Add TLS exporter.
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include "ssl_locl.h"
118
119 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
120
121 #ifndef OPENSSL_NO_TLSEXT
122 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
123                                 const unsigned char *sess_id, int sesslen,
124                                 SSL_SESSION **psess);
125 #endif
126
127 SSL3_ENC_METHOD TLSv1_enc_data={
128         tls1_enc,
129         tls1_mac,
130         tls1_setup_key_block,
131         tls1_generate_master_secret,
132         tls1_change_cipher_state,
133         tls1_final_finish_mac,
134         TLS1_FINISH_MAC_LENGTH,
135         tls1_cert_verify_mac,
136         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138         tls1_alert_code,
139         tls1_export_keying_material,
140         };
141
142 long tls1_default_timeout(void)
143         {
144         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
145          * is way too long for http, the cache would over fill */
146         return(60*60*2);
147         }
148
149 int tls1_new(SSL *s)
150         {
151         if (!ssl3_new(s)) return(0);
152         s->method->ssl_clear(s);
153         return(1);
154         }
155
156 void tls1_free(SSL *s)
157         {
158 #ifndef OPENSSL_NO_TLSEXT
159         if (s->tlsext_session_ticket)
160                 {
161                 OPENSSL_free(s->tlsext_session_ticket);
162                 }
163 #endif /* OPENSSL_NO_TLSEXT */
164         ssl3_free(s);
165         }
166
167 void tls1_clear(SSL *s)
168         {
169         ssl3_clear(s);
170         s->version = s->method->version;
171         }
172
173 #ifndef OPENSSL_NO_EC
174
175 static int nid_list[] =
176         {
177                 NID_sect163k1, /* sect163k1 (1) */
178                 NID_sect163r1, /* sect163r1 (2) */
179                 NID_sect163r2, /* sect163r2 (3) */
180                 NID_sect193r1, /* sect193r1 (4) */ 
181                 NID_sect193r2, /* sect193r2 (5) */ 
182                 NID_sect233k1, /* sect233k1 (6) */
183                 NID_sect233r1, /* sect233r1 (7) */ 
184                 NID_sect239k1, /* sect239k1 (8) */ 
185                 NID_sect283k1, /* sect283k1 (9) */
186                 NID_sect283r1, /* sect283r1 (10) */ 
187                 NID_sect409k1, /* sect409k1 (11) */ 
188                 NID_sect409r1, /* sect409r1 (12) */
189                 NID_sect571k1, /* sect571k1 (13) */ 
190                 NID_sect571r1, /* sect571r1 (14) */ 
191                 NID_secp160k1, /* secp160k1 (15) */
192                 NID_secp160r1, /* secp160r1 (16) */ 
193                 NID_secp160r2, /* secp160r2 (17) */ 
194                 NID_secp192k1, /* secp192k1 (18) */
195                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
196                 NID_secp224k1, /* secp224k1 (20) */ 
197                 NID_secp224r1, /* secp224r1 (21) */
198                 NID_secp256k1, /* secp256k1 (22) */ 
199                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
200                 NID_secp384r1, /* secp384r1 (24) */
201                 NID_secp521r1  /* secp521r1 (25) */     
202         };
203
204 static int pref_list[] =
205         {
206                 NID_sect571r1, /* sect571r1 (14) */ 
207                 NID_sect571k1, /* sect571k1 (13) */ 
208                 NID_secp521r1, /* secp521r1 (25) */     
209                 NID_sect409k1, /* sect409k1 (11) */ 
210                 NID_sect409r1, /* sect409r1 (12) */
211                 NID_secp384r1, /* secp384r1 (24) */
212                 NID_sect283k1, /* sect283k1 (9) */
213                 NID_sect283r1, /* sect283r1 (10) */ 
214                 NID_secp256k1, /* secp256k1 (22) */ 
215                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
216                 NID_sect239k1, /* sect239k1 (8) */ 
217                 NID_sect233k1, /* sect233k1 (6) */
218                 NID_sect233r1, /* sect233r1 (7) */ 
219                 NID_secp224k1, /* secp224k1 (20) */ 
220                 NID_secp224r1, /* secp224r1 (21) */
221                 NID_sect193r1, /* sect193r1 (4) */ 
222                 NID_sect193r2, /* sect193r2 (5) */ 
223                 NID_secp192k1, /* secp192k1 (18) */
224                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
225                 NID_sect163k1, /* sect163k1 (1) */
226                 NID_sect163r1, /* sect163r1 (2) */
227                 NID_sect163r2, /* sect163r2 (3) */
228                 NID_secp160k1, /* secp160k1 (15) */
229                 NID_secp160r1, /* secp160r1 (16) */ 
230                 NID_secp160r2, /* secp160r2 (17) */ 
231         };
232
233 int tls1_ec_curve_id2nid(int curve_id)
234         {
235         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
236         if ((curve_id < 1) || ((unsigned int)curve_id >
237                                 sizeof(nid_list)/sizeof(nid_list[0])))
238                 return 0;
239         return nid_list[curve_id-1];
240         }
241
242 int tls1_ec_nid2curve_id(int nid)
243         {
244         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
245         switch (nid)
246                 {
247         case NID_sect163k1: /* sect163k1 (1) */
248                 return 1;
249         case NID_sect163r1: /* sect163r1 (2) */
250                 return 2;
251         case NID_sect163r2: /* sect163r2 (3) */
252                 return 3;
253         case NID_sect193r1: /* sect193r1 (4) */ 
254                 return 4;
255         case NID_sect193r2: /* sect193r2 (5) */ 
256                 return 5;
257         case NID_sect233k1: /* sect233k1 (6) */
258                 return 6;
259         case NID_sect233r1: /* sect233r1 (7) */ 
260                 return 7;
261         case NID_sect239k1: /* sect239k1 (8) */ 
262                 return 8;
263         case NID_sect283k1: /* sect283k1 (9) */
264                 return 9;
265         case NID_sect283r1: /* sect283r1 (10) */ 
266                 return 10;
267         case NID_sect409k1: /* sect409k1 (11) */ 
268                 return 11;
269         case NID_sect409r1: /* sect409r1 (12) */
270                 return 12;
271         case NID_sect571k1: /* sect571k1 (13) */ 
272                 return 13;
273         case NID_sect571r1: /* sect571r1 (14) */ 
274                 return 14;
275         case NID_secp160k1: /* secp160k1 (15) */
276                 return 15;
277         case NID_secp160r1: /* secp160r1 (16) */ 
278                 return 16;
279         case NID_secp160r2: /* secp160r2 (17) */ 
280                 return 17;
281         case NID_secp192k1: /* secp192k1 (18) */
282                 return 18;
283         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
284                 return 19;
285         case NID_secp224k1: /* secp224k1 (20) */ 
286                 return 20;
287         case NID_secp224r1: /* secp224r1 (21) */
288                 return 21;
289         case NID_secp256k1: /* secp256k1 (22) */ 
290                 return 22;
291         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
292                 return 23;
293         case NID_secp384r1: /* secp384r1 (24) */
294                 return 24;
295         case NID_secp521r1:  /* secp521r1 (25) */       
296                 return 25;
297         default:
298                 return 0;
299                 }
300         }
301 #endif /* OPENSSL_NO_EC */
302
303 #ifndef OPENSSL_NO_TLSEXT
304
305 /* List of supported signature algorithms and hashes. Should make this
306  * customisable at some point, for now include everything we support.
307  */
308
309 #ifdef OPENSSL_NO_RSA
310 #define tlsext_sigalg_rsa(md) /* */
311 #else
312 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
313 #endif
314
315 #ifdef OPENSSL_NO_DSA
316 #define tlsext_sigalg_dsa(md) /* */
317 #else
318 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
319 #endif
320
321 #ifdef OPENSSL_NO_ECDSA
322 #define tlsext_sigalg_ecdsa(md) /* */
323 #else
324 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
325 #endif
326
327 #define tlsext_sigalg(md) \
328                 tlsext_sigalg_rsa(md) \
329                 tlsext_sigalg_dsa(md) \
330                 tlsext_sigalg_ecdsa(md)
331
332 static unsigned char tls12_sigalgs[] = {
333 #ifndef OPENSSL_NO_SHA512
334         tlsext_sigalg(TLSEXT_hash_sha512)
335         tlsext_sigalg(TLSEXT_hash_sha384)
336 #endif
337 #ifndef OPENSSL_NO_SHA256
338         tlsext_sigalg(TLSEXT_hash_sha256)
339         tlsext_sigalg(TLSEXT_hash_sha224)
340 #endif
341 #ifndef OPENSSL_NO_SHA
342         tlsext_sigalg(TLSEXT_hash_sha1)
343 #endif
344 #ifndef OPENSSL_NO_MD5
345         tlsext_sigalg_rsa(TLSEXT_hash_md5)
346 #endif
347 };
348
349 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
350         {
351         size_t slen = sizeof(tls12_sigalgs);
352 #ifdef OPENSSL_FIPS
353         /* If FIPS mode don't include MD5 which is last */
354         if (FIPS_mode())
355                 slen -= 2;
356 #endif
357         if (p)
358                 memcpy(p, tls12_sigalgs, slen);
359         return (int)slen;
360         }
361
362 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
363         {
364         int extdatalen=0;
365         unsigned char *ret = p;
366
367         /* don't add extensions for SSLv3 unless doing secure renegotiation */
368         if (s->client_version == SSL3_VERSION
369                                         && !s->s3->send_connection_binding)
370                 return p;
371
372         ret+=2;
373
374         if (ret>=limit) return NULL; /* this really never occurs, but ... */
375
376         if (s->tlsext_hostname != NULL)
377                 { 
378                 /* Add TLS extension servername to the Client Hello message */
379                 unsigned long size_str;
380                 long lenmax; 
381
382                 /* check for enough space.
383                    4 for the servername type and entension length
384                    2 for servernamelist length
385                    1 for the hostname type
386                    2 for hostname length
387                    + hostname length 
388                 */
389                    
390                 if ((lenmax = limit - ret - 9) < 0 
391                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
392                         return NULL;
393                         
394                 /* extension type and length */
395                 s2n(TLSEXT_TYPE_server_name,ret); 
396                 s2n(size_str+5,ret);
397                 
398                 /* length of servername list */
399                 s2n(size_str+3,ret);
400         
401                 /* hostname type, length and hostname */
402                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
403                 s2n(size_str,ret);
404                 memcpy(ret, s->tlsext_hostname, size_str);
405                 ret+=size_str;
406                 }
407
408         /* Add RI if renegotiating */
409         if (s->renegotiate)
410           {
411           int el;
412           
413           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
414               {
415               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
416               return NULL;
417               }
418
419           if((limit - p - 4 - el) < 0) return NULL;
420           
421           s2n(TLSEXT_TYPE_renegotiate,ret);
422           s2n(el,ret);
423
424           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
425               {
426               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
427               return NULL;
428               }
429
430           ret += el;
431         }
432
433 #ifndef OPENSSL_NO_SRP
434 #define MIN(x,y) (((x)<(y))?(x):(y))
435         /* we add SRP username the first time only if we have one! */
436         if (s->srp_ctx.login != NULL)
437                 {/* Add TLS extension SRP username to the Client Hello message */
438                 int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
439                 long lenmax; 
440
441                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
442                 if (login_len > lenmax) return NULL;
443                 if (login_len > 255)
444                         {
445                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
446                         return NULL;
447                         }
448                 s2n(TLSEXT_TYPE_srp,ret);
449                 s2n(login_len+1,ret);
450
451                 (*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
452                 memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
453                 ret+=login_len;
454                 }
455 #endif
456
457 #ifndef OPENSSL_NO_EC
458         if (s->tlsext_ecpointformatlist != NULL &&
459             s->version != DTLS1_VERSION)
460                 {
461                 /* Add TLS extension ECPointFormats to the ClientHello message */
462                 long lenmax; 
463
464                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
465                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
466                 if (s->tlsext_ecpointformatlist_length > 255)
467                         {
468                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
469                         return NULL;
470                         }
471                 
472                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
473                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
474                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
475                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
476                 ret+=s->tlsext_ecpointformatlist_length;
477                 }
478         if (s->tlsext_ellipticcurvelist != NULL &&
479             s->version != DTLS1_VERSION)
480                 {
481                 /* Add TLS extension EllipticCurves to the ClientHello message */
482                 long lenmax; 
483
484                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
485                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
486                 if (s->tlsext_ellipticcurvelist_length > 65532)
487                         {
488                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
489                         return NULL;
490                         }
491                 
492                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
493                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
494
495                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
496                  * elliptic_curve_list, but the examples use two bytes.
497                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
498                  * resolves this to two bytes.
499                  */
500                 s2n(s->tlsext_ellipticcurvelist_length, ret);
501                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
502                 ret+=s->tlsext_ellipticcurvelist_length;
503                 }
504 #endif /* OPENSSL_NO_EC */
505
506         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
507                 {
508                 int ticklen;
509                 if (!s->new_session && s->session && s->session->tlsext_tick)
510                         ticklen = s->session->tlsext_ticklen;
511                 else if (s->session && s->tlsext_session_ticket &&
512                          s->tlsext_session_ticket->data)
513                         {
514                         ticklen = s->tlsext_session_ticket->length;
515                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
516                         if (!s->session->tlsext_tick)
517                                 return NULL;
518                         memcpy(s->session->tlsext_tick,
519                                s->tlsext_session_ticket->data,
520                                ticklen);
521                         s->session->tlsext_ticklen = ticklen;
522                         }
523                 else
524                         ticklen = 0;
525                 if (ticklen == 0 && s->tlsext_session_ticket &&
526                     s->tlsext_session_ticket->data == NULL)
527                         goto skip_ext;
528                 /* Check for enough room 2 for extension type, 2 for len
529                  * rest for ticket
530                  */
531                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
532                 s2n(TLSEXT_TYPE_session_ticket,ret); 
533                 s2n(ticklen,ret);
534                 if (ticklen)
535                         {
536                         memcpy(ret, s->session->tlsext_tick, ticklen);
537                         ret += ticklen;
538                         }
539                 }
540                 skip_ext:
541
542         if (TLS1_get_version(s) >= TLS1_2_VERSION)
543                 {
544                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
545                         return NULL; 
546                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
547                 s2n(sizeof(tls12_sigalgs) + 2, ret);
548                 s2n(sizeof(tls12_sigalgs), ret);
549                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
550                 ret += sizeof(tls12_sigalgs);
551                 }
552
553 #ifdef TLSEXT_TYPE_opaque_prf_input
554         if (s->s3->client_opaque_prf_input != NULL &&
555             s->version != DTLS1_VERSION)
556                 {
557                 size_t col = s->s3->client_opaque_prf_input_len;
558                 
559                 if ((long)(limit - ret - 6 - col < 0))
560                         return NULL;
561                 if (col > 0xFFFD) /* can't happen */
562                         return NULL;
563
564                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
565                 s2n(col + 2, ret);
566                 s2n(col, ret);
567                 memcpy(ret, s->s3->client_opaque_prf_input, col);
568                 ret += col;
569                 }
570 #endif
571
572         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
573             s->version != DTLS1_VERSION)
574                 {
575                 int i;
576                 long extlen, idlen, itmp;
577                 OCSP_RESPID *id;
578
579                 idlen = 0;
580                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
581                         {
582                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
583                         itmp = i2d_OCSP_RESPID(id, NULL);
584                         if (itmp <= 0)
585                                 return NULL;
586                         idlen += itmp + 2;
587                         }
588
589                 if (s->tlsext_ocsp_exts)
590                         {
591                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
592                         if (extlen < 0)
593                                 return NULL;
594                         }
595                 else
596                         extlen = 0;
597                         
598                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
599                 s2n(TLSEXT_TYPE_status_request, ret);
600                 if (extlen + idlen > 0xFFF0)
601                         return NULL;
602                 s2n(extlen + idlen + 5, ret);
603                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
604                 s2n(idlen, ret);
605                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
606                         {
607                         /* save position of id len */
608                         unsigned char *q = ret;
609                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
610                         /* skip over id len */
611                         ret += 2;
612                         itmp = i2d_OCSP_RESPID(id, &ret);
613                         /* write id len */
614                         s2n(itmp, q);
615                         }
616                 s2n(extlen, ret);
617                 if (extlen > 0)
618                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
619                 }
620
621 #ifndef OPENSSL_NO_NEXTPROTONEG
622         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
623                 {
624                 /* The client advertises an emtpy extension to indicate its
625                  * support for Next Protocol Negotiation */
626                 if (limit - ret - 4 < 0)
627                         return NULL;
628                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
629                 s2n(0,ret);
630                 }
631 #endif
632
633         if(SSL_get_srtp_profiles(s))
634                 {
635                 int el;
636
637                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
638                 
639                 if((limit - p - 4 - el) < 0) return NULL;
640
641                 s2n(TLSEXT_TYPE_use_srtp,ret);
642                 s2n(el,ret);
643
644                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
645                         {
646                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
647                         return NULL;
648                         }
649                 ret += el;
650                 }
651
652         if ((extdatalen = ret-p-2)== 0) 
653                 return p;
654
655         s2n(extdatalen,p);
656         return ret;
657         }
658
659 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
660         {
661         int extdatalen=0;
662         unsigned char *ret = p;
663 #ifndef OPENSSL_NO_NEXTPROTONEG
664         int next_proto_neg_seen;
665 #endif
666
667         /* don't add extensions for SSLv3, unless doing secure renegotiation */
668         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
669                 return p;
670         
671         ret+=2;
672         if (ret>=limit) return NULL; /* this really never occurs, but ... */
673
674         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
675                 { 
676                 if ((long)(limit - ret - 4) < 0) return NULL; 
677
678                 s2n(TLSEXT_TYPE_server_name,ret);
679                 s2n(0,ret);
680                 }
681
682         if(s->s3->send_connection_binding)
683         {
684           int el;
685           
686           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
687               {
688               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
689               return NULL;
690               }
691
692           if((limit - p - 4 - el) < 0) return NULL;
693           
694           s2n(TLSEXT_TYPE_renegotiate,ret);
695           s2n(el,ret);
696
697           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
698               {
699               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
700               return NULL;
701               }
702
703           ret += el;
704         }
705
706 #ifndef OPENSSL_NO_EC
707         if (s->tlsext_ecpointformatlist != NULL &&
708             s->version != DTLS1_VERSION)
709                 {
710                 /* Add TLS extension ECPointFormats to the ServerHello message */
711                 long lenmax; 
712
713                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
714                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
715                 if (s->tlsext_ecpointformatlist_length > 255)
716                         {
717                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
718                         return NULL;
719                         }
720                 
721                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
722                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
723                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
724                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
725                 ret+=s->tlsext_ecpointformatlist_length;
726
727                 }
728         /* Currently the server should not respond with a SupportedCurves extension */
729 #endif /* OPENSSL_NO_EC */
730
731         if (s->tlsext_ticket_expected
732                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
733                 { 
734                 if ((long)(limit - ret - 4) < 0) return NULL; 
735                 s2n(TLSEXT_TYPE_session_ticket,ret);
736                 s2n(0,ret);
737                 }
738
739         if (s->tlsext_status_expected)
740                 { 
741                 if ((long)(limit - ret - 4) < 0) return NULL; 
742                 s2n(TLSEXT_TYPE_status_request,ret);
743                 s2n(0,ret);
744                 }
745
746 #ifdef TLSEXT_TYPE_opaque_prf_input
747         if (s->s3->server_opaque_prf_input != NULL &&
748             s->version != DTLS1_VERSION)
749                 {
750                 size_t sol = s->s3->server_opaque_prf_input_len;
751                 
752                 if ((long)(limit - ret - 6 - sol) < 0)
753                         return NULL;
754                 if (sol > 0xFFFD) /* can't happen */
755                         return NULL;
756
757                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
758                 s2n(sol + 2, ret);
759                 s2n(sol, ret);
760                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
761                 ret += sol;
762                 }
763 #endif
764
765         if(s->srtp_profile)
766                 {
767                 int el;
768
769                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
770                 
771                 if((limit - p - 4 - el) < 0) return NULL;
772
773                 s2n(TLSEXT_TYPE_use_srtp,ret);
774                 s2n(el,ret);
775
776                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
777                         {
778                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
779                         return NULL;
780                         }
781                 ret+=el;
782                 }
783
784         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
785                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
786                 { const unsigned char cryptopro_ext[36] = {
787                         0xfd, 0xe8, /*65000*/
788                         0x00, 0x20, /*32 bytes length*/
789                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
790                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
791                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
792                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
793                         if (limit-ret<36) return NULL;
794                         memcpy(ret,cryptopro_ext,36);
795                         ret+=36;
796
797                 }
798
799 #ifndef OPENSSL_NO_NEXTPROTONEG
800         next_proto_neg_seen = s->s3->next_proto_neg_seen;
801         s->s3->next_proto_neg_seen = 0;
802         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
803                 {
804                 const unsigned char *npa;
805                 unsigned int npalen;
806                 int r;
807
808                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
809                 if (r == SSL_TLSEXT_ERR_OK)
810                         {
811                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
812                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
813                         s2n(npalen,ret);
814                         memcpy(ret, npa, npalen);
815                         ret += npalen;
816                         s->s3->next_proto_neg_seen = 1;
817                         }
818                 }
819 #endif
820
821         if ((extdatalen = ret-p-2)== 0) 
822                 return p;
823
824         s2n(extdatalen,p);
825         return ret;
826         }
827
828 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
829         {
830         unsigned short type;
831         unsigned short size;
832         unsigned short len;
833         unsigned char *data = *p;
834         int renegotiate_seen = 0;
835         int sigalg_seen = 0;
836
837         s->servername_done = 0;
838         s->tlsext_status_type = -1;
839
840         if (data >= (d+n-2))
841                 goto ri_check;
842         n2s(data,len);
843
844         if (data > (d+n-len)) 
845                 goto ri_check;
846
847         while (data <= (d+n-4))
848                 {
849                 n2s(data,type);
850                 n2s(data,size);
851
852                 if (data+size > (d+n))
853                         goto ri_check;
854 #if 0
855                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
856 #endif
857                 if (s->tlsext_debug_cb)
858                         s->tlsext_debug_cb(s, 0, type, data, size,
859                                                 s->tlsext_debug_arg);
860 /* The servername extension is treated as follows:
861
862    - Only the hostname type is supported with a maximum length of 255.
863    - The servername is rejected if too long or if it contains zeros,
864      in which case an fatal alert is generated.
865    - The servername field is maintained together with the session cache.
866    - When a session is resumed, the servername call back invoked in order
867      to allow the application to position itself to the right context. 
868    - The servername is acknowledged if it is new for a session or when 
869      it is identical to a previously used for the same session. 
870      Applications can control the behaviour.  They can at any time
871      set a 'desirable' servername for a new SSL object. This can be the
872      case for example with HTTPS when a Host: header field is received and
873      a renegotiation is requested. In this case, a possible servername
874      presented in the new client hello is only acknowledged if it matches
875      the value of the Host: field. 
876    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
877      if they provide for changing an explicit servername context for the session,
878      i.e. when the session has been established with a servername extension. 
879    - On session reconnect, the servername extension may be absent. 
880
881 */      
882
883                 if (type == TLSEXT_TYPE_server_name)
884                         {
885                         unsigned char *sdata;
886                         int servname_type;
887                         int dsize; 
888                 
889                         if (size < 2) 
890                                 {
891                                 *al = SSL_AD_DECODE_ERROR;
892                                 return 0;
893                                 }
894                         n2s(data,dsize);  
895                         size -= 2;
896                         if (dsize > size  ) 
897                                 {
898                                 *al = SSL_AD_DECODE_ERROR;
899                                 return 0;
900                                 } 
901
902                         sdata = data;
903                         while (dsize > 3) 
904                                 {
905                                 servname_type = *(sdata++); 
906                                 n2s(sdata,len);
907                                 dsize -= 3;
908
909                                 if (len > dsize) 
910                                         {
911                                         *al = SSL_AD_DECODE_ERROR;
912                                         return 0;
913                                         }
914                                 if (s->servername_done == 0)
915                                 switch (servname_type)
916                                         {
917                                 case TLSEXT_NAMETYPE_host_name:
918                                         if (!s->hit)
919                                                 {
920                                                 if(s->session->tlsext_hostname)
921                                                         {
922                                                         *al = SSL_AD_DECODE_ERROR;
923                                                         return 0;
924                                                         }
925                                                 if (len > TLSEXT_MAXLEN_host_name)
926                                                         {
927                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
928                                                         return 0;
929                                                         }
930                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
931                                                         {
932                                                         *al = TLS1_AD_INTERNAL_ERROR;
933                                                         return 0;
934                                                         }
935                                                 memcpy(s->session->tlsext_hostname, sdata, len);
936                                                 s->session->tlsext_hostname[len]='\0';
937                                                 if (strlen(s->session->tlsext_hostname) != len) {
938                                                         OPENSSL_free(s->session->tlsext_hostname);
939                                                         s->session->tlsext_hostname = NULL;
940                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
941                                                         return 0;
942                                                 }
943                                                 s->servername_done = 1; 
944
945                                                 }
946                                         else 
947                                                 s->servername_done = s->session->tlsext_hostname
948                                                         && strlen(s->session->tlsext_hostname) == len 
949                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
950                                         
951                                         break;
952
953                                 default:
954                                         break;
955                                         }
956                                  
957                                 dsize -= len;
958                                 }
959                         if (dsize != 0) 
960                                 {
961                                 *al = SSL_AD_DECODE_ERROR;
962                                 return 0;
963                                 }
964
965                         }
966 #ifndef OPENSSL_NO_SRP
967                 else if (type == TLSEXT_TYPE_srp)
968                         {
969                         if (size > 0)
970                                 {
971                                 len = data[0];
972                                 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
973                                         return -1;
974                                 memcpy(s->srp_ctx.login, &data[1], len);
975                                 s->srp_ctx.login[len]='\0';  
976                                 }
977                         }
978 #endif
979
980 #ifndef OPENSSL_NO_EC
981                 else if (type == TLSEXT_TYPE_ec_point_formats &&
982                      s->version != DTLS1_VERSION)
983                         {
984                         unsigned char *sdata = data;
985                         int ecpointformatlist_length = *(sdata++);
986
987                         if (ecpointformatlist_length != size - 1)
988                                 {
989                                 *al = TLS1_AD_DECODE_ERROR;
990                                 return 0;
991                                 }
992                         if (!s->hit)
993                                 {
994                                 if(s->session->tlsext_ecpointformatlist)
995                                         {
996                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
997                                         s->session->tlsext_ecpointformatlist = NULL;
998                                         }
999                                 s->session->tlsext_ecpointformatlist_length = 0;
1000                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1001                                         {
1002                                         *al = TLS1_AD_INTERNAL_ERROR;
1003                                         return 0;
1004                                         }
1005                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1006                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1007                                 }
1008 #if 0
1009                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1010                         sdata = s->session->tlsext_ecpointformatlist;
1011                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1012                                 fprintf(stderr,"%i ",*(sdata++));
1013                         fprintf(stderr,"\n");
1014 #endif
1015                         }
1016                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1017                      s->version != DTLS1_VERSION)
1018                         {
1019                         unsigned char *sdata = data;
1020                         int ellipticcurvelist_length = (*(sdata++) << 8);
1021                         ellipticcurvelist_length += (*(sdata++));
1022
1023                         if (ellipticcurvelist_length != size - 2)
1024                                 {
1025                                 *al = TLS1_AD_DECODE_ERROR;
1026                                 return 0;
1027                                 }
1028                         if (!s->hit)
1029                                 {
1030                                 if(s->session->tlsext_ellipticcurvelist)
1031                                         {
1032                                         *al = TLS1_AD_DECODE_ERROR;
1033                                         return 0;
1034                                         }
1035                                 s->session->tlsext_ellipticcurvelist_length = 0;
1036                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1037                                         {
1038                                         *al = TLS1_AD_INTERNAL_ERROR;
1039                                         return 0;
1040                                         }
1041                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1042                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1043                                 }
1044 #if 0
1045                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1046                         sdata = s->session->tlsext_ellipticcurvelist;
1047                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1048                                 fprintf(stderr,"%i ",*(sdata++));
1049                         fprintf(stderr,"\n");
1050 #endif
1051                         }
1052 #endif /* OPENSSL_NO_EC */
1053 #ifdef TLSEXT_TYPE_opaque_prf_input
1054                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1055                      s->version != DTLS1_VERSION)
1056                         {
1057                         unsigned char *sdata = data;
1058
1059                         if (size < 2)
1060                                 {
1061                                 *al = SSL_AD_DECODE_ERROR;
1062                                 return 0;
1063                                 }
1064                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1065                         if (s->s3->client_opaque_prf_input_len != size - 2)
1066                                 {
1067                                 *al = SSL_AD_DECODE_ERROR;
1068                                 return 0;
1069                                 }
1070
1071                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1072                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1073                         if (s->s3->client_opaque_prf_input_len == 0)
1074                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1075                         else
1076                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1077                         if (s->s3->client_opaque_prf_input == NULL)
1078                                 {
1079                                 *al = TLS1_AD_INTERNAL_ERROR;
1080                                 return 0;
1081                                 }
1082                         }
1083 #endif
1084                 else if (type == TLSEXT_TYPE_session_ticket)
1085                         {
1086                         if (s->tls_session_ticket_ext_cb &&
1087                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1088                                 {
1089                                 *al = TLS1_AD_INTERNAL_ERROR;
1090                                 return 0;
1091                                 }
1092                         }
1093                 else if (type == TLSEXT_TYPE_renegotiate)
1094                         {
1095                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1096                                 return 0;
1097                         renegotiate_seen = 1;
1098                         }
1099                 else if (type == TLSEXT_TYPE_signature_algorithms)
1100                         {
1101                         int dsize;
1102                         if (sigalg_seen || size < 2) 
1103                                 {
1104                                 *al = SSL_AD_DECODE_ERROR;
1105                                 return 0;
1106                                 }
1107                         sigalg_seen = 1;
1108                         n2s(data,dsize);
1109                         size -= 2;
1110                         if (dsize != size || dsize & 1) 
1111                                 {
1112                                 *al = SSL_AD_DECODE_ERROR;
1113                                 return 0;
1114                                 }
1115                         if (!tls1_process_sigalgs(s, data, dsize))
1116                                 {
1117                                 *al = SSL_AD_DECODE_ERROR;
1118                                 return 0;
1119                                 }
1120                         }
1121                 else if (type == TLSEXT_TYPE_status_request &&
1122                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1123                         {
1124                 
1125                         if (size < 5) 
1126                                 {
1127                                 *al = SSL_AD_DECODE_ERROR;
1128                                 return 0;
1129                                 }
1130
1131                         s->tlsext_status_type = *data++;
1132                         size--;
1133                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1134                                 {
1135                                 const unsigned char *sdata;
1136                                 int dsize;
1137                                 /* Read in responder_id_list */
1138                                 n2s(data,dsize);
1139                                 size -= 2;
1140                                 if (dsize > size  ) 
1141                                         {
1142                                         *al = SSL_AD_DECODE_ERROR;
1143                                         return 0;
1144                                         }
1145                                 while (dsize > 0)
1146                                         {
1147                                         OCSP_RESPID *id;
1148                                         int idsize;
1149                                         if (dsize < 4)
1150                                                 {
1151                                                 *al = SSL_AD_DECODE_ERROR;
1152                                                 return 0;
1153                                                 }
1154                                         n2s(data, idsize);
1155                                         dsize -= 2 + idsize;
1156                                         size -= 2 + idsize;
1157                                         if (dsize < 0)
1158                                                 {
1159                                                 *al = SSL_AD_DECODE_ERROR;
1160                                                 return 0;
1161                                                 }
1162                                         sdata = data;
1163                                         data += idsize;
1164                                         id = d2i_OCSP_RESPID(NULL,
1165                                                                 &sdata, idsize);
1166                                         if (!id)
1167                                                 {
1168                                                 *al = SSL_AD_DECODE_ERROR;
1169                                                 return 0;
1170                                                 }
1171                                         if (data != sdata)
1172                                                 {
1173                                                 OCSP_RESPID_free(id);
1174                                                 *al = SSL_AD_DECODE_ERROR;
1175                                                 return 0;
1176                                                 }
1177                                         if (!s->tlsext_ocsp_ids
1178                                                 && !(s->tlsext_ocsp_ids =
1179                                                 sk_OCSP_RESPID_new_null()))
1180                                                 {
1181                                                 OCSP_RESPID_free(id);
1182                                                 *al = SSL_AD_INTERNAL_ERROR;
1183                                                 return 0;
1184                                                 }
1185                                         if (!sk_OCSP_RESPID_push(
1186                                                         s->tlsext_ocsp_ids, id))
1187                                                 {
1188                                                 OCSP_RESPID_free(id);
1189                                                 *al = SSL_AD_INTERNAL_ERROR;
1190                                                 return 0;
1191                                                 }
1192                                         }
1193
1194                                 /* Read in request_extensions */
1195                                 if (size < 2)
1196                                         {
1197                                         *al = SSL_AD_DECODE_ERROR;
1198                                         return 0;
1199                                         }
1200                                 n2s(data,dsize);
1201                                 size -= 2;
1202                                 if (dsize != size)
1203                                         {
1204                                         *al = SSL_AD_DECODE_ERROR;
1205                                         return 0;
1206                                         }
1207                                 sdata = data;
1208                                 if (dsize > 0)
1209                                         {
1210                                         s->tlsext_ocsp_exts =
1211                                                 d2i_X509_EXTENSIONS(NULL,
1212                                                         &sdata, dsize);
1213                                         if (!s->tlsext_ocsp_exts
1214                                                 || (data + dsize != sdata))
1215                                                 {
1216                                                 *al = SSL_AD_DECODE_ERROR;
1217                                                 return 0;
1218                                                 }
1219                                         }
1220                                 }
1221                                 /* We don't know what to do with any other type
1222                                 * so ignore it.
1223                                 */
1224                                 else
1225                                         s->tlsext_status_type = -1;
1226                         }
1227 #ifndef OPENSSL_NO_NEXTPROTONEG
1228                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1229                          s->s3->tmp.finish_md_len == 0)
1230                         {
1231                         /* We shouldn't accept this extension on a
1232                          * renegotiation.
1233                          *
1234                          * s->new_session will be set on renegotiation, but we
1235                          * probably shouldn't rely that it couldn't be set on
1236                          * the initial renegotation too in certain cases (when
1237                          * there's some other reason to disallow resuming an
1238                          * earlier session -- the current code won't be doing
1239                          * anything like that, but this might change).
1240
1241                          * A valid sign that there's been a previous handshake
1242                          * in this connection is if s->s3->tmp.finish_md_len >
1243                          * 0.  (We are talking about a check that will happen
1244                          * in the Hello protocol round, well before a new
1245                          * Finished message could have been computed.) */
1246                         s->s3->next_proto_neg_seen = 1;
1247                         }
1248 #endif
1249
1250                 /* session ticket processed earlier */
1251                 else if (type == TLSEXT_TYPE_use_srtp)
1252                         {
1253                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1254                                                               al))
1255                                 return 0;
1256                         }
1257
1258                 data+=size;
1259                 }
1260                                 
1261         *p = data;
1262
1263         ri_check:
1264
1265         /* Need RI if renegotiating */
1266
1267         if (!renegotiate_seen && s->renegotiate &&
1268                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1269                 {
1270                 *al = SSL_AD_HANDSHAKE_FAILURE;
1271                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1272                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1273                 return 0;
1274                 }
1275
1276         return 1;
1277         }
1278
1279 #ifndef OPENSSL_NO_NEXTPROTONEG
1280 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1281  * elements of zero length are allowed and the set of elements must exactly fill
1282  * the length of the block. */
1283 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1284         {
1285         unsigned int off = 0;
1286
1287         while (off < len)
1288                 {
1289                 if (d[off] == 0)
1290                         return 0;
1291                 off += d[off];
1292                 off++;
1293                 }
1294
1295         return off == len;
1296         }
1297 #endif
1298
1299 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1300         {
1301         unsigned short length;
1302         unsigned short type;
1303         unsigned short size;
1304         unsigned char *data = *p;
1305         int tlsext_servername = 0;
1306         int renegotiate_seen = 0;
1307
1308         if (data >= (d+n-2))
1309                 goto ri_check;
1310
1311         n2s(data,length);
1312         if (data+length != d+n)
1313                 {
1314                 *al = SSL_AD_DECODE_ERROR;
1315                 return 0;
1316                 }
1317
1318         while(data <= (d+n-4))
1319                 {
1320                 n2s(data,type);
1321                 n2s(data,size);
1322
1323                 if (data+size > (d+n))
1324                         goto ri_check;
1325
1326                 if (s->tlsext_debug_cb)
1327                         s->tlsext_debug_cb(s, 1, type, data, size,
1328                                                 s->tlsext_debug_arg);
1329
1330                 if (type == TLSEXT_TYPE_server_name)
1331                         {
1332                         if (s->tlsext_hostname == NULL || size > 0)
1333                                 {
1334                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1335                                 return 0;
1336                                 }
1337                         tlsext_servername = 1;   
1338                         }
1339
1340 #ifndef OPENSSL_NO_EC
1341                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1342                      s->version != DTLS1_VERSION)
1343                         {
1344                         unsigned char *sdata = data;
1345                         int ecpointformatlist_length = *(sdata++);
1346
1347                         if (ecpointformatlist_length != size - 1)
1348                                 {
1349                                 *al = TLS1_AD_DECODE_ERROR;
1350                                 return 0;
1351                                 }
1352                         s->session->tlsext_ecpointformatlist_length = 0;
1353                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1354                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1355                                 {
1356                                 *al = TLS1_AD_INTERNAL_ERROR;
1357                                 return 0;
1358                                 }
1359                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1360                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1361 #if 0
1362                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1363                         sdata = s->session->tlsext_ecpointformatlist;
1364                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1365                                 fprintf(stderr,"%i ",*(sdata++));
1366                         fprintf(stderr,"\n");
1367 #endif
1368                         }
1369 #endif /* OPENSSL_NO_EC */
1370
1371                 else if (type == TLSEXT_TYPE_session_ticket)
1372                         {
1373                         if (s->tls_session_ticket_ext_cb &&
1374                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1375                                 {
1376                                 *al = TLS1_AD_INTERNAL_ERROR;
1377                                 return 0;
1378                                 }
1379                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1380                                 || (size > 0))
1381                                 {
1382                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1383                                 return 0;
1384                                 }
1385                         s->tlsext_ticket_expected = 1;
1386                         }
1387 #ifdef TLSEXT_TYPE_opaque_prf_input
1388                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1389                      s->version != DTLS1_VERSION)
1390                         {
1391                         unsigned char *sdata = data;
1392
1393                         if (size < 2)
1394                                 {
1395                                 *al = SSL_AD_DECODE_ERROR;
1396                                 return 0;
1397                                 }
1398                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1399                         if (s->s3->server_opaque_prf_input_len != size - 2)
1400                                 {
1401                                 *al = SSL_AD_DECODE_ERROR;
1402                                 return 0;
1403                                 }
1404                         
1405                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1406                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1407                         if (s->s3->server_opaque_prf_input_len == 0)
1408                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1409                         else
1410                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1411
1412                         if (s->s3->server_opaque_prf_input == NULL)
1413                                 {
1414                                 *al = TLS1_AD_INTERNAL_ERROR;
1415                                 return 0;
1416                                 }
1417                         }
1418 #endif
1419                 else if (type == TLSEXT_TYPE_status_request &&
1420                          s->version != DTLS1_VERSION)
1421                         {
1422                         /* MUST be empty and only sent if we've requested
1423                          * a status request message.
1424                          */ 
1425                         if ((s->tlsext_status_type == -1) || (size > 0))
1426                                 {
1427                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1428                                 return 0;
1429                                 }
1430                         /* Set flag to expect CertificateStatus message */
1431                         s->tlsext_status_expected = 1;
1432                         }
1433 #ifndef OPENSSL_NO_NEXTPROTONEG
1434                 else if (type == TLSEXT_TYPE_next_proto_neg)
1435                         {
1436                         unsigned char *selected;
1437                         unsigned char selected_len;
1438
1439                         /* We must have requested it. */
1440                         if ((s->ctx->next_proto_select_cb == NULL))
1441                                 {
1442                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1443                                 return 0;
1444                                 }
1445                         /* The data must be valid */
1446                         if (!ssl_next_proto_validate(data, size))
1447                                 {
1448                                 *al = TLS1_AD_DECODE_ERROR;
1449                                 return 0;
1450                                 }
1451                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1452                                 {
1453                                 *al = TLS1_AD_INTERNAL_ERROR;
1454                                 return 0;
1455                                 }
1456                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1457                         if (!s->next_proto_negotiated)
1458                                 {
1459                                 *al = TLS1_AD_INTERNAL_ERROR;
1460                                 return 0;
1461                                 }
1462                         memcpy(s->next_proto_negotiated, selected, selected_len);
1463                         s->next_proto_negotiated_len = selected_len;
1464                         }
1465 #endif
1466                 else if (type == TLSEXT_TYPE_renegotiate)
1467                         {
1468                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1469                                 return 0;
1470                         renegotiate_seen = 1;
1471                         }
1472                 else if (type == TLSEXT_TYPE_use_srtp)
1473                         {
1474                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1475                                                               al))
1476                                 return 0;
1477                         }
1478
1479                 data+=size;             
1480                 }
1481
1482         if (data != d+n)
1483                 {
1484                 *al = SSL_AD_DECODE_ERROR;
1485                 return 0;
1486                 }
1487
1488         if (!s->hit && tlsext_servername == 1)
1489                 {
1490                 if (s->tlsext_hostname)
1491                         {
1492                         if (s->session->tlsext_hostname == NULL)
1493                                 {
1494                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1495                                 if (!s->session->tlsext_hostname)
1496                                         {
1497                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1498                                         return 0;
1499                                         }
1500                                 }
1501                         else 
1502                                 {
1503                                 *al = SSL_AD_DECODE_ERROR;
1504                                 return 0;
1505                                 }
1506                         }
1507                 }
1508
1509         *p = data;
1510
1511         ri_check:
1512
1513         /* Determine if we need to see RI. Strictly speaking if we want to
1514          * avoid an attack we should *always* see RI even on initial server
1515          * hello because the client doesn't see any renegotiation during an
1516          * attack. However this would mean we could not connect to any server
1517          * which doesn't support RI so for the immediate future tolerate RI
1518          * absence on initial connect only.
1519          */
1520         if (!renegotiate_seen
1521                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1522                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1523                 {
1524                 *al = SSL_AD_HANDSHAKE_FAILURE;
1525                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1526                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1527                 return 0;
1528                 }
1529
1530         return 1;
1531         }
1532
1533
1534 int ssl_prepare_clienthello_tlsext(SSL *s)
1535         {
1536 #ifndef OPENSSL_NO_EC
1537         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1538          * and elliptic curves we support.
1539          */
1540         int using_ecc = 0;
1541         int i;
1542         unsigned char *j;
1543         unsigned long alg_k, alg_a;
1544         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1545
1546         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1547                 {
1548                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1549
1550                 alg_k = c->algorithm_mkey;
1551                 alg_a = c->algorithm_auth;
1552                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1553                         {
1554                         using_ecc = 1;
1555                         break;
1556                         }
1557                 }
1558         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1559         if (using_ecc)
1560                 {
1561                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1562                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1563                         {
1564                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1565                         return -1;
1566                         }
1567                 s->tlsext_ecpointformatlist_length = 3;
1568                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1569                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1570                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1571
1572                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1573                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1574                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1575                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1576                         {
1577                         s->tlsext_ellipticcurvelist_length = 0;
1578                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1579                         return -1;
1580                         }
1581                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1582                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1583                         {
1584                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1585                         s2n(id,j);
1586                         }
1587                 }
1588 #endif /* OPENSSL_NO_EC */
1589
1590 #ifdef TLSEXT_TYPE_opaque_prf_input
1591         {
1592                 int r = 1;
1593         
1594                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1595                         {
1596                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1597                         if (!r)
1598                                 return -1;
1599                         }
1600
1601                 if (s->tlsext_opaque_prf_input != NULL)
1602                         {
1603                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1604                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1605
1606                         if (s->tlsext_opaque_prf_input_len == 0)
1607                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1608                         else
1609                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1610                         if (s->s3->client_opaque_prf_input == NULL)
1611                                 {
1612                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1613                                 return -1;
1614                                 }
1615                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1616                         }
1617
1618                 if (r == 2)
1619                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1620                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1621         }
1622 #endif
1623
1624         return 1;
1625         }
1626
1627 int ssl_prepare_serverhello_tlsext(SSL *s)
1628         {
1629 #ifndef OPENSSL_NO_EC
1630         /* If we are server and using an ECC cipher suite, send the point formats we support 
1631          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1632          * supposed to send an EllipticCurves extension.
1633          */
1634
1635         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1636         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1637         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1638         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1639         
1640         if (using_ecc)
1641                 {
1642                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1643                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1644                         {
1645                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1646                         return -1;
1647                         }
1648                 s->tlsext_ecpointformatlist_length = 3;
1649                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1650                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1651                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1652                 }
1653 #endif /* OPENSSL_NO_EC */
1654
1655         return 1;
1656         }
1657
1658 int ssl_check_clienthello_tlsext(SSL *s)
1659         {
1660         int ret=SSL_TLSEXT_ERR_NOACK;
1661         int al = SSL_AD_UNRECOGNIZED_NAME;
1662
1663 #ifndef OPENSSL_NO_EC
1664         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1665          * ssl3_choose_cipher in s3_lib.c.
1666          */
1667         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1668          * ssl3_choose_cipher in s3_lib.c.
1669          */
1670 #endif
1671
1672         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1673                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1674         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1675                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1676
1677         /* If status request then ask callback what to do.
1678          * Note: this must be called after servername callbacks in case 
1679          * the certificate has changed.
1680          */
1681         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1682                 {
1683                 int r;
1684                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1685                 switch (r)
1686                         {
1687                         /* We don't want to send a status request response */
1688                         case SSL_TLSEXT_ERR_NOACK:
1689                                 s->tlsext_status_expected = 0;
1690                                 break;
1691                         /* status request response should be sent */
1692                         case SSL_TLSEXT_ERR_OK:
1693                                 if (s->tlsext_ocsp_resp)
1694                                         s->tlsext_status_expected = 1;
1695                                 else
1696                                         s->tlsext_status_expected = 0;
1697                                 break;
1698                         /* something bad happened */
1699                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1700                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1701                                 al = SSL_AD_INTERNAL_ERROR;
1702                                 goto err;
1703                         }
1704                 }
1705         else
1706                 s->tlsext_status_expected = 0;
1707
1708 #ifdef TLSEXT_TYPE_opaque_prf_input
1709         {
1710                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1711                  * but we might be sending an alert in response to the client hello,
1712                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1713
1714                 int r = 1;
1715         
1716                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1717                         {
1718                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1719                         if (!r)
1720                                 {
1721                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1722                                 al = SSL_AD_INTERNAL_ERROR;
1723                                 goto err;
1724                                 }
1725                         }
1726
1727                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1728                         OPENSSL_free(s->s3->server_opaque_prf_input);
1729                 s->s3->server_opaque_prf_input = NULL;
1730
1731                 if (s->tlsext_opaque_prf_input != NULL)
1732                         {
1733                         if (s->s3->client_opaque_prf_input != NULL &&
1734                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1735                                 {
1736                                 /* can only use this extension if we have a server opaque PRF input
1737                                  * of the same length as the client opaque PRF input! */
1738
1739                                 if (s->tlsext_opaque_prf_input_len == 0)
1740                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1741                                 else
1742                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1743                                 if (s->s3->server_opaque_prf_input == NULL)
1744                                         {
1745                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1746                                         al = SSL_AD_INTERNAL_ERROR;
1747                                         goto err;
1748                                         }
1749                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1750                                 }
1751                         }
1752
1753                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1754                         {
1755                         /* The callback wants to enforce use of the extension,
1756                          * but we can't do that with the client opaque PRF input;
1757                          * abort the handshake.
1758                          */
1759                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1760                         al = SSL_AD_HANDSHAKE_FAILURE;
1761                         }
1762         }
1763
1764 #endif
1765  err:
1766         switch (ret)
1767                 {
1768                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1769                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1770                         return -1;
1771
1772                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1773                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1774                         return 1; 
1775                                         
1776                 case SSL_TLSEXT_ERR_NOACK:
1777                         s->servername_done=0;
1778                         default:
1779                 return 1;
1780                 }
1781         }
1782
1783 int ssl_check_serverhello_tlsext(SSL *s)
1784         {
1785         int ret=SSL_TLSEXT_ERR_NOACK;
1786         int al = SSL_AD_UNRECOGNIZED_NAME;
1787
1788 #ifndef OPENSSL_NO_EC
1789         /* If we are client and using an elliptic curve cryptography cipher
1790          * suite, then if server returns an EC point formats lists extension
1791          * it must contain uncompressed.
1792          */
1793         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1794         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1795         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1796             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1797             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1798                 {
1799                 /* we are using an ECC cipher */
1800                 size_t i;
1801                 unsigned char *list;
1802                 int found_uncompressed = 0;
1803                 list = s->session->tlsext_ecpointformatlist;
1804                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1805                         {
1806                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1807                                 {
1808                                 found_uncompressed = 1;
1809                                 break;
1810                                 }
1811                         }
1812                 if (!found_uncompressed)
1813                         {
1814                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1815                         return -1;
1816                         }
1817                 }
1818         ret = SSL_TLSEXT_ERR_OK;
1819 #endif /* OPENSSL_NO_EC */
1820
1821         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1822                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1823         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1824                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1825
1826 #ifdef TLSEXT_TYPE_opaque_prf_input
1827         if (s->s3->server_opaque_prf_input_len > 0)
1828                 {
1829                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1830                  * So first verify that we really have a value from the server too. */
1831
1832                 if (s->s3->server_opaque_prf_input == NULL)
1833                         {
1834                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1835                         al = SSL_AD_HANDSHAKE_FAILURE;
1836                         }
1837                 
1838                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1839                  * that we have a client opaque PRF input of the same size. */
1840                 if (s->s3->client_opaque_prf_input == NULL ||
1841                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1842                         {
1843                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1844                         al = SSL_AD_ILLEGAL_PARAMETER;
1845                         }
1846                 }
1847 #endif
1848
1849         /* If we've requested certificate status and we wont get one
1850          * tell the callback
1851          */
1852         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1853                         && s->ctx && s->ctx->tlsext_status_cb)
1854                 {
1855                 int r;
1856                 /* Set resp to NULL, resplen to -1 so callback knows
1857                  * there is no response.
1858                  */
1859                 if (s->tlsext_ocsp_resp)
1860                         {
1861                         OPENSSL_free(s->tlsext_ocsp_resp);
1862                         s->tlsext_ocsp_resp = NULL;
1863                         }
1864                 s->tlsext_ocsp_resplen = -1;
1865                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1866                 if (r == 0)
1867                         {
1868                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1869                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1870                         }
1871                 if (r < 0)
1872                         {
1873                         al = SSL_AD_INTERNAL_ERROR;
1874                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1875                         }
1876                 }
1877
1878         switch (ret)
1879                 {
1880                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1881                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1882                         return -1;
1883
1884                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1885                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1886                         return 1; 
1887                                         
1888                 case SSL_TLSEXT_ERR_NOACK:
1889                         s->servername_done=0;
1890                         default:
1891                 return 1;
1892                 }
1893         }
1894
1895 /* Since the server cache lookup is done early on in the processing of the
1896  * ClientHello, and other operations depend on the result, we need to handle
1897  * any TLS session ticket extension at the same time.
1898  *
1899  *   session_id: points at the session ID in the ClientHello. This code will
1900  *       read past the end of this in order to parse out the session ticket
1901  *       extension, if any.
1902  *   len: the length of the session ID.
1903  *   limit: a pointer to the first byte after the ClientHello.
1904  *   ret: (output) on return, if a ticket was decrypted, then this is set to
1905  *       point to the resulting session.
1906  *
1907  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
1908  * ciphersuite, in which case we have no use for session tickets and one will
1909  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
1910  *
1911  * Returns:
1912  *   -1: fatal error, either from parsing or decrypting the ticket.
1913  *    0: no ticket was found (or was ignored, based on settings).
1914  *    1: a zero length extension was found, indicating that the client supports
1915  *       session tickets but doesn't currently have one to offer.
1916  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
1917  *       couldn't be decrypted because of a non-fatal error.
1918  *    3: a ticket was successfully decrypted and *ret was set.
1919  *
1920  * Side effects:
1921  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
1922  *   a new session ticket to the client because the client indicated support
1923  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
1924  *   a session ticket or we couldn't use the one it gave us, or if
1925  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
1926  *   Otherwise, s->tlsext_ticket_expected is set to 0.
1927  */
1928 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1929                         const unsigned char *limit, SSL_SESSION **ret)
1930         {
1931         /* Point after session ID in client hello */
1932         const unsigned char *p = session_id + len;
1933         unsigned short i;
1934
1935         *ret = NULL;
1936         s->tlsext_ticket_expected = 0;
1937
1938         /* If tickets disabled behave as if no ticket present
1939          * to permit stateful resumption.
1940          */
1941         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1942                 return 0;
1943         if ((s->version <= SSL3_VERSION) || !limit)
1944                 return 0;
1945         if (p >= limit)
1946                 return -1;
1947         /* Skip past DTLS cookie */
1948         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
1949                 {
1950                 i = *(p++);
1951                 p+= i;
1952                 if (p >= limit)
1953                         return -1;
1954                 }
1955         /* Skip past cipher list */
1956         n2s(p, i);
1957         p+= i;
1958         if (p >= limit)
1959                 return -1;
1960         /* Skip past compression algorithm list */
1961         i = *(p++);
1962         p += i;
1963         if (p > limit)
1964                 return -1;
1965         /* Now at start of extensions */
1966         if ((p + 2) >= limit)
1967                 return 0;
1968         n2s(p, i);
1969         while ((p + 4) <= limit)
1970                 {
1971                 unsigned short type, size;
1972                 n2s(p, type);
1973                 n2s(p, size);
1974                 if (p + size > limit)
1975                         return 0;
1976                 if (type == TLSEXT_TYPE_session_ticket)
1977                         {
1978                         int r;
1979                         if (size == 0)
1980                                 {
1981                                 /* The client will accept a ticket but doesn't
1982                                  * currently have one. */
1983                                 s->tlsext_ticket_expected = 1;
1984                                 return 1;
1985                                 }
1986                         if (s->tls_session_secret_cb)
1987                                 {
1988                                 /* Indicate that the ticket couldn't be
1989                                  * decrypted rather than generating the session
1990                                  * from ticket now, trigger abbreviated
1991                                  * handshake based on external mechanism to
1992                                  * calculate the master secret later. */
1993                                 return 2;
1994                                 }
1995                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
1996                         switch (r)
1997                                 {
1998                                 case 2: /* ticket couldn't be decrypted */
1999                                         s->tlsext_ticket_expected = 1;
2000                                         return 2;
2001                                 case 3: /* ticket was decrypted */
2002                                         return r;
2003                                 case 4: /* ticket decrypted but need to renew */
2004                                         s->tlsext_ticket_expected = 1;
2005                                         return 3;
2006                                 default: /* fatal error */
2007                                         return -1;
2008                                 }
2009                         }
2010                 p += size;
2011                 }
2012         return 0;
2013         }
2014
2015 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2016  *
2017  *   etick: points to the body of the session ticket extension.
2018  *   eticklen: the length of the session tickets extenion.
2019  *   sess_id: points at the session ID.
2020  *   sesslen: the length of the session ID.
2021  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2022  *       point to the resulting session.
2023  *
2024  * Returns:
2025  *   -1: fatal error, either from parsing or decrypting the ticket.
2026  *    2: the ticket couldn't be decrypted.
2027  *    3: a ticket was successfully decrypted and *psess was set.
2028  *    4: same as 3, but the ticket needs to be renewed.
2029  */
2030 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2031                                 const unsigned char *sess_id, int sesslen,
2032                                 SSL_SESSION **psess)
2033         {
2034         SSL_SESSION *sess;
2035         unsigned char *sdec;
2036         const unsigned char *p;
2037         int slen, mlen, renew_ticket = 0;
2038         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2039         HMAC_CTX hctx;
2040         EVP_CIPHER_CTX ctx;
2041         SSL_CTX *tctx = s->initial_ctx;
2042         /* Need at least keyname + iv + some encrypted data */
2043         if (eticklen < 48)
2044                 return 2;
2045         /* Initialize session ticket encryption and HMAC contexts */
2046         HMAC_CTX_init(&hctx);
2047         EVP_CIPHER_CTX_init(&ctx);
2048         if (tctx->tlsext_ticket_key_cb)
2049                 {
2050                 unsigned char *nctick = (unsigned char *)etick;
2051                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2052                                                         &ctx, &hctx, 0);
2053                 if (rv < 0)
2054                         return -1;
2055                 if (rv == 0)
2056                         return 2;
2057                 if (rv == 2)
2058                         renew_ticket = 1;
2059                 }
2060         else
2061                 {
2062                 /* Check key name matches */
2063                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2064                         return 2;
2065                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2066                                         tlsext_tick_md(), NULL);
2067                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2068                                 tctx->tlsext_tick_aes_key, etick + 16);
2069                 }
2070         /* Attempt to process session ticket, first conduct sanity and
2071          * integrity checks on ticket.
2072          */
2073         mlen = HMAC_size(&hctx);
2074         if (mlen < 0)
2075                 {
2076                 EVP_CIPHER_CTX_cleanup(&ctx);
2077                 return -1;
2078                 }
2079         eticklen -= mlen;
2080         /* Check HMAC of encrypted ticket */
2081         HMAC_Update(&hctx, etick, eticklen);
2082         HMAC_Final(&hctx, tick_hmac, NULL);
2083         HMAC_CTX_cleanup(&hctx);
2084         if (memcmp(tick_hmac, etick + eticklen, mlen))
2085                 return 2;
2086         /* Attempt to decrypt session data */
2087         /* Move p after IV to start of encrypted ticket, update length */
2088         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2089         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2090         sdec = OPENSSL_malloc(eticklen);
2091         if (!sdec)
2092                 {
2093                 EVP_CIPHER_CTX_cleanup(&ctx);
2094                 return -1;
2095                 }
2096         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2097         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2098                 return 2;
2099         slen += mlen;
2100         EVP_CIPHER_CTX_cleanup(&ctx);
2101         p = sdec;
2102
2103         sess = d2i_SSL_SESSION(NULL, &p, slen);
2104         OPENSSL_free(sdec);
2105         if (sess)
2106                 {
2107                 /* The session ID, if non-empty, is used by some clients to
2108                  * detect that the ticket has been accepted. So we copy it to
2109                  * the session structure. If it is empty set length to zero
2110                  * as required by standard.
2111                  */
2112                 if (sesslen)
2113                         memcpy(sess->session_id, sess_id, sesslen);
2114                 sess->session_id_length = sesslen;
2115                 *psess = sess;
2116                 if (renew_ticket)
2117                         return 4;
2118                 else
2119                         return 3;
2120                 }
2121         ERR_clear_error();
2122         /* For session parse failure, indicate that we need to send a new
2123          * ticket. */
2124         return 2;
2125         }
2126
2127 /* Tables to translate from NIDs to TLS v1.2 ids */
2128
2129 typedef struct 
2130         {
2131         int nid;
2132         int id;
2133         } tls12_lookup;
2134
2135 static tls12_lookup tls12_md[] = {
2136 #ifndef OPENSSL_NO_MD5
2137         {NID_md5, TLSEXT_hash_md5},
2138 #endif
2139 #ifndef OPENSSL_NO_SHA
2140         {NID_sha1, TLSEXT_hash_sha1},
2141 #endif
2142 #ifndef OPENSSL_NO_SHA256
2143         {NID_sha224, TLSEXT_hash_sha224},
2144         {NID_sha256, TLSEXT_hash_sha256},
2145 #endif
2146 #ifndef OPENSSL_NO_SHA512
2147         {NID_sha384, TLSEXT_hash_sha384},
2148         {NID_sha512, TLSEXT_hash_sha512}
2149 #endif
2150 };
2151
2152 static tls12_lookup tls12_sig[] = {
2153 #ifndef OPENSSL_NO_RSA
2154         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2155 #endif
2156 #ifndef OPENSSL_NO_RSA
2157         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2158 #endif
2159 #ifndef OPENSSL_NO_ECDSA
2160         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2161 #endif
2162 };
2163
2164 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2165         {
2166         size_t i;
2167         for (i = 0; i < tlen; i++)
2168                 {
2169                 if (table[i].nid == nid)
2170                         return table[i].id;
2171                 }
2172         return -1;
2173         }
2174 #if 0
2175 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2176         {
2177         size_t i;
2178         for (i = 0; i < tlen; i++)
2179                 {
2180                 if (table[i].id == id)
2181                         return table[i].nid;
2182                 }
2183         return -1;
2184         }
2185 #endif
2186
2187 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2188         {
2189         int sig_id, md_id;
2190         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2191                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2192         if (md_id == -1)
2193                 return 0;
2194         sig_id = tls12_get_sigid(pk);
2195         if (sig_id == -1)
2196                 return 0;
2197         p[0] = (unsigned char)md_id;
2198         p[1] = (unsigned char)sig_id;
2199         return 1;
2200         }
2201
2202 int tls12_get_sigid(const EVP_PKEY *pk)
2203         {
2204         return tls12_find_id(pk->type, tls12_sig,
2205                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2206         }
2207
2208 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2209         {
2210         switch(hash_alg)
2211                 {
2212 #ifndef OPENSSL_NO_MD5
2213                 case TLSEXT_hash_md5:
2214 #ifdef OPENSSL_FIPS
2215                 if (FIPS_mode())
2216                         return NULL;
2217 #endif
2218                 return EVP_md5();
2219 #endif
2220 #ifndef OPENSSL_NO_SHA
2221                 case TLSEXT_hash_sha1:
2222                 return EVP_sha1();
2223 #endif
2224 #ifndef OPENSSL_NO_SHA256
2225                 case TLSEXT_hash_sha224:
2226                 return EVP_sha224();
2227
2228                 case TLSEXT_hash_sha256:
2229                 return EVP_sha256();
2230 #endif
2231 #ifndef OPENSSL_NO_SHA512
2232                 case TLSEXT_hash_sha384:
2233                 return EVP_sha384();
2234
2235                 case TLSEXT_hash_sha512:
2236                 return EVP_sha512();
2237 #endif
2238                 default:
2239                 return NULL;
2240
2241                 }
2242         }
2243
2244 /* Set preferred digest for each key type */
2245
2246 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2247         {
2248         int i, idx;
2249         const EVP_MD *md;
2250         CERT *c = s->cert;
2251         /* Extension ignored for TLS versions below 1.2 */
2252         if (TLS1_get_version(s) < TLS1_2_VERSION)
2253                 return 1;
2254         /* Should never happen */
2255         if (!c)
2256                 return 0;
2257
2258         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2259         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2260         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2261         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2262
2263         for (i = 0; i < dsize; i += 2)
2264                 {
2265                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2266
2267                 switch(sig_alg)
2268                         {
2269 #ifndef OPENSSL_NO_RSA
2270                         case TLSEXT_signature_rsa:
2271                         idx = SSL_PKEY_RSA_SIGN;
2272                         break;
2273 #endif
2274 #ifndef OPENSSL_NO_DSA
2275                         case TLSEXT_signature_dsa:
2276                         idx = SSL_PKEY_DSA_SIGN;
2277                         break;
2278 #endif
2279 #ifndef OPENSSL_NO_ECDSA
2280                         case TLSEXT_signature_ecdsa:
2281                         idx = SSL_PKEY_ECC;
2282                         break;
2283 #endif
2284                         default:
2285                         continue;
2286                         }
2287
2288                 if (c->pkeys[idx].digest == NULL)
2289                         {
2290                         md = tls12_get_hash(hash_alg);
2291                         if (md)
2292                                 {
2293                                 c->pkeys[idx].digest = md;
2294                                 if (idx == SSL_PKEY_RSA_SIGN)
2295                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2296                                 }
2297                         }
2298
2299                 }
2300
2301
2302         /* Set any remaining keys to default values. NOTE: if alg is not
2303          * supported it stays as NULL.
2304          */
2305 #ifndef OPENSSL_NO_DSA
2306         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2307                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2308 #endif
2309 #ifndef OPENSSL_NO_RSA
2310         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2311                 {
2312                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2313                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2314                 }
2315 #endif
2316 #ifndef OPENSSL_NO_ECDSA
2317         if (!c->pkeys[SSL_PKEY_ECC].digest)
2318                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2319 #endif
2320         return 1;
2321         }
2322
2323 #endif