
3137                 {
3138                 int r;
3139                 /* Set resp to NULL, resplen to -1 so callback knows
3140                  * there is no response.
3141                  */
3142                 if (s->tlsext_ocsp_resp)
3143                         {
3144                         OPENSSL_free(s->tlsext_ocsp_resp);
3145                         s->tlsext_ocsp_resp = NULL;
3146                         }
3147                 s->tlsext_ocsp_resplen = -1;
3148                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3149                 if (r == 0)
3150                         {
3151                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3152                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3153                         }
3154                 if (r < 0)
3155                         {
3156                         al = SSL_AD_INTERNAL_ERROR;
3157                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3158                         }
3159                 }
3160
3161         switch (ret)
3162                 {
3163                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3164                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3165                         return -1;
3166
3167                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3168                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
3169                         return 1; 
3170                                         
3171                 case SSL_TLSEXT_ERR_NOACK:
3172                         s->servername_done=0;
3173                         default:
3174                 return 1;
3175                 }
3176         }
3177
3178 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
3179         {
3180         int al = -1;
3181         if (s->version < SSL3_VERSION)
3182                 return 1;
3183         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
3184                 {
3185                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3186                 return 0;
3187                 }
3188
3189         if (ssl_check_serverhello_tlsext(s) <= 0) 
3190                 {
3191                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
3192                 return 0;
3193                 }
3194         return 1;
3195 }
3196
3197 /* Since the server cache lookup is done early on in the processing of the
3198  * ClientHello, and other operations depend on the result, we need to handle
3199  * any TLS session ticket extension at the same time.
3200  *
3201  *   session_id: points at the session ID in the ClientHello. This code will
3202  *       read past the end of this in order to parse out the session ticket
3203  *       extension, if any.
3204  *   len: the length of the session ID.
3205  *   limit: a pointer to the first byte after the ClientHello.
3206  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3207  *       point to the resulting session.
3208  *
3209  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3210  * ciphersuite, in which case we have no use for session tickets and one will
3211  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3212  *
3213  * Returns:
3214  *   -1: fatal error, either from parsing or decrypting the ticket.
3215  *    0: no ticket was found (or was ignored, based on settings).
3216  *    1: a zero length extension was found, indicating that the client supports
3217  *       session tickets but doesn't currently have one to offer.
3218  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3219  *       couldn't be decrypted because of a non-fatal error.
3220  *    3: a ticket was successfully decrypted and *ret was set.
3221  *
3222  * Side effects:
3223  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3224  *   a new session ticket to the client because the client indicated support
3225  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3226  *   a session ticket or we couldn't use the one it gave us, or if
3227  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3228  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3229  */
3230 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3231                         const unsigned char *limit, SSL_SESSION **ret)
3232         {
3233         /* Point after session ID in client hello */
3234         const unsigned char *p = session_id + len;
3235         unsigned short i;
3236
3237         *ret = NULL;
3238         s->tlsext_ticket_expected = 0;
3239
3240         /* If tickets disabled behave as if no ticket present
3241          * to permit stateful resumption.
3242          */
3243         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3244                 return 0;
3245         if ((s->version <= SSL3_VERSION) || !limit)
3246                 return 0;
3247         if (p >= limit)
3248                 return -1;
3249         /* Skip past DTLS cookie */
3250         if (SSL_IS_DTLS(s))
3251                 {
3252                 i = *(p++);
3253                 p+= i;
3254                 if (p >= limit)
3255                         return -1;
3256                 }
3257         /* Skip past cipher list */
3258         n2s(p, i);
3259         p+= i;
3260         if (p >= limit)
3261                 return -1;
3262         /* Skip past compression algorithm list */
3263         i = *(p++);
3264         p += i;
3265         if (p > limit)
3266                 return -1;
3267         /* Now at start of extensions */
3268         if ((p + 2) >= limit)
3269                 return 0;
3270         n2s(p, i);
3271         while ((p + 4) <= limit)
3272                 {
3273                 unsigned short type, size;
3274                 n2s(p, type);
3275                 n2s(p, size);
3276                 if (p + size > limit)
3277                         return 0;
3278                 if (type == TLSEXT_TYPE_session_ticket)
3279                         {
3280                         int r;
3281                         if (size == 0)
3282                                 {
3283                                 /* The client will accept a ticket but doesn't
3284                                  * currently have one. */
3285                                 s->tlsext_ticket_expected = 1;
3286                                 return 1;
3287                                 }
3288                         if (s->tls_session_secret_cb)
3289                                 {
3290                                 /* Indicate that the ticket couldn't be
3291                                  * decrypted rather than generating the session
3292                                  * from ticket now, trigger abbreviated
3293                                  * handshake based on external mechanism to
3294                                  * calculate the master secret later. */
3295                                 return 2;
3296                                 }
3297                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3298                         switch (r)
3299                                 {
3300                                 case 2: /* ticket couldn't be decrypted */
3301                                         s->tlsext_ticket_expected = 1;
3302                                         return 2;
3303                                 case 3: /* ticket was decrypted */
3304                                         return r;
3305                                 case 4: /* ticket decrypted but need to renew */
3306                                         s->tlsext_ticket_expected = 1;
3307                                         return 3;
3308                                 default: /* fatal error */
3309                                         return -1;
3310                                 }
3311                         }
3312                 p += size;
3313                 }
3314         return 0;
3315         }
3316
3317 /* tls_decrypt_ticket attempts to decrypt a session ticket.
3318  *
3319  *   etick: points to the body of the session ticket extension.
3320  *   eticklen: the length of the session tickets extenion.
3321  *   sess_id: points at the session ID.
3322  *   sesslen: the length of the session ID.
3323  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3324  *       point to the resulting session.
3325  *
3326  * Returns:
3327  *   -1: fatal error, either from parsing or decrypting the ticket.
3328  *    2: the ticket couldn't be decrypted.
3329  *    3: a ticket was successfully decrypted and *psess was set.
3330  *    4: same as 3, but the ticket needs to be renewed.
3331  */
3332 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3333                                 const unsigned char *sess_id, int sesslen,
3334                                 SSL_SESSION **psess)
3335         {
3336         SSL_SESSION *sess;
3337         unsigned char *sdec;
3338         const unsigned char *p;
3339         int slen, mlen, renew_ticket = 0;
3340         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3341         HMAC_CTX hctx;
3342         EVP_CIPHER_CTX ctx;
3343         SSL_CTX *tctx = s->initial_ctx;
3344         /* Need at least keyname + iv + some encrypted data */
3345         if (eticklen < 48)
3346                 return 2;
3347         /* Initialize session ticket encryption and HMAC contexts */
3348         HMAC_CTX_init(&hctx);
3349         EVP_CIPHER_CTX_init(&ctx);
3350         if (tctx->tlsext_ticket_key_cb)
3351                 {
3352                 unsigned char *nctick = (unsigned char *)etick;
3353                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3354                                                         &ctx, &hctx, 0);
3355                 if (rv < 0)
3356                         return -1;
3357                 if (rv == 0)
3358                         return 2;
3359                 if (rv == 2)
3360                         renew_ticket = 1;
3361                 }
3362         else
3363                 {
3364                 /* Check key name matches */
3365                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3366                         return 2;
3367                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3368                                         tlsext_tick_md(), NULL);
3369                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3370                                 tctx->tlsext_tick_aes_key, etick + 16);
3371                 }
3372         /* Attempt to process session ticket, first conduct sanity and
3373          * integrity checks on ticket.
3374          */
3375         mlen = HMAC_size(&hctx);
3376         if (mlen < 0)
3377                 {
3378                 EVP_CIPHER_CTX_cleanup(&ctx);
3379                 return -1;
3380                 }
3381         eticklen -= mlen;
3382         /* Check HMAC of encrypted ticket */
3383         HMAC_Update(&hctx, etick, eticklen);
3384         HMAC_Final(&hctx, tick_hmac, NULL);
3385         HMAC_CTX_cleanup(&hctx);
3386         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3387                 return 2;
3388         /* Attempt to decrypt session data */
3389         /* Move p after IV to start of encrypted ticket, update length */
3390         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3391         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3392         sdec = OPENSSL_malloc(eticklen);
3393         if (!sdec)
3394                 {
3395                 EVP_CIPHER_CTX_cleanup(&ctx);
3396                 return -1;
3397                 }
3398         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3399         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
3400                 return 2;
3401         slen += mlen;
3402         EVP_CIPHER_CTX_cleanup(&ctx);
3403         p = sdec;
3404
3405         sess = d2i_SSL_SESSION(NULL, &p, slen);
3406         OPENSSL_free(sdec);
3407         if (sess)
3408                 {
3409                 /* The session ID, if non-empty, is used by some clients to
3410                  * detect that the ticket has been accepted. So we copy it to
3411                  * the session structure. If it is empty set length to zero
3412                  * as required by standard.
3413                  */
3414                 if (sesslen)
3415                         memcpy(sess->session_id, sess_id, sesslen);
3416                 sess->session_id_length = sesslen;
3417                 *psess = sess;
3418                 if (renew_ticket)
3419                         return 4;
3420                 else
3421                         return 3;
3422                 }
3423         ERR_clear_error();
3424         /* For session parse failure, indicate that we need to send a new
3425          * ticket. */
3426         return 2;
3427         }
3428
3429 /* Tables to translate from NIDs to TLS v1.2 ids */
3430
3431 typedef struct 
3432         {
3433         int nid;
3434         int id;
3435         } tls12_lookup;
3436
3437 static tls12_lookup tls12_md[] = {
3438         {NID_md5, TLSEXT_hash_md5},
3439         {NID_sha1, TLSEXT_hash_sha1},
3440         {NID_sha224, TLSEXT_hash_sha224},
3441         {NID_sha256, TLSEXT_hash_sha256},
3442         {NID_sha384, TLSEXT_hash_sha384},
3443         {NID_sha512, TLSEXT_hash_sha512}
3444 };
3445
3446 static tls12_lookup tls12_sig[] = {
3447         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3448         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3449         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3450 };
3451
3452 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3453         {
3454         size_t i;
3455         for (i = 0; i < tlen; i++)
3456                 {
3457                 if (table[i].nid == nid)
3458                         return table[i].id;
3459                 }
3460         return -1;
3461         }
3462
3463 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3464         {
3465         size_t i;
3466         for (i = 0; i < tlen; i++)
3467                 {
3468                 if ((table[i].id) == id)
3469                         return table[i].nid;
3470                 }
3471         return NID_undef;
3472         }
3473
3474 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3475         {
3476         int sig_id, md_id;
3477         if (!md)
3478                 return 0;
3479         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3480                                 sizeof(tls12_md)/sizeof(tls12_lookup));
3481         if (md_id == -1)
3482                 return 0;
3483         sig_id = tls12_get_sigid(pk);
3484         if (sig_id == -1)
3485                 return 0;
3486         p[0] = (unsigned char)md_id;
3487         p[1] = (unsigned char)sig_id;
3488         return 1;
3489         }
3490
3491 int tls12_get_sigid(const EVP_PKEY *pk)
3492         {
3493         return tls12_find_id(pk->type, tls12_sig,
3494                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3495         }
3496
3497 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3498         {
3499         switch(hash_alg)
3500                 {
3501 #ifndef OPENSSL_NO_MD5
3502                 case TLSEXT_hash_md5:
3503 #ifdef OPENSSL_FIPS
3504                 if (FIPS_mode())
3505                         return NULL;
3506 #endif
3507                 return EVP_md5();
3508 #endif
3509 #ifndef OPENSSL_NO_SHA
3510                 case TLSEXT_hash_sha1:
3511                 return EVP_sha1();
3512 #endif
3513 #ifndef OPENSSL_NO_SHA256
3514                 case TLSEXT_hash_sha224:
3515                 return EVP_sha224();