New ctrls to retrieve supported signature algorithms and curves and
[openssl.git] / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         tls1_export_keying_material,
141         };
142
143 long tls1_default_timeout(void)
144         {
145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146          * is way too long for http, the cache would over fill */
147         return(60*60*2);
148         }
149
150 int tls1_new(SSL *s)
151         {
152         if (!ssl3_new(s)) return(0);
153         s->method->ssl_clear(s);
154         return(1);
155         }
156
157 void tls1_free(SSL *s)
158         {
159 #ifndef OPENSSL_NO_TLSEXT
160         if (s->tlsext_session_ticket)
161                 {
162                 OPENSSL_free(s->tlsext_session_ticket);
163                 }
164 #endif /* OPENSSL_NO_TLSEXT */
165         ssl3_free(s);
166         }
167
168 void tls1_clear(SSL *s)
169         {
170         ssl3_clear(s);
171         s->version = s->method->version;
172         }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177         {
178                 NID_sect163k1, /* sect163k1 (1) */
179                 NID_sect163r1, /* sect163r1 (2) */
180                 NID_sect163r2, /* sect163r2 (3) */
181                 NID_sect193r1, /* sect193r1 (4) */ 
182                 NID_sect193r2, /* sect193r2 (5) */ 
183                 NID_sect233k1, /* sect233k1 (6) */
184                 NID_sect233r1, /* sect233r1 (7) */ 
185                 NID_sect239k1, /* sect239k1 (8) */ 
186                 NID_sect283k1, /* sect283k1 (9) */
187                 NID_sect283r1, /* sect283r1 (10) */ 
188                 NID_sect409k1, /* sect409k1 (11) */ 
189                 NID_sect409r1, /* sect409r1 (12) */
190                 NID_sect571k1, /* sect571k1 (13) */ 
191                 NID_sect571r1, /* sect571r1 (14) */ 
192                 NID_secp160k1, /* secp160k1 (15) */
193                 NID_secp160r1, /* secp160r1 (16) */ 
194                 NID_secp160r2, /* secp160r2 (17) */ 
195                 NID_secp192k1, /* secp192k1 (18) */
196                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
197                 NID_secp224k1, /* secp224k1 (20) */ 
198                 NID_secp224r1, /* secp224r1 (21) */
199                 NID_secp256k1, /* secp256k1 (22) */ 
200                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
201                 NID_secp384r1, /* secp384r1 (24) */
202                 NID_secp521r1  /* secp521r1 (25) */     
203         };
204
205 static int pref_list[] =
206         {
207                 NID_sect571r1, /* sect571r1 (14) */ 
208                 NID_sect571k1, /* sect571k1 (13) */ 
209                 NID_secp521r1, /* secp521r1 (25) */     
210                 NID_sect409k1, /* sect409k1 (11) */ 
211                 NID_sect409r1, /* sect409r1 (12) */
212                 NID_secp384r1, /* secp384r1 (24) */
213                 NID_sect283k1, /* sect283k1 (9) */
214                 NID_sect283r1, /* sect283r1 (10) */ 
215                 NID_secp256k1, /* secp256k1 (22) */ 
216                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
217                 NID_sect239k1, /* sect239k1 (8) */ 
218                 NID_sect233k1, /* sect233k1 (6) */
219                 NID_sect233r1, /* sect233r1 (7) */ 
220                 NID_secp224k1, /* secp224k1 (20) */ 
221                 NID_secp224r1, /* secp224r1 (21) */
222                 NID_sect193r1, /* sect193r1 (4) */ 
223                 NID_sect193r2, /* sect193r2 (5) */ 
224                 NID_secp192k1, /* secp192k1 (18) */
225                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
226                 NID_sect163k1, /* sect163k1 (1) */
227                 NID_sect163r1, /* sect163r1 (2) */
228                 NID_sect163r2, /* sect163r2 (3) */
229                 NID_secp160k1, /* secp160k1 (15) */
230                 NID_secp160r1, /* secp160r1 (16) */ 
231                 NID_secp160r2, /* secp160r2 (17) */ 
232         };
233
234 int tls1_ec_curve_id2nid(int curve_id)
235         {
236         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237         if ((curve_id < 1) || ((unsigned int)curve_id >
238                                 sizeof(nid_list)/sizeof(nid_list[0])))
239                 return 0;
240         return nid_list[curve_id-1];
241         }
242
243 int tls1_ec_nid2curve_id(int nid)
244         {
245         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246         switch (nid)
247                 {
248         case NID_sect163k1: /* sect163k1 (1) */
249                 return 1;
250         case NID_sect163r1: /* sect163r1 (2) */
251                 return 2;
252         case NID_sect163r2: /* sect163r2 (3) */
253                 return 3;
254         case NID_sect193r1: /* sect193r1 (4) */ 
255                 return 4;
256         case NID_sect193r2: /* sect193r2 (5) */ 
257                 return 5;
258         case NID_sect233k1: /* sect233k1 (6) */
259                 return 6;
260         case NID_sect233r1: /* sect233r1 (7) */ 
261                 return 7;
262         case NID_sect239k1: /* sect239k1 (8) */ 
263                 return 8;
264         case NID_sect283k1: /* sect283k1 (9) */
265                 return 9;
266         case NID_sect283r1: /* sect283r1 (10) */ 
267                 return 10;
268         case NID_sect409k1: /* sect409k1 (11) */ 
269                 return 11;
270         case NID_sect409r1: /* sect409r1 (12) */
271                 return 12;
272         case NID_sect571k1: /* sect571k1 (13) */ 
273                 return 13;
274         case NID_sect571r1: /* sect571r1 (14) */ 
275                 return 14;
276         case NID_secp160k1: /* secp160k1 (15) */
277                 return 15;
278         case NID_secp160r1: /* secp160r1 (16) */ 
279                 return 16;
280         case NID_secp160r2: /* secp160r2 (17) */ 
281                 return 17;
282         case NID_secp192k1: /* secp192k1 (18) */
283                 return 18;
284         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
285                 return 19;
286         case NID_secp224k1: /* secp224k1 (20) */ 
287                 return 20;
288         case NID_secp224r1: /* secp224r1 (21) */
289                 return 21;
290         case NID_secp256k1: /* secp256k1 (22) */ 
291                 return 22;
292         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
293                 return 23;
294         case NID_secp384r1: /* secp384r1 (24) */
295                 return 24;
296         case NID_secp521r1:  /* secp521r1 (25) */       
297                 return 25;
298         default:
299                 return 0;
300                 }
301         }
302 #endif /* OPENSSL_NO_EC */
303
304 #ifndef OPENSSL_NO_TLSEXT
305
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327
328 #define tlsext_sigalg(md) \
329                 tlsext_sigalg_rsa(md) \
330                 tlsext_sigalg_dsa(md) \
331                 tlsext_sigalg_ecdsa(md)
332
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335         tlsext_sigalg(TLSEXT_hash_sha512)
336         tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339         tlsext_sigalg(TLSEXT_hash_sha256)
340         tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343         tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346         tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349
350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351         {
352         size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354         /* If FIPS mode don't include MD5 which is last */
355         if (FIPS_mode())
356                 slen -= 2;
357 #endif
358         if (p)
359                 memcpy(p, tls12_sigalgs, slen);
360         return (int)slen;
361         }
362
363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364         {
365         int extdatalen=0;
366         unsigned char *ret = p;
367
368         /* don't add extensions for SSLv3 unless doing secure renegotiation */
369         if (s->client_version == SSL3_VERSION
370                                         && !s->s3->send_connection_binding)
371                 return p;
372
373         ret+=2;
374
375         if (ret>=limit) return NULL; /* this really never occurs, but ... */
376
377         if (s->tlsext_hostname != NULL)
378                 { 
379                 /* Add TLS extension servername to the Client Hello message */
380                 unsigned long size_str;
381                 long lenmax; 
382
383                 /* check for enough space.
384                    4 for the servername type and entension length
385                    2 for servernamelist length
386                    1 for the hostname type
387                    2 for hostname length
388                    + hostname length 
389                 */
390                    
391                 if ((lenmax = limit - ret - 9) < 0 
392                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
393                         return NULL;
394                         
395                 /* extension type and length */
396                 s2n(TLSEXT_TYPE_server_name,ret); 
397                 s2n(size_str+5,ret);
398                 
399                 /* length of servername list */
400                 s2n(size_str+3,ret);
401         
402                 /* hostname type, length and hostname */
403                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404                 s2n(size_str,ret);
405                 memcpy(ret, s->tlsext_hostname, size_str);
406                 ret+=size_str;
407                 }
408
409         /* Add RI if renegotiating */
410         if (s->renegotiate)
411           {
412           int el;
413           
414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415               {
416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417               return NULL;
418               }
419
420           if((limit - p - 4 - el) < 0) return NULL;
421           
422           s2n(TLSEXT_TYPE_renegotiate,ret);
423           s2n(el,ret);
424
425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426               {
427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428               return NULL;
429               }
430
431           ret += el;
432         }
433
434 #ifndef OPENSSL_NO_SRP
435         /* Add SRP username if there is one */
436         if (s->srp_ctx.login != NULL)
437                 { /* Add TLS extension SRP username to the Client Hello message */
438
439                 int login_len = strlen(s->srp_ctx.login);       
440                 if (login_len > 255 || login_len == 0)
441                         {
442                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443                         return NULL;
444                         } 
445
446                 /* check for enough space.
447                    4 for the srp type type and entension length
448                    1 for the srp user identity
449                    + srp user identity length 
450                 */
451                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
452
453                 /* fill in the extension */
454                 s2n(TLSEXT_TYPE_srp,ret);
455                 s2n(login_len+1,ret);
456                 (*ret++) = (unsigned char) login_len;
457                 memcpy(ret, s->srp_ctx.login, login_len);
458                 ret+=login_len;
459                 }
460 #endif
461
462 #ifndef OPENSSL_NO_EC
463         if (s->tlsext_ecpointformatlist != NULL &&
464             s->version != DTLS1_VERSION)
465                 {
466                 /* Add TLS extension ECPointFormats to the ClientHello message */
467                 long lenmax; 
468
469                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
470                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471                 if (s->tlsext_ecpointformatlist_length > 255)
472                         {
473                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474                         return NULL;
475                         }
476                 
477                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481                 ret+=s->tlsext_ecpointformatlist_length;
482                 }
483         if (s->tlsext_ellipticcurvelist != NULL &&
484             s->version != DTLS1_VERSION)
485                 {
486                 /* Add TLS extension EllipticCurves to the ClientHello message */
487                 long lenmax; 
488
489                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
490                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491                 if (s->tlsext_ellipticcurvelist_length > 65532)
492                         {
493                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494                         return NULL;
495                         }
496                 
497                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
498                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499
500                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501                  * elliptic_curve_list, but the examples use two bytes.
502                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503                  * resolves this to two bytes.
504                  */
505                 s2n(s->tlsext_ellipticcurvelist_length, ret);
506                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507                 ret+=s->tlsext_ellipticcurvelist_length;
508                 }
509 #endif /* OPENSSL_NO_EC */
510
511         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512                 {
513                 int ticklen;
514                 if (!s->new_session && s->session && s->session->tlsext_tick)
515                         ticklen = s->session->tlsext_ticklen;
516                 else if (s->session && s->tlsext_session_ticket &&
517                          s->tlsext_session_ticket->data)
518                         {
519                         ticklen = s->tlsext_session_ticket->length;
520                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521                         if (!s->session->tlsext_tick)
522                                 return NULL;
523                         memcpy(s->session->tlsext_tick,
524                                s->tlsext_session_ticket->data,
525                                ticklen);
526                         s->session->tlsext_ticklen = ticklen;
527                         }
528                 else
529                         ticklen = 0;
530                 if (ticklen == 0 && s->tlsext_session_ticket &&
531                     s->tlsext_session_ticket->data == NULL)
532                         goto skip_ext;
533                 /* Check for enough room 2 for extension type, 2 for len
534                  * rest for ticket
535                  */
536                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537                 s2n(TLSEXT_TYPE_session_ticket,ret); 
538                 s2n(ticklen,ret);
539                 if (ticklen)
540                         {
541                         memcpy(ret, s->session->tlsext_tick, ticklen);
542                         ret += ticklen;
543                         }
544                 }
545                 skip_ext:
546
547         if (TLS1_get_version(s) >= TLS1_2_VERSION)
548                 {
549                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550                         return NULL; 
551                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552                 s2n(sizeof(tls12_sigalgs) + 2, ret);
553                 s2n(sizeof(tls12_sigalgs), ret);
554                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555                 ret += sizeof(tls12_sigalgs);
556                 }
557
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559         if (s->s3->client_opaque_prf_input != NULL &&
560             s->version != DTLS1_VERSION)
561                 {
562                 size_t col = s->s3->client_opaque_prf_input_len;
563                 
564                 if ((long)(limit - ret - 6 - col < 0))
565                         return NULL;
566                 if (col > 0xFFFD) /* can't happen */
567                         return NULL;
568
569                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
570                 s2n(col + 2, ret);
571                 s2n(col, ret);
572                 memcpy(ret, s->s3->client_opaque_prf_input, col);
573                 ret += col;
574                 }
575 #endif
576
577         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578             s->version != DTLS1_VERSION)
579                 {
580                 int i;
581                 long extlen, idlen, itmp;
582                 OCSP_RESPID *id;
583
584                 idlen = 0;
585                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586                         {
587                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588                         itmp = i2d_OCSP_RESPID(id, NULL);
589                         if (itmp <= 0)
590                                 return NULL;
591                         idlen += itmp + 2;
592                         }
593
594                 if (s->tlsext_ocsp_exts)
595                         {
596                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597                         if (extlen < 0)
598                                 return NULL;
599                         }
600                 else
601                         extlen = 0;
602                         
603                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604                 s2n(TLSEXT_TYPE_status_request, ret);
605                 if (extlen + idlen > 0xFFF0)
606                         return NULL;
607                 s2n(extlen + idlen + 5, ret);
608                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609                 s2n(idlen, ret);
610                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611                         {
612                         /* save position of id len */
613                         unsigned char *q = ret;
614                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615                         /* skip over id len */
616                         ret += 2;
617                         itmp = i2d_OCSP_RESPID(id, &ret);
618                         /* write id len */
619                         s2n(itmp, q);
620                         }
621                 s2n(extlen, ret);
622                 if (extlen > 0)
623                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624                 }
625
626 #ifndef OPENSSL_NO_HEARTBEATS
627         /* Add Heartbeat extension */
628         s2n(TLSEXT_TYPE_heartbeat,ret);
629         s2n(1,ret);
630         /* Set mode:
631          * 1: peer may send requests
632          * 2: peer not allowed to send requests
633          */
634         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636         else
637                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642                 {
643                 /* The client advertises an emtpy extension to indicate its
644                  * support for Next Protocol Negotiation */
645                 if (limit - ret - 4 < 0)
646                         return NULL;
647                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648                 s2n(0,ret);
649                 }
650 #endif
651
652         if(SSL_get_srtp_profiles(s))
653                 {
654                 int el;
655
656                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657                 
658                 if((limit - p - 4 - el) < 0) return NULL;
659
660                 s2n(TLSEXT_TYPE_use_srtp,ret);
661                 s2n(el,ret);
662
663                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664                         {
665                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666                         return NULL;
667                         }
668                 ret += el;
669                 }
670
671         if ((extdatalen = ret-p-2)== 0) 
672                 return p;
673
674         s2n(extdatalen,p);
675         return ret;
676         }
677
678 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
679         {
680         int extdatalen=0;
681         unsigned char *ret = p;
682 #ifndef OPENSSL_NO_NEXTPROTONEG
683         int next_proto_neg_seen;
684 #endif
685
686         /* don't add extensions for SSLv3, unless doing secure renegotiation */
687         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
688                 return p;
689         
690         ret+=2;
691         if (ret>=limit) return NULL; /* this really never occurs, but ... */
692
693         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
694                 { 
695                 if ((long)(limit - ret - 4) < 0) return NULL; 
696
697                 s2n(TLSEXT_TYPE_server_name,ret);
698                 s2n(0,ret);
699                 }
700
701         if(s->s3->send_connection_binding)
702         {
703           int el;
704           
705           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
706               {
707               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
708               return NULL;
709               }
710
711           if((limit - p - 4 - el) < 0) return NULL;
712           
713           s2n(TLSEXT_TYPE_renegotiate,ret);
714           s2n(el,ret);
715
716           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
717               {
718               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
719               return NULL;
720               }
721
722           ret += el;
723         }
724
725 #ifndef OPENSSL_NO_EC
726         if (s->tlsext_ecpointformatlist != NULL &&
727             s->version != DTLS1_VERSION)
728                 {
729                 /* Add TLS extension ECPointFormats to the ServerHello message */
730                 long lenmax; 
731
732                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
733                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
734                 if (s->tlsext_ecpointformatlist_length > 255)
735                         {
736                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
737                         return NULL;
738                         }
739                 
740                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
741                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
742                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
743                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
744                 ret+=s->tlsext_ecpointformatlist_length;
745
746                 }
747         /* Currently the server should not respond with a SupportedCurves extension */
748 #endif /* OPENSSL_NO_EC */
749
750         if (s->tlsext_ticket_expected
751                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
752                 { 
753                 if ((long)(limit - ret - 4) < 0) return NULL; 
754                 s2n(TLSEXT_TYPE_session_ticket,ret);
755                 s2n(0,ret);
756                 }
757
758         if (s->tlsext_status_expected)
759                 { 
760                 if ((long)(limit - ret - 4) < 0) return NULL; 
761                 s2n(TLSEXT_TYPE_status_request,ret);
762                 s2n(0,ret);
763                 }
764
765 #ifdef TLSEXT_TYPE_opaque_prf_input
766         if (s->s3->server_opaque_prf_input != NULL &&
767             s->version != DTLS1_VERSION)
768                 {
769                 size_t sol = s->s3->server_opaque_prf_input_len;
770                 
771                 if ((long)(limit - ret - 6 - sol) < 0)
772                         return NULL;
773                 if (sol > 0xFFFD) /* can't happen */
774                         return NULL;
775
776                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
777                 s2n(sol + 2, ret);
778                 s2n(sol, ret);
779                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
780                 ret += sol;
781                 }
782 #endif
783
784         if(s->srtp_profile)
785                 {
786                 int el;
787
788                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789                 
790                 if((limit - p - 4 - el) < 0) return NULL;
791
792                 s2n(TLSEXT_TYPE_use_srtp,ret);
793                 s2n(el,ret);
794
795                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796                         {
797                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798                         return NULL;
799                         }
800                 ret+=el;
801                 }
802
803         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
804                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
805                 { const unsigned char cryptopro_ext[36] = {
806                         0xfd, 0xe8, /*65000*/
807                         0x00, 0x20, /*32 bytes length*/
808                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
809                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
810                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
811                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
812                         if (limit-ret<36) return NULL;
813                         memcpy(ret,cryptopro_ext,36);
814                         ret+=36;
815
816                 }
817
818 #ifndef OPENSSL_NO_HEARTBEATS
819         /* Add Heartbeat extension if we've received one */
820         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821                 {
822                 s2n(TLSEXT_TYPE_heartbeat,ret);
823                 s2n(1,ret);
824                 /* Set mode:
825                  * 1: peer may send requests
826                  * 2: peer not allowed to send requests
827                  */
828                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830                 else
831                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
832
833                 }
834 #endif
835
836 #ifndef OPENSSL_NO_NEXTPROTONEG
837         next_proto_neg_seen = s->s3->next_proto_neg_seen;
838         s->s3->next_proto_neg_seen = 0;
839         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840                 {
841                 const unsigned char *npa;
842                 unsigned int npalen;
843                 int r;
844
845                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846                 if (r == SSL_TLSEXT_ERR_OK)
847                         {
848                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
850                         s2n(npalen,ret);
851                         memcpy(ret, npa, npalen);
852                         ret += npalen;
853                         s->s3->next_proto_neg_seen = 1;
854                         }
855                 }
856 #endif
857
858         if ((extdatalen = ret-p-2)== 0) 
859                 return p;
860
861         s2n(extdatalen,p);
862         return ret;
863         }
864
865 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
866         {
867         unsigned short type;
868         unsigned short size;
869         unsigned short len;
870         unsigned char *data = *p;
871         int renegotiate_seen = 0;
872         int sigalg_seen = 0;
873
874         s->servername_done = 0;
875         s->tlsext_status_type = -1;
876 #ifndef OPENSSL_NO_NEXTPROTONEG
877         s->s3->next_proto_neg_seen = 0;
878 #endif
879
880 #ifndef OPENSSL_NO_HEARTBEATS
881         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883 #endif
884
885         if (data >= (d+n-2))
886                 goto ri_check;
887         n2s(data,len);
888
889         if (data > (d+n-len)) 
890                 goto ri_check;
891
892         while (data <= (d+n-4))
893                 {
894                 n2s(data,type);
895                 n2s(data,size);
896
897                 if (data+size > (d+n))
898                         goto ri_check;
899 #if 0
900                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
901 #endif
902                 if (s->tlsext_debug_cb)
903                         s->tlsext_debug_cb(s, 0, type, data, size,
904                                                 s->tlsext_debug_arg);
905 /* The servername extension is treated as follows:
906
907    - Only the hostname type is supported with a maximum length of 255.
908    - The servername is rejected if too long or if it contains zeros,
909      in which case an fatal alert is generated.
910    - The servername field is maintained together with the session cache.
911    - When a session is resumed, the servername call back invoked in order
912      to allow the application to position itself to the right context. 
913    - The servername is acknowledged if it is new for a session or when 
914      it is identical to a previously used for the same session. 
915      Applications can control the behaviour.  They can at any time
916      set a 'desirable' servername for a new SSL object. This can be the
917      case for example with HTTPS when a Host: header field is received and
918      a renegotiation is requested. In this case, a possible servername
919      presented in the new client hello is only acknowledged if it matches
920      the value of the Host: field. 
921    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
922      if they provide for changing an explicit servername context for the session,
923      i.e. when the session has been established with a servername extension. 
924    - On session reconnect, the servername extension may be absent. 
925
926 */      
927
928                 if (type == TLSEXT_TYPE_server_name)
929                         {
930                         unsigned char *sdata;
931                         int servname_type;
932                         int dsize; 
933                 
934                         if (size < 2) 
935                                 {
936                                 *al = SSL_AD_DECODE_ERROR;
937                                 return 0;
938                                 }
939                         n2s(data,dsize);  
940                         size -= 2;
941                         if (dsize > size  ) 
942                                 {
943                                 *al = SSL_AD_DECODE_ERROR;
944                                 return 0;
945                                 } 
946
947                         sdata = data;
948                         while (dsize > 3) 
949                                 {
950                                 servname_type = *(sdata++); 
951                                 n2s(sdata,len);
952                                 dsize -= 3;
953
954                                 if (len > dsize) 
955                                         {
956                                         *al = SSL_AD_DECODE_ERROR;
957                                         return 0;
958                                         }
959                                 if (s->servername_done == 0)
960                                 switch (servname_type)
961                                         {
962                                 case TLSEXT_NAMETYPE_host_name:
963                                         if (!s->hit)
964                                                 {
965                                                 if(s->session->tlsext_hostname)
966                                                         {
967                                                         *al = SSL_AD_DECODE_ERROR;
968                                                         return 0;
969                                                         }
970                                                 if (len > TLSEXT_MAXLEN_host_name)
971                                                         {
972                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
973                                                         return 0;
974                                                         }
975                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
976                                                         {
977                                                         *al = TLS1_AD_INTERNAL_ERROR;
978                                                         return 0;
979                                                         }
980                                                 memcpy(s->session->tlsext_hostname, sdata, len);
981                                                 s->session->tlsext_hostname[len]='\0';
982                                                 if (strlen(s->session->tlsext_hostname) != len) {
983                                                         OPENSSL_free(s->session->tlsext_hostname);
984                                                         s->session->tlsext_hostname = NULL;
985                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
986                                                         return 0;
987                                                 }
988                                                 s->servername_done = 1; 
989
990                                                 }
991                                         else 
992                                                 s->servername_done = s->session->tlsext_hostname
993                                                         && strlen(s->session->tlsext_hostname) == len 
994                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
995                                         
996                                         break;
997
998                                 default:
999                                         break;
1000                                         }
1001                                  
1002                                 dsize -= len;
1003                                 }
1004                         if (dsize != 0) 
1005                                 {
1006                                 *al = SSL_AD_DECODE_ERROR;
1007                                 return 0;
1008                                 }
1009
1010                         }
1011 #ifndef OPENSSL_NO_SRP
1012                 else if (type == TLSEXT_TYPE_srp)
1013                         {
1014                         if (size <= 0 || ((len = data[0])) != (size -1))
1015                                 {
1016                                 *al = SSL_AD_DECODE_ERROR;
1017                                 return 0;
1018                                 }
1019                         if (s->srp_ctx.login != NULL)
1020                                 {
1021                                 *al = SSL_AD_DECODE_ERROR;
1022                                 return 0;
1023                                 }
1024                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025                                 return -1;
1026                         memcpy(s->srp_ctx.login, &data[1], len);
1027                         s->srp_ctx.login[len]='\0';
1028   
1029                         if (strlen(s->srp_ctx.login) != len) 
1030                                 {
1031                                 *al = SSL_AD_DECODE_ERROR;
1032                                 return 0;
1033                                 }
1034                         }
1035 #endif
1036
1037 #ifndef OPENSSL_NO_EC
1038                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1039                      s->version != DTLS1_VERSION)
1040                         {
1041                         unsigned char *sdata = data;
1042                         int ecpointformatlist_length = *(sdata++);
1043
1044                         if (ecpointformatlist_length != size - 1)
1045                                 {
1046                                 *al = TLS1_AD_DECODE_ERROR;
1047                                 return 0;
1048                                 }
1049                         if (!s->hit)
1050                                 {
1051                                 if(s->session->tlsext_ecpointformatlist)
1052                                         {
1053                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1054                                         s->session->tlsext_ecpointformatlist = NULL;
1055                                         }
1056                                 s->session->tlsext_ecpointformatlist_length = 0;
1057                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1058                                         {
1059                                         *al = TLS1_AD_INTERNAL_ERROR;
1060                                         return 0;
1061                                         }
1062                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1063                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1064                                 }
1065 #if 0
1066                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1067                         sdata = s->session->tlsext_ecpointformatlist;
1068                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1069                                 fprintf(stderr,"%i ",*(sdata++));
1070                         fprintf(stderr,"\n");
1071 #endif
1072                         }
1073                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1074                      s->version != DTLS1_VERSION)
1075                         {
1076                         unsigned char *sdata = data;
1077                         int ellipticcurvelist_length = (*(sdata++) << 8);
1078                         ellipticcurvelist_length += (*(sdata++));
1079
1080                         if (ellipticcurvelist_length != size - 2)
1081                                 {
1082                                 *al = TLS1_AD_DECODE_ERROR;
1083                                 return 0;
1084                                 }
1085                         if (!s->hit)
1086                                 {
1087                                 if(s->session->tlsext_ellipticcurvelist)
1088                                         {
1089                                         *al = TLS1_AD_DECODE_ERROR;
1090                                         return 0;
1091                                         }
1092                                 s->session->tlsext_ellipticcurvelist_length = 0;
1093                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1094                                         {
1095                                         *al = TLS1_AD_INTERNAL_ERROR;
1096                                         return 0;
1097                                         }
1098                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1099                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1100                                 }
1101 #if 0
1102                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1103                         sdata = s->session->tlsext_ellipticcurvelist;
1104                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1105                                 fprintf(stderr,"%i ",*(sdata++));
1106                         fprintf(stderr,"\n");
1107 #endif
1108                         }
1109 #endif /* OPENSSL_NO_EC */
1110 #ifdef TLSEXT_TYPE_opaque_prf_input
1111                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1112                      s->version != DTLS1_VERSION)
1113                         {
1114                         unsigned char *sdata = data;
1115
1116                         if (size < 2)
1117                                 {
1118                                 *al = SSL_AD_DECODE_ERROR;
1119                                 return 0;
1120                                 }
1121                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1122                         if (s->s3->client_opaque_prf_input_len != size - 2)
1123                                 {
1124                                 *al = SSL_AD_DECODE_ERROR;
1125                                 return 0;
1126                                 }
1127
1128                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1129                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1130                         if (s->s3->client_opaque_prf_input_len == 0)
1131                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1132                         else
1133                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1134                         if (s->s3->client_opaque_prf_input == NULL)
1135                                 {
1136                                 *al = TLS1_AD_INTERNAL_ERROR;
1137                                 return 0;
1138                                 }
1139                         }
1140 #endif
1141                 else if (type == TLSEXT_TYPE_session_ticket)
1142                         {
1143                         if (s->tls_session_ticket_ext_cb &&
1144                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1145                                 {
1146                                 *al = TLS1_AD_INTERNAL_ERROR;
1147                                 return 0;
1148                                 }
1149                         }
1150                 else if (type == TLSEXT_TYPE_renegotiate)
1151                         {
1152                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1153                                 return 0;
1154                         renegotiate_seen = 1;
1155                         }
1156                 else if (type == TLSEXT_TYPE_signature_algorithms)
1157                         {
1158                         int dsize;
1159                         if (sigalg_seen || size < 2) 
1160                                 {
1161                                 *al = SSL_AD_DECODE_ERROR;
1162                                 return 0;
1163                                 }
1164                         sigalg_seen = 1;
1165                         n2s(data,dsize);
1166                         size -= 2;
1167                         if (dsize != size || dsize & 1) 
1168                                 {
1169                                 *al = SSL_AD_DECODE_ERROR;
1170                                 return 0;
1171                                 }
1172                         if (!tls1_process_sigalgs(s, data, dsize))
1173                                 {
1174                                 *al = SSL_AD_DECODE_ERROR;
1175                                 return 0;
1176                                 }
1177                         }
1178                 else if (type == TLSEXT_TYPE_status_request &&
1179                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1180                         {
1181                 
1182                         if (size < 5) 
1183                                 {
1184                                 *al = SSL_AD_DECODE_ERROR;
1185                                 return 0;
1186                                 }
1187
1188                         s->tlsext_status_type = *data++;
1189                         size--;
1190                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1191                                 {
1192                                 const unsigned char *sdata;
1193                                 int dsize;
1194                                 /* Read in responder_id_list */
1195                                 n2s(data,dsize);
1196                                 size -= 2;
1197                                 if (dsize > size  ) 
1198                                         {
1199                                         *al = SSL_AD_DECODE_ERROR;
1200                                         return 0;
1201                                         }
1202                                 while (dsize > 0)
1203                                         {
1204                                         OCSP_RESPID *id;
1205                                         int idsize;
1206                                         if (dsize < 4)
1207                                                 {
1208                                                 *al = SSL_AD_DECODE_ERROR;
1209                                                 return 0;
1210                                                 }
1211                                         n2s(data, idsize);
1212                                         dsize -= 2 + idsize;
1213                                         size -= 2 + idsize;
1214                                         if (dsize < 0)
1215                                                 {
1216                                                 *al = SSL_AD_DECODE_ERROR;
1217                                                 return 0;
1218                                                 }
1219                                         sdata = data;
1220                                         data += idsize;
1221                                         id = d2i_OCSP_RESPID(NULL,
1222                                                                 &sdata, idsize);
1223                                         if (!id)
1224                                                 {
1225                                                 *al = SSL_AD_DECODE_ERROR;
1226                                                 return 0;
1227                                                 }
1228                                         if (data != sdata)
1229                                                 {
1230                                                 OCSP_RESPID_free(id);
1231                                                 *al = SSL_AD_DECODE_ERROR;
1232                                                 return 0;
1233                                                 }
1234                                         if (!s->tlsext_ocsp_ids
1235                                                 && !(s->tlsext_ocsp_ids =
1236                                                 sk_OCSP_RESPID_new_null()))
1237                                                 {
1238                                                 OCSP_RESPID_free(id);
1239                                                 *al = SSL_AD_INTERNAL_ERROR;
1240                                                 return 0;
1241                                                 }
1242                                         if (!sk_OCSP_RESPID_push(
1243                                                         s->tlsext_ocsp_ids, id))
1244                                                 {
1245                                                 OCSP_RESPID_free(id);
1246                                                 *al = SSL_AD_INTERNAL_ERROR;
1247                                                 return 0;
1248                                                 }
1249                                         }
1250
1251                                 /* Read in request_extensions */
1252                                 if (size < 2)
1253                                         {
1254                                         *al = SSL_AD_DECODE_ERROR;
1255                                         return 0;
1256                                         }
1257                                 n2s(data,dsize);
1258                                 size -= 2;
1259                                 if (dsize != size)
1260                                         {
1261                                         *al = SSL_AD_DECODE_ERROR;
1262                                         return 0;
1263                                         }
1264                                 sdata = data;
1265                                 if (dsize > 0)
1266                                         {
1267                                         if (s->tlsext_ocsp_exts)
1268                                                 {
1269                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1270                                                                            X509_EXTENSION_free);
1271                                                 }
1272
1273                                         s->tlsext_ocsp_exts =
1274                                                 d2i_X509_EXTENSIONS(NULL,
1275                                                         &sdata, dsize);
1276                                         if (!s->tlsext_ocsp_exts
1277                                                 || (data + dsize != sdata))
1278                                                 {
1279                                                 *al = SSL_AD_DECODE_ERROR;
1280                                                 return 0;
1281                                                 }
1282                                         }
1283                                 }
1284                                 /* We don't know what to do with any other type
1285                                 * so ignore it.
1286                                 */
1287                                 else
1288                                         s->tlsext_status_type = -1;
1289                         }
1290 #ifndef OPENSSL_NO_HEARTBEATS
1291                 else if (type == TLSEXT_TYPE_heartbeat)
1292                         {
1293                         switch(data[0])
1294                                 {
1295                                 case 0x01:      /* Client allows us to send HB requests */
1296                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1297                                                         break;
1298                                 case 0x02:      /* Client doesn't accept HB requests */
1299                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1300                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1301                                                         break;
1302                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1303                                                         return 0;
1304                                 }
1305                         }
1306 #endif
1307 #ifndef OPENSSL_NO_NEXTPROTONEG
1308                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1309                          s->s3->tmp.finish_md_len == 0)
1310                         {
1311                         /* We shouldn't accept this extension on a
1312                          * renegotiation.
1313                          *
1314                          * s->new_session will be set on renegotiation, but we
1315                          * probably shouldn't rely that it couldn't be set on
1316                          * the initial renegotation too in certain cases (when
1317                          * there's some other reason to disallow resuming an
1318                          * earlier session -- the current code won't be doing
1319                          * anything like that, but this might change).
1320
1321                          * A valid sign that there's been a previous handshake
1322                          * in this connection is if s->s3->tmp.finish_md_len >
1323                          * 0.  (We are talking about a check that will happen
1324                          * in the Hello protocol round, well before a new
1325                          * Finished message could have been computed.) */
1326                         s->s3->next_proto_neg_seen = 1;
1327                         }
1328 #endif
1329
1330                 /* session ticket processed earlier */
1331                 else if (type == TLSEXT_TYPE_use_srtp)
1332                         {
1333                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334                                                               al))
1335                                 return 0;
1336                         }
1337
1338                 data+=size;
1339                 }
1340                                 
1341         *p = data;
1342
1343         ri_check:
1344
1345         /* Need RI if renegotiating */
1346
1347         if (!renegotiate_seen && s->renegotiate &&
1348                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1349                 {
1350                 *al = SSL_AD_HANDSHAKE_FAILURE;
1351                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1352                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1353                 return 0;
1354                 }
1355
1356         return 1;
1357         }
1358
1359 #ifndef OPENSSL_NO_NEXTPROTONEG
1360 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1361  * elements of zero length are allowed and the set of elements must exactly fill
1362  * the length of the block. */
1363 static int ssl_next_proto_validate(unsigned char *d, unsigned len)
1364         {
1365         unsigned int off = 0;
1366
1367         while (off < len)
1368                 {
1369                 if (d[off] == 0)
1370                         return 0;
1371                 off += d[off];
1372                 off++;
1373                 }
1374
1375         return off == len;
1376         }
1377 #endif
1378
1379 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1380         {
1381         unsigned short length;
1382         unsigned short type;
1383         unsigned short size;
1384         unsigned char *data = *p;
1385         int tlsext_servername = 0;
1386         int renegotiate_seen = 0;
1387
1388 #ifndef OPENSSL_NO_NEXTPROTONEG
1389         s->s3->next_proto_neg_seen = 0;
1390 #endif
1391
1392 #ifndef OPENSSL_NO_HEARTBEATS
1393         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1394                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1395 #endif
1396
1397         if (data >= (d+n-2))
1398                 goto ri_check;
1399
1400         n2s(data,length);
1401         if (data+length != d+n)
1402                 {
1403                 *al = SSL_AD_DECODE_ERROR;
1404                 return 0;
1405                 }
1406
1407         while(data <= (d+n-4))
1408                 {
1409                 n2s(data,type);
1410                 n2s(data,size);
1411
1412                 if (data+size > (d+n))
1413                         goto ri_check;
1414
1415                 if (s->tlsext_debug_cb)
1416                         s->tlsext_debug_cb(s, 1, type, data, size,
1417                                                 s->tlsext_debug_arg);
1418
1419                 if (type == TLSEXT_TYPE_server_name)
1420                         {
1421                         if (s->tlsext_hostname == NULL || size > 0)
1422                                 {
1423                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1424                                 return 0;
1425                                 }
1426                         tlsext_servername = 1;   
1427                         }
1428
1429 #ifndef OPENSSL_NO_EC
1430                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1431                      s->version != DTLS1_VERSION)
1432                         {
1433                         unsigned char *sdata = data;
1434                         int ecpointformatlist_length = *(sdata++);
1435
1436                         if (ecpointformatlist_length != size - 1)
1437                                 {
1438                                 *al = TLS1_AD_DECODE_ERROR;
1439                                 return 0;
1440                                 }
1441                         s->session->tlsext_ecpointformatlist_length = 0;
1442                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1443                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1444                                 {
1445                                 *al = TLS1_AD_INTERNAL_ERROR;
1446                                 return 0;
1447                                 }
1448                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1449                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1450 #if 0
1451                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1452                         sdata = s->session->tlsext_ecpointformatlist;
1453                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1454                                 fprintf(stderr,"%i ",*(sdata++));
1455                         fprintf(stderr,"\n");
1456 #endif
1457                         }
1458 #endif /* OPENSSL_NO_EC */
1459
1460                 else if (type == TLSEXT_TYPE_session_ticket)
1461                         {
1462                         if (s->tls_session_ticket_ext_cb &&
1463                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1464                                 {
1465                                 *al = TLS1_AD_INTERNAL_ERROR;
1466                                 return 0;
1467                                 }
1468                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1469                                 || (size > 0))
1470                                 {
1471                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1472                                 return 0;
1473                                 }
1474                         s->tlsext_ticket_expected = 1;
1475                         }
1476 #ifdef TLSEXT_TYPE_opaque_prf_input
1477                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1478                      s->version != DTLS1_VERSION)
1479                         {
1480                         unsigned char *sdata = data;
1481
1482                         if (size < 2)
1483                                 {
1484                                 *al = SSL_AD_DECODE_ERROR;
1485                                 return 0;
1486                                 }
1487                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1488                         if (s->s3->server_opaque_prf_input_len != size - 2)
1489                                 {
1490                                 *al = SSL_AD_DECODE_ERROR;
1491                                 return 0;
1492                                 }
1493                         
1494                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1495                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1496                         if (s->s3->server_opaque_prf_input_len == 0)
1497                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1498                         else
1499                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1500
1501                         if (s->s3->server_opaque_prf_input == NULL)
1502                                 {
1503                                 *al = TLS1_AD_INTERNAL_ERROR;
1504                                 return 0;
1505                                 }
1506                         }
1507 #endif
1508                 else if (type == TLSEXT_TYPE_status_request &&
1509                          s->version != DTLS1_VERSION)
1510                         {
1511                         /* MUST be empty and only sent if we've requested
1512                          * a status request message.
1513                          */ 
1514                         if ((s->tlsext_status_type == -1) || (size > 0))
1515                                 {
1516                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1517                                 return 0;
1518                                 }
1519                         /* Set flag to expect CertificateStatus message */
1520                         s->tlsext_status_expected = 1;
1521                         }
1522 #ifndef OPENSSL_NO_NEXTPROTONEG
1523                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1524                          s->s3->tmp.finish_md_len == 0)
1525                         {
1526                         unsigned char *selected;
1527                         unsigned char selected_len;
1528
1529                         /* We must have requested it. */
1530                         if ((s->ctx->next_proto_select_cb == NULL))
1531                                 {
1532                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533                                 return 0;
1534                                 }
1535                         /* The data must be valid */
1536                         if (!ssl_next_proto_validate(data, size))
1537                                 {
1538                                 *al = TLS1_AD_DECODE_ERROR;
1539                                 return 0;
1540                                 }
1541                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1542                                 {
1543                                 *al = TLS1_AD_INTERNAL_ERROR;
1544                                 return 0;
1545                                 }
1546                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1547                         if (!s->next_proto_negotiated)
1548                                 {
1549                                 *al = TLS1_AD_INTERNAL_ERROR;
1550                                 return 0;
1551                                 }
1552                         memcpy(s->next_proto_negotiated, selected, selected_len);
1553                         s->next_proto_negotiated_len = selected_len;
1554                         s->s3->next_proto_neg_seen = 1;
1555                         }
1556 #endif
1557                 else if (type == TLSEXT_TYPE_renegotiate)
1558                         {
1559                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1560                                 return 0;
1561                         renegotiate_seen = 1;
1562                         }
1563 #ifndef OPENSSL_NO_HEARTBEATS
1564                 else if (type == TLSEXT_TYPE_heartbeat)
1565                         {
1566                         switch(data[0])
1567                                 {
1568                                 case 0x01:      /* Server allows us to send HB requests */
1569                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1570                                                         break;
1571                                 case 0x02:      /* Server doesn't accept HB requests */
1572                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1573                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1574                                                         break;
1575                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1576                                                         return 0;
1577                                 }
1578                         }
1579 #endif
1580                 else if (type == TLSEXT_TYPE_use_srtp)
1581                         {
1582                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583                                                               al))
1584                                 return 0;
1585                         }
1586
1587                 data+=size;             
1588                 }
1589
1590         if (data != d+n)
1591                 {
1592                 *al = SSL_AD_DECODE_ERROR;
1593                 return 0;
1594                 }
1595
1596         if (!s->hit && tlsext_servername == 1)
1597                 {
1598                 if (s->tlsext_hostname)
1599                         {
1600                         if (s->session->tlsext_hostname == NULL)
1601                                 {
1602                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1603                                 if (!s->session->tlsext_hostname)
1604                                         {
1605                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1606                                         return 0;
1607                                         }
1608                                 }
1609                         else 
1610                                 {
1611                                 *al = SSL_AD_DECODE_ERROR;
1612                                 return 0;
1613                                 }
1614                         }
1615                 }
1616
1617         *p = data;
1618
1619         ri_check:
1620
1621         /* Determine if we need to see RI. Strictly speaking if we want to
1622          * avoid an attack we should *always* see RI even on initial server
1623          * hello because the client doesn't see any renegotiation during an
1624          * attack. However this would mean we could not connect to any server
1625          * which doesn't support RI so for the immediate future tolerate RI
1626          * absence on initial connect only.
1627          */
1628         if (!renegotiate_seen
1629                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1630                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1631                 {
1632                 *al = SSL_AD_HANDSHAKE_FAILURE;
1633                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1634                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1635                 return 0;
1636                 }
1637
1638         return 1;
1639         }
1640
1641
1642 int ssl_prepare_clienthello_tlsext(SSL *s)
1643         {
1644 #ifndef OPENSSL_NO_EC
1645         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1646          * and elliptic curves we support.
1647          */
1648         int using_ecc = 0;
1649         int i;
1650         unsigned char *j;
1651         unsigned long alg_k, alg_a;
1652         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1653
1654         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1655                 {
1656                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1657
1658                 alg_k = c->algorithm_mkey;
1659                 alg_a = c->algorithm_auth;
1660                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1661                         {
1662                         using_ecc = 1;
1663                         break;
1664                         }
1665                 }
1666         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1667         if (using_ecc)
1668                 {
1669                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1670                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1671                         {
1672                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1673                         return -1;
1674                         }
1675                 s->tlsext_ecpointformatlist_length = 3;
1676                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1677                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1678                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1679
1680                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1681                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1682                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1683                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1684                         {
1685                         s->tlsext_ellipticcurvelist_length = 0;
1686                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1687                         return -1;
1688                         }
1689                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1690                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1691                         {
1692                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1693                         s2n(id,j);
1694                         }
1695                 }
1696 #endif /* OPENSSL_NO_EC */
1697
1698 #ifdef TLSEXT_TYPE_opaque_prf_input
1699         {
1700                 int r = 1;
1701         
1702                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1703                         {
1704                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1705                         if (!r)
1706                                 return -1;
1707                         }
1708
1709                 if (s->tlsext_opaque_prf_input != NULL)
1710                         {
1711                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1712                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1713
1714                         if (s->tlsext_opaque_prf_input_len == 0)
1715                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1716                         else
1717                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1718                         if (s->s3->client_opaque_prf_input == NULL)
1719                                 {
1720                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1721                                 return -1;
1722                                 }
1723                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1724                         }
1725
1726                 if (r == 2)
1727                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1728                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1729         }
1730 #endif
1731
1732         return 1;
1733         }
1734
1735 int ssl_prepare_serverhello_tlsext(SSL *s)
1736         {
1737 #ifndef OPENSSL_NO_EC
1738         /* If we are server and using an ECC cipher suite, send the point formats we support 
1739          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1740          * supposed to send an EllipticCurves extension.
1741          */
1742
1743         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1744         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1745         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1746         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1747         
1748         if (using_ecc)
1749                 {
1750                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1751                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1752                         {
1753                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1754                         return -1;
1755                         }
1756                 s->tlsext_ecpointformatlist_length = 3;
1757                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1758                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1759                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1760                 }
1761 #endif /* OPENSSL_NO_EC */
1762
1763         return 1;
1764         }
1765
1766 int ssl_check_clienthello_tlsext(SSL *s)
1767         {
1768         int ret=SSL_TLSEXT_ERR_NOACK;
1769         int al = SSL_AD_UNRECOGNIZED_NAME;
1770
1771 #ifndef OPENSSL_NO_EC
1772         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1773          * ssl3_choose_cipher in s3_lib.c.
1774          */
1775         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1776          * ssl3_choose_cipher in s3_lib.c.
1777          */
1778 #endif
1779
1780         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1781                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1782         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1783                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1784
1785         /* If status request then ask callback what to do.
1786          * Note: this must be called after servername callbacks in case 
1787          * the certificate has changed.
1788          */
1789         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1790                 {
1791                 int r;
1792                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1793                 switch (r)
1794                         {
1795                         /* We don't want to send a status request response */
1796                         case SSL_TLSEXT_ERR_NOACK:
1797                                 s->tlsext_status_expected = 0;
1798                                 break;
1799                         /* status request response should be sent */
1800                         case SSL_TLSEXT_ERR_OK:
1801                                 if (s->tlsext_ocsp_resp)
1802                                         s->tlsext_status_expected = 1;
1803                                 else
1804                                         s->tlsext_status_expected = 0;
1805                                 break;
1806                         /* something bad happened */
1807                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1808                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1809                                 al = SSL_AD_INTERNAL_ERROR;
1810                                 goto err;
1811                         }
1812                 }
1813         else
1814                 s->tlsext_status_expected = 0;
1815
1816 #ifdef TLSEXT_TYPE_opaque_prf_input
1817         {
1818                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1819                  * but we might be sending an alert in response to the client hello,
1820                  * so this has to happen here in ssl_check_clienthello_tlsext(). */
1821
1822                 int r = 1;
1823         
1824                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1825                         {
1826                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1827                         if (!r)
1828                                 {
1829                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1830                                 al = SSL_AD_INTERNAL_ERROR;
1831                                 goto err;
1832                                 }
1833                         }
1834
1835                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1836                         OPENSSL_free(s->s3->server_opaque_prf_input);
1837                 s->s3->server_opaque_prf_input = NULL;
1838
1839                 if (s->tlsext_opaque_prf_input != NULL)
1840                         {
1841                         if (s->s3->client_opaque_prf_input != NULL &&
1842                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1843                                 {
1844                                 /* can only use this extension if we have a server opaque PRF input
1845                                  * of the same length as the client opaque PRF input! */
1846
1847                                 if (s->tlsext_opaque_prf_input_len == 0)
1848                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1849                                 else
1850                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1851                                 if (s->s3->server_opaque_prf_input == NULL)
1852                                         {
1853                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1854                                         al = SSL_AD_INTERNAL_ERROR;
1855                                         goto err;
1856                                         }
1857                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1858                                 }
1859                         }
1860
1861                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1862                         {
1863                         /* The callback wants to enforce use of the extension,
1864                          * but we can't do that with the client opaque PRF input;
1865                          * abort the handshake.
1866                          */
1867                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1868                         al = SSL_AD_HANDSHAKE_FAILURE;
1869                         }
1870         }
1871
1872 #endif
1873  err:
1874         switch (ret)
1875                 {
1876                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1877                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1878                         return -1;
1879
1880                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1881                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1882                         return 1; 
1883                                         
1884                 case SSL_TLSEXT_ERR_NOACK:
1885                         s->servername_done=0;
1886                         default:
1887                 return 1;
1888                 }
1889         }
1890
1891 int ssl_check_serverhello_tlsext(SSL *s)
1892         {
1893         int ret=SSL_TLSEXT_ERR_NOACK;
1894         int al = SSL_AD_UNRECOGNIZED_NAME;
1895
1896 #ifndef OPENSSL_NO_EC
1897         /* If we are client and using an elliptic curve cryptography cipher
1898          * suite, then if server returns an EC point formats lists extension
1899          * it must contain uncompressed.
1900          */
1901         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1902         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1903         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1904             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1905             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1906                 {
1907                 /* we are using an ECC cipher */
1908                 size_t i;
1909                 unsigned char *list;
1910                 int found_uncompressed = 0;
1911                 list = s->session->tlsext_ecpointformatlist;
1912                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1913                         {
1914                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1915                                 {
1916                                 found_uncompressed = 1;
1917                                 break;
1918                                 }
1919                         }
1920                 if (!found_uncompressed)
1921                         {
1922                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1923                         return -1;
1924                         }
1925                 }
1926         ret = SSL_TLSEXT_ERR_OK;
1927 #endif /* OPENSSL_NO_EC */
1928
1929         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1930                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1931         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1932                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1933
1934 #ifdef TLSEXT_TYPE_opaque_prf_input
1935         if (s->s3->server_opaque_prf_input_len > 0)
1936                 {
1937                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1938                  * So first verify that we really have a value from the server too. */
1939
1940                 if (s->s3->server_opaque_prf_input == NULL)
1941                         {
1942                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1943                         al = SSL_AD_HANDSHAKE_FAILURE;
1944                         }
1945                 
1946                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1947                  * that we have a client opaque PRF input of the same size. */
1948                 if (s->s3->client_opaque_prf_input == NULL ||
1949                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1950                         {
1951                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1952                         al = SSL_AD_ILLEGAL_PARAMETER;
1953                         }
1954                 }
1955 #endif
1956
1957         /* If we've requested certificate status and we wont get one
1958          * tell the callback
1959          */
1960         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
1961                         && s->ctx && s->ctx->tlsext_status_cb)
1962                 {
1963                 int r;
1964                 /* Set resp to NULL, resplen to -1 so callback knows
1965                  * there is no response.
1966                  */
1967                 if (s->tlsext_ocsp_resp)
1968                         {
1969                         OPENSSL_free(s->tlsext_ocsp_resp);
1970                         s->tlsext_ocsp_resp = NULL;
1971                         }
1972                 s->tlsext_ocsp_resplen = -1;
1973                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1974                 if (r == 0)
1975                         {
1976                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1977                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1978                         }
1979                 if (r < 0)
1980                         {
1981                         al = SSL_AD_INTERNAL_ERROR;
1982                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1983                         }
1984                 }
1985
1986         switch (ret)
1987                 {
1988                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1989                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1990                         return -1;
1991
1992                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1993                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1994                         return 1; 
1995                                         
1996                 case SSL_TLSEXT_ERR_NOACK:
1997                         s->servername_done=0;
1998                         default:
1999                 return 1;
2000                 }
2001         }
2002
2003 /* Since the server cache lookup is done early on in the processing of the
2004  * ClientHello, and other operations depend on the result, we need to handle
2005  * any TLS session ticket extension at the same time.
2006  *
2007  *   session_id: points at the session ID in the ClientHello. This code will
2008  *       read past the end of this in order to parse out the session ticket
2009  *       extension, if any.
2010  *   len: the length of the session ID.
2011  *   limit: a pointer to the first byte after the ClientHello.
2012  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2013  *       point to the resulting session.
2014  *
2015  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2016  * ciphersuite, in which case we have no use for session tickets and one will
2017  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2018  *
2019  * Returns:
2020  *   -1: fatal error, either from parsing or decrypting the ticket.
2021  *    0: no ticket was found (or was ignored, based on settings).
2022  *    1: a zero length extension was found, indicating that the client supports
2023  *       session tickets but doesn't currently have one to offer.
2024  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2025  *       couldn't be decrypted because of a non-fatal error.
2026  *    3: a ticket was successfully decrypted and *ret was set.
2027  *
2028  * Side effects:
2029  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2030  *   a new session ticket to the client because the client indicated support
2031  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2032  *   a session ticket or we couldn't use the one it gave us, or if
2033  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2034  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2035  */
2036 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2037                         const unsigned char *limit, SSL_SESSION **ret)
2038         {
2039         /* Point after session ID in client hello */
2040         const unsigned char *p = session_id + len;
2041         unsigned short i;
2042
2043         *ret = NULL;
2044         s->tlsext_ticket_expected = 0;
2045
2046         /* If tickets disabled behave as if no ticket present
2047          * to permit stateful resumption.
2048          */
2049         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2050                 return 0;
2051         if ((s->version <= SSL3_VERSION) || !limit)
2052                 return 0;
2053         if (p >= limit)
2054                 return -1;
2055         /* Skip past DTLS cookie */
2056         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2057                 {
2058                 i = *(p++);
2059                 p+= i;
2060                 if (p >= limit)
2061                         return -1;
2062                 }
2063         /* Skip past cipher list */
2064         n2s(p, i);
2065         p+= i;
2066         if (p >= limit)
2067                 return -1;
2068         /* Skip past compression algorithm list */
2069         i = *(p++);
2070         p += i;
2071         if (p > limit)
2072                 return -1;
2073         /* Now at start of extensions */
2074         if ((p + 2) >= limit)
2075                 return 0;
2076         n2s(p, i);
2077         while ((p + 4) <= limit)
2078                 {
2079                 unsigned short type, size;
2080                 n2s(p, type);
2081                 n2s(p, size);
2082                 if (p + size > limit)
2083                         return 0;
2084                 if (type == TLSEXT_TYPE_session_ticket)
2085                         {
2086                         int r;
2087                         if (size == 0)
2088                                 {
2089                                 /* The client will accept a ticket but doesn't
2090                                  * currently have one. */
2091                                 s->tlsext_ticket_expected = 1;
2092                                 return 1;
2093                                 }
2094                         if (s->tls_session_secret_cb)
2095                                 {
2096                                 /* Indicate that the ticket couldn't be
2097                                  * decrypted rather than generating the session
2098                                  * from ticket now, trigger abbreviated
2099                                  * handshake based on external mechanism to
2100                                  * calculate the master secret later. */
2101                                 return 2;
2102                                 }
2103                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2104                         switch (r)
2105                                 {
2106                                 case 2: /* ticket couldn't be decrypted */
2107                                         s->tlsext_ticket_expected = 1;
2108                                         return 2;
2109                                 case 3: /* ticket was decrypted */
2110                                         return r;
2111                                 case 4: /* ticket decrypted but need to renew */
2112                                         s->tlsext_ticket_expected = 1;
2113                                         return 3;
2114                                 default: /* fatal error */
2115                                         return -1;
2116                                 }
2117                         }
2118                 p += size;
2119                 }
2120         return 0;
2121         }
2122
2123 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2124  *
2125  *   etick: points to the body of the session ticket extension.
2126  *   eticklen: the length of the session tickets extenion.
2127  *   sess_id: points at the session ID.
2128  *   sesslen: the length of the session ID.
2129  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2130  *       point to the resulting session.
2131  *
2132  * Returns:
2133  *   -1: fatal error, either from parsing or decrypting the ticket.
2134  *    2: the ticket couldn't be decrypted.
2135  *    3: a ticket was successfully decrypted and *psess was set.
2136  *    4: same as 3, but the ticket needs to be renewed.
2137  */
2138 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2139                                 const unsigned char *sess_id, int sesslen,
2140                                 SSL_SESSION **psess)
2141         {
2142         SSL_SESSION *sess;
2143         unsigned char *sdec;
2144         const unsigned char *p;
2145         int slen, mlen, renew_ticket = 0;
2146         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2147         HMAC_CTX hctx;
2148         EVP_CIPHER_CTX ctx;
2149         SSL_CTX *tctx = s->initial_ctx;
2150         /* Need at least keyname + iv + some encrypted data */
2151         if (eticklen < 48)
2152                 return 2;
2153         /* Initialize session ticket encryption and HMAC contexts */
2154         HMAC_CTX_init(&hctx);
2155         EVP_CIPHER_CTX_init(&ctx);
2156         if (tctx->tlsext_ticket_key_cb)
2157                 {
2158                 unsigned char *nctick = (unsigned char *)etick;
2159                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2160                                                         &ctx, &hctx, 0);
2161                 if (rv < 0)
2162                         return -1;
2163                 if (rv == 0)
2164                         return 2;
2165                 if (rv == 2)
2166                         renew_ticket = 1;
2167                 }
2168         else
2169                 {
2170                 /* Check key name matches */
2171                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2172                         return 2;
2173                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2174                                         tlsext_tick_md(), NULL);
2175                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2176                                 tctx->tlsext_tick_aes_key, etick + 16);
2177                 }
2178         /* Attempt to process session ticket, first conduct sanity and
2179          * integrity checks on ticket.
2180          */
2181         mlen = HMAC_size(&hctx);
2182         if (mlen < 0)
2183                 {
2184                 EVP_CIPHER_CTX_cleanup(&ctx);
2185                 return -1;
2186                 }
2187         eticklen -= mlen;
2188         /* Check HMAC of encrypted ticket */
2189         HMAC_Update(&hctx, etick, eticklen);
2190         HMAC_Final(&hctx, tick_hmac, NULL);
2191         HMAC_CTX_cleanup(&hctx);
2192         if (memcmp(tick_hmac, etick + eticklen, mlen))
2193                 return 2;
2194         /* Attempt to decrypt session data */
2195         /* Move p after IV to start of encrypted ticket, update length */
2196         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2197         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2198         sdec = OPENSSL_malloc(eticklen);
2199         if (!sdec)
2200                 {
2201                 EVP_CIPHER_CTX_cleanup(&ctx);
2202                 return -1;
2203                 }
2204         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2205         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2206                 return 2;
2207         slen += mlen;
2208         EVP_CIPHER_CTX_cleanup(&ctx);
2209         p = sdec;
2210
2211         sess = d2i_SSL_SESSION(NULL, &p, slen);
2212         OPENSSL_free(sdec);
2213         if (sess)
2214                 {
2215                 /* The session ID, if non-empty, is used by some clients to
2216                  * detect that the ticket has been accepted. So we copy it to
2217                  * the session structure. If it is empty set length to zero
2218                  * as required by standard.
2219                  */
2220                 if (sesslen)
2221                         memcpy(sess->session_id, sess_id, sesslen);
2222                 sess->session_id_length = sesslen;
2223                 *psess = sess;
2224                 if (renew_ticket)
2225                         return 4;
2226                 else
2227                         return 3;
2228                 }
2229         ERR_clear_error();
2230         /* For session parse failure, indicate that we need to send a new
2231          * ticket. */
2232         return 2;
2233         }
2234
2235 /* Tables to translate from NIDs to TLS v1.2 ids */
2236
2237 typedef struct 
2238         {
2239         int nid;
2240         int id;
2241         } tls12_lookup;
2242
2243 static tls12_lookup tls12_md[] = {
2244         {NID_md5, TLSEXT_hash_md5},
2245         {NID_sha1, TLSEXT_hash_sha1},
2246         {NID_sha224, TLSEXT_hash_sha224},
2247         {NID_sha256, TLSEXT_hash_sha256},
2248         {NID_sha384, TLSEXT_hash_sha384},
2249         {NID_sha512, TLSEXT_hash_sha512}
2250 };
2251
2252 static tls12_lookup tls12_sig[] = {
2253         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2254         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2255         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2256 };
2257
2258 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2259         {
2260         size_t i;
2261         for (i = 0; i < tlen; i++)
2262                 {
2263                 if (table[i].nid == nid)
2264                         return table[i].id;
2265                 }
2266         return -1;
2267         }
2268
2269 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2270         {
2271         size_t i;
2272         for (i = 0; i < tlen; i++)
2273                 {
2274                 if ((table[i].id) == id)
2275                         return table[i].nid;
2276                 }
2277         return NID_undef;
2278         }
2279
2280 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2281         {
2282         int sig_id, md_id;
2283         if (!md)
2284                 return 0;
2285         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2286                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2287         if (md_id == -1)
2288                 return 0;
2289         sig_id = tls12_get_sigid(pk);
2290         if (sig_id == -1)
2291                 return 0;
2292         p[0] = (unsigned char)md_id;
2293         p[1] = (unsigned char)sig_id;
2294         return 1;
2295         }
2296
2297 int tls12_get_sigid(const EVP_PKEY *pk)
2298         {
2299         return tls12_find_id(pk->type, tls12_sig,
2300                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2301         }
2302
2303 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2304         {
2305         switch(hash_alg)
2306                 {
2307 #ifndef OPENSSL_NO_MD5
2308                 case TLSEXT_hash_md5:
2309 #ifdef OPENSSL_FIPS
2310                 if (FIPS_mode())
2311                         return NULL;
2312 #endif
2313                 return EVP_md5();
2314 #endif
2315 #ifndef OPENSSL_NO_SHA
2316                 case TLSEXT_hash_sha1:
2317                 return EVP_sha1();
2318 #endif
2319 #ifndef OPENSSL_NO_SHA256
2320                 case TLSEXT_hash_sha224:
2321                 return EVP_sha224();
2322
2323                 case TLSEXT_hash_sha256:
2324                 return EVP_sha256();
2325 #endif
2326 #ifndef OPENSSL_NO_SHA512
2327                 case TLSEXT_hash_sha384:
2328                 return EVP_sha384();
2329
2330                 case TLSEXT_hash_sha512:
2331                 return EVP_sha512();
2332 #endif
2333                 default:
2334                 return NULL;
2335
2336                 }
2337         }
2338
2339 /* Set preferred digest for each key type */
2340
2341 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2342         {
2343         int i, idx;
2344         const EVP_MD *md;
2345         CERT *c = s->cert;
2346         TLS_SIGALGS *sigptr;
2347         /* Extension ignored for TLS versions below 1.2 */
2348         if (TLS1_get_version(s) < TLS1_2_VERSION)
2349                 return 1;
2350         /* Should never happen */
2351         if (!c)
2352                 return 0;
2353
2354         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2355         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2356         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2357         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2358
2359         if (c->sigalgs)
2360                 OPENSSL_free(c->sigalgs);
2361         c->sigalgs = OPENSSL_malloc((dsize/2) * sizeof(TLS_SIGALGS));
2362         if (!c->sigalgs)
2363                 return 0;
2364         c->sigalgslen = dsize/2;
2365
2366         for (i = 0, sigptr = c->sigalgs; i < dsize; i += 2, sigptr++)
2367                 {
2368                 sigptr->rhash = data[i];
2369                 sigptr->rsign = data[i + 1];
2370                 sigptr->hash_nid = tls12_find_nid(sigptr->rhash, tls12_md,
2371                                         sizeof(tls12_md)/sizeof(tls12_lookup));
2372                 sigptr->sign_nid = tls12_find_nid(sigptr->rsign, tls12_sig,
2373                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
2374                 if (!OBJ_find_sigid_by_algs(&sigptr->signandhash_nid,
2375                                                 sigptr->hash_nid,
2376                                                 sigptr->sign_nid))
2377                         sigptr->signandhash_nid = NID_undef;
2378                 switch(sigptr->rsign)
2379                         {
2380 #ifndef OPENSSL_NO_RSA
2381                         case TLSEXT_signature_rsa:
2382                         idx = SSL_PKEY_RSA_SIGN;
2383                         break;
2384 #endif
2385 #ifndef OPENSSL_NO_DSA
2386                         case TLSEXT_signature_dsa:
2387                         idx = SSL_PKEY_DSA_SIGN;
2388                         break;
2389 #endif
2390 #ifndef OPENSSL_NO_ECDSA
2391                         case TLSEXT_signature_ecdsa:
2392                         idx = SSL_PKEY_ECC;
2393                         break;
2394 #endif
2395                         default:
2396                         continue;
2397                         }
2398
2399                 if (c->pkeys[idx].digest == NULL)
2400                         {
2401                         md = tls12_get_hash(sigptr->rhash);
2402                         if (md)
2403                                 {
2404                                 c->pkeys[idx].digest = md;
2405                                 if (idx == SSL_PKEY_RSA_SIGN)
2406                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2407                                 }
2408                         }
2409
2410                 }
2411
2412
2413         /* Set any remaining keys to default values. NOTE: if alg is not
2414          * supported it stays as NULL.
2415          */
2416 #ifndef OPENSSL_NO_DSA
2417         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2418                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2419 #endif
2420 #ifndef OPENSSL_NO_RSA
2421         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2422                 {
2423                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2424                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2425                 }
2426 #endif
2427 #ifndef OPENSSL_NO_ECDSA
2428         if (!c->pkeys[SSL_PKEY_ECC].digest)
2429                 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2430 #endif
2431         return 1;
2432         }
2433
2434 #endif
2435
2436 int SSL_get_sigalgs(SSL *s, int idx,
2437                         int *psign, int *phash, int *psignandhash,
2438                         unsigned char *rsig, unsigned char *rhash)
2439         {
2440         if (s->cert->sigalgs == NULL)
2441                 return 0;
2442         if (idx >= 0)
2443                 {
2444                 TLS_SIGALGS *psig;
2445                 if (idx >= (int)s->cert->sigalgslen)
2446                         return 0;
2447                 psig = s->cert->sigalgs + idx;
2448                 if (psign)
2449                         *psign = psig->sign_nid;
2450                 if (phash)
2451                         *phash = psig->hash_nid;
2452                 if (psignandhash)
2453                         *psignandhash = psig->signandhash_nid;
2454                 if (rsig)
2455                         *rsig = psig->rsign;
2456                 if (rhash)
2457                         *rhash = psig->rhash;
2458                 }
2459         return s->cert->sigalgslen;
2460         }
2461         
2462
2463 #ifndef OPENSSL_NO_HEARTBEATS
2464 int
2465 tls1_process_heartbeat(SSL *s)
2466         {
2467         unsigned char *p = &s->s3->rrec.data[0], *pl;
2468         unsigned short hbtype;
2469         unsigned int payload;
2470         unsigned int padding = 16; /* Use minimum padding */
2471
2472         /* Read type and payload length first */
2473         hbtype = *p++;
2474         n2s(p, payload);
2475         pl = p;
2476
2477         if (s->msg_callback)
2478                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2479                         &s->s3->rrec.data[0], s->s3->rrec.length,
2480                         s, s->msg_callback_arg);
2481
2482         if (hbtype == TLS1_HB_REQUEST)
2483                 {
2484                 unsigned char *buffer, *bp;
2485                 int r;
2486
2487                 /* Allocate memory for the response, size is 1 bytes
2488                  * message type, plus 2 bytes payload length, plus
2489                  * payload, plus padding
2490                  */
2491                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2492                 bp = buffer;
2493                 
2494                 /* Enter response type, length and copy payload */
2495                 *bp++ = TLS1_HB_RESPONSE;
2496                 s2n(payload, bp);
2497                 memcpy(bp, pl, payload);
2498                 bp += payload;
2499                 /* Random padding */
2500                 RAND_pseudo_bytes(bp, padding);
2501
2502                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2503
2504                 if (r >= 0 && s->msg_callback)
2505                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2506                                 buffer, 3 + payload + padding,
2507                                 s, s->msg_callback_arg);
2508
2509                 OPENSSL_free(buffer);
2510
2511                 if (r < 0)
2512                         return r;
2513                 }
2514         else if (hbtype == TLS1_HB_RESPONSE)
2515                 {
2516                 unsigned int seq;
2517                 
2518                 /* We only send sequence numbers (2 bytes unsigned int),
2519                  * and 16 random bytes, so we just try to read the
2520                  * sequence number */
2521                 n2s(pl, seq);
2522                 
2523                 if (payload == 18 && seq == s->tlsext_hb_seq)
2524                         {
2525                         s->tlsext_hb_seq++;
2526                         s->tlsext_hb_pending = 0;
2527                         }
2528                 }
2529
2530         return 0;
2531         }
2532
2533 int
2534 tls1_heartbeat(SSL *s)
2535         {
2536         unsigned char *buf, *p;
2537         int ret;
2538         unsigned int payload = 18; /* Sequence number + random bytes */
2539         unsigned int padding = 16; /* Use minimum padding */
2540
2541         /* Only send if peer supports and accepts HB requests... */
2542         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2543             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2544                 {
2545                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2546                 return -1;
2547                 }
2548
2549         /* ...and there is none in flight yet... */
2550         if (s->tlsext_hb_pending)
2551                 {
2552                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2553                 return -1;
2554                 }
2555                 
2556         /* ...and no handshake in progress. */
2557         if (SSL_in_init(s) || s->in_handshake)
2558                 {
2559                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2560                 return -1;
2561                 }
2562                 
2563         /* Check if padding is too long, payload and padding
2564          * must not exceed 2^14 - 3 = 16381 bytes in total.
2565          */
2566         OPENSSL_assert(payload + padding <= 16381);
2567
2568         /* Create HeartBeat message, we just use a sequence number
2569          * as payload to distuingish different messages and add
2570          * some random stuff.
2571          *  - Message Type, 1 byte
2572          *  - Payload Length, 2 bytes (unsigned int)
2573          *  - Payload, the sequence number (2 bytes uint)
2574          *  - Payload, random bytes (16 bytes uint)
2575          *  - Padding
2576          */
2577         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2578         p = buf;
2579         /* Message Type */
2580         *p++ = TLS1_HB_REQUEST;
2581         /* Payload length (18 bytes here) */
2582         s2n(payload, p);
2583         /* Sequence number */
2584         s2n(s->tlsext_hb_seq, p);
2585         /* 16 random bytes */
2586         RAND_pseudo_bytes(p, 16);
2587         p += 16;
2588         /* Random padding */
2589         RAND_pseudo_bytes(p, padding);
2590
2591         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2592         if (ret >= 0)
2593                 {
2594                 if (s->msg_callback)
2595                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2596                                 buf, 3 + payload + padding,
2597                                 s, s->msg_callback_arg);
2598
2599                 s->tlsext_hb_pending = 1;
2600                 }
2601                 
2602         OPENSSL_free(buf);
2603
2604         return ret;
2605         }
2606 #endif