check EC tmp key matches preferences
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 static int ssl_check_clienthello_tlsext(SSL *s);
127 int ssl_check_serverhello_tlsext(SSL *s);
128 #endif
129
130 SSL3_ENC_METHOD TLSv1_enc_data={
131         tls1_enc,
132         tls1_mac,
133         tls1_setup_key_block,
134         tls1_generate_master_secret,
135         tls1_change_cipher_state,
136         tls1_final_finish_mac,
137         TLS1_FINISH_MAC_LENGTH,
138         tls1_cert_verify_mac,
139         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
140         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
141         tls1_alert_code,
142         tls1_export_keying_material,
143         };
144
145 long tls1_default_timeout(void)
146         {
147         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
148          * is way too long for http, the cache would over fill */
149         return(60*60*2);
150         }
151
152 int tls1_new(SSL *s)
153         {
154         if (!ssl3_new(s)) return(0);
155         s->method->ssl_clear(s);
156         return(1);
157         }
158
159 void tls1_free(SSL *s)
160         {
161 #ifndef OPENSSL_NO_TLSEXT
162         if (s->tlsext_session_ticket)
163                 {
164                 OPENSSL_free(s->tlsext_session_ticket);
165                 }
166 #endif /* OPENSSL_NO_TLSEXT */
167         ssl3_free(s);
168         }
169
170 void tls1_clear(SSL *s)
171         {
172         ssl3_clear(s);
173         s->version = s->method->version;
174         }
175
176 #ifndef OPENSSL_NO_EC
177
178 static int nid_list[] =
179         {
180                 NID_sect163k1, /* sect163k1 (1) */
181                 NID_sect163r1, /* sect163r1 (2) */
182                 NID_sect163r2, /* sect163r2 (3) */
183                 NID_sect193r1, /* sect193r1 (4) */ 
184                 NID_sect193r2, /* sect193r2 (5) */ 
185                 NID_sect233k1, /* sect233k1 (6) */
186                 NID_sect233r1, /* sect233r1 (7) */ 
187                 NID_sect239k1, /* sect239k1 (8) */ 
188                 NID_sect283k1, /* sect283k1 (9) */
189                 NID_sect283r1, /* sect283r1 (10) */ 
190                 NID_sect409k1, /* sect409k1 (11) */ 
191                 NID_sect409r1, /* sect409r1 (12) */
192                 NID_sect571k1, /* sect571k1 (13) */ 
193                 NID_sect571r1, /* sect571r1 (14) */ 
194                 NID_secp160k1, /* secp160k1 (15) */
195                 NID_secp160r1, /* secp160r1 (16) */ 
196                 NID_secp160r2, /* secp160r2 (17) */ 
197                 NID_secp192k1, /* secp192k1 (18) */
198                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
199                 NID_secp224k1, /* secp224k1 (20) */ 
200                 NID_secp224r1, /* secp224r1 (21) */
201                 NID_secp256k1, /* secp256k1 (22) */ 
202                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
203                 NID_secp384r1, /* secp384r1 (24) */
204                 NID_secp521r1  /* secp521r1 (25) */     
205         };
206
207
208 static const unsigned char ecformats_default[] = 
209         {
210         TLSEXT_ECPOINTFORMAT_uncompressed,
211         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
212         TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
213         };
214
215 static const unsigned char eccurves_default[] =
216         {
217                 0,14, /* sect571r1 (14) */ 
218                 0,13, /* sect571k1 (13) */ 
219                 0,25, /* secp521r1 (25) */      
220                 0,11, /* sect409k1 (11) */ 
221                 0,12, /* sect409r1 (12) */
222                 0,24, /* secp384r1 (24) */
223                 0,9,  /* sect283k1 (9) */
224                 0,10, /* sect283r1 (10) */ 
225                 0,22, /* secp256k1 (22) */ 
226                 0,23, /* secp256r1 (23) */ 
227                 0,8,  /* sect239k1 (8) */ 
228                 0,6,  /* sect233k1 (6) */
229                 0,7,  /* sect233r1 (7) */ 
230                 0,20, /* secp224k1 (20) */ 
231                 0,21, /* secp224r1 (21) */
232                 0,4,  /* sect193r1 (4) */ 
233                 0,5,  /* sect193r2 (5) */ 
234                 0,18, /* secp192k1 (18) */
235                 0,19, /* secp192r1 (19) */ 
236                 0,1,  /* sect163k1 (1) */
237                 0,2,  /* sect163r1 (2) */
238                 0,3,  /* sect163r2 (3) */
239                 0,15, /* secp160k1 (15) */
240                 0,16, /* secp160r1 (16) */ 
241                 0,17, /* secp160r2 (17) */ 
242         };
243
244 int tls1_ec_curve_id2nid(int curve_id)
245         {
246         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
247         if ((curve_id < 1) || ((unsigned int)curve_id >
248                                 sizeof(nid_list)/sizeof(nid_list[0])))
249                 return 0;
250         return nid_list[curve_id-1];
251         }
252
253 int tls1_ec_nid2curve_id(int nid)
254         {
255         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
256         switch (nid)
257                 {
258         case NID_sect163k1: /* sect163k1 (1) */
259                 return 1;
260         case NID_sect163r1: /* sect163r1 (2) */
261                 return 2;
262         case NID_sect163r2: /* sect163r2 (3) */
263                 return 3;
264         case NID_sect193r1: /* sect193r1 (4) */ 
265                 return 4;
266         case NID_sect193r2: /* sect193r2 (5) */ 
267                 return 5;
268         case NID_sect233k1: /* sect233k1 (6) */
269                 return 6;
270         case NID_sect233r1: /* sect233r1 (7) */ 
271                 return 7;
272         case NID_sect239k1: /* sect239k1 (8) */ 
273                 return 8;
274         case NID_sect283k1: /* sect283k1 (9) */
275                 return 9;
276         case NID_sect283r1: /* sect283r1 (10) */ 
277                 return 10;
278         case NID_sect409k1: /* sect409k1 (11) */ 
279                 return 11;
280         case NID_sect409r1: /* sect409r1 (12) */
281                 return 12;
282         case NID_sect571k1: /* sect571k1 (13) */ 
283                 return 13;
284         case NID_sect571r1: /* sect571r1 (14) */ 
285                 return 14;
286         case NID_secp160k1: /* secp160k1 (15) */
287                 return 15;
288         case NID_secp160r1: /* secp160r1 (16) */ 
289                 return 16;
290         case NID_secp160r2: /* secp160r2 (17) */ 
291                 return 17;
292         case NID_secp192k1: /* secp192k1 (18) */
293                 return 18;
294         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
295                 return 19;
296         case NID_secp224k1: /* secp224k1 (20) */ 
297                 return 20;
298         case NID_secp224r1: /* secp224r1 (21) */
299                 return 21;
300         case NID_secp256k1: /* secp256k1 (22) */ 
301                 return 22;
302         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
303                 return 23;
304         case NID_secp384r1: /* secp384r1 (24) */
305                 return 24;
306         case NID_secp521r1:  /* secp521r1 (25) */       
307                 return 25;
308         default:
309                 return 0;
310                 }
311         }
312 /* Get curves list, if "sess" is set return client curves otherwise
313  * preferred list
314  */
315 static void tls1_get_curvelist(SSL *s, int sess,
316                                         const unsigned char **pcurves,
317                                         size_t *pcurveslen)
318         {
319         if (sess)
320                 {
321                 *pcurves = s->session->tlsext_ellipticcurvelist;
322                 *pcurveslen = s->session->tlsext_ellipticcurvelist_length;
323                 }
324         else
325                 {
326                 *pcurves = s->tlsext_ellipticcurvelist;
327                 *pcurveslen = s->tlsext_ellipticcurvelist_length;
328                 }
329         /* If not set use default: for now static structure */
330         if (!*pcurves)
331                 {
332                 *pcurves = eccurves_default;
333                 *pcurveslen = sizeof(eccurves_default);
334                 }
335         }
336 /* Check a curve is one of our preferences */
337 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
338         {
339         const unsigned char *curves;
340         size_t curveslen, i;
341         if (len != 3 || p[0] != NAMED_CURVE_TYPE)
342                 return 0;
343         tls1_get_curvelist(s, 0, &curves, &curveslen);
344         for (i = 0; i < curveslen; i += 2, curves += 2)
345                 {
346                 if (p[1] == curves[0] && p[2] == curves[1])
347                         return 1;
348                 }
349         return 0;
350         }
351
352 /* Return nth shared curve. If nmatch == -1 return number of
353  * matches.
354  */
355
356 int tls1_shared_curve(SSL *s, int nmatch)
357         {
358         const unsigned char *pref, *supp;
359         size_t preflen, supplen, i, j;
360         int k;
361         /* Can't do anything on client side */
362         if (s->server == 0)
363                 return -1;
364         tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
365                                 &supp, &supplen);
366         tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE),
367                                 &pref, &preflen);
368         preflen /= 2;
369         supplen /= 2;
370         k = 0;
371         for (i = 0; i < preflen; i++, pref+=2)
372                 {
373                 const unsigned char *tsupp = supp;
374                 for (j = 0; j < supplen; j++, tsupp+=2)
375                         {
376                         if (pref[0] == tsupp[0] && pref[1] == tsupp[1])
377                                 {
378                                 if (nmatch == k)
379                                         {
380                                         int id = (pref[0] << 8) | pref[1];
381                                         return tls1_ec_curve_id2nid(id);
382                                         }
383                                 k++;
384                                 }
385                         }
386                 }
387         if (nmatch == -1)
388                 return k;
389         return 0;
390         }
391
392 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
393                         int *curves, size_t ncurves)
394         {
395         unsigned char *clist, *p;
396         size_t i;
397         /* Bitmap of curves included to detect duplicates: only works
398          * while curve ids < 32 
399          */
400         unsigned long dup_list = 0;
401         clist = OPENSSL_malloc(ncurves * 2);
402         if (!clist)
403                 return 0;
404         for (i = 0, p = clist; i < ncurves; i++)
405                 {
406                 unsigned long idmask;
407                 int id;
408                 id = tls1_ec_nid2curve_id(curves[i]);
409                 idmask = 1L << id;
410                 if (!id || (dup_list & idmask))
411                         {
412                         OPENSSL_free(clist);
413                         return 0;
414                         }
415                 dup_list |= idmask;
416                 s2n(id, p);
417                 }
418         if (*pext)
419                 OPENSSL_free(*pext);
420         *pext = clist;
421         *pextlen = ncurves * 2;
422         return 1;
423         }
424
425 #define MAX_CURVELIST   25
426
427 typedef struct
428         {
429         size_t nidcnt;
430         int nid_arr[MAX_CURVELIST];
431         } nid_cb_st;
432
433 static int nid_cb(const char *elem, int len, void *arg)
434         {
435         nid_cb_st *narg = arg;
436         size_t i;
437         int nid;
438         char etmp[20];
439         if (narg->nidcnt == MAX_CURVELIST)
440                 return 0;
441         if (len > (int)(sizeof(etmp) - 1))
442                 return 0;
443         memcpy(etmp, elem, len);
444         etmp[len] = 0;
445         nid = EC_curve_nist2nid(etmp);
446         if (nid == NID_undef)
447                 nid = OBJ_sn2nid(etmp);
448         if (nid == NID_undef)
449                 nid = OBJ_ln2nid(etmp);
450         if (nid == NID_undef)
451                 return 0;
452         for (i = 0; i < narg->nidcnt; i++)
453                 if (narg->nid_arr[i] == nid)
454                         return 0;
455         narg->nid_arr[narg->nidcnt++] = nid;
456         return 1;
457         }
458 /* Set curves based on a colon separate list */
459 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
460                                 const char *str)
461         {
462         nid_cb_st ncb;
463         ncb.nidcnt = 0;
464         if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
465                 return 0;
466         return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
467         }
468 /* For an EC key set TLS id and required compression based on parameters */
469 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
470                                 EC_KEY *ec)
471         {
472         int is_prime, id;
473         const EC_GROUP *grp;
474         const EC_POINT *pt;
475         const EC_METHOD *meth;
476         if (!ec)
477                 return 0;
478         /* Determine if it is a prime field */
479         grp = EC_KEY_get0_group(ec);
480         pt = EC_KEY_get0_public_key(ec);
481         if (!grp || !pt)
482                 return 0;
483         meth = EC_GROUP_method_of(grp);
484         if (!meth)
485                 return 0;
486         if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
487                 is_prime = 1;
488         else
489                 is_prime = 0;
490         /* Determine curve ID */
491         id = EC_GROUP_get_curve_name(grp);
492         id = tls1_ec_nid2curve_id(id);
493         /* If we have an ID set it, otherwise set arbitrary explicit curve */
494         if (id)
495                 {
496                 curve_id[0] = 0;
497                 curve_id[1] = (unsigned char)id;
498                 }
499         else
500                 {
501                 curve_id[0] = 0xff;
502                 if (is_prime)
503                         curve_id[1] = 0x01;
504                 else
505                         curve_id[1] = 0x02;
506                 }
507         if (comp_id)
508                 {
509                 if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED)
510                         {
511                         if (is_prime)
512                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
513                         else
514                                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
515                         }
516                 else
517                         *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
518                 }
519         return 1;
520         }
521 /* Check an EC key is compatible with extensions */
522 static int tls1_check_ec_key(SSL *s,
523                         unsigned char *curve_id, unsigned char *comp_id)
524         {
525         const unsigned char *p;
526         size_t plen, i;
527         int j;
528         /* If point formats extension present check it, otherwise everything
529          * is supported (see RFC4492).
530          */
531         if (comp_id && s->session->tlsext_ecpointformatlist)
532                 {
533                 p = s->session->tlsext_ecpointformatlist;
534                 plen = s->session->tlsext_ecpointformatlist_length;
535                 for (i = 0; i < plen; i++, p++)
536                         {
537                         if (*comp_id == *p)
538                                 break;
539                         }
540                 if (i == plen)
541                         return 0;
542                 }
543         /* Check curve is consistent with client and server preferences */
544         for (j = 0; j <= 1; j++)
545                 {
546                 tls1_get_curvelist(s, j, &p, &plen);
547                 for (i = 0; i < plen; i+=2, p+=2)
548                         {
549                         if (p[0] == curve_id[0] && p[1] == curve_id[1])
550                                 break;
551                         }
552                 if (i == plen)
553                         return 0;
554                 }
555         return 1;
556         }
557
558 /* Check cert parameters compatible with extensions: currently just checks
559  * EC certificates have compatible curves and compression.
560  */
561 static int tls1_check_cert_param(SSL *s, X509 *x)
562         {
563         unsigned char comp_id, curve_id[2];
564         EVP_PKEY *pkey;
565         int rv;
566         pkey = X509_get_pubkey(x);
567         if (!pkey)
568                 return 0;
569         /* If not EC nothing to do */
570         if (pkey->type != EVP_PKEY_EC)
571                 {
572                 EVP_PKEY_free(pkey);
573                 return 1;
574                 }
575         rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
576         EVP_PKEY_free(pkey);
577         if (!rv)
578                 return 0;
579         return tls1_check_ec_key(s, curve_id, &comp_id);
580         }
581 /* Check EC temporary key is compatible with client extensions */
582 int tls1_check_ec_tmp_key(SSL *s)
583         {
584         unsigned char curve_id[2];
585         EC_KEY *ec = s->cert->ecdh_tmp;
586         if (s->cert->ecdh_tmp_auto)
587                 {
588                 /* Need a shared curve */
589                 if (tls1_shared_curve(s, 0))
590                         return 1;
591                 else return 0;
592                 }
593         if (!ec)
594                 {
595                 if (s->cert->ecdh_tmp_cb)
596                         return 1;
597                 else
598                         return 0;
599                 }
600         if (!tls1_set_ec_id(curve_id, NULL, ec))
601                 return 0;
602 /* Set this to allow use of invalid curves for testing */
603 #if 0
604         return 1;
605 #else
606         return tls1_check_ec_key(s, curve_id, NULL);
607 #endif
608         }
609
610 #endif /* OPENSSL_NO_EC */
611
612 #ifndef OPENSSL_NO_TLSEXT
613
614 /* List of supported signature algorithms and hashes. Should make this
615  * customisable at some point, for now include everything we support.
616  */
617
618 #ifdef OPENSSL_NO_RSA
619 #define tlsext_sigalg_rsa(md) /* */
620 #else
621 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
622 #endif
623
624 #ifdef OPENSSL_NO_DSA
625 #define tlsext_sigalg_dsa(md) /* */
626 #else
627 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
628 #endif
629
630 #ifdef OPENSSL_NO_ECDSA
631 #define tlsext_sigalg_ecdsa(md) /* */
632 #else
633 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
634 #endif
635
636 #define tlsext_sigalg(md) \
637                 tlsext_sigalg_rsa(md) \
638                 tlsext_sigalg_dsa(md) \
639                 tlsext_sigalg_ecdsa(md)
640
641 static unsigned char tls12_sigalgs[] = {
642 #ifndef OPENSSL_NO_SHA512
643         tlsext_sigalg(TLSEXT_hash_sha512)
644         tlsext_sigalg(TLSEXT_hash_sha384)
645 #endif
646 #ifndef OPENSSL_NO_SHA256
647         tlsext_sigalg(TLSEXT_hash_sha256)
648         tlsext_sigalg(TLSEXT_hash_sha224)
649 #endif
650 #ifndef OPENSSL_NO_SHA
651         tlsext_sigalg(TLSEXT_hash_sha1)
652 #endif
653 #ifndef OPENSSL_NO_MD5
654         tlsext_sigalg_rsa(TLSEXT_hash_md5)
655 #endif
656 };
657
658 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
659         {
660         /* If server use client authentication sigalgs if not NULL */
661         if (s->server && s->cert->client_sigalgs)
662                 {
663                 *psigs = s->cert->client_sigalgs;
664                 return s->cert->client_sigalgslen;
665                 }
666         else if (s->cert->conf_sigalgs)
667                 {
668                 *psigs = s->cert->conf_sigalgs;
669                 return s->cert->conf_sigalgslen;
670                 }
671         else
672                 {
673                 *psigs = tls12_sigalgs;
674 #ifdef OPENSSL_FIPS
675                 /* If FIPS mode don't include MD5 which is last */
676                 if (FIPS_mode())
677                         return sizeof(tls12_sigalgs) - 2;
678                 else
679 #endif
680                         return sizeof(tls12_sigalgs);
681                 }
682         }
683 /* Get a mask of disabled algorithms: an algorithm is disabled
684  * if it isn't supported or doesn't appear in supported signature
685  * algorithms. Unlike ssl_cipher_get_disabled this applies to a specific
686  * session and not global settings.
687  * 
688  */
689 void ssl_set_client_disabled(SSL *s)
690         {
691         CERT *c = s->cert;
692         const unsigned char *sigalgs;
693         size_t i, sigalgslen;
694         int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
695         c->mask_a = 0;
696         c->mask_k = 0;
697         /* If less than TLS 1.2 don't allow TLS 1.2 only ciphers */
698         if (TLS1_get_version(s) < TLS1_2_VERSION)
699                 c->mask_ssl = SSL_TLSV1_2;
700         else
701                 c->mask_ssl = 0;
702         /* Now go through all signature algorithms seeing if we support
703          * any for RSA, DSA, ECDSA. Do this for all versions not just
704          * TLS 1.2.
705          */
706         sigalgslen = tls12_get_psigalgs(s, &sigalgs);
707         for (i = 0; i < sigalgslen; i += 2, sigalgs += 2)
708                 {
709                 switch(sigalgs[1])
710                         {
711 #ifndef OPENSSL_NO_RSA
712                 case TLSEXT_signature_rsa:
713                         have_rsa = 1;
714                         break;
715 #endif
716 #ifndef OPENSSL_NO_DSA
717                 case TLSEXT_signature_dsa:
718                         have_dsa = 1;
719                         break;
720 #endif
721 #ifndef OPENSSL_NO_ECDSA
722                 case TLSEXT_signature_ecdsa:
723                         have_ecdsa = 1;
724                         break;
725 #endif
726                         }
727                 }
728         /* Disable auth and static DH if we don't include any appropriate
729          * signature algorithms.
730          */
731         if (!have_rsa)
732                 {
733                 c->mask_a |= SSL_aRSA;
734                 c->mask_k |= SSL_kDHr|SSL_kECDHr;
735                 }
736         if (!have_dsa)
737                 {
738                 c->mask_a |= SSL_aDSS;
739                 c->mask_k |= SSL_kDHd;
740                 }
741         if (!have_ecdsa)
742                 {
743                 c->mask_a |= SSL_aECDSA;
744                 c->mask_k |= SSL_kECDHe;
745                 }
746 #ifndef OPENSSL_NO_KRB5
747         if (!kssl_tgt_is_available(s->kssl_ctx))
748                 {
749                 c->mask_a |= SSL_aKRB5;
750                 c->mask_k |= SSL_kKRB5;
751                 }
752 #endif
753 #ifndef OPENSSL_NO_PSK
754         /* with PSK there must be client callback set */
755         if (!s->psk_client_callback)
756                 {
757                 c->mask_a |= SSL_aPSK;
758                 c->mask_k |= SSL_kPSK;
759                 }
760 #endif /* OPENSSL_NO_PSK */
761         c->valid = 1;
762         }
763
764 /* byte_compare is a compare function for qsort(3) that compares bytes. */
765 static int byte_compare(const void *in_a, const void *in_b)
766         {
767         unsigned char a = *((const unsigned char*) in_a);
768         unsigned char b = *((const unsigned char*) in_b);
769
770         if (a > b)
771                 return 1;
772         else if (a < b)
773                 return -1;
774         return 0;
775 }
776
777 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
778         {
779         int extdatalen=0;
780         unsigned char *ret = p;
781 #ifndef OPENSSL_NO_EC
782         /* See if we support any ECC ciphersuites */
783         int using_ecc = 0;
784         if (s->version != DTLS1_VERSION && s->version >= TLS1_VERSION)
785                 {
786                 int i;
787                 unsigned long alg_k, alg_a;
788                 STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
789
790                 for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
791                         {
792                         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
793
794                         alg_k = c->algorithm_mkey;
795                         alg_a = c->algorithm_auth;
796                         if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)
797                                 || (alg_a & SSL_aECDSA)))
798                                 {
799                                 using_ecc = 1;
800                                 break;
801                                 }
802                         }
803                 }
804 #endif
805
806         /* don't add extensions for SSLv3 unless doing secure renegotiation */
807         if (s->client_version == SSL3_VERSION
808                                         && !s->s3->send_connection_binding)
809                 return p;
810
811         ret+=2;
812
813         if (ret>=limit) return NULL; /* this really never occurs, but ... */
814
815         if (s->tlsext_hostname != NULL)
816                 { 
817                 /* Add TLS extension servername to the Client Hello message */
818                 unsigned long size_str;
819                 long lenmax; 
820
821                 /* check for enough space.
822                    4 for the servername type and entension length
823                    2 for servernamelist length
824                    1 for the hostname type
825                    2 for hostname length
826                    + hostname length 
827                 */
828                    
829                 if ((lenmax = limit - ret - 9) < 0 
830                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
831                         return NULL;
832                         
833                 /* extension type and length */
834                 s2n(TLSEXT_TYPE_server_name,ret); 
835                 s2n(size_str+5,ret);
836                 
837                 /* length of servername list */
838                 s2n(size_str+3,ret);
839         
840                 /* hostname type, length and hostname */
841                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
842                 s2n(size_str,ret);
843                 memcpy(ret, s->tlsext_hostname, size_str);
844                 ret+=size_str;
845                 }
846
847         /* Add RI if renegotiating */
848         if (s->renegotiate)
849           {
850           int el;
851           
852           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
853               {
854               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
855               return NULL;
856               }
857
858           if((limit - p - 4 - el) < 0) return NULL;
859           
860           s2n(TLSEXT_TYPE_renegotiate,ret);
861           s2n(el,ret);
862
863           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
864               {
865               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
866               return NULL;
867               }
868
869           ret += el;
870         }
871
872 #ifndef OPENSSL_NO_SRP
873         /* Add SRP username if there is one */
874         if (s->srp_ctx.login != NULL)
875                 { /* Add TLS extension SRP username to the Client Hello message */
876
877                 int login_len = strlen(s->srp_ctx.login);       
878                 if (login_len > 255 || login_len == 0)
879                         {
880                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
881                         return NULL;
882                         } 
883
884                 /* check for enough space.
885                    4 for the srp type type and entension length
886                    1 for the srp user identity
887                    + srp user identity length 
888                 */
889                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
890
891                 /* fill in the extension */
892                 s2n(TLSEXT_TYPE_srp,ret);
893                 s2n(login_len+1,ret);
894                 (*ret++) = (unsigned char) login_len;
895                 memcpy(ret, s->srp_ctx.login, login_len);
896                 ret+=login_len;
897                 }
898 #endif
899
900 #ifndef OPENSSL_NO_EC
901         if (using_ecc)
902                 {
903                 /* Add TLS extension ECPointFormats to the ClientHello message */
904                 long lenmax; 
905                 const unsigned char *plist;
906                 size_t plistlen;
907                 /* If we have a custom point format list use it otherwise
908                  * use default */
909                 plist = s->tlsext_ecpointformatlist;
910                 if (plist)
911                         plistlen = s->tlsext_ecpointformatlist_length;
912                 else
913                         {
914                         plist = ecformats_default;
915                         plistlen = sizeof(ecformats_default);
916                         }
917
918                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
919                 if (plistlen > (size_t)lenmax) return NULL;
920                 if (plistlen > 255)
921                         {
922                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
923                         return NULL;
924                         }
925                 
926                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
927                 s2n(plistlen + 1,ret);
928                 *(ret++) = (unsigned char)plistlen ;
929                 memcpy(ret, plist, plistlen);
930                 ret+=plistlen;
931
932                 /* Add TLS extension EllipticCurves to the ClientHello message */
933                 plist = s->tlsext_ellipticcurvelist;
934                 tls1_get_curvelist(s, 0, &plist, &plistlen);
935
936                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
937                 if (plistlen > (size_t)lenmax) return NULL;
938                 if (plistlen > 65532)
939                         {
940                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
941                         return NULL;
942                         }
943                 
944                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
945                 s2n(plistlen + 2, ret);
946
947                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
948                  * elliptic_curve_list, but the examples use two bytes.
949                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
950                  * resolves this to two bytes.
951                  */
952                 s2n(plistlen, ret);
953                 memcpy(ret, plist, plistlen);
954                 ret+=plistlen;
955                 }
956 #endif /* OPENSSL_NO_EC */
957
958         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
959                 {
960                 int ticklen;
961                 if (!s->new_session && s->session && s->session->tlsext_tick)
962                         ticklen = s->session->tlsext_ticklen;
963                 else if (s->session && s->tlsext_session_ticket &&
964                          s->tlsext_session_ticket->data)
965                         {
966                         ticklen = s->tlsext_session_ticket->length;
967                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
968                         if (!s->session->tlsext_tick)
969                                 return NULL;
970                         memcpy(s->session->tlsext_tick,
971                                s->tlsext_session_ticket->data,
972                                ticklen);
973                         s->session->tlsext_ticklen = ticklen;
974                         }
975                 else
976                         ticklen = 0;
977                 if (ticklen == 0 && s->tlsext_session_ticket &&
978                     s->tlsext_session_ticket->data == NULL)
979                         goto skip_ext;
980                 /* Check for enough room 2 for extension type, 2 for len
981                  * rest for ticket
982                  */
983                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
984                 s2n(TLSEXT_TYPE_session_ticket,ret); 
985                 s2n(ticklen,ret);
986                 if (ticklen)
987                         {
988                         memcpy(ret, s->session->tlsext_tick, ticklen);
989                         ret += ticklen;
990                         }
991                 }
992                 skip_ext:
993
994         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
995                 {
996                 size_t salglen;
997                 const unsigned char *salg;
998                 salglen = tls12_get_psigalgs(s, &salg);
999                 if ((size_t)(limit - ret) < salglen + 6)
1000                         return NULL; 
1001                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
1002                 s2n(salglen + 2, ret);
1003                 s2n(salglen, ret);
1004                 memcpy(ret, salg, salglen);
1005                 ret += salglen;
1006                 }
1007
1008 #ifdef TLSEXT_TYPE_opaque_prf_input
1009         if (s->s3->client_opaque_prf_input != NULL &&
1010             s->version != DTLS1_VERSION)
1011                 {
1012                 size_t col = s->s3->client_opaque_prf_input_len;
1013                 
1014                 if ((long)(limit - ret - 6 - col < 0))
1015                         return NULL;
1016                 if (col > 0xFFFD) /* can't happen */
1017                         return NULL;
1018
1019                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1020                 s2n(col + 2, ret);
1021                 s2n(col, ret);
1022                 memcpy(ret, s->s3->client_opaque_prf_input, col);
1023                 ret += col;
1024                 }
1025 #endif
1026
1027         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
1028             s->version != DTLS1_VERSION)
1029                 {
1030                 int i;
1031                 long extlen, idlen, itmp;
1032                 OCSP_RESPID *id;
1033
1034                 idlen = 0;
1035                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1036                         {
1037                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1038                         itmp = i2d_OCSP_RESPID(id, NULL);
1039                         if (itmp <= 0)
1040                                 return NULL;
1041                         idlen += itmp + 2;
1042                         }
1043
1044                 if (s->tlsext_ocsp_exts)
1045                         {
1046                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1047                         if (extlen < 0)
1048                                 return NULL;
1049                         }
1050                 else
1051                         extlen = 0;
1052                         
1053                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
1054                 s2n(TLSEXT_TYPE_status_request, ret);
1055                 if (extlen + idlen > 0xFFF0)
1056                         return NULL;
1057                 s2n(extlen + idlen + 5, ret);
1058                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1059                 s2n(idlen, ret);
1060                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
1061                         {
1062                         /* save position of id len */
1063                         unsigned char *q = ret;
1064                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1065                         /* skip over id len */
1066                         ret += 2;
1067                         itmp = i2d_OCSP_RESPID(id, &ret);
1068                         /* write id len */
1069                         s2n(itmp, q);
1070                         }
1071                 s2n(extlen, ret);
1072                 if (extlen > 0)
1073                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1074                 }
1075
1076 #ifndef OPENSSL_NO_HEARTBEATS
1077         /* Add Heartbeat extension */
1078         s2n(TLSEXT_TYPE_heartbeat,ret);
1079         s2n(1,ret);
1080         /* Set mode:
1081          * 1: peer may send requests
1082          * 2: peer not allowed to send requests
1083          */
1084         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1085                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1086         else
1087                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
1088 #endif
1089
1090 #ifndef OPENSSL_NO_NEXTPROTONEG
1091         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
1092                 {
1093                 /* The client advertises an emtpy extension to indicate its
1094                  * support for Next Protocol Negotiation */
1095                 if (limit - ret - 4 < 0)
1096                         return NULL;
1097                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
1098                 s2n(0,ret);
1099                 }
1100 #endif
1101
1102         if(SSL_get_srtp_profiles(s))
1103                 {
1104                 int el;
1105
1106                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1107                 
1108                 if((limit - p - 4 - el) < 0) return NULL;
1109
1110                 s2n(TLSEXT_TYPE_use_srtp,ret);
1111                 s2n(el,ret);
1112
1113                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
1114                         {
1115                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1116                         return NULL;
1117                         }
1118                 ret += el;
1119                 }
1120
1121         /* Add TLS extension Server_Authz_DataFormats to the ClientHello */
1122         /* 2 bytes for extension type */
1123         /* 2 bytes for extension length */
1124         /* 1 byte for the list length */
1125         /* 1 byte for the list (we only support audit proofs) */
1126         if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
1127                 {
1128                 size_t lenmax;
1129                 const unsigned short ext_len = 2;
1130                 const unsigned char list_len = 1;
1131
1132                 if ((lenmax = limit - ret - 6) < 0) return NULL;
1133
1134                 s2n(TLSEXT_TYPE_server_authz, ret);
1135                 /* Extension length: 2 bytes */
1136                 s2n(ext_len, ret);
1137                 *(ret++) = list_len;
1138                 *(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
1139                 }
1140
1141         if ((extdatalen = ret-p-2) == 0)
1142                 return p;
1143
1144         s2n(extdatalen,p);
1145         return ret;
1146         }
1147
1148 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
1149         {
1150         int extdatalen=0;
1151         unsigned char *ret = p;
1152 #ifndef OPENSSL_NO_NEXTPROTONEG
1153         int next_proto_neg_seen;
1154 #endif
1155
1156         /* don't add extensions for SSLv3, unless doing secure renegotiation */
1157         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1158                 return p;
1159         
1160         ret+=2;
1161         if (ret>=limit) return NULL; /* this really never occurs, but ... */
1162
1163         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
1164                 { 
1165                 if ((long)(limit - ret - 4) < 0) return NULL; 
1166
1167                 s2n(TLSEXT_TYPE_server_name,ret);
1168                 s2n(0,ret);
1169                 }
1170
1171         if(s->s3->send_connection_binding)
1172         {
1173           int el;
1174           
1175           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
1176               {
1177               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1178               return NULL;
1179               }
1180
1181           if((limit - p - 4 - el) < 0) return NULL;
1182           
1183           s2n(TLSEXT_TYPE_renegotiate,ret);
1184           s2n(el,ret);
1185
1186           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
1187               {
1188               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1189               return NULL;
1190               }
1191
1192           ret += el;
1193         }
1194
1195 #ifndef OPENSSL_NO_EC
1196         if (s->tlsext_ecpointformatlist != NULL &&
1197             s->version != DTLS1_VERSION)
1198                 {
1199                 /* Add TLS extension ECPointFormats to the ServerHello message */
1200                 long lenmax; 
1201
1202                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
1203                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
1204                 if (s->tlsext_ecpointformatlist_length > 255)
1205                         {
1206                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1207                         return NULL;
1208                         }
1209                 
1210                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
1211                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
1212                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
1213                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
1214                 ret+=s->tlsext_ecpointformatlist_length;
1215
1216                 }
1217         /* Currently the server should not respond with a SupportedCurves extension */
1218 #endif /* OPENSSL_NO_EC */
1219
1220         if (s->tlsext_ticket_expected
1221                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
1222                 { 
1223                 if ((long)(limit - ret - 4) < 0) return NULL; 
1224                 s2n(TLSEXT_TYPE_session_ticket,ret);
1225                 s2n(0,ret);
1226                 }
1227
1228         if (s->tlsext_status_expected)
1229                 { 
1230                 if ((long)(limit - ret - 4) < 0) return NULL; 
1231                 s2n(TLSEXT_TYPE_status_request,ret);
1232                 s2n(0,ret);
1233                 }
1234
1235 #ifdef TLSEXT_TYPE_opaque_prf_input
1236         if (s->s3->server_opaque_prf_input != NULL &&
1237             s->version != DTLS1_VERSION)
1238                 {
1239                 size_t sol = s->s3->server_opaque_prf_input_len;
1240                 
1241                 if ((long)(limit - ret - 6 - sol) < 0)
1242                         return NULL;
1243                 if (sol > 0xFFFD) /* can't happen */
1244                         return NULL;
1245
1246                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
1247                 s2n(sol + 2, ret);
1248                 s2n(sol, ret);
1249                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
1250                 ret += sol;
1251                 }
1252 #endif
1253
1254         if(s->srtp_profile)
1255                 {
1256                 int el;
1257
1258                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1259                 
1260                 if((limit - p - 4 - el) < 0) return NULL;
1261
1262                 s2n(TLSEXT_TYPE_use_srtp,ret);
1263                 s2n(el,ret);
1264
1265                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
1266                         {
1267                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1268                         return NULL;
1269                         }
1270                 ret+=el;
1271                 }
1272
1273         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
1274                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
1275                 { const unsigned char cryptopro_ext[36] = {
1276                         0xfd, 0xe8, /*65000*/
1277                         0x00, 0x20, /*32 bytes length*/
1278                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
1279                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
1280                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
1281                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
1282                         if (limit-ret<36) return NULL;
1283                         memcpy(ret,cryptopro_ext,36);
1284                         ret+=36;
1285
1286                 }
1287
1288 #ifndef OPENSSL_NO_HEARTBEATS
1289         /* Add Heartbeat extension if we've received one */
1290         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
1291                 {
1292                 s2n(TLSEXT_TYPE_heartbeat,ret);
1293                 s2n(1,ret);
1294                 /* Set mode:
1295                  * 1: peer may send requests
1296                  * 2: peer not allowed to send requests
1297                  */
1298                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1299                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1300                 else
1301                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1302
1303                 }
1304 #endif
1305
1306 #ifndef OPENSSL_NO_NEXTPROTONEG
1307         next_proto_neg_seen = s->s3->next_proto_neg_seen;
1308         s->s3->next_proto_neg_seen = 0;
1309         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
1310                 {
1311                 const unsigned char *npa;
1312                 unsigned int npalen;
1313                 int r;
1314
1315                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
1316                 if (r == SSL_TLSEXT_ERR_OK)
1317                         {
1318                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
1319                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
1320                         s2n(npalen,ret);
1321                         memcpy(ret, npa, npalen);
1322                         ret += npalen;
1323                         s->s3->next_proto_neg_seen = 1;
1324                         }
1325                 }
1326 #endif
1327
1328         /* If the client supports authz then see whether we have any to offer
1329          * to it. */
1330         if (s->s3->tlsext_authz_client_types_len)
1331                 {
1332                 size_t authz_length;
1333                 /* By now we already know the new cipher, so we can look ahead
1334                  * to see whether the cert we are going to send
1335                  * has any authz data attached to it. */
1336                 const unsigned char* authz = ssl_get_authz_data(s, &authz_length);
1337                 const unsigned char* const orig_authz = authz;
1338                 size_t i;
1339                 unsigned authz_count = 0;
1340
1341                 /* The authz data contains a number of the following structures:
1342                  *      uint8_t authz_type
1343                  *      uint16_t length
1344                  *      uint8_t data[length]
1345                  *
1346                  * First we walk over it to find the number of authz elements. */
1347                 for (i = 0; i < authz_length; i++)
1348                         {
1349                         unsigned short length;
1350                         unsigned char type;
1351
1352                         type = *(authz++);
1353                         if (memchr(s->s3->tlsext_authz_client_types,
1354                                    type,
1355                                    s->s3->tlsext_authz_client_types_len) != NULL)
1356                                 authz_count++;
1357
1358                         n2s(authz, length);
1359                         /* n2s increments authz by 2 */
1360                         i += 2;
1361                         authz += length;
1362                         i += length;
1363                         }
1364
1365                 if (authz_count)
1366                         {
1367                         /* Add TLS extension server_authz to the ServerHello message
1368                          * 2 bytes for extension type
1369                          * 2 bytes for extension length
1370                          * 1 byte for the list length
1371                          * n bytes for the list */
1372                         const unsigned short ext_len = 1 + authz_count;
1373
1374                         if ((long)(limit - ret - 4 - ext_len) < 0) return NULL;
1375                         s2n(TLSEXT_TYPE_server_authz, ret);
1376                         s2n(ext_len, ret);
1377                         *(ret++) = authz_count;
1378                         s->s3->tlsext_authz_promised_to_client = 1;
1379                         }
1380
1381                 authz = orig_authz;
1382                 for (i = 0; i < authz_length; i++)
1383                         {
1384                         unsigned short length;
1385                         unsigned char type;
1386
1387                         authz_count++;
1388                         type = *(authz++);
1389                         if (memchr(s->s3->tlsext_authz_client_types,
1390                                    type,
1391                                    s->s3->tlsext_authz_client_types_len) != NULL)
1392                                 *(ret++) = type;
1393                         n2s(authz, length);
1394                         /* n2s increments authz by 2 */
1395                         i += 2;
1396                         authz += length;
1397                         i += length;
1398                         }
1399                 }
1400
1401         if ((extdatalen = ret-p-2)== 0) 
1402                 return p;
1403
1404         s2n(extdatalen,p);
1405         return ret;
1406         }
1407
1408 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 
1409         {       
1410         unsigned short type;
1411         unsigned short size;
1412         unsigned short len;
1413         unsigned char *data = *p;
1414         int renegotiate_seen = 0;
1415
1416         s->servername_done = 0;
1417         s->tlsext_status_type = -1;
1418 #ifndef OPENSSL_NO_NEXTPROTONEG
1419         s->s3->next_proto_neg_seen = 0;
1420 #endif
1421
1422 #ifndef OPENSSL_NO_HEARTBEATS
1423         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1424                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1425 #endif
1426         /* Clear any signature algorithms extension received */
1427         if (s->cert->peer_sigalgs)
1428                 {
1429                 OPENSSL_free(s->cert->peer_sigalgs);
1430                 s->cert->peer_sigalgs = NULL;
1431                 }
1432         /* Clear any shared sigtnature algorithms */
1433         if (s->cert->shared_sigalgs)
1434                 {
1435                 OPENSSL_free(s->cert->shared_sigalgs);
1436                 s->cert->shared_sigalgs = NULL;
1437                 }
1438
1439         if (data >= (d+n-2))
1440                 goto ri_check;
1441         n2s(data,len);
1442
1443         if (data > (d+n-len)) 
1444                 goto ri_check;
1445
1446         while (data <= (d+n-4))
1447                 {
1448                 n2s(data,type);
1449                 n2s(data,size);
1450
1451                 if (data+size > (d+n))
1452                         goto ri_check;
1453 #if 0
1454                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1455 #endif
1456                 if (s->tlsext_debug_cb)
1457                         s->tlsext_debug_cb(s, 0, type, data, size,
1458                                                 s->tlsext_debug_arg);
1459 /* The servername extension is treated as follows:
1460
1461    - Only the hostname type is supported with a maximum length of 255.
1462    - The servername is rejected if too long or if it contains zeros,
1463      in which case an fatal alert is generated.
1464    - The servername field is maintained together with the session cache.
1465    - When a session is resumed, the servername call back invoked in order
1466      to allow the application to position itself to the right context. 
1467    - The servername is acknowledged if it is new for a session or when 
1468      it is identical to a previously used for the same session. 
1469      Applications can control the behaviour.  They can at any time
1470      set a 'desirable' servername for a new SSL object. This can be the
1471      case for example with HTTPS when a Host: header field is received and
1472      a renegotiation is requested. In this case, a possible servername
1473      presented in the new client hello is only acknowledged if it matches
1474      the value of the Host: field. 
1475    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1476      if they provide for changing an explicit servername context for the session,
1477      i.e. when the session has been established with a servername extension. 
1478    - On session reconnect, the servername extension may be absent. 
1479
1480 */      
1481
1482                 if (type == TLSEXT_TYPE_server_name)
1483                         {
1484                         unsigned char *sdata;
1485                         int servname_type;
1486                         int dsize; 
1487                 
1488                         if (size < 2) 
1489                                 {
1490                                 *al = SSL_AD_DECODE_ERROR;
1491                                 return 0;
1492                                 }
1493                         n2s(data,dsize);  
1494                         size -= 2;
1495                         if (dsize > size  ) 
1496                                 {
1497                                 *al = SSL_AD_DECODE_ERROR;
1498                                 return 0;
1499                                 } 
1500
1501                         sdata = data;
1502                         while (dsize > 3) 
1503                                 {
1504                                 servname_type = *(sdata++); 
1505                                 n2s(sdata,len);
1506                                 dsize -= 3;
1507
1508                                 if (len > dsize) 
1509                                         {
1510                                         *al = SSL_AD_DECODE_ERROR;
1511                                         return 0;
1512                                         }
1513                                 if (s->servername_done == 0)
1514                                 switch (servname_type)
1515                                         {
1516                                 case TLSEXT_NAMETYPE_host_name:
1517                                         if (!s->hit)
1518                                                 {
1519                                                 if(s->session->tlsext_hostname)
1520                                                         {
1521                                                         *al = SSL_AD_DECODE_ERROR;
1522                                                         return 0;
1523                                                         }
1524                                                 if (len > TLSEXT_MAXLEN_host_name)
1525                                                         {
1526                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1527                                                         return 0;
1528                                                         }
1529                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1530                                                         {
1531                                                         *al = TLS1_AD_INTERNAL_ERROR;
1532                                                         return 0;
1533                                                         }
1534                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1535                                                 s->session->tlsext_hostname[len]='\0';
1536                                                 if (strlen(s->session->tlsext_hostname) != len) {
1537                                                         OPENSSL_free(s->session->tlsext_hostname);
1538                                                         s->session->tlsext_hostname = NULL;
1539                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1540                                                         return 0;
1541                                                 }
1542                                                 s->servername_done = 1; 
1543
1544                                                 }
1545                                         else 
1546                                                 s->servername_done = s->session->tlsext_hostname
1547                                                         && strlen(s->session->tlsext_hostname) == len 
1548                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1549                                         
1550                                         break;
1551
1552                                 default:
1553                                         break;
1554                                         }
1555                                  
1556                                 dsize -= len;
1557                                 }
1558                         if (dsize != 0) 
1559                                 {
1560                                 *al = SSL_AD_DECODE_ERROR;
1561                                 return 0;
1562                                 }
1563
1564                         }
1565 #ifndef OPENSSL_NO_SRP
1566                 else if (type == TLSEXT_TYPE_srp)
1567                         {
1568                         if (size <= 0 || ((len = data[0])) != (size -1))
1569                                 {
1570                                 *al = SSL_AD_DECODE_ERROR;
1571                                 return 0;
1572                                 }
1573                         if (s->srp_ctx.login != NULL)
1574                                 {
1575                                 *al = SSL_AD_DECODE_ERROR;
1576                                 return 0;
1577                                 }
1578                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1579                                 return -1;
1580                         memcpy(s->srp_ctx.login, &data[1], len);
1581                         s->srp_ctx.login[len]='\0';
1582   
1583                         if (strlen(s->srp_ctx.login) != len) 
1584                                 {
1585                                 *al = SSL_AD_DECODE_ERROR;
1586                                 return 0;
1587                                 }
1588                         }
1589 #endif
1590
1591 #ifndef OPENSSL_NO_EC
1592                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1593                      s->version != DTLS1_VERSION)
1594                         {
1595                         unsigned char *sdata = data;
1596                         int ecpointformatlist_length = *(sdata++);
1597
1598                         if (ecpointformatlist_length != size - 1)
1599                                 {
1600                                 *al = TLS1_AD_DECODE_ERROR;
1601                                 return 0;
1602                                 }
1603                         if (!s->hit)
1604                                 {
1605                                 if(s->session->tlsext_ecpointformatlist)
1606                                         {
1607                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1608                                         s->session->tlsext_ecpointformatlist = NULL;
1609                                         }
1610                                 s->session->tlsext_ecpointformatlist_length = 0;
1611                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1612                                         {
1613                                         *al = TLS1_AD_INTERNAL_ERROR;
1614                                         return 0;
1615                                         }
1616                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1617                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1618                                 }
1619 #if 0
1620                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1621                         sdata = s->session->tlsext_ecpointformatlist;
1622                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1623                                 fprintf(stderr,"%i ",*(sdata++));
1624                         fprintf(stderr,"\n");
1625 #endif
1626                         }
1627                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1628                      s->version != DTLS1_VERSION)
1629                         {
1630                         unsigned char *sdata = data;
1631                         int ellipticcurvelist_length = (*(sdata++) << 8);
1632                         ellipticcurvelist_length += (*(sdata++));
1633
1634                         if (ellipticcurvelist_length != size - 2)
1635                                 {
1636                                 *al = TLS1_AD_DECODE_ERROR;
1637                                 return 0;
1638                                 }
1639                         if (!s->hit)
1640                                 {
1641                                 if(s->session->tlsext_ellipticcurvelist)
1642                                         {
1643                                         *al = TLS1_AD_DECODE_ERROR;
1644                                         return 0;
1645                                         }
1646                                 s->session->tlsext_ellipticcurvelist_length = 0;
1647                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1648                                         {
1649                                         *al = TLS1_AD_INTERNAL_ERROR;
1650                                         return 0;
1651                                         }
1652                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1653                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1654                                 }
1655 #if 0
1656                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1657                         sdata = s->session->tlsext_ellipticcurvelist;
1658                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1659                                 fprintf(stderr,"%i ",*(sdata++));
1660                         fprintf(stderr,"\n");
1661 #endif
1662                         }
1663 #endif /* OPENSSL_NO_EC */
1664 #ifdef TLSEXT_TYPE_opaque_prf_input
1665                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1666                      s->version != DTLS1_VERSION)
1667                         {
1668                         unsigned char *sdata = data;
1669
1670                         if (size < 2)
1671                                 {
1672                                 *al = SSL_AD_DECODE_ERROR;
1673                                 return 0;
1674                                 }
1675                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1676                         if (s->s3->client_opaque_prf_input_len != size - 2)
1677                                 {
1678                                 *al = SSL_AD_DECODE_ERROR;
1679                                 return 0;
1680                                 }
1681
1682                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1683                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1684                         if (s->s3->client_opaque_prf_input_len == 0)
1685                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1686                         else
1687                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1688                         if (s->s3->client_opaque_prf_input == NULL)
1689                                 {
1690                                 *al = TLS1_AD_INTERNAL_ERROR;
1691                                 return 0;
1692                                 }
1693                         }
1694 #endif
1695                 else if (type == TLSEXT_TYPE_session_ticket)
1696                         {
1697                         if (s->tls_session_ticket_ext_cb &&
1698                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1699                                 {
1700                                 *al = TLS1_AD_INTERNAL_ERROR;
1701                                 return 0;
1702                                 }
1703                         }
1704                 else if (type == TLSEXT_TYPE_renegotiate)
1705                         {
1706                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1707                                 return 0;
1708                         renegotiate_seen = 1;
1709                         }
1710                 else if (type == TLSEXT_TYPE_signature_algorithms)
1711                         {
1712                         int dsize;
1713                         if (s->cert->peer_sigalgs || size < 2) 
1714                                 {
1715                                 *al = SSL_AD_DECODE_ERROR;
1716                                 return 0;
1717                                 }
1718                         n2s(data,dsize);
1719                         size -= 2;
1720                         if (dsize != size || dsize & 1 || !dsize) 
1721                                 {
1722                                 *al = SSL_AD_DECODE_ERROR;
1723                                 return 0;
1724                                 }
1725                         if (!tls1_process_sigalgs(s, data, dsize))
1726                                 {
1727                                 *al = SSL_AD_DECODE_ERROR;
1728                                 return 0;
1729                                 }
1730                         /* If sigalgs received and no shared algorithms fatal
1731                          * error.
1732                          */
1733                         if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs)
1734                                 {
1735                                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1736                                         SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
1737                                 *al = SSL_AD_ILLEGAL_PARAMETER;
1738                                 return 0;
1739                                 }
1740                         }
1741                 else if (type == TLSEXT_TYPE_status_request &&
1742                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1743                         {
1744                 
1745                         if (size < 5) 
1746                                 {
1747                                 *al = SSL_AD_DECODE_ERROR;
1748                                 return 0;
1749                                 }
1750
1751                         s->tlsext_status_type = *data++;
1752                         size--;
1753                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1754                                 {
1755                                 const unsigned char *sdata;
1756                                 int dsize;
1757                                 /* Read in responder_id_list */
1758                                 n2s(data,dsize);
1759                                 size -= 2;
1760                                 if (dsize > size  ) 
1761                                         {
1762                                         *al = SSL_AD_DECODE_ERROR;
1763                                         return 0;
1764                                         }
1765                                 while (dsize > 0)
1766                                         {
1767                                         OCSP_RESPID *id;
1768                                         int idsize;
1769                                         if (dsize < 4)
1770                                                 {
1771                                                 *al = SSL_AD_DECODE_ERROR;
1772                                                 return 0;
1773                                                 }
1774                                         n2s(data, idsize);
1775                                         dsize -= 2 + idsize;
1776                                         size -= 2 + idsize;
1777                                         if (dsize < 0)
1778                                                 {
1779                                                 *al = SSL_AD_DECODE_ERROR;
1780                                                 return 0;
1781                                                 }
1782                                         sdata = data;
1783                                         data += idsize;
1784                                         id = d2i_OCSP_RESPID(NULL,
1785                                                                 &sdata, idsize);
1786                                         if (!id)
1787                                                 {
1788                                                 *al = SSL_AD_DECODE_ERROR;
1789                                                 return 0;
1790                                                 }
1791                                         if (data != sdata)
1792                                                 {
1793                                                 OCSP_RESPID_free(id);
1794                                                 *al = SSL_AD_DECODE_ERROR;
1795                                                 return 0;
1796                                                 }
1797                                         if (!s->tlsext_ocsp_ids
1798                                                 && !(s->tlsext_ocsp_ids =
1799                                                 sk_OCSP_RESPID_new_null()))
1800                                                 {
1801                                                 OCSP_RESPID_free(id);
1802                                                 *al = SSL_AD_INTERNAL_ERROR;
1803                                                 return 0;
1804                                                 }
1805                                         if (!sk_OCSP_RESPID_push(
1806                                                         s->tlsext_ocsp_ids, id))
1807                                                 {
1808                                                 OCSP_RESPID_free(id);
1809                                                 *al = SSL_AD_INTERNAL_ERROR;
1810                                                 return 0;
1811                                                 }
1812                                         }
1813
1814                                 /* Read in request_extensions */
1815                                 if (size < 2)
1816                                         {
1817                                         *al = SSL_AD_DECODE_ERROR;
1818                                         return 0;
1819                                         }
1820                                 n2s(data,dsize);
1821                                 size -= 2;
1822                                 if (dsize != size)
1823                                         {
1824                                         *al = SSL_AD_DECODE_ERROR;
1825                                         return 0;
1826                                         }
1827                                 sdata = data;
1828                                 if (dsize > 0)
1829                                         {
1830                                         if (s->tlsext_ocsp_exts)
1831                                                 {
1832                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1833                                                                            X509_EXTENSION_free);
1834                                                 }
1835
1836                                         s->tlsext_ocsp_exts =
1837                                                 d2i_X509_EXTENSIONS(NULL,
1838                                                         &sdata, dsize);
1839                                         if (!s->tlsext_ocsp_exts
1840                                                 || (data + dsize != sdata))
1841                                                 {
1842                                                 *al = SSL_AD_DECODE_ERROR;
1843                                                 return 0;
1844                                                 }
1845                                         }
1846                                 }
1847                                 /* We don't know what to do with any other type
1848                                 * so ignore it.
1849                                 */
1850                                 else
1851                                         s->tlsext_status_type = -1;
1852                         }
1853 #ifndef OPENSSL_NO_HEARTBEATS
1854                 else if (type == TLSEXT_TYPE_heartbeat)
1855                         {
1856                         switch(data[0])
1857                                 {
1858                                 case 0x01:      /* Client allows us to send HB requests */
1859                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1860                                                         break;
1861                                 case 0x02:      /* Client doesn't accept HB requests */
1862                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1863                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1864                                                         break;
1865                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1866                                                         return 0;
1867                                 }
1868                         }
1869 #endif
1870 #ifndef OPENSSL_NO_NEXTPROTONEG
1871                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1872                          s->s3->tmp.finish_md_len == 0)
1873                         {
1874                         /* We shouldn't accept this extension on a
1875                          * renegotiation.
1876                          *
1877                          * s->new_session will be set on renegotiation, but we
1878                          * probably shouldn't rely that it couldn't be set on
1879                          * the initial renegotation too in certain cases (when
1880                          * there's some other reason to disallow resuming an
1881                          * earlier session -- the current code won't be doing
1882                          * anything like that, but this might change).
1883
1884                          * A valid sign that there's been a previous handshake
1885                          * in this connection is if s->s3->tmp.finish_md_len >
1886                          * 0.  (We are talking about a check that will happen
1887                          * in the Hello protocol round, well before a new
1888                          * Finished message could have been computed.) */
1889                         s->s3->next_proto_neg_seen = 1;
1890                         }
1891 #endif
1892
1893                 /* session ticket processed earlier */
1894                 else if (type == TLSEXT_TYPE_use_srtp)
1895                         {
1896                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1897                                                               al))
1898                                 return 0;
1899                         }
1900
1901                 else if (type == TLSEXT_TYPE_server_authz)
1902                         {
1903                         unsigned char *sdata = data;
1904                         unsigned char server_authz_dataformatlist_length;
1905
1906                         if (size == 0)
1907                                 {
1908                                 *al = TLS1_AD_DECODE_ERROR;
1909                                 return 0;
1910                                 }
1911
1912                         server_authz_dataformatlist_length = *(sdata++);
1913
1914                         if (server_authz_dataformatlist_length != size - 1)
1915                                 {
1916                                 *al = TLS1_AD_DECODE_ERROR;
1917                                 return 0;
1918                                 }
1919
1920                         /* Successful session resumption uses the same authz
1921                          * information as the original session so we ignore this
1922                          * in the case of a session resumption. */
1923                         if (!s->hit)
1924                                 {
1925                                 size_t i;
1926                                 if (s->s3->tlsext_authz_client_types != NULL)
1927                                         OPENSSL_free(s->s3->tlsext_authz_client_types);
1928                                 s->s3->tlsext_authz_client_types =
1929                                         OPENSSL_malloc(server_authz_dataformatlist_length);
1930                                 if (!s->s3->tlsext_authz_client_types)
1931                                         {
1932                                         *al = TLS1_AD_INTERNAL_ERROR;
1933                                         return 0;
1934                                         }
1935
1936                                 s->s3->tlsext_authz_client_types_len =
1937                                         server_authz_dataformatlist_length;
1938                                 memcpy(s->s3->tlsext_authz_client_types,
1939                                        sdata,
1940                                        server_authz_dataformatlist_length);
1941
1942                                 /* Sort the types in order to check for duplicates. */
1943                                 qsort(s->s3->tlsext_authz_client_types,
1944                                       server_authz_dataformatlist_length,
1945                                       1 /* element size */,
1946                                       byte_compare);
1947
1948                                 for (i = 0; i < server_authz_dataformatlist_length; i++)
1949                                         {
1950                                         if (i > 0 &&
1951                                             s->s3->tlsext_authz_client_types[i] ==
1952                                               s->s3->tlsext_authz_client_types[i-1])
1953                                                 {
1954                                                 *al = TLS1_AD_DECODE_ERROR;
1955                                                 return 0;
1956                                                 }
1957                                         }
1958                                 }
1959                         }
1960
1961                 data+=size;
1962                 }
1963
1964         *p = data;
1965
1966         ri_check:
1967
1968         /* Need RI if renegotiating */
1969
1970         if (!renegotiate_seen && s->renegotiate &&
1971                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1972                 {
1973                 *al = SSL_AD_HANDSHAKE_FAILURE;
1974                 SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
1975                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1976                 return 0;
1977                 }
1978         /* If no signature algorithms extension set default values */
1979         if (!s->cert->peer_sigalgs)
1980                 ssl_cert_set_default_md(s->cert);
1981
1982         return 1;
1983         }
1984
1985 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
1986         {
1987         int al = -1;
1988         if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
1989                 {
1990                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1991                 return 0;
1992                 }
1993
1994         if (ssl_check_clienthello_tlsext(s) <= 0) 
1995                 {
1996                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT);
1997                 return 0;
1998                 }
1999         return 1;
2000 }
2001
2002 #ifndef OPENSSL_NO_NEXTPROTONEG
2003 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2004  * elements of zero length are allowed and the set of elements must exactly fill
2005  * the length of the block. */
2006 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2007         {
2008         unsigned int off = 0;
2009
2010         while (off < len)
2011                 {
2012                 if (d[off] == 0)
2013                         return 0;
2014                 off += d[off];
2015                 off++;
2016                 }
2017
2018         return off == len;
2019         }
2020 #endif
2021
2022 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
2023         {
2024         unsigned short length;
2025         unsigned short type;
2026         unsigned short size;
2027         unsigned char *data = *p;
2028         int tlsext_servername = 0;
2029         int renegotiate_seen = 0;
2030
2031 #ifndef OPENSSL_NO_NEXTPROTONEG
2032         s->s3->next_proto_neg_seen = 0;
2033 #endif
2034
2035 #ifndef OPENSSL_NO_HEARTBEATS
2036         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2037                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2038 #endif
2039
2040         if (data >= (d+n-2))
2041                 goto ri_check;
2042
2043         n2s(data,length);
2044         if (data+length != d+n)
2045                 {
2046                 *al = SSL_AD_DECODE_ERROR;
2047                 return 0;
2048                 }
2049
2050         while(data <= (d+n-4))
2051                 {
2052                 n2s(data,type);
2053                 n2s(data,size);
2054
2055                 if (data+size > (d+n))
2056                         goto ri_check;
2057
2058                 if (s->tlsext_debug_cb)
2059                         s->tlsext_debug_cb(s, 1, type, data, size,
2060                                                 s->tlsext_debug_arg);
2061
2062                 if (type == TLSEXT_TYPE_server_name)
2063                         {
2064                         if (s->tlsext_hostname == NULL || size > 0)
2065                                 {
2066                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2067                                 return 0;
2068                                 }
2069                         tlsext_servername = 1;   
2070                         }
2071
2072 #ifndef OPENSSL_NO_EC
2073                 else if (type == TLSEXT_TYPE_ec_point_formats &&
2074                      s->version != DTLS1_VERSION)
2075                         {
2076                         unsigned char *sdata = data;
2077                         int ecpointformatlist_length = *(sdata++);
2078
2079                         if (ecpointformatlist_length != size - 1)
2080                                 {
2081                                 *al = TLS1_AD_DECODE_ERROR;
2082                                 return 0;
2083                                 }
2084                         s->session->tlsext_ecpointformatlist_length = 0;
2085                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
2086                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
2087                                 {
2088                                 *al = TLS1_AD_INTERNAL_ERROR;
2089                                 return 0;
2090                                 }
2091                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
2092                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
2093 #if 0
2094                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2095                         sdata = s->session->tlsext_ecpointformatlist;
2096                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2097                                 fprintf(stderr,"%i ",*(sdata++));
2098                         fprintf(stderr,"\n");
2099 #endif
2100                         }
2101 #endif /* OPENSSL_NO_EC */
2102
2103                 else if (type == TLSEXT_TYPE_session_ticket)
2104                         {
2105                         if (s->tls_session_ticket_ext_cb &&
2106                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
2107                                 {
2108                                 *al = TLS1_AD_INTERNAL_ERROR;
2109                                 return 0;
2110                                 }
2111                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2112                                 || (size > 0))
2113                                 {
2114                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2115                                 return 0;
2116                                 }
2117                         s->tlsext_ticket_expected = 1;
2118                         }
2119 #ifdef TLSEXT_TYPE_opaque_prf_input
2120                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
2121                      s->version != DTLS1_VERSION)
2122                         {
2123                         unsigned char *sdata = data;
2124
2125                         if (size < 2)
2126                                 {
2127                                 *al = SSL_AD_DECODE_ERROR;
2128                                 return 0;
2129                                 }
2130                         n2s(sdata, s->s3->server_opaque_prf_input_len);
2131                         if (s->s3->server_opaque_prf_input_len != size - 2)
2132                                 {
2133                                 *al = SSL_AD_DECODE_ERROR;
2134                                 return 0;
2135                                 }
2136                         
2137                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2138                                 OPENSSL_free(s->s3->server_opaque_prf_input);
2139                         if (s->s3->server_opaque_prf_input_len == 0)
2140                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2141                         else
2142                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2143
2144                         if (s->s3->server_opaque_prf_input == NULL)
2145                                 {
2146                                 *al = TLS1_AD_INTERNAL_ERROR;
2147                                 return 0;
2148                                 }
2149                         }
2150 #endif
2151                 else if (type == TLSEXT_TYPE_status_request &&
2152                          s->version != DTLS1_VERSION)
2153                         {
2154                         /* MUST be empty and only sent if we've requested
2155                          * a status request message.
2156                          */ 
2157                         if ((s->tlsext_status_type == -1) || (size > 0))
2158                                 {
2159                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2160                                 return 0;
2161                                 }
2162                         /* Set flag to expect CertificateStatus message */
2163                         s->tlsext_status_expected = 1;
2164                         }
2165 #ifndef OPENSSL_NO_NEXTPROTONEG
2166                 else if (type == TLSEXT_TYPE_next_proto_neg &&
2167                          s->s3->tmp.finish_md_len == 0)
2168                         {
2169                         unsigned char *selected;
2170                         unsigned char selected_len;
2171
2172                         /* We must have requested it. */
2173                         if ((s->ctx->next_proto_select_cb == NULL))
2174                                 {
2175                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2176                                 return 0;
2177                                 }
2178                         /* The data must be valid */
2179                         if (!ssl_next_proto_validate(data, size))
2180                                 {
2181                                 *al = TLS1_AD_DECODE_ERROR;
2182                                 return 0;
2183                                 }
2184                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
2185                                 {
2186                                 *al = TLS1_AD_INTERNAL_ERROR;
2187                                 return 0;
2188                                 }
2189                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2190                         if (!s->next_proto_negotiated)
2191                                 {
2192                                 *al = TLS1_AD_INTERNAL_ERROR;
2193                                 return 0;
2194                                 }
2195                         memcpy(s->next_proto_negotiated, selected, selected_len);
2196                         s->next_proto_negotiated_len = selected_len;
2197                         s->s3->next_proto_neg_seen = 1;
2198                         }
2199 #endif
2200                 else if (type == TLSEXT_TYPE_renegotiate)
2201                         {
2202                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2203                                 return 0;
2204                         renegotiate_seen = 1;
2205                         }
2206 #ifndef OPENSSL_NO_HEARTBEATS
2207                 else if (type == TLSEXT_TYPE_heartbeat)
2208                         {
2209                         switch(data[0])
2210                                 {
2211                                 case 0x01:      /* Server allows us to send HB requests */
2212                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2213                                                         break;
2214                                 case 0x02:      /* Server doesn't accept HB requests */
2215                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2216                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2217                                                         break;
2218                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
2219                                                         return 0;
2220                                 }
2221                         }
2222 #endif
2223                 else if (type == TLSEXT_TYPE_use_srtp)
2224                         {
2225                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
2226                                                               al))
2227                                 return 0;
2228                         }
2229
2230                 else if (type == TLSEXT_TYPE_server_authz)
2231                         {
2232                         /* We only support audit proofs. It's an error to send
2233                          * an authz hello extension if the client
2234                          * didn't request a proof. */
2235                         unsigned char *sdata = data;
2236                         unsigned char server_authz_dataformatlist_length;
2237
2238                         if (!s->ctx->tlsext_authz_server_audit_proof_cb)
2239                                 {
2240                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2241                                 return 0;
2242                                 }
2243
2244                         if (!size)
2245                                 {
2246                                 *al = TLS1_AD_DECODE_ERROR;
2247                                 return 0;
2248                                 }
2249
2250                         server_authz_dataformatlist_length = *(sdata++);
2251                         if (server_authz_dataformatlist_length != size - 1)
2252                                 {
2253                                 *al = TLS1_AD_DECODE_ERROR;
2254                                 return 0;
2255                                 }
2256
2257                         /* We only support audit proofs, so a legal ServerHello
2258                          * authz list contains exactly one entry. */
2259                         if (server_authz_dataformatlist_length != 1 ||
2260                                 sdata[0] != TLSEXT_AUTHZDATAFORMAT_audit_proof)
2261                                 {
2262                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2263                                 return 0;
2264                                 }
2265
2266                         s->s3->tlsext_authz_server_promised = 1;
2267                         }
2268  
2269                 data += size;
2270                 }
2271
2272         if (data != d+n)
2273                 {
2274                 *al = SSL_AD_DECODE_ERROR;
2275                 return 0;
2276                 }
2277
2278         if (!s->hit && tlsext_servername == 1)
2279                 {
2280                 if (s->tlsext_hostname)
2281                         {
2282                         if (s->session->tlsext_hostname == NULL)
2283                                 {
2284                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
2285                                 if (!s->session->tlsext_hostname)
2286                                         {
2287                                         *al = SSL_AD_UNRECOGNIZED_NAME;
2288                                         return 0;
2289                                         }
2290                                 }
2291                         else 
2292                                 {
2293                                 *al = SSL_AD_DECODE_ERROR;
2294                                 return 0;
2295                                 }
2296                         }
2297                 }
2298
2299         *p = data;
2300
2301         ri_check:
2302
2303         /* Determine if we need to see RI. Strictly speaking if we want to
2304          * avoid an attack we should *always* see RI even on initial server
2305          * hello because the client doesn't see any renegotiation during an
2306          * attack. However this would mean we could not connect to any server
2307          * which doesn't support RI so for the immediate future tolerate RI
2308          * absence on initial connect only.
2309          */
2310         if (!renegotiate_seen
2311                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2312                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
2313                 {
2314                 *al = SSL_AD_HANDSHAKE_FAILURE;
2315                 SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2316                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2317                 return 0;
2318                 }
2319
2320         return 1;
2321         }
2322
2323
2324 int ssl_prepare_clienthello_tlsext(SSL *s)
2325         {
2326
2327 #ifdef TLSEXT_TYPE_opaque_prf_input
2328         {
2329                 int r = 1;
2330         
2331                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2332                         {
2333                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2334                         if (!r)
2335                                 return -1;
2336                         }
2337
2338                 if (s->tlsext_opaque_prf_input != NULL)
2339                         {
2340                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
2341                                 OPENSSL_free(s->s3->client_opaque_prf_input);
2342
2343                         if (s->tlsext_opaque_prf_input_len == 0)
2344                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2345                         else
2346                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2347                         if (s->s3->client_opaque_prf_input == NULL)
2348                                 {
2349                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2350                                 return -1;
2351                                 }
2352                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2353                         }
2354
2355                 if (r == 2)
2356                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
2357                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2358         }
2359 #endif
2360
2361         return 1;
2362         }
2363
2364 int ssl_prepare_serverhello_tlsext(SSL *s)
2365         {
2366 #ifndef OPENSSL_NO_EC
2367         /* If we are server and using an ECC cipher suite, send the point formats we support 
2368          * if the client sent us an ECPointsFormat extension.  Note that the server is not
2369          * supposed to send an EllipticCurves extension.
2370          */
2371
2372         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2373         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2374         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
2375         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
2376         
2377         if (using_ecc)
2378                 {
2379                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
2380                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
2381                         {
2382                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
2383                         return -1;
2384                         }
2385                 s->tlsext_ecpointformatlist_length = 3;
2386                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
2387                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
2388                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
2389                 }
2390 #endif /* OPENSSL_NO_EC */
2391
2392         return 1;
2393         }
2394
2395 static int ssl_check_clienthello_tlsext(SSL *s)
2396         {
2397         int ret=SSL_TLSEXT_ERR_NOACK;
2398         int al = SSL_AD_UNRECOGNIZED_NAME;
2399
2400 #ifndef OPENSSL_NO_EC
2401         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
2402          * ssl3_choose_cipher in s3_lib.c.
2403          */
2404         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
2405          * ssl3_choose_cipher in s3_lib.c.
2406          */
2407 #endif
2408
2409         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2410                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2411         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2412                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2413
2414         /* If status request then ask callback what to do.
2415          * Note: this must be called after servername callbacks in case 
2416          * the certificate has changed.
2417          */
2418         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2419                 {
2420                 int r;
2421                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2422                 switch (r)
2423                         {
2424                         /* We don't want to send a status request response */
2425                         case SSL_TLSEXT_ERR_NOACK:
2426                                 s->tlsext_status_expected = 0;
2427                                 break;
2428                         /* status request response should be sent */
2429                         case SSL_TLSEXT_ERR_OK:
2430                                 if (s->tlsext_ocsp_resp)
2431                                         s->tlsext_status_expected = 1;
2432                                 else
2433                                         s->tlsext_status_expected = 0;
2434                                 break;
2435                         /* something bad happened */
2436                         case SSL_TLSEXT_ERR_ALERT_FATAL:
2437                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2438                                 al = SSL_AD_INTERNAL_ERROR;
2439                                 goto err;
2440                         }
2441                 }
2442         else
2443                 s->tlsext_status_expected = 0;
2444
2445 #ifdef TLSEXT_TYPE_opaque_prf_input
2446         {
2447                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
2448                  * but we might be sending an alert in response to the client hello,
2449                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
2450
2451                 int r = 1;
2452         
2453                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
2454                         {
2455                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
2456                         if (!r)
2457                                 {
2458                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2459                                 al = SSL_AD_INTERNAL_ERROR;
2460                                 goto err;
2461                                 }
2462                         }
2463
2464                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
2465                         OPENSSL_free(s->s3->server_opaque_prf_input);
2466                 s->s3->server_opaque_prf_input = NULL;
2467
2468                 if (s->tlsext_opaque_prf_input != NULL)
2469                         {
2470                         if (s->s3->client_opaque_prf_input != NULL &&
2471                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
2472                                 {
2473                                 /* can only use this extension if we have a server opaque PRF input
2474                                  * of the same length as the client opaque PRF input! */
2475
2476                                 if (s->tlsext_opaque_prf_input_len == 0)
2477                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
2478                                 else
2479                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
2480                                 if (s->s3->server_opaque_prf_input == NULL)
2481                                         {
2482                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2483                                         al = SSL_AD_INTERNAL_ERROR;
2484                                         goto err;
2485                                         }
2486                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
2487                                 }
2488                         }
2489
2490                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
2491                         {
2492                         /* The callback wants to enforce use of the extension,
2493                          * but we can't do that with the client opaque PRF input;
2494                          * abort the handshake.
2495                          */
2496                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2497                         al = SSL_AD_HANDSHAKE_FAILURE;
2498                         }
2499         }
2500
2501 #endif
2502  err:
2503         switch (ret)
2504                 {
2505                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2506                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2507                         return -1;
2508
2509                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2510                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2511                         return 1; 
2512                                         
2513                 case SSL_TLSEXT_ERR_NOACK:
2514                         s->servername_done=0;
2515                         default:
2516                 return 1;
2517                 }
2518         }
2519
2520 int ssl_check_serverhello_tlsext(SSL *s)
2521         {
2522         int ret=SSL_TLSEXT_ERR_NOACK;
2523         int al = SSL_AD_UNRECOGNIZED_NAME;
2524
2525 #ifndef OPENSSL_NO_EC
2526         /* If we are client and using an elliptic curve cryptography cipher
2527          * suite, then if server returns an EC point formats lists extension
2528          * it must contain uncompressed.
2529          */
2530         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2531         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2532         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
2533             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
2534             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2535                 {
2536                 /* we are using an ECC cipher */
2537                 size_t i;
2538                 unsigned char *list;
2539                 int found_uncompressed = 0;
2540                 list = s->session->tlsext_ecpointformatlist;
2541                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2542                         {
2543                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2544                                 {
2545                                 found_uncompressed = 1;
2546                                 break;
2547                                 }
2548                         }
2549                 if (!found_uncompressed)
2550                         {
2551                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2552                         return -1;
2553                         }
2554                 }
2555         ret = SSL_TLSEXT_ERR_OK;
2556 #endif /* OPENSSL_NO_EC */
2557
2558         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
2559                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2560         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
2561                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2562
2563 #ifdef TLSEXT_TYPE_opaque_prf_input
2564         if (s->s3->server_opaque_prf_input_len > 0)
2565                 {
2566                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2567                  * So first verify that we really have a value from the server too. */
2568
2569                 if (s->s3->server_opaque_prf_input == NULL)
2570                         {
2571                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2572                         al = SSL_AD_HANDSHAKE_FAILURE;
2573                         }
2574                 
2575                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2576                  * that we have a client opaque PRF input of the same size. */
2577                 if (s->s3->client_opaque_prf_input == NULL ||
2578                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2579                         {
2580                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2581                         al = SSL_AD_ILLEGAL_PARAMETER;
2582                         }
2583                 }
2584 #endif
2585
2586         /* If we've requested certificate status and we wont get one
2587          * tell the callback
2588          */
2589         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2590                         && s->ctx && s->ctx->tlsext_status_cb)
2591                 {
2592                 int r;
2593                 /* Set resp to NULL, resplen to -1 so callback knows
2594                  * there is no response.
2595                  */
2596                 if (s->tlsext_ocsp_resp)
2597                         {
2598                         OPENSSL_free(s->tlsext_ocsp_resp);
2599                         s->tlsext_ocsp_resp = NULL;
2600                         }
2601                 s->tlsext_ocsp_resplen = -1;
2602                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2603                 if (r == 0)
2604                         {
2605                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2606                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2607                         }
2608                 if (r < 0)
2609                         {
2610                         al = SSL_AD_INTERNAL_ERROR;
2611                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2612                         }
2613                 }
2614
2615         switch (ret)
2616                 {
2617                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2618                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2619                         return -1;
2620
2621                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2622                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2623                         return 1; 
2624                                         
2625                 case SSL_TLSEXT_ERR_NOACK:
2626                         s->servername_done=0;
2627                         default:
2628                 return 1;
2629                 }
2630         }
2631
2632 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
2633         {
2634         int al = -1;
2635         if (s->version < SSL3_VERSION)
2636                 return 1;
2637         if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) 
2638                 {
2639                 ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2640                 return 0;
2641                 }
2642
2643         if (ssl_check_serverhello_tlsext(s) <= 0) 
2644                 {
2645                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
2646                 return 0;
2647                 }
2648         return 1;
2649 }
2650
2651 /* Since the server cache lookup is done early on in the processing of the
2652  * ClientHello, and other operations depend on the result, we need to handle
2653  * any TLS session ticket extension at the same time.
2654  *
2655  *   session_id: points at the session ID in the ClientHello. This code will
2656  *       read past the end of this in order to parse out the session ticket
2657  *       extension, if any.
2658  *   len: the length of the session ID.
2659  *   limit: a pointer to the first byte after the ClientHello.
2660  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2661  *       point to the resulting session.
2662  *
2663  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2664  * ciphersuite, in which case we have no use for session tickets and one will
2665  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2666  *
2667  * Returns:
2668  *   -1: fatal error, either from parsing or decrypting the ticket.
2669  *    0: no ticket was found (or was ignored, based on settings).
2670  *    1: a zero length extension was found, indicating that the client supports
2671  *       session tickets but doesn't currently have one to offer.
2672  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2673  *       couldn't be decrypted because of a non-fatal error.
2674  *    3: a ticket was successfully decrypted and *ret was set.
2675  *
2676  * Side effects:
2677  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2678  *   a new session ticket to the client because the client indicated support
2679  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2680  *   a session ticket or we couldn't use the one it gave us, or if
2681  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2682  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2683  */
2684 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2685                         const unsigned char *limit, SSL_SESSION **ret)
2686         {
2687         /* Point after session ID in client hello */
2688         const unsigned char *p = session_id + len;
2689         unsigned short i;
2690
2691         *ret = NULL;
2692         s->tlsext_ticket_expected = 0;
2693
2694         /* If tickets disabled behave as if no ticket present
2695          * to permit stateful resumption.
2696          */
2697         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2698                 return 0;
2699         if ((s->version <= SSL3_VERSION) || !limit)
2700                 return 0;
2701         if (p >= limit)
2702                 return -1;
2703         /* Skip past DTLS cookie */
2704         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2705                 {
2706                 i = *(p++);
2707                 p+= i;
2708                 if (p >= limit)
2709                         return -1;
2710                 }
2711         /* Skip past cipher list */
2712         n2s(p, i);
2713         p+= i;
2714         if (p >= limit)
2715                 return -1;
2716         /* Skip past compression algorithm list */
2717         i = *(p++);
2718         p += i;
2719         if (p > limit)
2720                 return -1;
2721         /* Now at start of extensions */
2722         if ((p + 2) >= limit)
2723                 return 0;
2724         n2s(p, i);
2725         while ((p + 4) <= limit)
2726                 {
2727                 unsigned short type, size;
2728                 n2s(p, type);
2729                 n2s(p, size);
2730                 if (p + size > limit)
2731                         return 0;
2732                 if (type == TLSEXT_TYPE_session_ticket)
2733                         {
2734                         int r;
2735                         if (size == 0)
2736                                 {
2737                                 /* The client will accept a ticket but doesn't
2738                                  * currently have one. */
2739                                 s->tlsext_ticket_expected = 1;
2740                                 return 1;
2741                                 }
2742                         if (s->tls_session_secret_cb)
2743                                 {
2744                                 /* Indicate that the ticket couldn't be
2745                                  * decrypted rather than generating the session
2746                                  * from ticket now, trigger abbreviated
2747                                  * handshake based on external mechanism to
2748                                  * calculate the master secret later. */
2749                                 return 2;
2750                                 }
2751                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2752                         switch (r)
2753                                 {
2754                                 case 2: /* ticket couldn't be decrypted */
2755                                         s->tlsext_ticket_expected = 1;
2756                                         return 2;
2757                                 case 3: /* ticket was decrypted */
2758                                         return r;
2759                                 case 4: /* ticket decrypted but need to renew */
2760                                         s->tlsext_ticket_expected = 1;
2761                                         return 3;
2762                                 default: /* fatal error */
2763                                         return -1;
2764                                 }
2765                         }
2766                 p += size;
2767                 }
2768         return 0;
2769         }
2770
2771 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2772  *
2773  *   etick: points to the body of the session ticket extension.
2774  *   eticklen: the length of the session tickets extenion.
2775  *   sess_id: points at the session ID.
2776  *   sesslen: the length of the session ID.
2777  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2778  *       point to the resulting session.
2779  *
2780  * Returns:
2781  *   -1: fatal error, either from parsing or decrypting the ticket.
2782  *    2: the ticket couldn't be decrypted.
2783  *    3: a ticket was successfully decrypted and *psess was set.
2784  *    4: same as 3, but the ticket needs to be renewed.
2785  */
2786 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2787                                 const unsigned char *sess_id, int sesslen,
2788                                 SSL_SESSION **psess)
2789         {
2790         SSL_SESSION *sess;
2791         unsigned char *sdec;
2792         const unsigned char *p;
2793         int slen, mlen, renew_ticket = 0;
2794         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2795         HMAC_CTX hctx;
2796         EVP_CIPHER_CTX ctx;
2797         SSL_CTX *tctx = s->initial_ctx;
2798         /* Need at least keyname + iv + some encrypted data */
2799         if (eticklen < 48)
2800                 return 2;
2801         /* Initialize session ticket encryption and HMAC contexts */
2802         HMAC_CTX_init(&hctx);
2803         EVP_CIPHER_CTX_init(&ctx);
2804         if (tctx->tlsext_ticket_key_cb)
2805                 {
2806                 unsigned char *nctick = (unsigned char *)etick;
2807                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2808                                                         &ctx, &hctx, 0);
2809                 if (rv < 0)
2810                         return -1;
2811                 if (rv == 0)
2812                         return 2;
2813                 if (rv == 2)
2814                         renew_ticket = 1;
2815                 }
2816         else
2817                 {
2818                 /* Check key name matches */
2819                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2820                         return 2;
2821                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2822                                         tlsext_tick_md(), NULL);
2823                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2824                                 tctx->tlsext_tick_aes_key, etick + 16);
2825                 }
2826         /* Attempt to process session ticket, first conduct sanity and
2827          * integrity checks on ticket.
2828          */
2829         mlen = HMAC_size(&hctx);
2830         if (mlen < 0)
2831                 {
2832                 EVP_CIPHER_CTX_cleanup(&ctx);
2833                 return -1;
2834                 }
2835         eticklen -= mlen;
2836         /* Check HMAC of encrypted ticket */
2837         HMAC_Update(&hctx, etick, eticklen);
2838         HMAC_Final(&hctx, tick_hmac, NULL);
2839         HMAC_CTX_cleanup(&hctx);
2840         if (memcmp(tick_hmac, etick + eticklen, mlen))
2841                 return 2;
2842         /* Attempt to decrypt session data */
2843         /* Move p after IV to start of encrypted ticket, update length */
2844         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2845         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2846         sdec = OPENSSL_malloc(eticklen);
2847         if (!sdec)
2848                 {
2849                 EVP_CIPHER_CTX_cleanup(&ctx);
2850                 return -1;
2851                 }
2852         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2853         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2854                 return 2;
2855         slen += mlen;
2856         EVP_CIPHER_CTX_cleanup(&ctx);
2857         p = sdec;
2858
2859         sess = d2i_SSL_SESSION(NULL, &p, slen);
2860         OPENSSL_free(sdec);
2861         if (sess)
2862                 {
2863                 /* The session ID, if non-empty, is used by some clients to
2864                  * detect that the ticket has been accepted. So we copy it to
2865                  * the session structure. If it is empty set length to zero
2866                  * as required by standard.
2867                  */
2868                 if (sesslen)
2869                         memcpy(sess->session_id, sess_id, sesslen);
2870                 sess->session_id_length = sesslen;
2871                 *psess = sess;
2872                 if (renew_ticket)
2873                         return 4;
2874                 else
2875                         return 3;
2876                 }
2877         ERR_clear_error();
2878         /* For session parse failure, indicate that we need to send a new
2879          * ticket. */
2880         return 2;
2881         }
2882
2883 /* Tables to translate from NIDs to TLS v1.2 ids */
2884
2885 typedef struct 
2886         {
2887         int nid;
2888         int id;
2889         } tls12_lookup;
2890
2891 static tls12_lookup tls12_md[] = {
2892         {NID_md5, TLSEXT_hash_md5},
2893         {NID_sha1, TLSEXT_hash_sha1},
2894         {NID_sha224, TLSEXT_hash_sha224},
2895         {NID_sha256, TLSEXT_hash_sha256},
2896         {NID_sha384, TLSEXT_hash_sha384},
2897         {NID_sha512, TLSEXT_hash_sha512}
2898 };
2899
2900 static tls12_lookup tls12_sig[] = {
2901         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2902         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2903         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2904 };
2905
2906 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2907         {
2908         size_t i;
2909         for (i = 0; i < tlen; i++)
2910                 {
2911                 if (table[i].nid == nid)
2912                         return table[i].id;
2913                 }
2914         return -1;
2915         }
2916
2917 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2918         {
2919         size_t i;
2920         for (i = 0; i < tlen; i++)
2921                 {
2922                 if ((table[i].id) == id)
2923                         return table[i].nid;
2924                 }
2925         return NID_undef;
2926         }
2927
2928 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2929         {
2930         int sig_id, md_id;
2931         if (!md)
2932                 return 0;
2933         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2934                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2935         if (md_id == -1)
2936                 return 0;
2937         sig_id = tls12_get_sigid(pk);
2938         if (sig_id == -1)
2939                 return 0;
2940         p[0] = (unsigned char)md_id;
2941         p[1] = (unsigned char)sig_id;
2942         return 1;
2943         }
2944
2945 int tls12_get_sigid(const EVP_PKEY *pk)
2946         {
2947         return tls12_find_id(pk->type, tls12_sig,
2948                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2949         }
2950
2951 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2952         {
2953         switch(hash_alg)
2954                 {
2955 #ifndef OPENSSL_NO_MD5
2956                 case TLSEXT_hash_md5:
2957 #ifdef OPENSSL_FIPS
2958                 if (FIPS_mode())
2959                         return NULL;
2960 #endif
2961                 return EVP_md5();
2962 #endif
2963 #ifndef OPENSSL_NO_SHA
2964                 case TLSEXT_hash_sha1:
2965                 return EVP_sha1();
2966 #endif
2967 #ifndef OPENSSL_NO_SHA256
2968                 case TLSEXT_hash_sha224:
2969                 return EVP_sha224();
2970
2971                 case TLSEXT_hash_sha256:
2972                 return EVP_sha256();
2973 #endif
2974 #ifndef OPENSSL_NO_SHA512
2975                 case TLSEXT_hash_sha384:
2976                 return EVP_sha384();
2977
2978                 case TLSEXT_hash_sha512:
2979                 return EVP_sha512();
2980 #endif
2981                 default:
2982                 return NULL;
2983
2984                 }
2985         }
2986
2987 static int tls12_get_pkey_idx(unsigned char sig_alg)
2988         {
2989         switch(sig_alg)
2990                 {
2991 #ifndef OPENSSL_NO_RSA
2992         case TLSEXT_signature_rsa:
2993                 return SSL_PKEY_RSA_SIGN;
2994 #endif
2995 #ifndef OPENSSL_NO_DSA
2996         case TLSEXT_signature_dsa:
2997                 return SSL_PKEY_DSA_SIGN;
2998 #endif
2999 #ifndef OPENSSL_NO_ECDSA
3000         case TLSEXT_signature_ecdsa:
3001                 return SSL_PKEY_ECC;
3002 #endif
3003                 }
3004         return -1;
3005         }
3006
3007 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3008 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3009                         int *psignhash_nid, const unsigned char *data)
3010         {
3011         int sign_nid = 0, hash_nid = 0;
3012         if (!phash_nid && !psign_nid && !psignhash_nid)
3013                 return;
3014         if (phash_nid || psignhash_nid)
3015                 {
3016                 hash_nid = tls12_find_nid(data[0], tls12_md,
3017                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3018                 if (phash_nid)
3019                         *phash_nid = hash_nid;
3020                 }
3021         if (psign_nid || psignhash_nid)
3022                 {
3023                 sign_nid = tls12_find_nid(data[1], tls12_sig,
3024                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
3025                 if (psign_nid)
3026                         *psign_nid = sign_nid;
3027                 }
3028         if (psignhash_nid)
3029                 {
3030                 if (sign_nid && hash_nid)
3031                         OBJ_find_sigid_by_algs(psignhash_nid,
3032                                                         hash_nid, sign_nid);
3033                 else
3034                         *psignhash_nid = NID_undef;
3035                 }
3036         }
3037 /* Given preference and allowed sigalgs set shared sigalgs */
3038 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3039                                 const unsigned char *pref, size_t preflen,
3040                                 const unsigned char *allow, size_t allowlen)
3041         {
3042         const unsigned char *ptmp, *atmp;
3043         size_t i, j, nmatch = 0;
3044         for (i = 0, ptmp = pref; i < preflen; i+=2, ptmp+=2)
3045                 {
3046                 /* Skip disabled hashes or signature algorithms */
3047                 if (tls12_get_hash(ptmp[0]) == NULL)
3048                         continue;
3049                 if (tls12_get_pkey_idx(ptmp[1]) == -1)
3050                         continue;
3051                 for (j = 0, atmp = allow; j < allowlen; j+=2, atmp+=2)
3052                         {
3053                         if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1])
3054                                 {
3055                                 nmatch++;
3056                                 if (shsig)
3057                                         {
3058                                         shsig->rhash = ptmp[0];
3059                                         shsig->rsign = ptmp[1];
3060                                         tls1_lookup_sigalg(&shsig->hash_nid,
3061                                                 &shsig->sign_nid,
3062                                                 &shsig->signandhash_nid,
3063                                                 ptmp);
3064                                         shsig++;
3065                                         }
3066                                 break;
3067                                 }
3068                         }
3069                 }
3070         return nmatch;
3071         }
3072
3073 /* Set shared signature algorithms for SSL structures */
3074 static int tls1_set_shared_sigalgs(SSL *s)
3075         {
3076         const unsigned char *pref, *allow, *conf;
3077         size_t preflen, allowlen, conflen;
3078         size_t nmatch;
3079         TLS_SIGALGS *salgs = NULL;
3080         CERT *c = s->cert;
3081         /* If client use client signature algorithms if not NULL */
3082         if (!s->server && c->client_sigalgs)
3083                 {
3084                 conf = c->client_sigalgs;
3085                 conflen = c->client_sigalgslen;
3086                 }
3087         else if (c->conf_sigalgs)
3088                 {
3089                 conf = c->conf_sigalgs;
3090                 conflen = c->conf_sigalgslen;
3091                 }
3092         else
3093                 {
3094                 conf = tls12_sigalgs;
3095                 conflen = sizeof(tls12_sigalgs);
3096 #ifdef OPENSSL_FIPS
3097                 if (FIPS_mode())
3098                         conflen -= 2;
3099 #endif
3100                 }
3101         if(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
3102                 {
3103                 pref = conf;
3104                 preflen = conflen;
3105                 allow = c->peer_sigalgs;
3106                 allowlen = c->peer_sigalgslen;
3107                 }
3108         else
3109                 {
3110                 allow = conf;
3111                 allowlen = conflen;
3112                 pref = c->peer_sigalgs;
3113                 preflen = c->peer_sigalgslen;
3114                 }
3115         nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3116         if (!nmatch)
3117                 return 1;
3118         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3119         if (!salgs)
3120                 return 0;
3121         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3122         c->shared_sigalgs = salgs;
3123         c->shared_sigalgslen = nmatch;
3124         return 1;
3125         }
3126                 
3127
3128 /* Set preferred digest for each key type */
3129
3130 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
3131         {
3132         int idx;
3133         size_t i;
3134         const EVP_MD *md;
3135         CERT *c = s->cert;
3136         TLS_SIGALGS *sigptr;
3137         /* Extension ignored for TLS versions below 1.2 */
3138         if (TLS1_get_version(s) < TLS1_2_VERSION)
3139                 return 1;
3140         /* Should never happen */
3141         if (!c)
3142                 return 0;
3143
3144         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
3145         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
3146         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
3147         c->pkeys[SSL_PKEY_ECC].digest = NULL;
3148
3149         c->peer_sigalgs = OPENSSL_malloc(dsize);
3150         if (!c->peer_sigalgs)
3151                 return 0;
3152         c->peer_sigalgslen = dsize;
3153         memcpy(c->peer_sigalgs, data, dsize);
3154
3155         tls1_set_shared_sigalgs(s);
3156
3157         for (i = 0, sigptr = c->shared_sigalgs;
3158                         i < c->shared_sigalgslen; i++, sigptr++)
3159                 {
3160                 idx = tls12_get_pkey_idx(sigptr->rsign);
3161                 if (idx > 0 && c->pkeys[idx].digest == NULL)
3162                         {
3163                         md = tls12_get_hash(sigptr->rhash);
3164                         c->pkeys[idx].digest = md;
3165                         if (idx == SSL_PKEY_RSA_SIGN)
3166                                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3167                         }
3168
3169                 }
3170         /* In strict mode leave unset digests as NULL to indicate we can't
3171          * use the certificate for signing.
3172          */
3173         if (!(s->cert->cert_flags & SSL_CERT_FLAG_TLS_STRICT))
3174                 {
3175                 /* Set any remaining keys to default values. NOTE: if alg is
3176                  * not supported it stays as NULL.
3177                  */
3178 #ifndef OPENSSL_NO_DSA
3179                 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3180                         c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3181 #endif
3182 #ifndef OPENSSL_NO_RSA
3183                 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
3184                         {
3185                         c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3186                         c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3187                         }
3188 #endif
3189 #ifndef OPENSSL_NO_ECDSA
3190                 if (!c->pkeys[SSL_PKEY_ECC].digest)
3191                         c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3192 #endif
3193                 }
3194         return 1;
3195         }
3196
3197
3198 int SSL_get_sigalgs(SSL *s, int idx,
3199                         int *psign, int *phash, int *psignhash,
3200                         unsigned char *rsig, unsigned char *rhash)
3201         {
3202         const unsigned char *psig = s->cert->peer_sigalgs;
3203         if (psig == NULL)
3204                 return 0;
3205         if (idx >= 0)
3206                 {
3207                 idx <<= 1;
3208                 if (idx >= (int)s->cert->peer_sigalgslen)
3209                         return 0;
3210                 psig += idx;
3211                 if (rhash)
3212                         *rhash = psig[0];
3213                 if (rsig)
3214                         *rsig = psig[1];
3215                 tls1_lookup_sigalg(phash, psign, psignhash, psig);
3216                 }
3217         return s->cert->peer_sigalgslen / 2;
3218         }
3219
3220 int SSL_get_shared_sigalgs(SSL *s, int idx,
3221                         int *psign, int *phash, int *psignhash,
3222                         unsigned char *rsig, unsigned char *rhash)
3223         {
3224         TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3225         if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3226                 return 0;
3227         shsigalgs += idx;
3228         if (phash)
3229                 *phash = shsigalgs->hash_nid;
3230         if (psign)
3231                 *psign = shsigalgs->sign_nid;
3232         if (psignhash)
3233                 *psignhash = shsigalgs->signandhash_nid;
3234         if (rsig)
3235                 *rsig = shsigalgs->rsign;
3236         if (rhash)
3237                 *rhash = shsigalgs->rhash;
3238         return s->cert->shared_sigalgslen;
3239         }
3240         
3241
3242 #ifndef OPENSSL_NO_HEARTBEATS
3243 int
3244 tls1_process_heartbeat(SSL *s)
3245         {
3246         unsigned char *p = &s->s3->rrec.data[0], *pl;
3247         unsigned short hbtype;
3248         unsigned int payload;
3249         unsigned int padding = 16; /* Use minimum padding */
3250
3251         /* Read type and payload length first */
3252         hbtype = *p++;
3253         n2s(p, payload);
3254         pl = p;
3255
3256         if (s->msg_callback)
3257                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3258                         &s->s3->rrec.data[0], s->s3->rrec.length,
3259                         s, s->msg_callback_arg);
3260
3261         if (hbtype == TLS1_HB_REQUEST)
3262                 {
3263                 unsigned char *buffer, *bp;
3264                 int r;
3265
3266                 /* Allocate memory for the response, size is 1 bytes
3267                  * message type, plus 2 bytes payload length, plus
3268                  * payload, plus padding
3269                  */
3270                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3271                 bp = buffer;
3272                 
3273                 /* Enter response type, length and copy payload */
3274                 *bp++ = TLS1_HB_RESPONSE;
3275                 s2n(payload, bp);
3276                 memcpy(bp, pl, payload);
3277                 bp += payload;
3278                 /* Random padding */
3279                 RAND_pseudo_bytes(bp, padding);
3280
3281                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
3282
3283                 if (r >= 0 && s->msg_callback)
3284                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3285                                 buffer, 3 + payload + padding,
3286                                 s, s->msg_callback_arg);
3287
3288                 OPENSSL_free(buffer);
3289
3290                 if (r < 0)
3291                         return r;
3292                 }
3293         else if (hbtype == TLS1_HB_RESPONSE)
3294                 {
3295                 unsigned int seq;
3296                 
3297                 /* We only send sequence numbers (2 bytes unsigned int),
3298                  * and 16 random bytes, so we just try to read the
3299                  * sequence number */
3300                 n2s(pl, seq);
3301                 
3302                 if (payload == 18 && seq == s->tlsext_hb_seq)
3303                         {
3304                         s->tlsext_hb_seq++;
3305                         s->tlsext_hb_pending = 0;
3306                         }
3307                 }
3308
3309         return 0;
3310         }
3311
3312 int
3313 tls1_heartbeat(SSL *s)
3314         {
3315         unsigned char *buf, *p;
3316         int ret;
3317         unsigned int payload = 18; /* Sequence number + random bytes */
3318         unsigned int padding = 16; /* Use minimum padding */
3319
3320         /* Only send if peer supports and accepts HB requests... */
3321         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3322             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
3323                 {
3324                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3325                 return -1;
3326                 }
3327
3328         /* ...and there is none in flight yet... */
3329         if (s->tlsext_hb_pending)
3330                 {
3331                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
3332                 return -1;
3333                 }
3334                 
3335         /* ...and no handshake in progress. */
3336         if (SSL_in_init(s) || s->in_handshake)
3337                 {
3338                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
3339                 return -1;
3340                 }
3341                 
3342         /* Check if padding is too long, payload and padding
3343          * must not exceed 2^14 - 3 = 16381 bytes in total.
3344          */
3345         OPENSSL_assert(payload + padding <= 16381);
3346
3347         /* Create HeartBeat message, we just use a sequence number
3348          * as payload to distuingish different messages and add
3349          * some random stuff.
3350          *  - Message Type, 1 byte
3351          *  - Payload Length, 2 bytes (unsigned int)
3352          *  - Payload, the sequence number (2 bytes uint)
3353          *  - Payload, random bytes (16 bytes uint)
3354          *  - Padding
3355          */
3356         buf = OPENSSL_malloc(1 + 2 + payload + padding);
3357         p = buf;
3358         /* Message Type */
3359         *p++ = TLS1_HB_REQUEST;
3360         /* Payload length (18 bytes here) */
3361         s2n(payload, p);
3362         /* Sequence number */
3363         s2n(s->tlsext_hb_seq, p);
3364         /* 16 random bytes */
3365         RAND_pseudo_bytes(p, 16);
3366         p += 16;
3367         /* Random padding */
3368         RAND_pseudo_bytes(p, padding);
3369
3370         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
3371         if (ret >= 0)
3372                 {
3373                 if (s->msg_callback)
3374                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3375                                 buf, 3 + payload + padding,
3376                                 s, s->msg_callback_arg);
3377
3378                 s->tlsext_hb_pending = 1;
3379                 }
3380                 
3381         OPENSSL_free(buf);
3382
3383         return ret;
3384         }
3385 #endif
3386
3387 #define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
3388
3389 typedef struct
3390         {
3391         size_t sigalgcnt;
3392         int sigalgs[MAX_SIGALGLEN];
3393         } sig_cb_st;
3394
3395 static int sig_cb(const char *elem, int len, void *arg)
3396         {
3397         sig_cb_st *sarg = arg;
3398         size_t i;
3399         char etmp[20], *p;
3400         int sig_alg, hash_alg;
3401         if (sarg->sigalgcnt == MAX_SIGALGLEN)
3402                 return 0;
3403         if (len > (int)(sizeof(etmp) - 1))
3404                 return 0;
3405         memcpy(etmp, elem, len);
3406         etmp[len] = 0;
3407         p = strchr(etmp, '+');
3408         if (!p)
3409                 return 0;
3410         *p = 0;
3411         p++;
3412         if (!*p)
3413                 return 0;
3414
3415         if (!strcmp(etmp, "RSA"))
3416                 sig_alg = EVP_PKEY_RSA;
3417         else if (!strcmp(etmp, "DSA"))
3418                 sig_alg = EVP_PKEY_DSA;
3419         else if (!strcmp(etmp, "ECDSA"))
3420                 sig_alg = EVP_PKEY_EC;
3421         else return 0;
3422
3423         hash_alg = OBJ_sn2nid(p);
3424         if (hash_alg == NID_undef)
3425                 hash_alg = OBJ_ln2nid(p);
3426         if (hash_alg == NID_undef)
3427                 return 0;
3428
3429         for (i = 0; i < sarg->sigalgcnt; i+=2)
3430                 {
3431                 if (sarg->sigalgs[i] == sig_alg
3432                         && sarg->sigalgs[i + 1] == hash_alg)
3433                         return 0;
3434                 }
3435         sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
3436         sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
3437         return 1;
3438         }
3439
3440 /* Set suppored signature algorithms based on a colon separated list
3441  * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
3442 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
3443         {
3444         sig_cb_st sig;
3445         sig.sigalgcnt = 0;
3446         if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
3447                 return 0;
3448         return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
3449         }
3450
3451 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
3452         {
3453         unsigned char *sigalgs, *sptr;
3454         int rhash, rsign;
3455         size_t i;
3456         if (salglen & 1)
3457                 return 0;
3458         sigalgs = OPENSSL_malloc(salglen);
3459         if (sigalgs == NULL)
3460                 return 0;
3461         for (i = 0, sptr = sigalgs; i < salglen; i+=2)
3462                 {
3463                 rhash = tls12_find_id(*psig_nids++, tls12_md,
3464                                         sizeof(tls12_md)/sizeof(tls12_lookup));
3465                 rsign = tls12_find_id(*psig_nids++, tls12_sig,
3466                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
3467
3468                 if (rhash == -1 || rsign == -1)
3469                         goto err;
3470                 *sptr++ = rhash;
3471                 *sptr++ = rsign;
3472                 }
3473
3474         if (client)
3475                 {
3476                 if (c->client_sigalgs)
3477                         OPENSSL_free(c->client_sigalgs);
3478                 c->client_sigalgs = sigalgs;
3479                 c->client_sigalgslen = salglen;
3480                 }
3481         else
3482                 {
3483                 if (c->conf_sigalgs)
3484                         OPENSSL_free(c->conf_sigalgs);
3485                 c->conf_sigalgs = sigalgs;
3486                 c->conf_sigalgslen = salglen;
3487                 }
3488
3489         return 1;
3490
3491         err:
3492         OPENSSL_free(sigalgs);
3493         return 0;
3494         }
3495
3496 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
3497         {
3498         int sig_nid;
3499         size_t i;
3500         if (default_nid == -1)
3501                 return 1;
3502         sig_nid = X509_get_signature_nid(x);
3503         if (default_nid)
3504                 return sig_nid == default_nid ? 1 : 0;
3505         for (i = 0; i < c->shared_sigalgslen; i++)
3506                 if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
3507                         return 1;
3508         return 0;
3509         }
3510
3511 /* Check certificate chain is consistent with TLS extensions and is
3512  * usable by server.
3513  */
3514 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
3515                                                                         int idx)
3516         {
3517         int i;
3518         int rv = CERT_PKEY_INVALID;
3519         CERT_PKEY *cpk = NULL;
3520         CERT *c = s->cert;
3521         if (idx != -1)
3522                 {
3523                 cpk = c->pkeys + idx;
3524                 x = cpk->x509;
3525                 pk = cpk->privatekey;
3526                 chain = cpk->chain;
3527                 /* If no cert or key, forget it */
3528                 if (!x || !pk)
3529                         goto end;
3530                 }
3531         else
3532                 {
3533                 idx = ssl_cert_type(x, pk);
3534                 if (idx == -1)
3535                         goto end;
3536                 }
3537
3538         /* Check all signature algorithms are consistent with
3539          * signature algorithms extension if TLS 1.2 or later
3540          * and strict mode.
3541          */
3542         if (TLS1_get_version(s) >= TLS1_2_VERSION
3543                 && c->cert_flags & SSL_CERT_FLAG_TLS_STRICT)
3544                 {
3545                 int default_nid;
3546                 unsigned char rsign = 0;
3547                 if (c->peer_sigalgs)
3548                         default_nid = 0;
3549                 /* If no sigalgs extension use defaults from RFC5246 */
3550                 else
3551                         {
3552                         switch(idx)
3553                                 {       
3554                         case SSL_PKEY_RSA_ENC:
3555                         case SSL_PKEY_RSA_SIGN:
3556                         case SSL_PKEY_DH_RSA:
3557                                 rsign = TLSEXT_signature_rsa;
3558                                 default_nid = NID_sha1WithRSAEncryption;