Cleanup of custom extension stuff.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext_early(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         0,
144         SSL3_HM_HEADER_LENGTH,
145         ssl3_set_handshake_header,
146         ssl3_handshake_write
147         };
148
149 SSL3_ENC_METHOD TLSv1_1_enc_data={
150         tls1_enc,
151         tls1_mac,
152         tls1_setup_key_block,
153         tls1_generate_master_secret,
154         tls1_change_cipher_state,
155         tls1_final_finish_mac,
156         TLS1_FINISH_MAC_LENGTH,
157         tls1_cert_verify_mac,
158         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
159         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
160         tls1_alert_code,
161         tls1_export_keying_material,
162         SSL_ENC_FLAG_EXPLICIT_IV,
163         SSL3_HM_HEADER_LENGTH,
164         ssl3_set_handshake_header,
165         ssl3_handshake_write
166         };
167
168 SSL3_ENC_METHOD TLSv1_2_enc_data={
169         tls1_enc,
170         tls1_mac,
171         tls1_setup_key_block,
172         tls1_generate_master_secret,
173         tls1_change_cipher_state,
174         tls1_final_finish_mac,
175         TLS1_FINISH_MAC_LENGTH,
176         tls1_cert_verify_mac,
177         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
178         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
179         tls1_alert_code,
180         tls1_export_keying_material,
181         SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
182                 |SSL_ENC_FLAG_TLS1_2_CIPHERS,
183         SSL3_HM_HEADER_LENGTH,
184         ssl3_set_handshake_header,
185         ssl3_handshake_write
186         };
187
188 long tls1_default_timeout(void)
189         {
190         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
191          * is way too long for http, the cache would over fill */
192         return(60*60*2);
193         }
194
195 int tls1_new(SSL *s)
196         {
197         if (!ssl3_new(s)) return(0);
198         s->method->ssl_clear(s);
199         return(1);
200         }
201
202 void tls1_free(SSL *s)
203         {
204 #ifndef OPENSSL_NO_TLSEXT
205         if (s->tlsext_session_ticket)
206                 {
207                 OPENSSL_free(s->tlsext_session_ticket);
208                 }
209 #endif /* OPENSSL_NO_TLSEXT */
210         ssl3_free(s);
211         }
212
213 void tls1_clear(SSL *s)
214         {
215         ssl3_clear(s);
216         s->version = s->method->version;
217         }
218
219 #ifndef OPENSSL_NO_EC
220
221 static int nid_list[] =
222         {
223                 NID_sect163k1, /* sect163k1 (1) */
224                 NID_sect163r1, /* sect163r1 (2) */
225                 NID_sect163r2, /* sect163r2 (3) */
226                 NID_sect193r1, /* sect193r1 (4) */ 
227                 NID_sect193r2, /* sect193r2 (5) */ 
228                 NID_sect233k1, /* sect233k1 (6) */
229                 NID_sect233r1, /* sect233r1 (7) */ 
230                 NID_sect239k1, /* sect239k1 (8) */ 
231                 NID_sect283k1, /* sect283k1 (9) */
232                 NID_sect283r1, /* sect283r1 (10) */ 
233                 NID_sect409k1, /* sect409k1 (11) */ 
234                 NID_sect409r1, /* sect409r1 (12) */
235                 NID_sect571k1, /* sect571k1 (13) */ 
236                 NID_sect571r1, /* sect571r1 (14) */ 
237                 NID_secp160k1, /* secp160k1 (15) */
238                 NID_secp160r1, /* secp160r1 (16) */ 
239                 NID_secp160r2, /* secp160r2 (17) */ 
240                 NID_secp192k1, /* secp192k1 (18) */
241                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
242                 NID_secp224k1, /* secp224k1 (20) */ 
243                 NID_secp224r1, /* secp224r1 (21) */
244                 NID_secp256k1, /* secp256k1 (22) */ 
245                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
246                 NID_secp384r1, /* secp384r1 (24) */
247                 NID_secp521r1  /* secp521r1 (25) */     
248         };
249
250
251 static const unsigned char ecformats_default[] = 
252         {
253         TLSEXT_ECPOINTFORMAT_uncompressed,
254         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
255         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
256         };
257
258 static const unsigned char eccurves_default[] =
259         {
260                 0,14, /* sect571r1 (14) */ 
261                 0,13, /* sect571k1 (13) */ 
262                 0,25, /* secp521r1 (25) */      
263                 0,11, /* sect409k1 (11) */ 
264                 0,12, /* sect409r1 (12) */
265                 0,24, /* secp384r1 (24) */
266                 0,9,  /* sect283k1 (9) */
267                 0,10, /* sect283r1 (10) */ 
268                 0,22, /* secp256k1 (22) */ 
269                 0,23, /* secp256r1 (23) */ 
270                 0,8,  /* sect239k1 (8) */ 
271                 0,6,  /* sect233k1 (6) */
272                 0,7,  /* sect233r1 (7) */ 
273                 0,20, /* secp224k1 (20) */ 
274                 0,21, /* secp224r1 (21) */
275                 0,4,  /* sect193r1 (4) */ 
276                 0,5,  /* sect193r2 (5) */ 
277                 0,18, /* secp192k1 (18) */
278                 0,19, /* secp192r1 (19) */ 
279                 0,1,  /* sect163k1 (1) */
280                 0,2,  /* sect163r1 (2) */
281                 0,3,  /* sect163r2 (3) */
282                 0,15, /* secp160k1 (15) */
283                 0,16, /* secp160r1 (16) */ 
284                 0,17, /* secp160r2 (17) */ 
285         };
286
287 static const unsigned char suiteb_curves[] =
288         {
289                 0, TLSEXT_curve_P_256,
290                 0, TLSEXT_curve_P_384
291         };
292
293 int tls1_ec_curve_id2nid(int curve_id)
294         {
295         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
296         if ((curve_id < 1) || ((unsigned int)curve_id >
297                                 sizeof(nid_list)/sizeof(nid_list[0])))
298                 return 0;
299         return nid_list[curve_id-1];
300         }
301
302 int tls1_ec_nid2curve_id(int nid)
303         {
304         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
305         switch (nid)
306                 {
307         case NID_sect163k1: /* sect163k1 (1) */
308                 return 1;
309         case NID_sect163r1: /* sect163r1 (2) */
310                 return 2;
311         case NID_sect163r2: /* sect163r2 (3) */
312                 return 3;
313         case NID_sect193r1: /* sect193r1 (4) */ 
314                 return 4;
315         case NID_sect193r2: /* sect193r2 (5) */ 
316                 return 5;
317         case NID_sect233k1: /* sect233k1 (6) */
318                 return 6;
319         case NID_sect233r1: /* sect233r1 (7) */ 
320                 return 7;
321         case NID_sect239k1: /* sect239k1 (8) */ 
322                 return 8;
323         case NID_sect283k1: /* sect283k1 (9) */
324                 return 9;
325         case NID_sect283r1: /* sect283r1 (10) */ 
326                 return 10;
327         case NID_sect409k1: /* sect409k1 (11) */ 
328                 return 11;
329         case NID_sect409r1: /* sect409r1 (12) */
330                 return 12;
331         case NID_sect571k1: /* sect571k1 (13) */ 
332                 return 13;
333         case NID_sect571r1: /* sect571r1 (14) */ 
334                 return 14;
335         case NID_secp160k1: /* secp160k1 (15) */
336                 return 15;
337         case NID_secp160r1: /* secp160r1 (16) */ 
338                 return 16;
339         case NID_secp160r2: /* secp160r2 (17) */ 
340                 return 17;
341         case NID_secp192k1: /* secp192k1 (18) */
342                 return 18;
343         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
344                 return 19;
345         case NID_secp224k1: /* secp224k1 (20) */ 
346                 return 20;
347         case NID_secp224r1: /* secp224r1 (21) */
348                 return 21;
349         case NID_secp256k1: /* secp256k1 (22) */ 
350                 return 22;
351         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
352                 return 23;
353         case NID_secp384r1: /* secp384r1 (24) */
354                 return 24;
355         case NID_secp521r1:  /* secp521r1 (25) */       
356                 return 25;
357         default:
358                 return 0;
359                 }
360         }
361 /* Get curves list, if "sess" is set return client curves otherwise
362  * preferred list
363  */
364 static void tls1_get_curvelist(SSL *s, int sess,
365                                         const unsigned char **pcurves,
366                                         size_t *pcurveslen)
367         {
368         if (sess)
369                 {
370                 *pcurves = s->session->tlsext_ellipticcurvelist;
371                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
372                 return;
373                 }
374         /* For Suite B mode only include P-256, P-384 */
375         switch (tls1_suiteb(s))
376                 {
377         case SSL_CERT_FLAG_SUITEB_128_LOS:
378                 *pcurves = suiteb_curves;
379                 *pcurveslen = sizeof(suiteb_curves);
380                 break;
381
382         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
383                 *pcurves = suiteb_curves;
384                 *pcurveslen = 2;
385                 break;
386
387         case SSL_CERT_FLAG_SUITEB_192_LOS:
388                 *pcurves = suiteb_curves + 2;
389                 *pcurveslen = 2;
390                 break;
391         default:
392                 *pcurves = s->tlsext_ellipticcurvelist;
393                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
394                 }
395         if (!*pcurves)
396                 {
397                 *pcurves = eccurves_default;
398                 *pcurveslen = sizeof(eccurves_default);
399                 }
400         }
401 /* Check a curve is one of our preferences */
402 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
403         {
404         const unsigned char *curves;
405         size_t curveslen, i;
406         unsigned int suiteb_flags = tls1_suiteb(s);
407         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
408                 return 0;
409         /* Check curve matches Suite B preferences */
410         if (suiteb_flags)
411                 {
412                 unsigned long cid = s->s3->tmp.new_cipher->id;
413                 if (p[1])
414                         return 0;
415                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
416                         {
417                         if (p[2] != TLSEXT_curve_P_256)
418                                 return 0;
419                         }
420                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
421                         {
422                         if (p[2] != TLSEXT_curve_P_384)
423                                 return 0;
424                         }
425                 else    /* Should never happen */
426                         return 0;
427                 }
428         tls1_get_curvelist(s, 0, &curves, &curveslen);
429         for (i = 0; i < curveslen; i += 2, curves += 2)
430                 {
431                 if (p[1] == curves[0] && p[2] == curves[1])
432                         return 1;
433                 }
434         return 0;
435         }
436
437 /* Return nth shared curve. If nmatch == -1 return number of
438  * matches. For nmatch == -2 return the NID of the curve to use for
439  * an EC tmp key.
440  */
441
442 int tls1_shared_curve(SSL *s, int nmatch)
443         {
444         const unsigned char *pref, *supp;
445         size_t preflen, supplen, i, j;
446         int k;
447         /* Can't do anything on client side */
448         if (s->server == 0)
449                 return -1;
450         if (nmatch == -2)
451                 {
452                 if (tls1_suiteb(s))
453                         {
454                         /* For Suite B ciphersuite determines curve: we 
455                          * already know these are acceptable due to previous
456                          * checks.
457                          */
458                         unsigned long cid = s->s3->tmp.new_cipher->id;
459                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
460                                 return NID_X9_62_prime256v1; /* P-256 */
461                         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
462                                 return NID_secp384r1; /* P-384 */
463                         /* Should never happen */
464                         return NID_undef;
465                         }
466                 /* If not Suite B just return first preference shared curve */
467                 nmatch = 0;
468                 }
469         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
470                                 &supp, &supplen);
471         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
472                                 &pref, &preflen);
473         preflen /= 2;
474         supplen /= 2;
475         k = 0;
476         for (i = 0; i < preflen; i++, pref+=2)
477                 {
478                 const unsigned char *tsupp = supp;
479                 for (j = 0; j < supplen; j++, tsupp+=2)
480                         {
481                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
482                                 {
483                                 if (nmatch == k)
484                                         {
485                                         int id = (pref[0] << 8) | pref[1];
486                                         return tls1_ec_curve_id2nid(id);
487                                         }
488                                 k++;
489                                 }
490                         }
491                 }
492         if (nmatch == -1)
493                 return k;
494         return 0;
495         }
496
497 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
498                         int *curves, size_t ncurves)
499         {
500         unsigned char *clist, *p;
501         size_t i;
502         /* Bitmap of curves included to detect duplicates: only works
503          * while curve ids < 32 
504          */
505         unsigned long dup_list = 0;
506         clist = OPENSSL_malloc(ncurves * 2);
507         if (!clist)
508                 return 0;
509         for (i = 0, p = clist; i < ncurves; i++)
510                 {
511                 unsigned long idmask;
512                 int id;
513                 id = tls1_ec_nid2curve_id(curves[i]);
514                 idmask = 1L << id;
515                 if (!id || (dup_list & idmask))
516                         {
517                         OPENSSL_free(clist);
518                         return 0;
519                         }
520                 dup_list |= idmask;
521                 s2n(id, p);
522                 }
523         if (*pext)
524                 OPENSSL_free(*pext);
525         *pext = clist;
526         *pextlen = ncurves * 2;
527         return 1;
528         }
529
530 #define MAX_CURVELIST   25
531
532 typedef struct
533         {
534         size_t nidcnt;
535         int nid_arr[MAX_CURVELIST];
536         } nid_cb_st;
537
538 static int nid_cb(const char *elem, int len, void *arg)
539         {
540         nid_cb_st *narg = arg;
541         size_t i;
542         int nid;
543         char etmp[20];
544         if (narg->nidcnt == MAX_CURVELIST)
545                 return 0;
546         if (len > (int)(sizeof(etmp) - 1))
547                 return 0;
548         memcpy(etmp, elem, len);
549         etmp[len] = 0;
550         nid = EC_curve_nist2nid(etmp);
551         if (nid == NID_undef)
552                 nid = OBJ_sn2nid(etmp);
553         if (nid == NID_undef)
554                 nid = OBJ_ln2nid(etmp);
555         if (nid == NID_undef)
556                 return 0;
557         for (i = 0; i < narg->nidcnt; i++)
558                 if (narg->nid_arr[i] == nid)
559                         return 0;
560         narg->nid_arr[narg->nidcnt++] = nid;
561         return 1;
562         }
563 /* Set curves based on a colon separate list */
564 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
565                                 const char *str)
566         {
567         nid_cb_st ncb;
568         ncb.nidcnt = 0;
569         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
570                 return 0;
571         if (pext == NULL)
572                 return 1;
573         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
574         }
575 /* For an EC key set TLS id and required compression based on parameters */
576 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
577                                 EC_KEY *ec)
578         {
579         int is_prime, id;
580         const EC_GROUP *grp;
581         const EC_POINT *pt;
582         const EC_METHOD *meth;
583         if (!ec)
584                 return 0;
585         /* Determine if it is a prime field */
586         grp = EC_KEY_get0_group(ec);
587         pt = EC_KEY_get0_public_key(ec);
588         if (!grp || !pt)
589                 return 0;
590         meth = EC_GROUP_method_of(grp);
591         if (!meth)
592                 return 0;
593         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
594                 is_prime = 1;
595         else
596                 is_prime = 0;
597         /* Determine curve ID */
598         id = EC_GROUP_get_curve_name(grp);
599         id = tls1_ec_nid2curve_id(id);
600         /* If we have an ID set it, otherwise set arbitrary explicit curve */
601         if (id)
602                 {
603                 curve_id[0] = 0;
604                 curve_id[1] = (unsigned char)id;
605                 }
606         else
607                 {
608                 curve_id[0] = 0xff;
609                 if (is_prime)
610                         curve_id[1] = 0x01;
611                 else
612                         curve_id[1] = 0x02;
613                 }
614         if (comp_id)
615                 {
616                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
617                         {
618                         if (is_prime)
619                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
620                         else
621                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
622                         }
623                 else
624                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
625                 }
626         return 1;
627         }
628 /* Check an EC key is compatible with extensions */
629 static int tls1_check_ec_key(SSL *s,
630                         unsigned char *curve_id, unsigned char *comp_id)
631         {
632         const unsigned char *p;
633         size_t plen, i;
634         int j;
635         /* If point formats extension present check it, otherwise everything
636          * is supported (see RFC4492).
637          */
638         if (comp_id && s->session->tlsext_ecpointformatlist)
639                 {
640                 p = s->session->tlsext_ecpointformatlist;
641                 plen = s->session->tlsext_ecpointformatlist_length;
642                 for (i = 0; i < plen; i++, p++)
643                         {
644                         if (*comp_id == *p)
645                                 break;
646                         }
647                 if (i == plen)
648                         return 0;
649                 }
650         if (!curve_id)
651                 return 1;
652         /* Check curve is consistent with client and server preferences */
653         for (j = 0; j <= 1; j++)
654                 {
655                 tls1_get_curvelist(s, j, &p, &plen);
656                 for (i = 0; i < plen; i+=2, p+=2)
657                         {
658                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
659                                 break;
660                         }
661                 if (i == plen)
662                         return 0;
663                 /* For clients can only check sent curve list */
664                 if (!s->server)
665                         return 1;
666                 }
667         return 1;
668         }
669
670 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
671                                         size_t *pformatslen)
672         {
673         /* If we have a custom point format list use it otherwise
674          * use default */
675         if (s->tlsext_ecpointformatlist)
676                 {
677                 *pformats = s->tlsext_ecpointformatlist;
678                 *pformatslen = s->tlsext_ecpointformatlist_length;
679                 }
680         else
681                 {
682                 *pformats = ecformats_default;
683                 /* For Suite B we don't support char2 fields */
684                 if (tls1_suiteb(s))
685                         *pformatslen = sizeof(ecformats_default) - 1;
686                 else
687                         *pformatslen = sizeof(ecformats_default);
688                 }
689         }
690
691 /* Check cert parameters compatible with extensions: currently just checks
692  * EC certificates have compatible curves and compression.
693  */
694 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
695         {
696         unsigned char comp_id, curve_id[2];
697         EVP_PKEY *pkey;
698         int rv;
699         pkey = X509_get_pubkey(x);
700         if (!pkey)
701                 return 0;
702         /* If not EC nothing to do */
703         if (pkey->type != EVP_PKEY_EC)
704                 {
705                 EVP_PKEY_free(pkey);
706                 return 1;
707                 }
708         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
709         EVP_PKEY_free(pkey);
710         if (!rv)
711                 return 0;
712         /* Can't check curve_id for client certs as we don't have a
713          * supported curves extension.
714          */
715         rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
716         if (!rv)
717                 return 0;
718         /* Special case for suite B. We *MUST* sign using SHA256+P-256 or
719          * SHA384+P-384, adjust digest if necessary.
720          */
721         if (set_ee_md && tls1_suiteb(s))
722                 {
723                 int check_md;
724                 size_t i;
725                 CERT *c = s->cert;
726                 if (curve_id[0])
727                         return 0;
728                 /* Check to see we have necessary signing algorithm */
729                 if (curve_id[1] == TLSEXT_curve_P_256)
730                         check_md = NID_ecdsa_with_SHA256;
731                 else if (curve_id[1] == TLSEXT_curve_P_384)
732                         check_md = NID_ecdsa_with_SHA384;
733                 else
734                         return 0; /* Should never happen */
735                 for (i = 0; i < c->shared_sigalgslen; i++)
736                         if (check_md == c->shared_sigalgs[i].signandhash_nid)
737                                 break;
738                 if (i == c->shared_sigalgslen)
739                         return 0;
740                 if (set_ee_md == 2)
741                         {
742                         if (check_md == NID_ecdsa_with_SHA256)
743                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
744                         else
745                                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
746                         }
747                 }
748         return rv;
749         }
750 /* Check EC temporary key is compatible with client extensions */
751 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
752         {
753         unsigned char curve_id[2];
754         EC_KEY *ec = s->cert->ecdh_tmp;
755 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
756         /* Allow any curve: not just those peer supports */
757         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
758                 return 1;
759 #endif
760         /* If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384,
761          * no other curves permitted.
762          */
763         if (tls1_suiteb(s))
764                 {
765                 /* Curve to check determined by ciphersuite */
766                 if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
767                         curve_id[1] = TLSEXT_curve_P_256;
768                 else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
769                         curve_id[1] = TLSEXT_curve_P_384;
770                 else
771                         return 0;
772                 curve_id[0] = 0;
773                 /* Check this curve is acceptable */
774                 if (!tls1_check_ec_key(s, curve_id, NULL))
775                         return 0;
776                 /* If auto or setting curve from callback assume OK */
777                 if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
778                         return 1;
779                 /* Otherwise check curve is acceptable */
780                 else 
781                         {
782                         unsigned char curve_tmp[2];
783                         if (!ec)
784                                 return 0;
785                         if (!tls1_set_ec_id(curve_tmp, NULL, ec))
786                                 return 0;
787                         if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
788                                 return 1;
789                         return 0;
790                         }
791                         
792                 }
793         if (s->cert->ecdh_tmp_auto)
794                 {
795                 /* Need a shared curve */
796                 if (tls1_shared_curve(s, 0))
797                         return 1;
798                 else return 0;
799                 }
800         if (!ec)
801                 {
802                 if (s->cert->ecdh_tmp_cb)
803                         return 1;
804                 else
805                         return 0;
806                 }
807         if (!tls1_set_ec_id(curve_id, NULL, ec))
808                 return 0;
809 /* Set this to allow use of invalid curves for testing */
810 #if 0
811         return 1;
812 #else
813         return tls1_check_ec_key(s, curve_id, NULL);
814 #endif
815         }
816
817 #endif /* OPENSSL_NO_EC */
818
819 #ifndef OPENSSL_NO_TLSEXT
820
821 /* List of supported signature algorithms and hashes. Should make this
822  * customisable at some point, for now include everything we support.
823  */
824
825 #ifdef OPENSSL_NO_RSA
826 #define tlsext_sigalg_rsa(md) /* */
827 #else
828 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
829 #endif
830
831 #ifdef OPENSSL_NO_DSA
832 #define tlsext_sigalg_dsa(md) /* */
833 #else
834 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
835 #endif
836
837 #ifdef OPENSSL_NO_ECDSA
838 #define tlsext_sigalg_ecdsa(md) /* */
839 #else
840 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
841 #endif
842
843 #define tlsext_sigalg(md) \
844                 tlsext_sigalg_rsa(md) \
845                 tlsext_sigalg_dsa(md) \
846                 tlsext_sigalg_ecdsa(md)
847
848 static unsigned char tls12_sigalgs[] = {
849 #ifndef OPENSSL_NO_SHA512
850         tlsext_sigalg(TLSEXT_hash_sha512)
851         tlsext_sigalg(TLSEXT_hash_sha384)
852 #endif
853 #ifndef OPENSSL_NO_SHA256
854         tlsext_sigalg(TLSEXT_hash_sha256)
855         tlsext_sigalg(TLSEXT_hash_sha224)
856 #endif
857 #ifndef OPENSSL_NO_SHA
858         tlsext_sigalg(TLSEXT_hash_sha1)
859 #endif
860 #ifndef OPENSSL_NO_MD5
861         tlsext_sigalg_rsa(TLSEXT_hash_md5)
862 #endif
863 };
864
865 static unsigned char suiteb_sigalgs[] = {
866         tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
867         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
868 };
869
870 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
871         {
872         /* If Suite B mode use Suite B sigalgs only, ignore any other
873          * preferences.
874          */
875         switch (tls1_suiteb(s))
876                 {
877         case SSL_CERT_FLAG_SUITEB_128_LOS:
878                 *psigs = suiteb_sigalgs;
879                 return sizeof(suiteb_sigalgs);
880
881         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
882                 *psigs = suiteb_sigalgs;
883                 return 2;
884
885         case SSL_CERT_FLAG_SUITEB_192_LOS:
886                 *psigs = suiteb_sigalgs + 2;
887                 return 2;
888                 }
889
890         /* If server use client authentication sigalgs if not NULL */
891         if (s->server && s->cert->client_sigalgs)
892                 {
893                 *psigs = s->cert->client_sigalgs;
894                 return s->cert->client_sigalgslen;
895                 }
896         else if (s->cert->conf_sigalgs)
897                 {
898                 *psigs = s->cert->conf_sigalgs;
899                 return s->cert->conf_sigalgslen;
900                 }
901         else
902                 {
903                 *psigs = tls12_sigalgs;
904 #ifdef OPENSSL_FIPS
905                 /* If FIPS mode don't include MD5 which is last */
906                 if (FIPS_mode())
907                         return sizeof(tls12_sigalgs) - 2;
908                 else
909 #endif
910                         return sizeof(tls12_sigalgs);
911                 }
912         }
913 /* Check signature algorithm is consistent with sent supported signature
914  * algorithms and if so return relevant digest.
915  */
916 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
917                                 const unsigned char *sig, EVP_PKEY *pkey)
918         {
919         const unsigned char *sent_sigs;
920         size_t sent_sigslen, i;
921         int sigalg = tls12_get_sigid(pkey);
922         /* Should never happen */
923         if (sigalg == -1)
924                 return -1;
925         /* Check key type is consistent with signature */
926         if (sigalg != (int)sig[1])
927                 {
928                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
929                 return 0;
930                 }
931         if (pkey->type == EVP_PKEY_EC)
932                 {
933                 unsigned char curve_id[2], comp_id;
934                 /* Check compression and curve matches extensions */
935                 if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
936                         return 0;
937                 if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id))
938                         {
939                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_CURVE);
940                         return 0;
941                         }
942                 /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
943                 if (tls1_suiteb(s))
944                         {
945                         if (curve_id[0])
946                                 return 0;
947                         if (curve_id[1] == TLSEXT_curve_P_256)
948                                 {
949                                 if (sig[0] != TLSEXT_hash_sha256)
950                                         {
951                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
952                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
953                                         return 0;
954                                         }
955                                 }
956                         else if (curve_id[1] == TLSEXT_curve_P_384)
957                                 {
958                                 if (sig[0] != TLSEXT_hash_sha384)
959                                         {
960                                         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
961                                                 SSL_R_ILLEGAL_SUITEB_DIGEST);
962                                         return 0;
963                                         }
964                                 }
965                         else
966                                 return 0;
967                         }
968                 }
969         else if (tls1_suiteb(s))
970                 return 0;
971
972         /* Check signature matches a type we sent */
973         sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
974         for (i = 0; i < sent_sigslen; i+=2, sent_sigs+=2)
975                 {
976                 if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
977                         break;
978                 }
979         /* Allow fallback to SHA1 if not strict mode */
980         if (i == sent_sigslen && (sig[0] != TLSEXT_hash_sha1 || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT))
981                 {
982                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_WRONG_SIGNATURE_TYPE);
983                 return 0;
984                 }
985         *pmd = tls12_get_hash(sig[0]);
986         if (*pmd == NULL)
987                 {
988                 SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,SSL_R_UNKNOWN_DIGEST);
989                 return 0;
990                 }
991         /* Store the digest used so applications can retrieve it if they
992          * wish.
993          */
994         if (s->session && s->session->sess_cert)
995                 s->session->sess_cert->peer_key->digest = *pmd;
996         return 1;
997         }
998 /* Get a mask of disabled algorithms: an algorithm is disabled
999  * if it isn't supported or doesn't appear in supported signature
1000  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
1001  * session and not global settings.
1002  * 
1003  */
1004 void ssl_set_client_disabled(SSL *s)
1005         {
1006         CERT *c = s->cert;
1007         const unsigned char *sigalgs;
1008         size_t i, sigalgslen;
1009         int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1010         c->mask_a = 0;
1011         c->mask_k = 0;
1012         /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1013         if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1014                 c->mask_ssl = SSL_TLSV1_2;
1015         else
1016                 c->mask_ssl = 0;
1017         /* Now go through all signature algorithms seeing if we support
1018          * any for RSA, DSA, ECDSA. Do this for all versions not just
1019          * TLS 1.2.
1020          */
1021         sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1022         for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
1023                 {
1024                 switch(sigalgs[1])
1025                         {
1026 #ifndef OPENSSL_NO_RSA
1027                 case TLSEXT_signature_rsa:
1028                         have_rsa = 1;
1029                         break;
1030 #endif
1031 #ifndef OPENSSL_NO_DSA
1032                 case TLSEXT_signature_dsa:
1033                         have_dsa = 1;
1034                         break;
1035 #endif
1036 #ifndef OPENSSL_NO_ECDSA
1037                 case TLSEXT_signature_ecdsa:
1038                         have_ecdsa = 1;
1039                         break;
1040 #endif
1041                         }
1042                 }
1043         /* Disable auth and static DH if we don't include any appropriate
1044          * signature algorithms.
1045          */
1046         if (!have_rsa)
1047                 {
1048                 c->mask_a |= SSL_aRSA;
1049                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
1050                 }
1051         if (!have_dsa)
1052                 {
1053                 c->mask_a |= SSL_aDSS;
1054                 c->mask_k |= SSL_kDHd;
1055                 }
1056         if (!have_ecdsa)
1057                 {
1058                 c->mask_a |= SSL_aECDSA;
1059                 c->mask_k |= SSL_kECDHe;
1060                 }
1061 #ifndef OPENSSL_NO_KRB5
1062         if (!kssl_tgt_is_available(s->kssl_ctx))
1063                 {
1064                 c->mask_a |= SSL_aKRB5;
1065                 c->mask_k |= SSL_kKRB5;
1066                 }
1067 #endif
1068 #ifndef OPENSSL_NO_PSK
1069         /* with PSK there must be client callback set */
1070         if (!s->psk_client_callback)
1071                 {
1072                 c->mask_a |= SSL_aPSK;
1073                 c->mask_k |= SSL_kPSK;
1074                 }
1075 #endif /* OPENSSL_NO_PSK */
1076         c->valid = 1;
1077         }
1078
1079 /* byte_compare is a compare function for qsort(3) that compares bytes. */
1080 static int byte_compare(const void *in_a, const void *in_b)
1081         {
1082         unsigned char a = *((const unsigned char*) in_a);
1083         unsigned char b = *((const unsigned char*) in_b);
1084
1085         if (a > b)
1086                 return 1;
1087         else if (a < b)
1088                 return -1;
1089         return 0;
1090 }
1091
1092 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1093         {
1094         int extdatalen=0;
1095         unsigned char *ret = p;
1096 #ifndef OPENSSL_NO_EC
1097         /* See if we support any ECC ciphersuites */
1098         int using_ecc = 0;
1099         if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s))
1100                 {
1101                 int i;
1102                 unsigned long alg_k, alg_a;
1103                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1104
1105                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1106                         {
1107                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1108
1109                         alg_k = c->algorithm_mkey;
1110                         alg_a = c->algorithm_auth;
1111                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
1112                                 || (alg_a & SSL_aECDSA)))
1113                                 {
1114                                 using_ecc = 1;
1115                                 break;
1116                                 }
1117                         }
1118                 }
1119 #endif
1120
1121         /* don't add extensions for SSLv3 unless doing secure renegotiation */
1122         if (s->client_version == SSL3_VERSION
1123                                         && !s->s3->send_connection_binding)
1124                 return p;
1125
1126         ret+=2;
1127
1128         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1129
1130         if (s->tlsext_hostname != NULL)
1131                 { 
1132                 /* Add TLS extension servername to the Client Hello message */
1133                 unsigned long size_str;
1134                 long lenmax; 
1135
1136                 /* check for enough space.
1137                    4 for the servername type and entension length
1138                    2 for servernamelist length
1139                    1 for the hostname type
1140                    2 for hostname length
1141                    + hostname length 
1142                 */
1143                    
1144                 if ((lenmax = limit - ret - 9) < 0 
1145                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
1146                         return NULL;
1147                         
1148                 /* extension type and length */
1149                 s2n(TLSEXT_TYPE_server_name,ret); 
1150                 s2n(size_str+5,ret);
1151                 
1152                 /* length of servername list */
1153                 s2n(size_str+3,ret);
1154         
1155                 /* hostname type, length and hostname */
1156                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
1157                 s2n(size_str,ret);
1158                 memcpy(ret, s->tlsext_hostname, size_str);
1159                 ret+=size_str;
1160                 }
1161
1162         /* Add RI if renegotiating */
1163         if (s->renegotiate)
1164           {
1165           int el;
1166           
1167           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
1168               {
1169               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1170               return NULL;
1171               }
1172
1173           if((limit - p - 4 - el) < 0) return NULL;
1174           
1175           s2n(TLSEXT_TYPE_renegotiate,ret);
1176           s2n(el,ret);
1177
1178           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
1179               {
1180               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1181               return NULL;
1182               }
1183
1184           ret += el;
1185         }
1186
1187 #ifndef OPENSSL_NO_SRP
1188         /* Add SRP username if there is one */
1189         if (s->srp_ctx.login != NULL)
1190                 { /* Add TLS extension SRP username to the Client Hello message */
1191
1192                 int login_len = strlen(s->srp_ctx.login);       
1193                 if (login_len > 255 || login_len == 0)
1194                         {
1195                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1196                         return NULL;
1197                         } 
1198
1199                 /* check for enough space.
1200                    4 for the srp type type and entension length
1201                    1 for the srp user identity
1202                    + srp user identity length 
1203                 */
1204                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
1205
1206                 /* fill in the extension */
1207                 s2n(TLSEXT_TYPE_srp,ret);
1208                 s2n(login_len+1,ret);
1209                 (*ret++) = (unsigned char) login_len;
1210                 memcpy(ret, s->srp_ctx.login, login_len);
1211                 ret+=login_len;
1212                 }
1213 #endif
1214
1215 #ifndef OPENSSL_NO_EC
1216         if (using_ecc)
1217                 {
1218                 /* Add TLS extension ECPointFormats to the ClientHello message */
1219                 long lenmax; 
1220                 const unsigned char *plist;
1221                 size_t plistlen;
1222
1223                 tls1_get_formatlist(s, &plist, &plistlen);
1224
1225                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1226                 if (plistlen > (size_t)lenmax) return NULL;
1227                 if (plistlen > 255)
1228                         {
1229                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1230                         return NULL;
1231                         }
1232                 
1233                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1234                 s2n(plistlen + 1,ret);
1235                 *(ret++) = (unsigned char)plistlen ;
1236                 memcpy(ret, plist, plistlen);
1237                 ret+=plistlen;
1238
1239                 /* Add TLS extension EllipticCurves to the ClientHello message */
1240                 plist = s->tlsext_ellipticcurvelist;
1241                 tls1_get_curvelist(s, 0, &plist, &plistlen);
1242
1243                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
1244                 if (plistlen > (size_t)lenmax) return NULL;
1245                 if (plistlen > 65532)
1246                         {
1247                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1248                         return NULL;
1249                         }
1250                 
1251                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
1252                 s2n(plistlen + 2, ret);
1253
1254                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
1255                  * elliptic_curve_list, but the examples use two bytes.
1256                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
1257                  * resolves this to two bytes.
1258                  */
1259                 s2n(plistlen, ret);
1260                 memcpy(ret, plist, plistlen);
1261                 ret+=plistlen;
1262                 }
1263 #endif /* OPENSSL_NO_EC */
1264
1265         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
1266                 {
1267                 int ticklen;
1268                 if (!s->new_session && s->session && s->session->tlsext_tick)
1269                         ticklen = s->session->tlsext_ticklen;
1270                 else if (s->session && s->tlsext_session_ticket &&
1271                          s->tlsext_session_ticket->data)
1272                         {
1273                         ticklen = s->tlsext_session_ticket->length;
1274                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1275                         if (!s->session->tlsext_tick)
1276                                 return NULL;
1277                         memcpy(s->session->tlsext_tick,
1278                                s->tlsext_session_ticket->data,
1279                                ticklen);
1280                         s->session->tlsext_ticklen = ticklen;
1281                         }
1282                 else
1283                         ticklen = 0;
1284                 if (ticklen == 0 && s->tlsext_session_ticket &&
1285                     s->tlsext_session_ticket->data == NULL)
1286                         goto skip_ext;
1287                 /* Check for enough room 2 for extension type, 2 for len
1288                  * rest for ticket
1289                  */
1290                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
1291                 s2n(TLSEXT_TYPE_session_ticket,ret); 
1292                 s2n(ticklen,ret);
1293                 if (ticklen)
1294                         {
1295                         memcpy(ret, s->session->tlsext_tick, ticklen);
1296                         ret += ticklen;
1297                         }
1298                 }
1299                 skip_ext:
1300
1301         if (SSL_USE_SIGALGS(s))
1302                 {
1303                 size_t salglen;
1304                 const unsigned char *salg;
1305                 salglen = tls12_get_psigalgs(s, &salg);
1306                 if ((size_t)(limit - ret) < salglen + 6)
1307                         return NULL; 
1308                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1309                 s2n(salglen + 2, ret);
1310                 s2n(salglen, ret);
1311                 memcpy(ret, salg, salglen);
1312                 ret += salglen;
1313                 }
1314
1315 #ifdef TLSEXT_TYPE_opaque_prf_input
1316         if (s->s3->client_opaque_prf_input != NULL)
1317                 {
1318                 size_t col = s->s3->client_opaque_prf_input_len;
1319                 
1320                 if ((long)(limit - ret - 6 - col < 0))
1321                         return NULL;
1322                 if (col > 0xFFFD) /* can't happen */
1323                         return NULL;
1324
1325                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1326                 s2n(col + 2, ret);
1327                 s2n(col, ret);
1328                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1329                 ret += col;
1330                 }
1331 #endif
1332
1333         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1334                 {
1335                 int i;
1336                 long extlen, idlen, itmp;
1337                 OCSP_RESPID *id;
1338
1339                 idlen = 0;
1340                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1341                         {
1342                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1343                         itmp = i2d_OCSP_RESPID(id, NULL);
1344                         if (itmp <= 0)
1345                                 return NULL;
1346                         idlen += itmp + 2;
1347                         }
1348
1349                 if (s->tlsext_ocsp_exts)
1350                         {
1351                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1352                         if (extlen < 0)
1353                                 return NULL;
1354                         }
1355                 else
1356                         extlen = 0;
1357                         
1358                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1359                 s2n(TLSEXT_TYPE_status_request, ret);
1360                 if (extlen + idlen > 0xFFF0)
1361                         return NULL;
1362                 s2n(extlen + idlen + 5, ret);
1363                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1364                 s2n(idlen, ret);
1365                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1366                         {
1367                         /* save position of id len */
1368                         unsigned char *q = ret;
1369                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1370                         /* skip over id len */
1371                         ret += 2;
1372                         itmp = i2d_OCSP_RESPID(id, &ret);
1373                         /* write id len */
1374                         s2n(itmp, q);
1375                         }
1376                 s2n(extlen, ret);
1377                 if (extlen > 0)
1378                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1379                 }
1380
1381 #ifndef OPENSSL_NO_HEARTBEATS
1382         /* Add Heartbeat extension */
1383         s2n(TLSEXT_TYPE_heartbeat,ret);
1384         s2n(1,ret);
1385         /* Set mode:
1386          * 1: peer may send requests
1387          * 2: peer not allowed to send requests
1388          */
1389         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1390                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1391         else
1392                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1393 #endif
1394
1395 #ifndef OPENSSL_NO_NEXTPROTONEG
1396         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1397                 {
1398                 /* The client advertises an emtpy extension to indicate its
1399                  * support for Next Protocol Negotiation */
1400                 if (limit - ret - 4 < 0)
1401                         return NULL;
1402                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1403                 s2n(0,ret);
1404                 }
1405 #endif
1406
1407         if(SSL_get_srtp_profiles(s))
1408                 {
1409                 int el;
1410
1411                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1412                 
1413                 if((limit - p - 4 - el) < 0) return NULL;
1414
1415                 s2n(TLSEXT_TYPE_use_srtp,ret);
1416                 s2n(el,ret);
1417
1418                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1419                         {
1420                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1421                         return NULL;
1422                         }
1423                 ret += el;
1424                 }
1425
1426         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1427         /* 2 bytes for extension type */
1428         /* 2 bytes for extension length */
1429         /* 1 byte for the list length */
1430         /* 1 byte for the list (we only support audit proofs) */
1431         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1432                 {
1433                 const unsigned short ext_len = 2;
1434                 const unsigned char list_len = 1;
1435
1436                 if (limit < ret + 6)
1437                         return NULL;
1438
1439                 s2n(TLSEXT_TYPE_server_authz, ret);
1440                 /* Extension length: 2 bytes */
1441                 s2n(ext_len, ret);
1442                 *(ret++) = list_len;
1443                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1444                 }
1445
1446         /* Add custom TLS Extensions to ClientHello */
1447         if (s->ctx->custom_cli_ext_records_count)
1448                 {
1449                 size_t i;
1450                 custom_cli_ext_record* record;
1451
1452                 for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
1453                         {
1454                         const unsigned char* out = NULL;
1455                         unsigned short outlen = 0;
1456
1457                         record = &s->ctx->custom_cli_ext_records[i];
1458                         /* NULL callback sends empty extension */ 
1459                         /* -1 from callback omits extension */
1460                         if (record->fn1)
1461                                 {
1462                                 int cb_retval = 0;
1463                                 cb_retval = record->fn1(s, record->ext_type,
1464                                                         &out, &outlen,
1465                                                         record->arg);
1466                                 if (cb_retval == 0)
1467                                         return NULL; /* error */
1468                                 if (cb_retval == -1)
1469                                         continue; /* skip this extension */
1470                                 }
1471                         if (limit < ret + 4 + outlen)
1472                                 return NULL;
1473                         s2n(record->ext_type, ret);
1474                         s2n(outlen, ret);
1475                         memcpy(ret, out, outlen);
1476                         ret += outlen;
1477                         }
1478                 }
1479
1480         if ((extdatalen = ret-p-2) == 0)
1481                 return p;
1482
1483         s2n(extdatalen,p);
1484         return ret;
1485         }
1486
1487 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1488         {
1489         int extdatalen=0;
1490         unsigned char *ret = p;
1491 #ifndef OPENSSL_NO_NEXTPROTONEG
1492         int next_proto_neg_seen;
1493 #endif
1494         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1495         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1496         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1497         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1498
1499         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1500         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1501                 return p;
1502         
1503         ret+=2;
1504         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1505
1506         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1507                 { 
1508                 if ((long)(limit - ret - 4) < 0) return NULL; 
1509
1510                 s2n(TLSEXT_TYPE_server_name,ret);
1511                 s2n(0,ret);
1512                 }
1513
1514         if(s->s3->send_connection_binding)
1515         {
1516           int el;
1517           
1518           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1519               {
1520               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1521               return NULL;
1522               }
1523
1524           if((limit - p - 4 - el) < 0) return NULL;
1525           
1526           s2n(TLSEXT_TYPE_renegotiate,ret);
1527           s2n(el,ret);
1528
1529           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1530               {
1531               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1532               return NULL;
1533               }
1534
1535           ret += el;
1536         }
1537
1538 #ifndef OPENSSL_NO_EC
1539         if (using_ecc)
1540                 {
1541                 const unsigned char *plist;
1542                 size_t plistlen;
1543                 /* Add TLS extension ECPointFormats to the ServerHello message */
1544                 long lenmax; 
1545
1546                 tls1_get_formatlist(s, &plist, &plistlen);
1547
1548                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1549                 if (plistlen > (size_t)lenmax) return NULL;
1550                 if (plistlen > 255)
1551                         {
1552                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1553                         return NULL;
1554                         }
1555                 
1556                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1557                 s2n(plistlen + 1,ret);
1558                 *(ret++) = (unsigned char) plistlen;
1559                 memcpy(ret, plist, plistlen);
1560                 ret+=plistlen;
1561
1562                 }
1563         /* Currently the server should not respond with a SupportedCurves extension */
1564 #endif /* OPENSSL_NO_EC */
1565
1566         if (s->tlsext_ticket_expected
1567                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1568                 { 
1569                 if ((long)(limit - ret - 4) < 0) return NULL; 
1570                 s2n(TLSEXT_TYPE_session_ticket,ret);
1571                 s2n(0,ret);
1572                 }
1573
1574         if (s->tlsext_status_expected)
1575                 { 
1576                 if ((long)(limit - ret - 4) < 0) return NULL; 
1577                 s2n(TLSEXT_TYPE_status_request,ret);
1578                 s2n(0,ret);
1579                 }
1580
1581 #ifdef TLSEXT_TYPE_opaque_prf_input
1582         if (s->s3->server_opaque_prf_input != NULL)
1583                 {
1584                 size_t sol = s->s3->server_opaque_prf_input_len;
1585                 
1586                 if ((long)(limit - ret - 6 - sol) < 0)
1587                         return NULL;
1588                 if (sol > 0xFFFD) /* can't happen */
1589                         return NULL;
1590
1591                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1592                 s2n(sol + 2, ret);
1593                 s2n(sol, ret);
1594                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1595                 ret += sol;
1596                 }
1597 #endif
1598
1599         if(s->srtp_profile)
1600                 {
1601                 int el;
1602
1603                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1604                 
1605                 if((limit - p - 4 - el) < 0) return NULL;
1606
1607                 s2n(TLSEXT_TYPE_use_srtp,ret);
1608                 s2n(el,ret);
1609
1610                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1611                         {
1612                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1613                         return NULL;
1614                         }
1615                 ret+=el;
1616                 }
1617
1618         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1619                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1620                 { const unsigned char cryptopro_ext[36] = {
1621                         0xfd, 0xe8, /*65000*/
1622                         0x00, 0x20, /*32 bytes length*/
1623                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1624                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1625                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1626                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1627                         if (limit-ret<36) return NULL;
1628                         memcpy(ret,cryptopro_ext,36);
1629                         ret+=36;
1630
1631                 }
1632
1633 #ifndef OPENSSL_NO_HEARTBEATS
1634         /* Add Heartbeat extension if we've received one */
1635         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1636                 {
1637                 s2n(TLSEXT_TYPE_heartbeat,ret);
1638                 s2n(1,ret);
1639                 /* Set mode:
1640                  * 1: peer may send requests
1641                  * 2: peer not allowed to send requests
1642                  */
1643                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1644                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1645                 else
1646                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1647
1648                 }
1649 #endif
1650
1651 #ifndef OPENSSL_NO_NEXTPROTONEG
1652         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1653         s->s3->next_proto_neg_seen = 0;
1654         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1655                 {
1656                 const unsigned char *npa;
1657                 unsigned int npalen;
1658                 int r;
1659
1660                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1661                 if (r == SSL_TLSEXT_ERR_OK)
1662                         {
1663                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1664                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1665                         s2n(npalen,ret);
1666                         memcpy(ret, npa, npalen);
1667                         ret += npalen;
1668                         s->s3->next_proto_neg_seen = 1;
1669                         }
1670                 }
1671 #endif
1672
1673         /* If the client supports authz then see whether we have any to offer
1674          * to it. */
1675         if (s->s3->tlsext_authz_client_types_len)
1676                 {
1677                 size_t authz_length;
1678                 /* By now we already know the new cipher, so we can look ahead
1679                  * to see whether the cert we are going to send
1680                  * has any authz data attached to it. */
1681                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1682                 const unsigned char* const orig_authz = authz;
1683                 size_t i;
1684                 unsigned authz_count = 0;
1685
1686                 /* The authz data contains a number of the following structures:
1687                  *      uint8_t authz_type
1688                  *      uint16_t length
1689                  *      uint8_t data[length]
1690                  *
1691                  * First we walk over it to find the number of authz elements. */
1692                 for (i = 0; i < authz_length; i++)
1693                         {
1694                         unsigned short length;
1695                         unsigned char type;
1696
1697                         type = *(authz++);
1698                         if (memchr(s->s3->tlsext_authz_client_types,
1699                                    type,
1700                                    s->s3->tlsext_authz_client_types_len) != NULL)
1701                                 authz_count++;
1702
1703                         n2s(authz, length);
1704                         /* n2s increments authz by 2 */
1705                         i += 2;
1706                         authz += length;
1707                         i += length;
1708                         }
1709
1710                 if (authz_count)
1711                         {
1712                         /* Add TLS extension server_authz to the ServerHello message
1713                          * 2 bytes for extension type
1714                          * 2 bytes for extension length
1715                          * 1 byte for the list length
1716                          * n bytes for the list */
1717                         const unsigned short ext_len = 1 + authz_count;
1718
1719                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1720                         s2n(TLSEXT_TYPE_server_authz, ret);
1721                         s2n(ext_len, ret);
1722                         *(ret++) = authz_count;
1723                         s->s3->tlsext_authz_promised_to_client = 1;
1724                         }
1725
1726                 authz = orig_authz;
1727                 for (i = 0; i < authz_length; i++)
1728                         {
1729                         unsigned short length;
1730                         unsigned char type;
1731
1732                         authz_count++;
1733                         type = *(authz++);
1734                         if (memchr(s->s3->tlsext_authz_client_types,
1735                                    type,
1736                                    s->s3->tlsext_authz_client_types_len) != NULL)
1737                                 *(ret++) = type;
1738                         n2s(authz, length);
1739                         /* n2s increments authz by 2 */
1740                         i += 2;
1741                         authz += length;
1742                         i += length;
1743                         }
1744                 }
1745
1746         /* If custom types were sent in ClientHello, add ServerHello responses */
1747         if (s->s3->tlsext_custom_types_count)
1748                 {
1749                 size_t i;
1750
1751                 for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
1752                         {
1753                         size_t j;
1754                         custom_srv_ext_record *record;
1755
1756                         for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
1757                                 {
1758                                 record = &s->ctx->custom_srv_ext_records[j];
1759                                 if (s->s3->tlsext_custom_types[i] == record->ext_type)
1760                                         {
1761                                         const unsigned char *out = NULL;
1762                                         unsigned short outlen = 0;
1763                                         int cb_retval = 0;
1764
1765                                         /* NULL callback or -1 omits extension */
1766                                         if (!record->fn2)
1767                                                 break;
1768                                         cb_retval = record->fn2(s, record->ext_type,
1769                                                                 &out, &outlen,
1770                                                                 record->arg);
1771                                         if (cb_retval == 0)
1772                                                 return NULL; /* error */
1773                                         if (cb_retval == -1)
1774                                                 break; /* skip this extension */
1775                                         if (limit < ret + 4 + outlen)
1776                                                 return NULL;
1777                                         s2n(record->ext_type, ret);
1778                                         s2n(outlen, ret);
1779                                         memcpy(ret, out, outlen);
1780                                         ret += outlen;
1781                                         break;
1782                                         }
1783                                 }
1784                         }
1785                 }
1786
1787         if ((extdatalen = ret-p-2)== 0) 
1788                 return p;
1789
1790         s2n(extdatalen,p);
1791         return ret;
1792         }
1793
1794 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1795         {       
1796         unsigned short type;
1797         unsigned short size;
1798         unsigned short len;
1799         unsigned char *data = *p;
1800         int renegotiate_seen = 0;
1801         size_t i;
1802
1803         s->servername_done = 0;
1804         s->tlsext_status_type = -1;
1805 #ifndef OPENSSL_NO_NEXTPROTONEG
1806         s->s3->next_proto_neg_seen = 0;
1807 #endif
1808
1809 #ifndef OPENSSL_NO_HEARTBEATS
1810         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1811                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1812 #endif
1813         /* Clear any signature algorithms extension received */
1814         if (s->cert->peer_sigalgs)
1815                 {
1816                 OPENSSL_free(s->cert->peer_sigalgs);
1817                 s->cert->peer_sigalgs = NULL;
1818                 }
1819         /* Clear any shared sigtnature algorithms */
1820         if (s->cert->shared_sigalgs)
1821                 {
1822                 OPENSSL_free(s->cert->shared_sigalgs);
1823                 s->cert->shared_sigalgs = NULL;
1824                 }
1825         /* Clear certificate digests and validity flags */
1826         for (i = 0; i < SSL_PKEY_NUM; i++)
1827                 {
1828                 s->cert->pkeys[i].digest = NULL;
1829                 s->cert->pkeys[i].valid_flags = 0;
1830                 }
1831
1832         if (data >= (d+n-2))
1833                 goto ri_check;
1834         n2s(data,len);
1835
1836         if (data > (d+n-len)) 
1837                 goto ri_check;
1838
1839         while (data <= (d+n-4))
1840                 {
1841                 n2s(data,type);
1842                 n2s(data,size);
1843
1844                 if (data+size > (d+n))
1845                         goto ri_check;
1846 #if 0
1847                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1848 #endif
1849                 if (s->tlsext_debug_cb)
1850                         s->tlsext_debug_cb(s, 0, type, data, size,
1851                                                 s->tlsext_debug_arg);
1852 /* The servername extension is treated as follows:
1853
1854    - Only the hostname type is supported with a maximum length of 255.
1855    - The servername is rejected if too long or if it contains zeros,
1856      in which case an fatal alert is generated.
1857    - The servername field is maintained together with the session cache.
1858    - When a session is resumed, the servername call back invoked in order
1859      to allow the application to position itself to the right context. 
1860    - The servername is acknowledged if it is new for a session or when 
1861      it is identical to a previously used for the same session. 
1862      Applications can control the behaviour.  They can at any time
1863      set a 'desirable' servername for a new SSL object. This can be the
1864      case for example with HTTPS when a Host: header field is received and
1865      a renegotiation is requested. In this case, a possible servername
1866      presented in the new client hello is only acknowledged if it matches
1867      the value of the Host: field. 
1868    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1869      if they provide for changing an explicit servername context for the session,
1870      i.e. when the session has been established with a servername extension. 
1871    - On session reconnect, the servername extension may be absent. 
1872
1873 */      
1874
1875                 if (type == TLSEXT_TYPE_server_name)
1876                         {
1877                         unsigned char *sdata;
1878                         int servname_type;
1879                         int dsize; 
1880                 
1881                         if (size < 2) 
1882                                 {
1883                                 *al = SSL_AD_DECODE_ERROR;
1884                                 return 0;
1885                                 }
1886                         n2s(data,dsize);  
1887                         size -= 2;
1888                         if (dsize > size  ) 
1889                                 {
1890                                 *al = SSL_AD_DECODE_ERROR;
1891                                 return 0;
1892                                 } 
1893
1894                         sdata = data;
1895                         while (dsize > 3) 
1896                                 {
1897                                 servname_type = *(sdata++); 
1898                                 n2s(sdata,len);
1899                                 dsize -= 3;
1900
1901                                 if (len > dsize) 
1902                                         {
1903                                         *al = SSL_AD_DECODE_ERROR;
1904                                         return 0;
1905                                         }
1906                                 if (s->servername_done == 0)
1907                                 switch (servname_type)
1908                                         {
1909                                 case TLSEXT_NAMETYPE_host_name:
1910                                         if (!s->hit)
1911                                                 {
1912                                                 if(s->session->tlsext_hostname)
1913                                                         {
1914                                                         *al = SSL_AD_DECODE_ERROR;
1915                                                         return 0;
1916                                                         }
1917                                                 if (len > TLSEXT_MAXLEN_host_name)
1918                                                         {
1919                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1920                                                         return 0;
1921                                                         }
1922                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1923                                                         {
1924                                                         *al = TLS1_AD_INTERNAL_ERROR;
1925                                                         return 0;
1926                                                         }
1927                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1928                                                 s->session->tlsext_hostname[len]='\0';
1929                                                 if (strlen(s->session->tlsext_hostname) != len) {
1930                                                         OPENSSL_free(s->session->tlsext_hostname);
1931                                                         s->session->tlsext_hostname = NULL;
1932                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1933                                                         return 0;
1934                                                 }
1935                                                 s->servername_done = 1; 
1936
1937                                                 }
1938                                         else 
1939                                                 s->servername_done = s->session->tlsext_hostname
1940                                                         && strlen(s->session->tlsext_hostname) == len 
1941                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1942                                         
1943                                         break;
1944
1945                                 default:
1946                                         break;
1947                                         }
1948                                  
1949                                 dsize -= len;
1950                                 }
1951                         if (dsize != 0) 
1952                                 {
1953                                 *al = SSL_AD_DECODE_ERROR;
1954                                 return 0;
1955                                 }
1956
1957                         }
1958 #ifndef OPENSSL_NO_SRP
1959                 else if (type == TLSEXT_TYPE_srp)
1960                         {
1961                         if (size <= 0 || ((len = data[0])) != (size -1))
1962                                 {
1963                                 *al = SSL_AD_DECODE_ERROR;
1964                                 return 0;
1965                                 }
1966                         if (s->srp_ctx.login != NULL)
1967                                 {
1968                                 *al = SSL_AD_DECODE_ERROR;
1969                                 return 0;
1970                                 }
1971                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1972                                 return -1;
1973                         memcpy(s->srp_ctx.login, &data[1], len);
1974                         s->srp_ctx.login[len]='\0';
1975   
1976                         if (strlen(s->srp_ctx.login) != len) 
1977                                 {
1978                                 *al = SSL_AD_DECODE_ERROR;
1979                                 return 0;
1980                                 }
1981                         }
1982 #endif
1983
1984 #ifndef OPENSSL_NO_EC
1985                 else if (type == TLSEXT_TYPE_ec_point_formats)
1986                         {
1987                         unsigned char *sdata = data;
1988                         int ecpointformatlist_length = *(sdata++);
1989
1990                         if (ecpointformatlist_length != size - 1 || 
1991                                 ecpointformatlist_length < 1)
1992                                 {
1993                                 *al = TLS1_AD_DECODE_ERROR;
1994                                 return 0;
1995                                 }
1996                         if (!s->hit)
1997                                 {
1998                                 if(s->session->tlsext_ecpointformatlist)
1999                                         {
2000                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
2001                                         s->session->tlsext_ecpointformatlist = NULL;
2002                                         }
2003                                 s->session->tlsext_ecpointformatlist_length = 0;
2004                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2005                                         {
2006                                         *al = TLS1_AD_INTERNAL_ERROR;
2007                                         return 0;
2008                                         }
2009                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2010                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2011                                 }
2012 #if 0
2013                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
2014                         sdata = s->session->tlsext_ecpointformatlist;
2015                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2016                                 fprintf(stderr,"%i ",*(sdata++));
2017                         fprintf(stderr,"\n");
2018 #endif
2019                         }
2020                 else if (type == TLSEXT_TYPE_elliptic_curves)
2021                         {
2022                         unsigned char *sdata = data;
2023                         int ellipticcurvelist_length = (*(sdata++) << 8);
2024                         ellipticcurvelist_length += (*(sdata++));
2025
2026                         if (ellipticcurvelist_length != size - 2 ||
2027                                 ellipticcurvelist_length < 1)
2028                                 {
2029                                 *al = TLS1_AD_DECODE_ERROR;
2030                                 return 0;
2031                                 }
2032                         if (!s->hit)
2033                                 {
2034                                 if(s->session->tlsext_ellipticcurvelist)
2035                                         {
2036                                         *al = TLS1_AD_DECODE_ERROR;
2037                                         return 0;
2038                                         }
2039                                 s->session->tlsext_ellipticcurvelist_length = 0;
2040                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
2041                                         {
2042                                         *al = TLS1_AD_INTERNAL_ERROR;
2043                                         return 0;
2044                                         }
2045                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
2046                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
2047                                 }
2048 #if 0
2049                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
2050                         sdata = s->session->tlsext_ellipticcurvelist;
2051                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2052                                 fprintf(stderr,"%i ",*(sdata++));
2053                         fprintf(stderr,"\n");
2054 #endif
2055                         }
2056 #endif /* OPENSSL_NO_EC */
2057 #ifdef TLSEXT_TYPE_opaque_prf_input
2058                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2059                         {
2060                         unsigned char *sdata = data;
2061
2062                         if (size < 2)
2063                                 {
2064                                 *al = SSL_AD_DECODE_ERROR;
2065                                 return 0;
2066                                 }
2067                         n2s(sdata, s->s3->client_opaque_prf_input_len);
2068                         if (s->s3->client_opaque_prf_input_len != size - 2)
2069                                 {
2070                                 *al = SSL_AD_DECODE_ERROR;
2071                                 return 0;
2072                                 }
2073
2074                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2075                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2076                         if (s->s3->client_opaque_prf_input_len == 0)
2077                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2078                         else
2079                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2080                         if (s->s3->client_opaque_prf_input == NULL)
2081                                 {
2082                                 *al = TLS1_AD_INTERNAL_ERROR;
2083                                 return 0;
2084                                 }
2085                         }
2086 #endif
2087                 else if (type == TLSEXT_TYPE_session_ticket)
2088                         {
2089                         if (s->tls_session_ticket_ext_cb &&
2090                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2091                                 {
2092                                 *al = TLS1_AD_INTERNAL_ERROR;
2093                                 return 0;
2094                                 }
2095                         }
2096                 else if (type == TLSEXT_TYPE_renegotiate)
2097                         {
2098                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2099                                 return 0;
2100                         renegotiate_seen = 1;
2101                         }
2102                 else if (type == TLSEXT_TYPE_signature_algorithms)
2103                         {
2104                         int dsize;
2105                         if (s->cert->peer_sigalgs || size < 2) 
2106                                 {
2107                                 *al = SSL_AD_DECODE_ERROR;
2108                                 return 0;
2109                                 }
2110                         n2s(data,dsize);
2111                         size -= 2;
2112                         if (dsize != size || dsize & 1 || !dsize) 
2113                                 {
2114                                 *al = SSL_AD_DECODE_ERROR;
2115                                 return 0;
2116                                 }
2117                         if (!tls1_process_sigalgs(s, data, dsize))
2118                                 {
2119                                 *al = SSL_AD_DECODE_ERROR;
2120                                 return 0;
2121                                 }
2122                         /* If sigalgs received and no shared algorithms fatal
2123                          * error.
2124                          */
2125                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
2126                                 {
2127                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2128                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
2129                                 *al = SSL_AD_ILLEGAL_PARAMETER;
2130                                 return 0;
2131                                 }
2132                         }
2133                 else if (type == TLSEXT_TYPE_status_request
2134                          && s->ctx->tlsext_status_cb)
2135                         {
2136                 
2137                         if (size < 5) 
2138                                 {
2139                                 *al = SSL_AD_DECODE_ERROR;
2140                                 return 0;
2141                                 }
2142
2143                         s->tlsext_status_type = *data++;
2144                         size--;
2145                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
2146                                 {
2147                                 const unsigned char *sdata;
2148                                 int dsize;
2149                                 /* Read in responder_id_list */
2150                                 n2s(data,dsize);
2151                                 size -= 2;
2152                                 if (dsize > size  ) 
2153                                         {
2154                                         *al = SSL_AD_DECODE_ERROR;
2155                                         return 0;
2156                                         }
2157                                 while (dsize > 0)
2158                                         {
2159                                         OCSP_RESPID *id;
2160                                         int idsize;
2161                                         if (dsize < 4)
2162                                                 {
2163                                                 *al = SSL_AD_DECODE_ERROR;
2164                                                 return 0;
2165                                                 }
2166                                         n2s(data, idsize);
2167                                         dsize -= 2 + idsize;
2168                                         size -= 2 + idsize;
2169                                         if (dsize < 0)
2170                                                 {
2171                                                 *al = SSL_AD_DECODE_ERROR;
2172                                                 return 0;
2173                                                 }
2174                                         sdata = data;
2175                                         data += idsize;
2176                                         id = d2i_OCSP_RESPID(NULL,
2177                                                                 &sdata, idsize);
2178                                         if (!id)
2179                                                 {
2180                                                 *al = SSL_AD_DECODE_ERROR;
2181                                                 return 0;
2182                                                 }
2183                                         if (data != sdata)
2184                                                 {
2185                                                 OCSP_RESPID_free(id);
2186                                                 *al = SSL_AD_DECODE_ERROR;
2187                                                 return 0;
2188                                                 }
2189                                         if (!s->tlsext_ocsp_ids
2190                                                 && !(s->tlsext_ocsp_ids =
2191                                                 sk_OCSP_RESPID_new_null()))
2192                                                 {
2193                                                 OCSP_RESPID_free(id);
2194                                                 *al = SSL_AD_INTERNAL_ERROR;
2195                                                 return 0;
2196                                                 }
2197                                         if (!sk_OCSP_RESPID_push(
2198                                                         s->tlsext_ocsp_ids, id))
2199                                                 {
2200                                                 OCSP_RESPID_free(id);
2201                                                 *al = SSL_AD_INTERNAL_ERROR;
2202                                                 return 0;
2203                                                 }
2204                                         }
2205
2206                                 /* Read in request_extensions */
2207                                 if (size < 2)
2208                                         {
2209                                         *al = SSL_AD_DECODE_ERROR;
2210                                         return 0;
2211                                         }
2212                                 n2s(data,dsize);
2213                                 size -= 2;
2214                                 if (dsize != size)
2215                                         {
2216                                         *al = SSL_AD_DECODE_ERROR;
2217                                         return 0;
2218                                         }
2219                                 sdata = data;
2220                                 if (dsize > 0)
2221                                         {
2222                                         if (s->tlsext_ocsp_exts)
2223                                                 {
2224                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2225                                                                            X509_EXTENSION_free);
2226                                                 }
2227
2228                                         s->tlsext_ocsp_exts =
2229                                                 d2i_X509_EXTENSIONS(NULL,
2230                                                         &sdata, dsize);
2231                                         if (!s->tlsext_ocsp_exts
2232                                                 || (data + dsize != sdata))
2233                                                 {
2234                                                 *al = SSL_AD_DECODE_ERROR;
2235                                                 return 0;
2236                                                 }
2237                                         }
2238                                 }
2239                                 /* We don't know what to do with any other type
2240                                 * so ignore it.
2241                                 */
2242                                 else
2243                                         s->tlsext_status_type = -1;
2244                         }
2245 #ifndef OPENSSL_NO_HEARTBEATS
2246                 else if (type == TLSEXT_TYPE_heartbeat)
2247                         {
2248                         switch(data[0])
2249                                 {
2250                                 case 0x01:      /* Client allows us to send HB requests */
2251                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2252                                                         break;
2253                                 case 0x02:      /* Client doesn't accept HB requests */
2254                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2255                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2256                                                         break;
2257                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2258                                                         return 0;
2259                                 }
2260                         }
2261 #endif
2262 #ifndef OPENSSL_NO_NEXTPROTONEG
2263                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2264                          s->s3->tmp.finish_md_len == 0)
2265                         {
2266                         /* We shouldn't accept this extension on a
2267                          * renegotiation.
2268                          *
2269                          * s->new_session will be set on renegotiation, but we
2270                          * probably shouldn't rely that it couldn't be set on
2271                          * the initial renegotation too in certain cases (when
2272                          * there's some other reason to disallow resuming an
2273                          * earlier session -- the current code won't be doing
2274                          * anything like that, but this might change).
2275
2276                          * A valid sign that there's been a previous handshake
2277                          * in this connection is if s->s3->tmp.finish_md_len >
2278                          * 0.  (We are talking about a check that will happen
2279                          * in the Hello protocol round, well before a new
2280                          * Finished message could have been computed.) */
2281                         s->s3->next_proto_neg_seen = 1;
2282                         }
2283 #endif
2284
2285                 /* session ticket processed earlier */
2286                 else if (type == TLSEXT_TYPE_use_srtp)
2287                         {
2288                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
2289                                                               al))
2290                                 return 0;
2291                         }
2292
2293                 else if (type == TLSEXT_TYPE_server_authz)
2294                         {
2295                         unsigned char *sdata = data;
2296                         unsigned char server_authz_dataformatlist_length;
2297
2298                         if (size == 0)
2299                                 {
2300                                 *al = TLS1_AD_DECODE_ERROR;
2301                                 return 0;
2302                                 }
2303
2304                         server_authz_dataformatlist_length = *(sdata++);
2305
2306                         if (server_authz_dataformatlist_length != size - 1)
2307                                 {
2308                                 *al = TLS1_AD_DECODE_ERROR;
2309                                 return 0;
2310                                 }
2311
2312                         /* Successful session resumption uses the same authz
2313                          * information as the original session so we ignore this
2314                          * in the case of a session resumption. */
2315                         if (!s->hit)
2316                                 {
2317                                 if (s->s3->tlsext_authz_client_types != NULL)
2318                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
2319                                 s->s3->tlsext_authz_client_types =
2320                                         OPENSSL_malloc(server_authz_dataformatlist_length);
2321                                 if (!s->s3->tlsext_authz_client_types)
2322                                         {
2323                                         *al = TLS1_AD_INTERNAL_ERROR;
2324                                         return 0;
2325                                         }
2326
2327                                 s->s3->tlsext_authz_client_types_len =
2328                                         server_authz_dataformatlist_length;
2329                                 memcpy(s->s3->tlsext_authz_client_types,
2330                                        sdata,
2331                                        server_authz_dataformatlist_length);
2332
2333                                 /* Sort the types in order to check for duplicates. */
2334                                 qsort(s->s3->tlsext_authz_client_types,
2335                                       server_authz_dataformatlist_length,
2336                                       1 /* element size */,
2337                                       byte_compare);
2338
2339                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
2340                                         {
2341                                         if (i > 0 &&
2342                                             s->s3->tlsext_authz_client_types[i] ==
2343                                               s->s3->tlsext_authz_client_types[i-1])
2344                                                 {
2345                                                 *al = TLS1_AD_DECODE_ERROR;
2346                                                 return 0;
2347                                                 }
2348                                         }
2349                                 }
2350                         }
2351
2352                 /* If this ClientHello extension was unhandled and this is 
2353                  * a nonresumed connection, check whether the extension is a 
2354                  * custom TLS Extension (has a custom_srv_ext_record), and if
2355                  * so call the callback and record the extension number so that
2356                  * an appropriate ServerHello may be later returned.
2357                  */
2358                 else if (!s->hit && s->ctx->custom_srv_ext_records_count)
2359                         {
2360                         custom_srv_ext_record *record;
2361
2362                         for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
2363                                 {
2364                                 record = &s->ctx->custom_srv_ext_records[i];
2365                                 if (type == record->ext_type)
2366                                         {
2367                                         /* Error on duplicate TLS Extensions */
2368                                         size_t j;
2369
2370                                         for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
2371                                                 {
2372                                                 if (s->s3->tlsext_custom_types[j] == type)
2373                                                         {
2374                                                         *al = TLS1_AD_DECODE_ERROR;
2375                                                         return 0;
2376                                                         }
2377                                                 }
2378
2379                                         /* Callback */
2380                                         if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
2381                                                 return 0;
2382                                                 
2383                                         /* Add the (non-duplicated) entry */
2384                                         s->s3->tlsext_custom_types_count++;
2385                                         s->s3->tlsext_custom_types = OPENSSL_realloc(
2386                                                         s->s3->tlsext_custom_types,
2387                                                         s->s3->tlsext_custom_types_count*2);
2388                                         if (s->s3->tlsext_custom_types == NULL)
2389                                                 {
2390                                                 s->s3->tlsext_custom_types = 0;
2391                                                 *al = TLS1_AD_INTERNAL_ERROR;
2392                                                 return 0;
2393                                                 }
2394                                         s->s3->tlsext_custom_types[
2395                                                         s->s3->tlsext_custom_types_count-1] = type;
2396                                         }                                               
2397                                 }
2398                         }
2399
2400                 data+=size;
2401                 }
2402
2403         *p = data;
2404
2405         ri_check:
2406
2407         /* Need RI if renegotiating */
2408
2409         if (!renegotiate_seen && s->renegotiate &&
2410                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2411                 {
2412                 *al = SSL_AD_HANDSHAKE_FAILURE;
2413                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2414                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2415                 return 0;
2416                 }
2417         /* If no signature algorithms extension set default values */
2418         if (!s->cert->peer_sigalgs)
2419                 ssl_cert_set_default_md(s->cert);
2420
2421         return 1;
2422         }
2423
2424 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2425         {
2426         int al = -1;
2427         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
2428                 {
2429                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2430                 return 0;
2431                 }
2432
2433         if (ssl_check_clienthello_tlsext_early(s) <= 0) 
2434                 {
2435                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
2436                 return 0;
2437                 }
2438         return 1;
2439 }
2440
2441 #ifndef OPENSSL_NO_NEXTPROTONEG
2442 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2443  * elements of zero length are allowed and the set of elements must exactly fill
2444  * the length of the block. */
2445 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2446         {
2447         unsigned int off = 0;
2448
2449         while (off < len)
2450                 {
2451                 if (d[off] == 0)
2452                         return 0;
2453                 off += d[off];
2454                 off++;
2455                 }
2456
2457         return off == len;
2458         }
2459 #endif
2460
2461 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2462         {
2463         unsigned short length;
2464         unsigned short type;
2465         unsigned short size;
2466         unsigned char *data = *p;
2467         int tlsext_servername = 0;
2468         int renegotiate_seen = 0;
2469
2470 #ifndef OPENSSL_NO_NEXTPROTONEG
2471         s->s3->next_proto_neg_seen = 0;
2472 #endif
2473
2474 #ifndef OPENSSL_NO_HEARTBEATS
2475         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2476                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2477 #endif
2478
2479         if (data >= (d+n-2))
2480                 goto ri_check;
2481
2482         n2s(data,length);
2483         if (data+length != d+n)
2484                 {
2485                 *al = SSL_AD_DECODE_ERROR;
2486                 return 0;
2487                 }
2488
2489         while(data <= (d+n-4))
2490                 {
2491                 n2s(data,type);
2492                 n2s(data,size);
2493
2494                 if (data+size > (d+n))
2495                         goto ri_check;
2496
2497                 if (s->tlsext_debug_cb)
2498                         s->tlsext_debug_cb(s, 1, type, data, size,
2499                                                 s->tlsext_debug_arg);
2500
2501                 if (type == TLSEXT_TYPE_server_name)
2502                         {
2503                         if (s->tlsext_hostname == NULL || size > 0)
2504                                 {
2505                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2506                                 return 0;
2507                                 }
2508                         tlsext_servername = 1;   
2509                         }
2510
2511 #ifndef OPENSSL_NO_EC
2512                 else if (type == TLSEXT_TYPE_ec_point_formats)
2513                         {
2514                         unsigned char *sdata = data;
2515                         int ecpointformatlist_length = *(sdata++);
2516
2517                         if (ecpointformatlist_length != size - 1)
2518                                 {
2519                                 *al = TLS1_AD_DECODE_ERROR;
2520                                 return 0;
2521                                 }
2522                         s->session->tlsext_ecpointformatlist_length = 0;
2523                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2524                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2525                                 {
2526                                 *al = TLS1_AD_INTERNAL_ERROR;
2527                                 return 0;
2528                                 }
2529                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2530                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2531 #if 0
2532                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2533                         sdata = s->session->tlsext_ecpointformatlist;
2534                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2535                                 fprintf(stderr,"%i ",*(sdata++));
2536                         fprintf(stderr,"\n");
2537 #endif
2538                         }
2539 #endif /* OPENSSL_NO_EC */
2540
2541                 else if (type == TLSEXT_TYPE_session_ticket)
2542                         {
2543                         if (s->tls_session_ticket_ext_cb &&
2544                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2545                                 {
2546                                 *al = TLS1_AD_INTERNAL_ERROR;
2547                                 return 0;
2548                                 }
2549                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2550                                 || (size > 0))
2551                                 {
2552                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2553                                 return 0;
2554                                 }
2555                         s->tlsext_ticket_expected = 1;
2556                         }
2557 #ifdef TLSEXT_TYPE_opaque_prf_input
2558                 else if (type == TLSEXT_TYPE_opaque_prf_input)
2559                         {
2560                         unsigned char *sdata = data;
2561
2562                         if (size < 2)
2563                                 {
2564                                 *al = SSL_AD_DECODE_ERROR;
2565                                 return 0;
2566                                 }
2567                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2568                         if (s->s3->server_opaque_prf_input_len != size - 2)
2569                                 {
2570                                 *al = SSL_AD_DECODE_ERROR;
2571                                 return 0;
2572                                 }
2573                         
2574                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2575                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2576                         if (s->s3->server_opaque_prf_input_len == 0)
2577                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2578                         else
2579                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2580
2581                         if (s->s3->server_opaque_prf_input == NULL)
2582                                 {
2583                                 *al = TLS1_AD_INTERNAL_ERROR;
2584                                 return 0;
2585                                 }
2586                         }
2587 #endif
2588                 else if (type == TLSEXT_TYPE_status_request)
2589                         {
2590                         /* MUST be empty and only sent if we've requested
2591                          * a status request message.
2592                          */ 
2593                         if ((s->tlsext_status_type == -1) || (size > 0))
2594                                 {
2595                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2596                                 return 0;
2597                                 }
2598                         /* Set flag to expect CertificateStatus message */
2599                         s->tlsext_status_expected = 1;
2600                         }
2601 #ifndef OPENSSL_NO_NEXTPROTONEG
2602                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2603                          s->s3->tmp.finish_md_len == 0)
2604                         {
2605                         unsigned char *selected;
2606                         unsigned char selected_len;
2607
2608                         /* We must have requested it. */
2609                         if (s->ctx->next_proto_select_cb == NULL)
2610                                 {
2611                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2612                                 return 0;
2613                                 }
2614                         /* The data must be valid */
2615                         if (!ssl_next_proto_validate(data, size))
2616                                 {
2617                                 *al = TLS1_AD_DECODE_ERROR;
2618                                 return 0;
2619                                 }
2620                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2621                                 {
2622                                 *al = TLS1_AD_INTERNAL_ERROR;
2623                                 return 0;
2624                                 }
2625                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2626                         if (!s->next_proto_negotiated)
2627                                 {
2628                                 *al = TLS1_AD_INTERNAL_ERROR;
2629                                 return 0;
2630                                 }
2631                         memcpy(s->next_proto_negotiated, selected, selected_len);
2632                         s->next_proto_negotiated_len = selected_len;
2633                         s->s3->next_proto_neg_seen = 1;
2634                         }
2635 #endif
2636                 else if (type == TLSEXT_TYPE_renegotiate)
2637                         {
2638                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2639                                 return 0;
2640                         renegotiate_seen = 1;
2641                         }
2642 #ifndef OPENSSL_NO_HEARTBEATS
2643                 else if (type == TLSEXT_TYPE_heartbeat)
2644                         {
2645                         switch(data[0])
2646                                 {
2647                                 case 0x01:      /* Server allows us to send HB requests */
2648                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2649                                                         break;
2650                                 case 0x02:      /* Server doesn't accept HB requests */
2651                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2652                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2653                                                         break;
2654                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2655                                                         return 0;
2656                                 }
2657                         }
2658 #endif
2659                 else if (type == TLSEXT_TYPE_use_srtp)
2660                         {
2661                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2662                                                               al))
2663                                 return 0;
2664                         }
2665
2666                 else if (type == TLSEXT_TYPE_server_authz)
2667                         {
2668                         /* We only support audit proofs. It's an error to send
2669                          * an authz hello extension if the client
2670                          * didn't request a proof. */
2671                         unsigned char *sdata = data;
2672                         unsigned char server_authz_dataformatlist_length;
2673
2674                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2675                                 {
2676                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2677                                 return 0;
2678                                 }
2679
2680                         if (!size)
2681                                 {
2682                                 *al = TLS1_AD_DECODE_ERROR;
2683                                 return 0;
2684                                 }
2685
2686                         server_authz_dataformatlist_length = *(sdata++);
2687                         if (server_authz_dataformatlist_length != size - 1)
2688                                 {
2689                                 *al = TLS1_AD_DECODE_ERROR;
2690                                 return 0;
2691                                 }
2692
2693                         /* We only support audit proofs, so a legal ServerHello
2694                          * authz list contains exactly one entry. */
2695                         if (server_authz_dataformatlist_length != 1 ||
2696                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2697                                 {
2698                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2699                                 return 0;
2700                                 }
2701
2702                         s->s3->tlsext_authz_server_promised = 1;
2703                         }
2704
2705                 /* If this extension type was not otherwise handled, but 
2706                  * matches a custom_cli_ext_record, then send it to the c
2707                  * callback */
2708                 else if (s->ctx->custom_cli_ext_records_count)
2709                         {
2710                         size_t i;
2711                         custom_cli_ext_record* record;
2712
2713                         for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
2714                                 {
2715                                 record = &s->ctx->custom_cli_ext_records[i];
2716                                 if (record->ext_type == type)
2717                                         {
2718                                         if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
2719                                                 return 0;
2720                                         break;
2721                                         }
2722                                 }                       
2723                         }
2724  
2725                 data += size;
2726                 }
2727
2728         if (data != d+n)
2729                 {
2730                 *al = SSL_AD_DECODE_ERROR;
2731                 return 0;
2732                 }
2733
2734         if (!s->hit && tlsext_servername == 1)
2735                 {
2736                 if (s->tlsext_hostname)
2737                         {
2738                         if (s->session->tlsext_hostname == NULL)
2739                                 {
2740                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2741                                 if (!s->session->tlsext_hostname)
2742                                         {
2743                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2744                                         return 0;
2745                                         }
2746                                 }
2747                         else 
2748                                 {
2749                                 *al = SSL_AD_DECODE_ERROR;
2750                                 return 0;
2751                                 }
2752                         }
2753                 }
2754
2755         *p = data;
2756
2757         ri_check:
2758
2759         /* Determine if we need to see RI. Strictly speaking if we want to
2760          * avoid an attack we should *always* see RI even on initial server
2761          * hello because the client doesn't see any renegotiation during an
2762          * attack. However this would mean we could not connect to any server
2763          * which doesn't support RI so for the immediate future tolerate RI
2764          * absence on initial connect only.
2765          */
2766         if (!renegotiate_seen
2767                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2768                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2769                 {
2770                 *al = SSL_AD_HANDSHAKE_FAILURE;
2771                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2772                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2773                 return 0;
2774                 }
2775
2776         return 1;
2777         }
2778
2779
2780 int ssl_prepare_clienthello_tlsext(SSL *s)
2781         {
2782
2783 #ifdef TLSEXT_TYPE_opaque_prf_input
2784         {
2785                 int r = 1;
2786         
2787                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2788                         {
2789                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2790                         if (!r)
2791                                 return -1;
2792                         }
2793
2794                 if (s->tlsext_opaque_prf_input != NULL)
2795                         {
2796                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2797                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2798
2799                         if (s->tlsext_opaque_prf_input_len == 0)
2800                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2801                         else
2802                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2803                         if (s->s3->client_opaque_prf_input == NULL)
2804                                 {
2805                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2806                                 return -1;
2807                                 }
2808                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2809                         }
2810
2811                 if (r == 2)
2812                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2813                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2814         }
2815 #endif
2816
2817         return 1;
2818         }
2819
2820 int ssl_prepare_serverhello_tlsext(SSL *s)
2821         {
2822         return 1;
2823         }
2824
2825 static int ssl_check_clienthello_tlsext_early(SSL *s)
2826         {
2827         int ret=SSL_TLSEXT_ERR_NOACK;
2828         int al = SSL_AD_UNRECOGNIZED_NAME;
2829
2830 #ifndef OPENSSL_NO_EC
2831         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2832          * ssl3_choose_cipher in s3_lib.c.
2833          */
2834         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2835          * ssl3_choose_cipher in s3_lib.c.
2836          */
2837 #endif
2838
2839         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2840                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2841         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2842                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2843
2844 #ifdef TLSEXT_TYPE_opaque_prf_input
2845         {
2846                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2847                  * but we might be sending an alert in response to the client hello,
2848                  * so this has to happen here in
2849                  * ssl_check_clienthello_tlsext_early(). */
2850
2851                 int r = 1;
2852         
2853                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2854                         {
2855                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2856                         if (!r)
2857                                 {
2858                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2859                                 al = SSL_AD_INTERNAL_ERROR;
2860                                 goto err;
2861                                 }
2862                         }
2863
2864                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2865                         OPENSSL_free(s->s3->server_opaque_prf_input);
2866                 s->s3->server_opaque_prf_input = NULL;
2867
2868                 if (s->tlsext_opaque_prf_input != NULL)
2869                         {
2870                         if (s->s3->client_opaque_prf_input != NULL &&
2871                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2872                                 {
2873                                 /* can only use this extension if we have a server opaque PRF input
2874                                  * of the same length as the client opaque PRF input! */
2875
2876                                 if (s->tlsext_opaque_prf_input_len == 0)
2877                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2878                                 else
2879                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2880                                 if (s->s3->server_opaque_prf_input == NULL)
2881                                         {
2882                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2883                                         al = SSL_AD_INTERNAL_ERROR;
2884                                         goto err;
2885                                         }
2886                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2887                                 }
2888                         }
2889
2890                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2891                         {
2892                         /* The callback wants to enforce use of the extension,
2893                          * but we can't do that with the client opaque PRF input;
2894                          * abort the handshake.
2895                          */
2896                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2897                         al = SSL_AD_HANDSHAKE_FAILURE;
2898                         }
2899         }
2900
2901  err:
2902 #endif
2903         switch (ret)
2904                 {
2905                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2906                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2907                         return -1;
2908
2909                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2910                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2911                         return 1; 
2912                                         
2913                 case SSL_TLSEXT_ERR_NOACK:
2914                         s->servername_done=0;
2915                         default:
2916                 return 1;
2917                 }
2918         }
2919
2920 int ssl_check_clienthello_tlsext_late(SSL *s)
2921         {
2922         int ret = SSL_TLSEXT_ERR_OK;
2923         int al;
2924
2925         /* If status request then ask callback what to do.
2926          * Note: this must be called after servername callbacks in case
2927          * the certificate has changed, and must be called after the cipher
2928          * has been chosen because this may influence which certificate is sent
2929          */
2930         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2931                 {
2932                 int r;
2933                 CERT_PKEY *certpkey;
2934                 certpkey = ssl_get_server_send_pkey(s);
2935                 /* If no certificate can't return certificate status */
2936                 if (certpkey == NULL)
2937                         {
2938                         s->tlsext_status_expected = 0;
2939                         return 1;
2940                         }
2941                 /* Set current certificate to one we will use so
2942                  * SSL_get_certificate et al can pick it up.
2943                  */
2944                 s->cert->key = certpkey;
2945                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2946                 switch (r)
2947                         {
2948                         /* We don't want to send a status request response */
2949                         case SSL_TLSEXT_ERR_NOACK:
2950                                 s->tlsext_status_expected = 0;
2951                                 break;
2952                         /* status request response should be sent */
2953                         case SSL_TLSEXT_ERR_OK:
2954                                 if (s->tlsext_ocsp_resp)
2955                                         s->tlsext_status_expected = 1;
2956                                 else
2957                                         s->tlsext_status_expected = 0;
2958                                 break;
2959                         /* something bad happened */
2960                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2961                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2962                                 al = SSL_AD_INTERNAL_ERROR;
2963                                 goto err;
2964                         }
2965                 }
2966         else
2967                 s->tlsext_status_expected = 0;
2968
2969  err:
2970         switch (ret)
2971                 {
2972                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2973                         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2974                         return -1;
2975
2976                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2977                         ssl3_send_alert(s, SSL3_AL_WARNING, al);
2978                         return 1; 
2979
2980                 default:
2981                         return 1;
2982                 }
2983         }
2984
2985 int ssl_check_serverhello_tlsext(SSL *s)
2986         {
2987         int ret=SSL_TLSEXT_ERR_NOACK;
2988         int al = SSL_AD_UNRECOGNIZED_NAME;
2989
2990 #ifndef OPENSSL_NO_EC
2991         /* If we are client and using an elliptic curve cryptography cipher
2992          * suite, then if server returns an EC point formats lists extension
2993          * it must contain uncompressed.
2994          */
2995         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2996         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2997         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2998             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2999             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
3000                 {
3001                 /* we are using an ECC cipher */
3002                 size_t i;
3003                 unsigned char *list;
3004                 int found_uncompressed = 0;
3005                 list = s->session->tlsext_ecpointformatlist;
3006                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
3007                         {
3008                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
3009                                 {
3010                                 found_uncompressed = 1;
3011                                 break;
3012                                 }
3013                         }
3014                 if (!found_uncompressed)
3015                         {
3016                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3017                         return -1;
3018                         }
3019                 }
3020         ret = SSL_TLSEXT_ERR_OK;
3021 #endif /* OPENSSL_NO_EC */
3022
3023         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
3024                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
3025         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
3026                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
3027
3028 #ifdef TLSEXT_TYPE_opaque_prf_input
3029         if (s->s3->server_opaque_prf_input_len > 0)
3030                 {
3031                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
3032                  * So first verify that we really have a value from the server too. */
3033
3034                 if (s->s3->server_opaque_prf_input == NULL)
3035                         {
3036                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3037                         al = SSL_AD_HANDSHAKE_FAILURE;
3038                         }
3039                 
3040                 /* Anytime the server *has* sent an opaque PRF input, we need to check
3041                  * that we have a client opaque PRF input of the same size. */
3042                 if (s->s3->client_opaque_prf_input == NULL ||
3043                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
3044                         {
3045                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3046                         al = SSL_AD_ILLEGAL_PARAMETER;
3047                         }
3048                 }
3049 #endif
3050
3051         /* If we've requested certificate status and we wont get one
3052          * tell the callback
3053          */
3054         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3055                         && s->ctx && s->ctx->tlsext_status_cb)
3056                 {
3057                 int r;
3058                 /* Set resp to NULL, resplen to -1 so callback knows
3059                  * there is no response.
3060                  */
3061                 if (s->tlsext_ocsp_resp)
3062                         {
3063                         OPENSSL_free(s->tlsext_ocsp_resp);
3064                         s->tlsext_ocsp_resp = NULL;
3065                         }
3066                 s->tlsext_ocsp_resplen = -1;
3067                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3068                 if (r == 0)
3069                         {
3070                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3071                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3072                         }
3073                 if (r < 0)
3074                         {
3075                         al = SSL_AD_INTERNAL_ERROR;
3076                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3077                         }
3078                 }
3079
3080         switch (ret)
3081                 {
3082                 case SSL_TLSEXT_ERR_ALERT_FATAL:
3083                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3084                         return -1;
3085
3086                 case SSL_TLSEXT_ERR_ALERT_WARNING:
3087                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
3088                         return 1; 
3089                                         
3090                 case SSL_TLSEXT_ERR_NOACK:
3091                         s->servername_done=0;
3092                         default:
3093                 return 1;
3094                 }
3095         }
3096
3097 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
3098         {
3099         int al = -1;
3100         if (s->version < SSL3_VERSION)
3101                 return 1;
3102         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
3103                 {
3104                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
3105                 return 0;
3106                 }
3107
3108         if (ssl_check_serverhello_tlsext(s) <= 0) 
3109                 {
3110                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
3111                 return 0;
3112                 }
3113         return 1;
3114 }
3115
3116 /* Since the server cache lookup is done early on in the processing of the
3117  * ClientHello, and other operations depend on the result, we need to handle
3118  * any TLS session ticket extension at the same time.
3119  *
3120  *   session_id: points at the session ID in the ClientHello. This code will
3121  *       read past the end of this in order to parse out the session ticket
3122  *       extension, if any.
3123  *   len: the length of the session ID.
3124  *   limit: a pointer to the first byte after the ClientHello.
3125  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3126  *       point to the resulting session.
3127  *
3128  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3129  * ciphersuite, in which case we have no use for session tickets and one will
3130  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3131  *
3132  * Returns:
3133  *   -1: fatal error, either from parsing or decrypting the ticket.
3134  *    0: no ticket was found (or was ignored, based on settings).
3135  *    1: a zero length extension was found, indicating that the client supports
3136  *       session tickets but doesn't currently have one to offer.
3137  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3138  *       couldn't be decrypted because of a non-fatal error.
3139  *    3: a ticket was successfully decrypted and *ret was set.
3140  *
3141  * Side effects:
3142  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3143  *   a new session ticket to the client because the client indicated support
3144  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3145  *   a session ticket or we couldn't use the one it gave us, or if
3146  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3147  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3148  */
3149 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3150                         const unsigned char *limit, SSL_SESSION **ret)
3151         {
3152         /* Point after session ID in client hello */
3153         const unsigned char *p = session_id + len;
3154         unsigned short i;
3155
3156         *ret = NULL;
3157         s->tlsext_ticket_expected = 0;
3158
3159         /* If tickets disabled behave as if no ticket present
3160          * to permit stateful resumption.
3161          */
3162         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3163                 return 0;
3164         if ((s->version <= SSL3_VERSION) || !limit)
3165                 return 0;
3166         if (p >= limit)
3167                 return -1;
3168         /* Skip past DTLS cookie */
3169         if (SSL_IS_DTLS(s))
3170                 {
3171                 i = *(p++);
3172                 p+= i;
3173                 if (p >= limit)
3174                         return -1;
3175                 }
3176         /* Skip past cipher list */
3177         n2s(p, i);
3178         p+= i;
3179         if (p >= limit)
3180                 return -1;
3181         /* Skip past compression algorithm list */
3182         i = *(p++);
3183         p += i;
3184         if (p > limit)
3185                 return -1;
3186         /* Now at start of extensions */
3187         if ((p + 2) >= limit)
3188                 return 0;
3189         n2s(p, i);
3190         while ((p + 4) <= limit)
3191                 {
3192                 unsigned short type, size;
3193                 n2s(p, type);
3194                 n2s(p, size);
3195                 if (p + size > limit)
3196                         return 0;
3197                 if (type == TLSEXT_TYPE_session_ticket)
3198                         {
3199                         int r;
3200                         if (size == 0)
3201                                 {
3202                                 /* The client will accept a ticket but doesn't
3203                                  * currently have one. */
3204                                 s->tlsext_ticket_expected = 1;
3205                                 return 1;
3206                                 }
3207                         if (s->tls_session_secret_cb)
3208                                 {
3209                                 /* Indicate that the ticket couldn't be
3210                                  * decrypted rather than generating the session
3211                                  * from ticket now, trigger abbreviated
3212                                  * handshake based on external mechanism to
3213                                  * calculate the master secret later. */
3214                                 return 2;
3215                                 }
3216                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3217                         switch (r)
3218                                 {
3219                                 case 2: /* ticket couldn't be decrypted */
3220                                         s->tlsext_ticket_expected = 1;
3221                                         return 2;
3222                                 case 3: /* ticket was decrypted */
3223                                         return r;
3224                                 case 4: /* ticket decrypted but need to renew */
3225                                         s->tlsext_ticket_expected = 1;
3226                                         return 3;
3227                                 default: /* fatal error */
3228                                         return -1;
3229                                 }
3230                         }
3231                 p += size;
3232                 }
3233         return 0;
3234         }
3235
3236 /* tls_decrypt_ticket attempts to decrypt a session ticket.
3237  *
3238  *   etick: points to the body of the session ticket extension.
3239  *   eticklen: the length of the session tickets extenion.
3240  *   sess_id: points at the session ID.
3241  *   sesslen: the length of the session ID.
3242  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3243  *       point to the resulting session.
3244  *
3245  * Returns:
3246  *   -1: fatal error, either from parsing or decrypting the ticket.
3247  *    2: the ticket couldn't be decrypted.
3248  *    3: a ticket was successfully decrypted and *psess was set.
3249  *    4: same as 3, but the ticket needs to be renewed.
3250  */
3251 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
3252                                 const unsigned char *sess_id, int sesslen,
3253                                 SSL_SESSION **psess)
3254         {
3255         SSL_SESSION *sess;
3256         unsigned char *sdec;
3257         const unsigned char *p;
3258         int slen, mlen, renew_ticket = 0;
3259         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3260         HMAC_CTX hctx;
3261         EVP_CIPHER_CTX ctx;
3262         SSL_CTX *tctx = s->initial_ctx;
3263         /* Need at least keyname + iv + some encrypted data */
3264         if (eticklen < 48)
3265                 return 2;
3266         /* Initialize session ticket encryption and HMAC contexts */
3267         HMAC_CTX_init(&hctx);
3268         EVP_CIPHER_CTX_init(&ctx);
3269         if (tctx->tlsext_ticket_key_cb)
3270                 {
3271                 unsigned char *nctick = (unsigned char *)etick;
3272                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3273                                                         &ctx, &hctx, 0);
3274                 if (rv < 0)
3275                         return -1;
3276                 if (rv == 0)
3277                         return 2;
3278                 if (rv == 2)
3279                         renew_ticket = 1;
3280                 }
3281         else
3282                 {
3283                 /* Check key name matches */
3284                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3285                         return 2;
3286                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3287                                         tlsext_tick_md(), NULL);
3288                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3289                                 tctx->tlsext_tick_aes_key, etick + 16);
3290                 }
3291         /* Attempt to process session ticket, first conduct sanity and
3292          * integrity checks on ticket.
3293          */
3294         mlen = HMAC_size(&hctx);
3295         if (mlen < 0)
3296                 {
3297                 EVP_CIPHER_CTX_cleanup(&ctx);
3298                 return -1;
3299                 }
3300         eticklen -= mlen;
3301         /* Check HMAC of encrypted ticket */
3302         HMAC_Update(&hctx, etick, eticklen);
3303         HMAC_Final(&hctx, tick_hmac, NULL);
3304         HMAC_CTX_cleanup(&hctx);
3305         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
3306                 return 2;
3307         /* Attempt to decrypt session data */
3308         /* Move p after IV to start of encrypted ticket, update length */
3309         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3310         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3311         sdec = OPENSSL_malloc(eticklen);
3312         if (!sdec)
3313                 {
3314                 EVP_CIPHER_CTX_cleanup(&ctx);
3315                 return -1;
3316                 }
3317         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
3318         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
3319                 return 2;
3320         slen += mlen;
3321         EVP_CIPHER_CTX_cleanup(&ctx);
3322         p = sdec;
3323
3324         sess = d2i_SSL_SESSION(NULL, &p, slen);
3325         OPENSSL_free(sdec);
3326         if (sess)
3327                 {
3328                 /* The session ID, if non-empty, is used by some clients to
3329                  * detect that the ticket has been accepted. So we copy it to
3330                  * the session structure. If it is empty set length to zero
3331                  * as required by standard.
3332                  */
3333                 if (sesslen)
3334                         memcpy(sess->session_id, sess_id, sesslen);
3335                 sess->session_id_length = sesslen;
3336                 *psess = sess;
3337                 if (renew_ticket)
3338                         return 4;
3339                 else
3340                         return 3;
3341                 }
3342         ERR_clear_error();
3343         /* For session parse failure, indicate that we need to send a new
3344          * ticket. */
3345         return 2;
3346         }
3347
3348 /* Tables to translate from NIDs to TLS v1.2 ids */
3349
3350 typedef struct 
3351         {
3352         int nid;
3353         int id;
3354         } tls12_lookup;
3355
3356 static tls12_lookup tls12_md[] = {
3357         {NID_md5, TLSEXT_hash_md5},
3358         {NID_sha1, TLSEXT_hash_sha1},
3359         {NID_sha224, TLSEXT_hash_sha224},
3360         {NID_sha256, TLSEXT_hash_sha256},
3361         {NID_sha384, TLSEXT_hash_sha384},
3362         {NID_sha512, TLSEXT_hash_sha512}
3363 };
3364
3365 static tls12_lookup tls12_sig[] = {
3366         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3367         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3368         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3369 };
3370
3371 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3372         {
3373         size_t i;
3374         for (i = 0; i < tlen; i++)
3375                 {
3376                 if (table[i].nid == nid)
3377                         return table[i].id;
3378                 }
3379         return -1;
3380         }
3381
3382 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3383         {
3384         size_t i;
3385         for (i = 0; i < tlen; i++)
3386                 {
3387                 if ((table[i].id) == id)
3388                         return table[i].nid;
3389                 }
3390         return NID_undef;
3391         }
3392
3393 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
3394         {
3395         int sig_id, md_id;
3396         if (!md)
3397                 return 0;
3398         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3399                                 sizeof(tls12_md)/sizeof(tls12_lookup));
3400         if (md_id == -1)
3401                 return 0;
3402         sig_id = tls12_get_sigid(pk);
3403         if (sig_id == -1)
3404                 return 0;
3405         p[0] = (unsigned char)md_id;
3406         p[1] = (unsigned char)sig_id;
3407         return 1;
3408         }
3409
3410 int tls12_get_sigid(const EVP_PKEY *pk)
3411         {
3412         return tls12_find_id(pk->type, tls12_sig,
3413                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3414         }
3415
3416 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3417         {
3418         switch(hash_alg)
3419                 {
3420 #ifndef OPENSSL_NO_MD5
3421                 case TLSEXT_hash_md5:
3422 #ifdef OPENSSL_FIPS
3423                 if (FIPS_mode())
3424                         return NULL;
3425 #endif
3426                 return EVP_md5();
3427 #endif
3428 #ifndef OPENSSL_NO_SHA
3429                 case TLSEXT_hash_sha1:
3430                 return EVP_sha1();
3431 #endif
3432 #ifndef OPENSSL_NO_SHA256
3433                 case TLSEXT_hash_sha224:
3434                 return EVP_sha224();
3435
3436                 case TLSEXT_hash_sha256:
3437                 return EVP_sha256();
3438 #endif
3439 #ifndef OPENSSL_NO_SHA512
3440                 case TLSEXT_hash_sha384:
3441                 return EVP_sha384();
3442
3443                 case TLSEXT_hash_sha512:
3444                 return EVP_sha512();
3445 #endif
3446                 default:
3447                 return NULL;
3448
3449                 }
3450         }
3451
3452 static int tls12_get_pkey_idx(unsigned char sig_alg)
3453         {
3454         switch(sig_alg)
3455                 {
3456 #ifndef OPENSSL_NO_RSA
3457         case TLSEXT_signature_rsa:
3458                 return SSL_PKEY_RSA_SIGN;
3459 #endif
3460 #ifndef OPENSSL_NO_DSA
3461         case TLSEXT_signature_dsa:
3462                 return SSL_PKEY_DSA_SIGN;
3463 #endif
3464 #ifndef OPENSSL_NO_ECDSA
3465         case TLSEXT_signature_ecdsa:
3466                 return SSL_PKEY_ECC;
3467 #endif
3468                 }
3469         return -1;
3470         }
3471
3472 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3473 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3474                         int *psignhash_nid, const unsigned char *data)
3475         {
3476         int sign_nid = 0, hash_nid = 0;
3477         if (!phash_nid && !psign_nid && !psignhash_nid)
3478                 return;
3479         if (phash_nid || psignhash_nid)
3480                 {
3481                 hash_nid = tls12_find_nid(data[0], tls12_md,
3482                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3483                 if (phash_nid)
3484                         *phash_nid = hash_nid;