Merge branch 'vendor/OPENSSL'
[dragonfly.git] / crypto / openssl / ssl / t1_lib.c
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                                 const unsigned char *sess_id, int sesslen,
125                                 SSL_SESSION **psess);
126 #endif
127
128 SSL3_ENC_METHOD TLSv1_enc_data={
129         tls1_enc,
130         tls1_mac,
131         tls1_setup_key_block,
132         tls1_generate_master_secret,
133         tls1_change_cipher_state,
134         tls1_final_finish_mac,
135         TLS1_FINISH_MAC_LENGTH,
136         tls1_cert_verify_mac,
137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139         tls1_alert_code,
140         tls1_export_keying_material,
141         };
142
143 long tls1_default_timeout(void)
144         {
145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
146          * is way too long for http, the cache would over fill */
147         return(60*60*2);
148         }
149
150 int tls1_new(SSL *s)
151         {
152         if (!ssl3_new(s)) return(0);
153         s->method->ssl_clear(s);
154         return(1);
155         }
156
157 void tls1_free(SSL *s)
158         {
159 #ifndef OPENSSL_NO_TLSEXT
160         if (s->tlsext_session_ticket)
161                 {
162                 OPENSSL_free(s->tlsext_session_ticket);
163                 }
164 #endif /* OPENSSL_NO_TLSEXT */
165         ssl3_free(s);
166         }
167
168 void tls1_clear(SSL *s)
169         {
170         ssl3_clear(s);
171         s->version = s->method->version;
172         }
173
174 #ifndef OPENSSL_NO_EC
175
176 static int nid_list[] =
177         {
178                 NID_sect163k1, /* sect163k1 (1) */
179                 NID_sect163r1, /* sect163r1 (2) */
180                 NID_sect163r2, /* sect163r2 (3) */
181                 NID_sect193r1, /* sect193r1 (4) */ 
182                 NID_sect193r2, /* sect193r2 (5) */ 
183                 NID_sect233k1, /* sect233k1 (6) */
184                 NID_sect233r1, /* sect233r1 (7) */ 
185                 NID_sect239k1, /* sect239k1 (8) */ 
186                 NID_sect283k1, /* sect283k1 (9) */
187                 NID_sect283r1, /* sect283r1 (10) */ 
188                 NID_sect409k1, /* sect409k1 (11) */ 
189                 NID_sect409r1, /* sect409r1 (12) */
190                 NID_sect571k1, /* sect571k1 (13) */ 
191                 NID_sect571r1, /* sect571r1 (14) */ 
192                 NID_secp160k1, /* secp160k1 (15) */
193                 NID_secp160r1, /* secp160r1 (16) */ 
194                 NID_secp160r2, /* secp160r2 (17) */ 
195                 NID_secp192k1, /* secp192k1 (18) */
196                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
197                 NID_secp224k1, /* secp224k1 (20) */ 
198                 NID_secp224r1, /* secp224r1 (21) */
199                 NID_secp256k1, /* secp256k1 (22) */ 
200                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
201                 NID_secp384r1, /* secp384r1 (24) */
202                 NID_secp521r1  /* secp521r1 (25) */     
203         };
204
205 static int pref_list[] =
206         {
207                 NID_sect571r1, /* sect571r1 (14) */ 
208                 NID_sect571k1, /* sect571k1 (13) */ 
209                 NID_secp521r1, /* secp521r1 (25) */     
210                 NID_sect409k1, /* sect409k1 (11) */ 
211                 NID_sect409r1, /* sect409r1 (12) */
212                 NID_secp384r1, /* secp384r1 (24) */
213                 NID_sect283k1, /* sect283k1 (9) */
214                 NID_sect283r1, /* sect283r1 (10) */ 
215                 NID_secp256k1, /* secp256k1 (22) */ 
216                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
217                 NID_sect239k1, /* sect239k1 (8) */ 
218                 NID_sect233k1, /* sect233k1 (6) */
219                 NID_sect233r1, /* sect233r1 (7) */ 
220                 NID_secp224k1, /* secp224k1 (20) */ 
221                 NID_secp224r1, /* secp224r1 (21) */
222                 NID_sect193r1, /* sect193r1 (4) */ 
223                 NID_sect193r2, /* sect193r2 (5) */ 
224                 NID_secp192k1, /* secp192k1 (18) */
225                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
226                 NID_sect163k1, /* sect163k1 (1) */
227                 NID_sect163r1, /* sect163r1 (2) */
228                 NID_sect163r2, /* sect163r2 (3) */
229                 NID_secp160k1, /* secp160k1 (15) */
230                 NID_secp160r1, /* secp160r1 (16) */ 
231                 NID_secp160r2, /* secp160r2 (17) */ 
232         };
233
234 int tls1_ec_curve_id2nid(int curve_id)
235         {
236         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237         if ((curve_id < 1) || ((unsigned int)curve_id >
238                                 sizeof(nid_list)/sizeof(nid_list[0])))
239                 return 0;
240         return nid_list[curve_id-1];
241         }
242
243 int tls1_ec_nid2curve_id(int nid)
244         {
245         /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246         switch (nid)
247                 {
248         case NID_sect163k1: /* sect163k1 (1) */
249                 return 1;
250         case NID_sect163r1: /* sect163r1 (2) */
251                 return 2;
252         case NID_sect163r2: /* sect163r2 (3) */
253                 return 3;
254         case NID_sect193r1: /* sect193r1 (4) */ 
255                 return 4;
256         case NID_sect193r2: /* sect193r2 (5) */ 
257                 return 5;
258         case NID_sect233k1: /* sect233k1 (6) */
259                 return 6;
260         case NID_sect233r1: /* sect233r1 (7) */ 
261                 return 7;
262         case NID_sect239k1: /* sect239k1 (8) */ 
263                 return 8;
264         case NID_sect283k1: /* sect283k1 (9) */
265                 return 9;
266         case NID_sect283r1: /* sect283r1 (10) */ 
267                 return 10;
268         case NID_sect409k1: /* sect409k1 (11) */ 
269                 return 11;
270         case NID_sect409r1: /* sect409r1 (12) */
271                 return 12;
272         case NID_sect571k1: /* sect571k1 (13) */ 
273                 return 13;
274         case NID_sect571r1: /* sect571r1 (14) */ 
275                 return 14;
276         case NID_secp160k1: /* secp160k1 (15) */
277                 return 15;
278         case NID_secp160r1: /* secp160r1 (16) */ 
279                 return 16;
280         case NID_secp160r2: /* secp160r2 (17) */ 
281                 return 17;
282         case NID_secp192k1: /* secp192k1 (18) */
283                 return 18;
284         case NID_X9_62_prime192v1: /* secp192r1 (19) */ 
285                 return 19;
286         case NID_secp224k1: /* secp224k1 (20) */ 
287                 return 20;
288         case NID_secp224r1: /* secp224r1 (21) */
289                 return 21;
290         case NID_secp256k1: /* secp256k1 (22) */ 
291                 return 22;
292         case NID_X9_62_prime256v1: /* secp256r1 (23) */ 
293                 return 23;
294         case NID_secp384r1: /* secp384r1 (24) */
295                 return 24;
296         case NID_secp521r1:  /* secp521r1 (25) */       
297                 return 25;
298         default:
299                 return 0;
300                 }
301         }
302 #endif /* OPENSSL_NO_EC */
303
304 #ifndef OPENSSL_NO_TLSEXT
305
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327
328 #define tlsext_sigalg(md) \
329                 tlsext_sigalg_rsa(md) \
330                 tlsext_sigalg_dsa(md) \
331                 tlsext_sigalg_ecdsa(md)
332
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335         tlsext_sigalg(TLSEXT_hash_sha512)
336         tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339         tlsext_sigalg(TLSEXT_hash_sha256)
340         tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343         tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 #ifndef OPENSSL_NO_MD5
346         tlsext_sigalg_rsa(TLSEXT_hash_md5)
347 #endif
348 };
349
350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351         {
352         size_t slen = sizeof(tls12_sigalgs);
353 #ifdef OPENSSL_FIPS
354         /* If FIPS mode don't include MD5 which is last */
355         if (FIPS_mode())
356                 slen -= 2;
357 #endif
358         if (p)
359                 memcpy(p, tls12_sigalgs, slen);
360         return (int)slen;
361         }
362
363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
364         {
365         int extdatalen=0;
366         unsigned char *ret = p;
367
368         /* don't add extensions for SSLv3 unless doing secure renegotiation */
369         if (s->client_version == SSL3_VERSION
370                                         && !s->s3->send_connection_binding)
371                 return p;
372
373         ret+=2;
374
375         if (ret>=limit) return NULL; /* this really never occurs, but ... */
376
377         if (s->tlsext_hostname != NULL)
378                 { 
379                 /* Add TLS extension servername to the Client Hello message */
380                 unsigned long size_str;
381                 long lenmax; 
382
383                 /* check for enough space.
384                    4 for the servername type and entension length
385                    2 for servernamelist length
386                    1 for the hostname type
387                    2 for hostname length
388                    + hostname length 
389                 */
390                    
391                 if ((lenmax = limit - ret - 9) < 0 
392                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
393                         return NULL;
394                         
395                 /* extension type and length */
396                 s2n(TLSEXT_TYPE_server_name,ret); 
397                 s2n(size_str+5,ret);
398                 
399                 /* length of servername list */
400                 s2n(size_str+3,ret);
401         
402                 /* hostname type, length and hostname */
403                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
404                 s2n(size_str,ret);
405                 memcpy(ret, s->tlsext_hostname, size_str);
406                 ret+=size_str;
407                 }
408
409         /* Add RI if renegotiating */
410         if (s->renegotiate)
411           {
412           int el;
413           
414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
415               {
416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
417               return NULL;
418               }
419
420           if((limit - p - 4 - el) < 0) return NULL;
421           
422           s2n(TLSEXT_TYPE_renegotiate,ret);
423           s2n(el,ret);
424
425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
426               {
427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
428               return NULL;
429               }
430
431           ret += el;
432         }
433
434 #ifndef OPENSSL_NO_SRP
435         /* Add SRP username if there is one */
436         if (s->srp_ctx.login != NULL)
437                 { /* Add TLS extension SRP username to the Client Hello message */
438
439                 int login_len = strlen(s->srp_ctx.login);       
440                 if (login_len > 255 || login_len == 0)
441                         {
442                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443                         return NULL;
444                         } 
445
446                 /* check for enough space.
447                    4 for the srp type type and entension length
448                    1 for the srp user identity
449                    + srp user identity length 
450                 */
451                 if ((limit - ret - 5 - login_len) < 0) return NULL; 
452
453                 /* fill in the extension */
454                 s2n(TLSEXT_TYPE_srp,ret);
455                 s2n(login_len+1,ret);
456                 (*ret++) = (unsigned char) login_len;
457                 memcpy(ret, s->srp_ctx.login, login_len);
458                 ret+=login_len;
459                 }
460 #endif
461
462 #ifndef OPENSSL_NO_EC
463         if (s->tlsext_ecpointformatlist != NULL &&
464             s->version != DTLS1_VERSION)
465                 {
466                 /* Add TLS extension ECPointFormats to the ClientHello message */
467                 long lenmax; 
468
469                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
470                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
471                 if (s->tlsext_ecpointformatlist_length > 255)
472                         {
473                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
474                         return NULL;
475                         }
476                 
477                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
478                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
479                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
480                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
481                 ret+=s->tlsext_ecpointformatlist_length;
482                 }
483         if (s->tlsext_ellipticcurvelist != NULL &&
484             s->version != DTLS1_VERSION)
485                 {
486                 /* Add TLS extension EllipticCurves to the ClientHello message */
487                 long lenmax; 
488
489                 if ((lenmax = limit - ret - 6) < 0) return NULL; 
490                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
491                 if (s->tlsext_ellipticcurvelist_length > 65532)
492                         {
493                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
494                         return NULL;
495                         }
496                 
497                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
498                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
499
500                 /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
501                  * elliptic_curve_list, but the examples use two bytes.
502                  * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
503                  * resolves this to two bytes.
504                  */
505                 s2n(s->tlsext_ellipticcurvelist_length, ret);
506                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
507                 ret+=s->tlsext_ellipticcurvelist_length;
508                 }
509 #endif /* OPENSSL_NO_EC */
510
511         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
512                 {
513                 int ticklen;
514                 if (!s->new_session && s->session && s->session->tlsext_tick)
515                         ticklen = s->session->tlsext_ticklen;
516                 else if (s->session && s->tlsext_session_ticket &&
517                          s->tlsext_session_ticket->data)
518                         {
519                         ticklen = s->tlsext_session_ticket->length;
520                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
521                         if (!s->session->tlsext_tick)
522                                 return NULL;
523                         memcpy(s->session->tlsext_tick,
524                                s->tlsext_session_ticket->data,
525                                ticklen);
526                         s->session->tlsext_ticklen = ticklen;
527                         }
528                 else
529                         ticklen = 0;
530                 if (ticklen == 0 && s->tlsext_session_ticket &&
531                     s->tlsext_session_ticket->data == NULL)
532                         goto skip_ext;
533                 /* Check for enough room 2 for extension type, 2 for len
534                  * rest for ticket
535                  */
536                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
537                 s2n(TLSEXT_TYPE_session_ticket,ret); 
538                 s2n(ticklen,ret);
539                 if (ticklen)
540                         {
541                         memcpy(ret, s->session->tlsext_tick, ticklen);
542                         ret += ticklen;
543                         }
544                 }
545                 skip_ext:
546
547         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548                 {
549                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550                         return NULL; 
551                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552                 s2n(sizeof(tls12_sigalgs) + 2, ret);
553                 s2n(sizeof(tls12_sigalgs), ret);
554                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555                 ret += sizeof(tls12_sigalgs);
556                 }
557
558 #ifdef TLSEXT_TYPE_opaque_prf_input
559         if (s->s3->client_opaque_prf_input != NULL &&
560             s->version != DTLS1_VERSION)
561                 {
562                 size_t col = s->s3->client_opaque_prf_input_len;
563                 
564                 if ((long)(limit - ret - 6 - col < 0))
565                         return NULL;
566                 if (col > 0xFFFD) /* can't happen */
567                         return NULL;
568
569                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
570                 s2n(col + 2, ret);
571                 s2n(col, ret);
572                 memcpy(ret, s->s3->client_opaque_prf_input, col);
573                 ret += col;
574                 }
575 #endif
576
577         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
578             s->version != DTLS1_VERSION)
579                 {
580                 int i;
581                 long extlen, idlen, itmp;
582                 OCSP_RESPID *id;
583
584                 idlen = 0;
585                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
586                         {
587                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
588                         itmp = i2d_OCSP_RESPID(id, NULL);
589                         if (itmp <= 0)
590                                 return NULL;
591                         idlen += itmp + 2;
592                         }
593
594                 if (s->tlsext_ocsp_exts)
595                         {
596                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
597                         if (extlen < 0)
598                                 return NULL;
599                         }
600                 else
601                         extlen = 0;
602                         
603                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
604                 s2n(TLSEXT_TYPE_status_request, ret);
605                 if (extlen + idlen > 0xFFF0)
606                         return NULL;
607                 s2n(extlen + idlen + 5, ret);
608                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
609                 s2n(idlen, ret);
610                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
611                         {
612                         /* save position of id len */
613                         unsigned char *q = ret;
614                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
615                         /* skip over id len */
616                         ret += 2;
617                         itmp = i2d_OCSP_RESPID(id, &ret);
618                         /* write id len */
619                         s2n(itmp, q);
620                         }
621                 s2n(extlen, ret);
622                 if (extlen > 0)
623                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
624                 }
625
626 #ifndef OPENSSL_NO_HEARTBEATS
627         /* Add Heartbeat extension */
628         s2n(TLSEXT_TYPE_heartbeat,ret);
629         s2n(1,ret);
630         /* Set mode:
631          * 1: peer may send requests
632          * 2: peer not allowed to send requests
633          */
634         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636         else
637                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638 #endif
639
640 #ifndef OPENSSL_NO_NEXTPROTONEG
641         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642                 {
643                 /* The client advertises an emtpy extension to indicate its
644                  * support for Next Protocol Negotiation */
645                 if (limit - ret - 4 < 0)
646                         return NULL;
647                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648                 s2n(0,ret);
649                 }
650 #endif
651
652 #ifndef OPENSSL_NO_SRTP
653         if(SSL_get_srtp_profiles(s))
654                 {
655                 int el;
656
657                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
658                 
659                 if((limit - p - 4 - el) < 0) return NULL;
660
661                 s2n(TLSEXT_TYPE_use_srtp,ret);
662                 s2n(el,ret);
663
664                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
665                         {
666                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
667                         return NULL;
668                         }
669                 ret += el;
670                 }
671 #endif
672
673         if ((extdatalen = ret-p-2)== 0) 
674                 return p;
675
676         s2n(extdatalen,p);
677         return ret;
678         }
679
680 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
681         {
682         int extdatalen=0;
683         unsigned char *ret = p;
684 #ifndef OPENSSL_NO_NEXTPROTONEG
685         int next_proto_neg_seen;
686 #endif
687
688         /* don't add extensions for SSLv3, unless doing secure renegotiation */
689         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
690                 return p;
691         
692         ret+=2;
693         if (ret>=limit) return NULL; /* this really never occurs, but ... */
694
695         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
696                 { 
697                 if ((long)(limit - ret - 4) < 0) return NULL; 
698
699                 s2n(TLSEXT_TYPE_server_name,ret);
700                 s2n(0,ret);
701                 }
702
703         if(s->s3->send_connection_binding)
704         {
705           int el;
706           
707           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
708               {
709               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
710               return NULL;
711               }
712
713           if((limit - p - 4 - el) < 0) return NULL;
714           
715           s2n(TLSEXT_TYPE_renegotiate,ret);
716           s2n(el,ret);
717
718           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
719               {
720               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
721               return NULL;
722               }
723
724           ret += el;
725         }
726
727 #ifndef OPENSSL_NO_EC
728         if (s->tlsext_ecpointformatlist != NULL &&
729             s->version != DTLS1_VERSION)
730                 {
731                 /* Add TLS extension ECPointFormats to the ServerHello message */
732                 long lenmax; 
733
734                 if ((lenmax = limit - ret - 5) < 0) return NULL; 
735                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
736                 if (s->tlsext_ecpointformatlist_length > 255)
737                         {
738                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
739                         return NULL;
740                         }
741                 
742                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
743                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
744                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
745                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
746                 ret+=s->tlsext_ecpointformatlist_length;
747
748                 }
749         /* Currently the server should not respond with a SupportedCurves extension */
750 #endif /* OPENSSL_NO_EC */
751
752         if (s->tlsext_ticket_expected
753                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) 
754                 { 
755                 if ((long)(limit - ret - 4) < 0) return NULL; 
756                 s2n(TLSEXT_TYPE_session_ticket,ret);
757                 s2n(0,ret);
758                 }
759
760         if (s->tlsext_status_expected)
761                 { 
762                 if ((long)(limit - ret - 4) < 0) return NULL; 
763                 s2n(TLSEXT_TYPE_status_request,ret);
764                 s2n(0,ret);
765                 }
766
767 #ifdef TLSEXT_TYPE_opaque_prf_input
768         if (s->s3->server_opaque_prf_input != NULL &&
769             s->version != DTLS1_VERSION)
770                 {
771                 size_t sol = s->s3->server_opaque_prf_input_len;
772                 
773                 if ((long)(limit - ret - 6 - sol) < 0)
774                         return NULL;
775                 if (sol > 0xFFFD) /* can't happen */
776                         return NULL;
777
778                 s2n(TLSEXT_TYPE_opaque_prf_input, ret); 
779                 s2n(sol + 2, ret);
780                 s2n(sol, ret);
781                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
782                 ret += sol;
783                 }
784 #endif
785
786 #ifndef OPENSSL_NO_SRTP
787         if(s->srtp_profile)
788                 {
789                 int el;
790
791                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
792                 
793                 if((limit - p - 4 - el) < 0) return NULL;
794
795                 s2n(TLSEXT_TYPE_use_srtp,ret);
796                 s2n(el,ret);
797
798                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
799                         {
800                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
801                         return NULL;
802                         }
803                 ret+=el;
804                 }
805 #endif
806
807         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 
808                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
809                 { const unsigned char cryptopro_ext[36] = {
810                         0xfd, 0xe8, /*65000*/
811                         0x00, 0x20, /*32 bytes length*/
812                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 
813                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 
814                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 
815                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
816                         if (limit-ret<36) return NULL;
817                         memcpy(ret,cryptopro_ext,36);
818                         ret+=36;
819
820                 }
821
822 #ifndef OPENSSL_NO_HEARTBEATS
823         /* Add Heartbeat extension if we've received one */
824         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
825                 {
826                 s2n(TLSEXT_TYPE_heartbeat,ret);
827                 s2n(1,ret);
828                 /* Set mode:
829                  * 1: peer may send requests
830                  * 2: peer not allowed to send requests
831                  */
832                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
833                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
834                 else
835                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
836
837                 }
838 #endif
839
840 #ifndef OPENSSL_NO_NEXTPROTONEG
841         next_proto_neg_seen = s->s3->next_proto_neg_seen;
842         s->s3->next_proto_neg_seen = 0;
843         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
844                 {
845                 const unsigned char *npa;
846                 unsigned int npalen;
847                 int r;
848
849                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
850                 if (r == SSL_TLSEXT_ERR_OK)
851                         {
852                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
853                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
854                         s2n(npalen,ret);
855                         memcpy(ret, npa, npalen);
856                         ret += npalen;
857                         s->s3->next_proto_neg_seen = 1;
858                         }
859                 }
860 #endif
861
862         if ((extdatalen = ret-p-2)== 0) 
863                 return p;
864
865         s2n(extdatalen,p);
866         return ret;
867         }
868
869 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
870         {
871         unsigned short type;
872         unsigned short size;
873         unsigned short len;
874         unsigned char *data = *p;
875         int renegotiate_seen = 0;
876         int sigalg_seen = 0;
877
878         s->servername_done = 0;
879         s->tlsext_status_type = -1;
880 #ifndef OPENSSL_NO_NEXTPROTONEG
881         s->s3->next_proto_neg_seen = 0;
882 #endif
883
884 #ifndef OPENSSL_NO_HEARTBEATS
885         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
886                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
887 #endif
888
889         if (data >= (d+n-2))
890                 goto ri_check;
891         n2s(data,len);
892
893         if (data > (d+n-len)) 
894                 goto ri_check;
895
896         while (data <= (d+n-4))
897                 {
898                 n2s(data,type);
899                 n2s(data,size);
900
901                 if (data+size > (d+n))
902                         goto ri_check;
903 #if 0
904                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
905 #endif
906                 if (s->tlsext_debug_cb)
907                         s->tlsext_debug_cb(s, 0, type, data, size,
908                                                 s->tlsext_debug_arg);
909 /* The servername extension is treated as follows:
910
911    - Only the hostname type is supported with a maximum length of 255.
912    - The servername is rejected if too long or if it contains zeros,
913      in which case an fatal alert is generated.
914    - The servername field is maintained together with the session cache.
915    - When a session is resumed, the servername call back invoked in order
916      to allow the application to position itself to the right context. 
917    - The servername is acknowledged if it is new for a session or when 
918      it is identical to a previously used for the same session. 
919      Applications can control the behaviour.  They can at any time
920      set a 'desirable' servername for a new SSL object. This can be the
921      case for example with HTTPS when a Host: header field is received and
922      a renegotiation is requested. In this case, a possible servername
923      presented in the new client hello is only acknowledged if it matches
924      the value of the Host: field. 
925    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
926      if they provide for changing an explicit servername context for the session,
927      i.e. when the session has been established with a servername extension. 
928    - On session reconnect, the servername extension may be absent. 
929
930 */      
931
932                 if (type == TLSEXT_TYPE_server_name)
933                         {
934                         unsigned char *sdata;
935                         int servname_type;
936                         int dsize; 
937                 
938                         if (size < 2) 
939                                 {
940                                 *al = SSL_AD_DECODE_ERROR;
941                                 return 0;
942                                 }
943                         n2s(data,dsize);  
944                         size -= 2;
945                         if (dsize > size  ) 
946                                 {
947                                 *al = SSL_AD_DECODE_ERROR;
948                                 return 0;
949                                 } 
950
951                         sdata = data;
952                         while (dsize > 3) 
953                                 {
954                                 servname_type = *(sdata++); 
955                                 n2s(sdata,len);
956                                 dsize -= 3;
957
958                                 if (len > dsize) 
959                                         {
960                                         *al = SSL_AD_DECODE_ERROR;
961                                         return 0;
962                                         }
963                                 if (s->servername_done == 0)
964                                 switch (servname_type)
965                                         {
966                                 case TLSEXT_NAMETYPE_host_name:
967                                         if (!s->hit)
968                                                 {
969                                                 if(s->session->tlsext_hostname)
970                                                         {
971                                                         *al = SSL_AD_DECODE_ERROR;
972                                                         return 0;
973                                                         }
974                                                 if (len > TLSEXT_MAXLEN_host_name)
975                                                         {
976                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
977                                                         return 0;
978                                                         }
979                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
980                                                         {
981                                                         *al = TLS1_AD_INTERNAL_ERROR;
982                                                         return 0;
983                                                         }
984                                                 memcpy(s->session->tlsext_hostname, sdata, len);
985                                                 s->session->tlsext_hostname[len]='\0';
986                                                 if (strlen(s->session->tlsext_hostname) != len) {
987                                                         OPENSSL_free(s->session->tlsext_hostname);
988                                                         s->session->tlsext_hostname = NULL;
989                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
990                                                         return 0;
991                                                 }
992                                                 s->servername_done = 1; 
993
994                                                 }
995                                         else 
996                                                 s->servername_done = s->session->tlsext_hostname
997                                                         && strlen(s->session->tlsext_hostname) == len 
998                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
999                                         
1000                                         break;
1001
1002                                 default:
1003                                         break;
1004                                         }
1005                                  
1006                                 dsize -= len;
1007                                 }
1008                         if (dsize != 0) 
1009                                 {
1010                                 *al = SSL_AD_DECODE_ERROR;
1011                                 return 0;
1012                                 }
1013
1014                         }
1015 #ifndef OPENSSL_NO_SRP
1016                 else if (type == TLSEXT_TYPE_srp)
1017                         {
1018                         if (size <= 0 || ((len = data[0])) != (size -1))
1019                                 {
1020                                 *al = SSL_AD_DECODE_ERROR;
1021                                 return 0;
1022                                 }
1023                         if (s->srp_ctx.login != NULL)
1024                                 {
1025                                 *al = SSL_AD_DECODE_ERROR;
1026                                 return 0;
1027                                 }
1028                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1029                                 return -1;
1030                         memcpy(s->srp_ctx.login, &data[1], len);
1031                         s->srp_ctx.login[len]='\0';
1032   
1033                         if (strlen(s->srp_ctx.login) != len) 
1034                                 {
1035                                 *al = SSL_AD_DECODE_ERROR;
1036                                 return 0;
1037                                 }
1038                         }
1039 #endif
1040
1041 #ifndef OPENSSL_NO_EC
1042                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1043                      s->version != DTLS1_VERSION)
1044                         {
1045                         unsigned char *sdata = data;
1046                         int ecpointformatlist_length = *(sdata++);
1047
1048                         if (ecpointformatlist_length != size - 1)
1049                                 {
1050                                 *al = TLS1_AD_DECODE_ERROR;
1051                                 return 0;
1052                                 }
1053                         if (!s->hit)
1054                                 {
1055                                 if(s->session->tlsext_ecpointformatlist)
1056                                         {
1057                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1058                                         s->session->tlsext_ecpointformatlist = NULL;
1059                                         }
1060                                 s->session->tlsext_ecpointformatlist_length = 0;
1061                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1062                                         {
1063                                         *al = TLS1_AD_INTERNAL_ERROR;
1064                                         return 0;
1065                                         }
1066                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1067                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1068                                 }
1069 #if 0
1070                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1071                         sdata = s->session->tlsext_ecpointformatlist;
1072                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1073                                 fprintf(stderr,"%i ",*(sdata++));
1074                         fprintf(stderr,"\n");
1075 #endif
1076                         }
1077                 else if (type == TLSEXT_TYPE_elliptic_curves &&
1078                      s->version != DTLS1_VERSION)
1079                         {
1080                         unsigned char *sdata = data;
1081                         int ellipticcurvelist_length = (*(sdata++) << 8);
1082                         ellipticcurvelist_length += (*(sdata++));
1083
1084                         if (ellipticcurvelist_length != size - 2 ||
1085                                 ellipticcurvelist_length < 1)
1086                                 {
1087                                 *al = TLS1_AD_DECODE_ERROR;
1088                                 return 0;
1089                                 }
1090                         if (!s->hit)
1091                                 {
1092                                 if(s->session->tlsext_ellipticcurvelist)
1093                                         {
1094                                         *al = TLS1_AD_DECODE_ERROR;
1095                                         return 0;
1096                                         }
1097                                 s->session->tlsext_ellipticcurvelist_length = 0;
1098                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1099                                         {
1100                                         *al = TLS1_AD_INTERNAL_ERROR;
1101                                         return 0;
1102                                         }
1103                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1104                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1105                                 }
1106 #if 0
1107                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1108                         sdata = s->session->tlsext_ellipticcurvelist;
1109                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1110                                 fprintf(stderr,"%i ",*(sdata++));
1111                         fprintf(stderr,"\n");
1112 #endif
1113                         }
1114 #endif /* OPENSSL_NO_EC */
1115 #ifdef TLSEXT_TYPE_opaque_prf_input
1116                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1117                      s->version != DTLS1_VERSION)
1118                         {
1119                         unsigned char *sdata = data;
1120
1121                         if (size < 2)
1122                                 {
1123                                 *al = SSL_AD_DECODE_ERROR;
1124                                 return 0;
1125                                 }
1126                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1127                         if (s->s3->client_opaque_prf_input_len != size - 2)
1128                                 {
1129                                 *al = SSL_AD_DECODE_ERROR;
1130                                 return 0;
1131                                 }
1132
1133                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1134                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1135                         if (s->s3->client_opaque_prf_input_len == 0)
1136                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1137                         else
1138                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1139                         if (s->s3->client_opaque_prf_input == NULL)
1140                                 {
1141                                 *al = TLS1_AD_INTERNAL_ERROR;
1142                                 return 0;
1143                                 }
1144                         }
1145 #endif
1146                 else if (type == TLSEXT_TYPE_session_ticket)
1147                         {
1148                         if (s->tls_session_ticket_ext_cb &&
1149                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1150                                 {
1151                                 *al = TLS1_AD_INTERNAL_ERROR;
1152                                 return 0;
1153                                 }
1154                         }
1155                 else if (type == TLSEXT_TYPE_renegotiate)
1156                         {
1157                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1158                                 return 0;
1159                         renegotiate_seen = 1;
1160                         }
1161                 else if (type == TLSEXT_TYPE_signature_algorithms)
1162                         {
1163                         int dsize;
1164                         if (sigalg_seen || size < 2) 
1165                                 {
1166                                 *al = SSL_AD_DECODE_ERROR;
1167                                 return 0;
1168                                 }
1169                         sigalg_seen = 1;
1170                         n2s(data,dsize);
1171                         size -= 2;
1172                         if (dsize != size || dsize & 1) 
1173                                 {
1174                                 *al = SSL_AD_DECODE_ERROR;
1175                                 return 0;
1176                                 }
1177                         if (!tls1_process_sigalgs(s, data, dsize))
1178                                 {
1179                                 *al = SSL_AD_DECODE_ERROR;
1180                                 return 0;
1181                                 }
1182                         }
1183                 else if (type == TLSEXT_TYPE_status_request &&
1184                          s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
1185                         {
1186                 
1187                         if (size < 5) 
1188                                 {
1189                                 *al = SSL_AD_DECODE_ERROR;
1190                                 return 0;
1191                                 }
1192
1193                         s->tlsext_status_type = *data++;
1194                         size--;
1195                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1196                                 {
1197                                 const unsigned char *sdata;
1198                                 int dsize;
1199                                 /* Read in responder_id_list */
1200                                 n2s(data,dsize);
1201                                 size -= 2;
1202                                 if (dsize > size  ) 
1203                                         {
1204                                         *al = SSL_AD_DECODE_ERROR;
1205                                         return 0;
1206                                         }
1207                                 while (dsize > 0)
1208                                         {
1209                                         OCSP_RESPID *id;
1210                                         int idsize;
1211                                         if (dsize < 4)
1212                                                 {
1213                                                 *al = SSL_AD_DECODE_ERROR;
1214                                                 return 0;
1215                                                 }
1216                                         n2s(data, idsize);
1217                                         dsize -= 2 + idsize;
1218                                         size -= 2 + idsize;
1219                                         if (dsize < 0)
1220                                                 {
1221                                                 *al = SSL_AD_DECODE_ERROR;
1222                                                 return 0;
1223                                                 }
1224                                         sdata = data;
1225                                         data += idsize;
1226                                         id = d2i_OCSP_RESPID(NULL,
1227                                                                 &sdata, idsize);
1228                                         if (!id)
1229                                                 {
1230                                                 *al = SSL_AD_DECODE_ERROR;
1231                                                 return 0;
1232                                                 }
1233                                         if (data != sdata)
1234                                                 {
1235                                                 OCSP_RESPID_free(id);
1236                                                 *al = SSL_AD_DECODE_ERROR;
1237                                                 return 0;
1238                                                 }
1239                                         if (!s->tlsext_ocsp_ids
1240                                                 && !(s->tlsext_ocsp_ids =
1241                                                 sk_OCSP_RESPID_new_null()))
1242                                                 {
1243                                                 OCSP_RESPID_free(id);
1244                                                 *al = SSL_AD_INTERNAL_ERROR;
1245                                                 return 0;
1246                                                 }
1247                                         if (!sk_OCSP_RESPID_push(
1248                                                         s->tlsext_ocsp_ids, id))
1249                                                 {
1250                                                 OCSP_RESPID_free(id);
1251                                                 *al = SSL_AD_INTERNAL_ERROR;
1252                                                 return 0;
1253                                                 }
1254                                         }
1255
1256                                 /* Read in request_extensions */
1257                                 if (size < 2)
1258                                         {
1259                                         *al = SSL_AD_DECODE_ERROR;
1260                                         return 0;
1261                                         }
1262                                 n2s(data,dsize);
1263                                 size -= 2;
1264                                 if (dsize != size)
1265                                         {
1266                                         *al = SSL_AD_DECODE_ERROR;
1267                                         return 0;
1268                                         }
1269                                 sdata = data;
1270                                 if (dsize > 0)
1271                                         {
1272                                         if (s->tlsext_ocsp_exts)
1273                                                 {
1274                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1275                                                                            X509_EXTENSION_free);
1276                                                 }
1277
1278                                         s->tlsext_ocsp_exts =
1279                                                 d2i_X509_EXTENSIONS(NULL,
1280                                                         &sdata, dsize);
1281                                         if (!s->tlsext_ocsp_exts
1282                                                 || (data + dsize != sdata))
1283                                                 {
1284                                                 *al = SSL_AD_DECODE_ERROR;
1285                                                 return 0;
1286                                                 }
1287                                         }
1288                                 }
1289                                 /* We don't know what to do with any other type
1290                                 * so ignore it.
1291                                 */
1292                                 else
1293                                         s->tlsext_status_type = -1;
1294                         }
1295 #ifndef OPENSSL_NO_HEARTBEATS
1296                 else if (type == TLSEXT_TYPE_heartbeat)
1297                         {
1298                         switch(data[0])
1299                                 {
1300                                 case 0x01:      /* Client allows us to send HB requests */
1301                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1302                                                         break;
1303                                 case 0x02:      /* Client doesn't accept HB requests */
1304                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1305                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1306                                                         break;
1307                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1308                                                         return 0;
1309                                 }
1310                         }
1311 #endif
1312 #ifndef OPENSSL_NO_NEXTPROTONEG
1313                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1314                          s->s3->tmp.finish_md_len == 0)
1315                         {
1316                         /* We shouldn't accept this extension on a
1317                          * renegotiation.
1318                          *
1319                          * s->new_session will be set on renegotiation, but we
1320                          * probably shouldn't rely that it couldn't be set on
1321                          * the initial renegotation too in certain cases (when
1322                          * there's some other reason to disallow resuming an
1323                          * earlier session -- the current code won't be doing
1324                          * anything like that, but this might change).
1325
1326                          * A valid sign that there's been a previous handshake
1327                          * in this connection is if s->s3->tmp.finish_md_len >
1328                          * 0.  (We are talking about a check that will happen
1329                          * in the Hello protocol round, well before a new
1330                          * Finished message could have been computed.) */
1331                         s->s3->next_proto_neg_seen = 1;
1332                         }
1333 #endif
1334
1335                 /* session ticket processed earlier */
1336 #ifndef OPENSSL_NO_SRTP
1337                 else if (type == TLSEXT_TYPE_use_srtp)
1338                         {
1339                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1340                                                               al))
1341                                 return 0;
1342                         }
1343 #endif
1344
1345                 data+=size;
1346                 }
1347                                 
1348         *p = data;
1349
1350         ri_check:
1351
1352         /* Need RI if renegotiating */
1353
1354         if (!renegotiate_seen && s->renegotiate &&
1355                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1356                 {
1357                 *al = SSL_AD_HANDSHAKE_FAILURE;
1358                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1359                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1360                 return 0;
1361                 }
1362
1363         return 1;
1364         }
1365
1366 #ifndef OPENSSL_NO_NEXTPROTONEG
1367 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1368  * elements of zero length are allowed and the set of elements must exactly fill
1369  * the length of the block. */
1370 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1371         {
1372         unsigned int off = 0;
1373
1374         while (off < len)
1375                 {
1376                 if (d[off] == 0)
1377                         return 0;
1378                 off += d[off];
1379                 off++;
1380                 }
1381
1382         return off == len;
1383         }
1384 #endif
1385
1386 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1387         {
1388         unsigned short length;
1389         unsigned short type;
1390         unsigned short size;
1391         unsigned char *data = *p;
1392         int tlsext_servername = 0;
1393         int renegotiate_seen = 0;
1394
1395 #ifndef OPENSSL_NO_NEXTPROTONEG
1396         s->s3->next_proto_neg_seen = 0;
1397 #endif
1398
1399 #ifndef OPENSSL_NO_HEARTBEATS
1400         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1401                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1402 #endif
1403
1404         if (data >= (d+n-2))
1405                 goto ri_check;
1406
1407         n2s(data,length);
1408         if (data+length != d+n)
1409                 {
1410                 *al = SSL_AD_DECODE_ERROR;
1411                 return 0;
1412                 }
1413
1414         while(data <= (d+n-4))
1415                 {
1416                 n2s(data,type);
1417                 n2s(data,size);
1418
1419                 if (data+size > (d+n))
1420                         goto ri_check;
1421
1422                 if (s->tlsext_debug_cb)
1423                         s->tlsext_debug_cb(s, 1, type, data, size,
1424                                                 s->tlsext_debug_arg);
1425
1426                 if (type == TLSEXT_TYPE_server_name)
1427                         {
1428                         if (s->tlsext_hostname == NULL || size > 0)
1429                                 {
1430                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1431                                 return 0;
1432                                 }
1433                         tlsext_servername = 1;   
1434                         }
1435
1436 #ifndef OPENSSL_NO_EC
1437                 else if (type == TLSEXT_TYPE_ec_point_formats &&
1438                      s->version != DTLS1_VERSION)
1439                         {
1440                         unsigned char *sdata = data;
1441                         int ecpointformatlist_length = *(sdata++);
1442
1443                         if (ecpointformatlist_length != size - 1 || 
1444                                 ecpointformatlist_length < 1)
1445                                 {
1446                                 *al = TLS1_AD_DECODE_ERROR;
1447                                 return 0;
1448                                 }
1449                         s->session->tlsext_ecpointformatlist_length = 0;
1450                         if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1451                         if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1452                                 {
1453                                 *al = TLS1_AD_INTERNAL_ERROR;
1454                                 return 0;
1455                                 }
1456                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1457                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1458 #if 0
1459                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1460                         sdata = s->session->tlsext_ecpointformatlist;
1461                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1462                                 fprintf(stderr,"%i ",*(sdata++));
1463                         fprintf(stderr,"\n");
1464 #endif
1465                         }
1466 #endif /* OPENSSL_NO_EC */
1467
1468                 else if (type == TLSEXT_TYPE_session_ticket)
1469                         {
1470                         if (s->tls_session_ticket_ext_cb &&
1471                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1472                                 {
1473                                 *al = TLS1_AD_INTERNAL_ERROR;
1474                                 return 0;
1475                                 }
1476                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1477                                 || (size > 0))
1478                                 {
1479                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1480                                 return 0;
1481                                 }
1482                         s->tlsext_ticket_expected = 1;
1483                         }
1484 #ifdef TLSEXT_TYPE_opaque_prf_input
1485                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1486                      s->version != DTLS1_VERSION)
1487                         {
1488                         unsigned char *sdata = data;
1489
1490                         if (size < 2)
1491                                 {
1492                                 *al = SSL_AD_DECODE_ERROR;
1493                                 return 0;
1494                                 }
1495                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1496                         if (s->s3->server_opaque_prf_input_len != size - 2)
1497                                 {
1498                                 *al = SSL_AD_DECODE_ERROR;
1499                                 return 0;
1500                                 }
1501                         
1502                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1503                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1504                         if (s->s3->server_opaque_prf_input_len == 0)
1505                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1506                         else
1507                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1508
1509                         if (s->s3->server_opaque_prf_input == NULL)
1510                                 {
1511                                 *al = TLS1_AD_INTERNAL_ERROR;
1512                                 return 0;
1513                                 }
1514                         }
1515 #endif
1516                 else if (type == TLSEXT_TYPE_status_request &&
1517                          s->version != DTLS1_VERSION)
1518                         {
1519                         /* MUST be empty and only sent if we've requested
1520                          * a status request message.
1521                          */ 
1522                         if ((s->tlsext_status_type == -1) || (size > 0))
1523                                 {
1524                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1525                                 return 0;
1526                                 }
1527                         /* Set flag to expect CertificateStatus message */
1528                         s->tlsext_status_expected = 1;
1529                         }
1530 #ifndef OPENSSL_NO_NEXTPROTONEG
1531                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1532                          s->s3->tmp.finish_md_len == 0)
1533                         {
1534                         unsigned char *selected;
1535                         unsigned char selected_len;
1536
1537                         /* We must have requested it. */
1538                         if (s->ctx->next_proto_select_cb == NULL)
1539                                 {
1540                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1541                                 return 0;
1542                                 }
1543                         /* The data must be valid */
1544                         if (!ssl_next_proto_validate(data, size))
1545                                 {
1546                                 *al = TLS1_AD_DECODE_ERROR;
1547                                 return 0;
1548                                 }
1549                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1550                                 {
1551                                 *al = TLS1_AD_INTERNAL_ERROR;
1552                                 return 0;
1553                                 }
1554                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1555                         if (!s->next_proto_negotiated)
1556                                 {
1557                                 *al = TLS1_AD_INTERNAL_ERROR;
1558                                 return 0;
1559                                 }
1560                         memcpy(s->next_proto_negotiated, selected, selected_len);
1561                         s->next_proto_negotiated_len = selected_len;
1562                         s->s3->next_proto_neg_seen = 1;
1563                         }
1564 #endif
1565                 else if (type == TLSEXT_TYPE_renegotiate)
1566                         {
1567                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1568                                 return 0;
1569                         renegotiate_seen = 1;
1570                         }
1571 #ifndef OPENSSL_NO_HEARTBEATS
1572                 else if (type == TLSEXT_TYPE_heartbeat)
1573                         {
1574                         switch(data[0])
1575                                 {
1576                                 case 0x01:      /* Server allows us to send HB requests */
1577                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1578                                                         break;
1579                                 case 0x02:      /* Server doesn't accept HB requests */
1580                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1581                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1582                                                         break;
1583                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1584                                                         return 0;
1585                                 }
1586                         }
1587 #endif
1588 #ifndef OPENSSL_NO_SRTP
1589                 else if (type == TLSEXT_TYPE_use_srtp)
1590                         {
1591                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1592                                                               al))
1593                                 return 0;
1594                         }
1595 #endif
1596
1597                 data+=size;             
1598                 }
1599
1600         if (data != d+n)
1601                 {
1602                 *al = SSL_AD_DECODE_ERROR;
1603                 return 0;
1604                 }
1605
1606         if (!s->hit && tlsext_servername == 1)
1607                 {
1608                 if (s->tlsext_hostname)
1609                         {
1610                         if (s->session->tlsext_hostname == NULL)
1611                                 {
1612                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
1613                                 if (!s->session->tlsext_hostname)
1614                                         {
1615                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1616                                         return 0;
1617                                         }
1618                                 }
1619                         else 
1620                                 {
1621                                 *al = SSL_AD_DECODE_ERROR;
1622                                 return 0;
1623                                 }
1624                         }
1625                 }
1626
1627         *p = data;
1628
1629         ri_check:
1630
1631         /* Determine if we need to see RI. Strictly speaking if we want to
1632          * avoid an attack we should *always* see RI even on initial server
1633          * hello because the client doesn't see any renegotiation during an
1634          * attack. However this would mean we could not connect to any server
1635          * which doesn't support RI so for the immediate future tolerate RI
1636          * absence on initial connect only.
1637          */
1638         if (!renegotiate_seen
1639                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1640                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1641                 {
1642                 *al = SSL_AD_HANDSHAKE_FAILURE;
1643                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1644                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1645                 return 0;
1646                 }
1647
1648         return 1;
1649         }
1650
1651
1652 int ssl_prepare_clienthello_tlsext(SSL *s)
1653         {
1654 #ifndef OPENSSL_NO_EC
1655         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats 
1656          * and elliptic curves we support.
1657          */
1658         int using_ecc = 0;
1659         int i;
1660         unsigned char *j;
1661         unsigned long alg_k, alg_a;
1662         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1663
1664         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1665                 {
1666                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1667
1668                 alg_k = c->algorithm_mkey;
1669                 alg_a = c->algorithm_auth;
1670                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1671                         {
1672                         using_ecc = 1;
1673                         break;
1674                         }
1675                 }
1676         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1677         if (using_ecc)
1678                 {
1679                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1680                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1681                         {
1682                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1683                         return -1;
1684                         }
1685                 s->tlsext_ecpointformatlist_length = 3;
1686                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1687                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1688                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1689
1690                 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1691                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1692                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1693                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1694                         {
1695                         s->tlsext_ellipticcurvelist_length = 0;
1696                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1697                         return -1;
1698                         }
1699                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1700                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1701                         {
1702                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1703                         s2n(id,j);
1704                         }
1705                 }
1706 #endif /* OPENSSL_NO_EC */
1707
1708 #ifdef TLSEXT_TYPE_opaque_prf_input
1709         {
1710                 int r = 1;
1711         
1712                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1713                         {
1714                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1715                         if (!r)
1716                                 return -1;
1717                         }
1718
1719                 if (s->tlsext_opaque_prf_input != NULL)
1720                         {
1721                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1722                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1723
1724                         if (s->tlsext_opaque_prf_input_len == 0)
1725                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1726                         else
1727                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1728                         if (s->s3->client_opaque_prf_input == NULL)
1729                                 {
1730                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1731                                 return -1;
1732                                 }
1733                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1734                         }
1735
1736                 if (r == 2)
1737                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1738                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1739         }
1740 #endif
1741
1742         return 1;
1743         }
1744
1745 int ssl_prepare_serverhello_tlsext(SSL *s)
1746         {
1747 #ifndef OPENSSL_NO_EC
1748         /* If we are server and using an ECC cipher suite, send the point formats we support 
1749          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1750          * supposed to send an EllipticCurves extension.
1751          */
1752
1753         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1754         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1755         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1756         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1757         
1758         if (using_ecc)
1759                 {
1760                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1761                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1762                         {
1763                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1764                         return -1;
1765                         }
1766                 s->tlsext_ecpointformatlist_length = 3;
1767                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1768                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1769                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1770                 }
1771 #endif /* OPENSSL_NO_EC */
1772
1773         return 1;
1774         }
1775
1776 int ssl_check_clienthello_tlsext_early(SSL *s)
1777         {
1778         int ret=SSL_TLSEXT_ERR_NOACK;
1779         int al = SSL_AD_UNRECOGNIZED_NAME;
1780
1781 #ifndef OPENSSL_NO_EC
1782         /* The handling of the ECPointFormats extension is done elsewhere, namely in 
1783          * ssl3_choose_cipher in s3_lib.c.
1784          */
1785         /* The handling of the EllipticCurves extension is done elsewhere, namely in 
1786          * ssl3_choose_cipher in s3_lib.c.
1787          */
1788 #endif
1789
1790         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1791                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1792         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1793                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1794
1795 #ifdef TLSEXT_TYPE_opaque_prf_input
1796         {
1797                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1798                  * but we might be sending an alert in response to the client hello,
1799                  * so this has to happen here in
1800                  * ssl_check_clienthello_tlsext_early(). */
1801
1802                 int r = 1;
1803         
1804                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1805                         {
1806                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1807                         if (!r)
1808                                 {
1809                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1810                                 al = SSL_AD_INTERNAL_ERROR;
1811                                 goto err;
1812                                 }
1813                         }
1814
1815                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1816                         OPENSSL_free(s->s3->server_opaque_prf_input);
1817                 s->s3->server_opaque_prf_input = NULL;
1818
1819                 if (s->tlsext_opaque_prf_input != NULL)
1820                         {
1821                         if (s->s3->client_opaque_prf_input != NULL &&
1822                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1823                                 {
1824                                 /* can only use this extension if we have a server opaque PRF input
1825                                  * of the same length as the client opaque PRF input! */
1826
1827                                 if (s->tlsext_opaque_prf_input_len == 0)
1828                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1829                                 else
1830                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1831                                 if (s->s3->server_opaque_prf_input == NULL)
1832                                         {
1833                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1834                                         al = SSL_AD_INTERNAL_ERROR;
1835                                         goto err;
1836                                         }
1837                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1838                                 }
1839                         }
1840
1841                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1842                         {
1843                         /* The callback wants to enforce use of the extension,
1844                          * but we can't do that with the client opaque PRF input;
1845                          * abort the handshake.
1846                          */
1847                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1848                         al = SSL_AD_HANDSHAKE_FAILURE;
1849                         }
1850         }
1851
1852  err:
1853 #endif
1854         switch (ret)
1855                 {
1856                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1857                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1858                         return -1;
1859
1860                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1861                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1862                         return 1; 
1863                                         
1864                 case SSL_TLSEXT_ERR_NOACK:
1865                         s->servername_done=0;
1866                         default:
1867                 return 1;
1868                 }
1869         }
1870
1871 int ssl_check_clienthello_tlsext_late(SSL *s)
1872         {
1873         int ret = SSL_TLSEXT_ERR_OK;
1874         int al;
1875
1876         /* If status request then ask callback what to do.
1877          * Note: this must be called after servername callbacks in case 
1878          * the certificate has changed, and must be called after the cipher
1879          * has been chosen because this may influence which certificate is sent
1880          */
1881         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1882                 {
1883                 int r;
1884                 CERT_PKEY *certpkey;
1885                 certpkey = ssl_get_server_send_pkey(s);
1886                 /* If no certificate can't return certificate status */
1887                 if (certpkey == NULL)
1888                         {
1889                         s->tlsext_status_expected = 0;
1890                         return 1;
1891                         }
1892                 /* Set current certificate to one we will use so
1893                  * SSL_get_certificate et al can pick it up.
1894                  */
1895                 s->cert->key = certpkey;
1896                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1897                 switch (r)
1898                         {
1899                         /* We don't want to send a status request response */
1900                         case SSL_TLSEXT_ERR_NOACK:
1901                                 s->tlsext_status_expected = 0;
1902                                 break;
1903                         /* status request response should be sent */
1904                         case SSL_TLSEXT_ERR_OK:
1905                                 if (s->tlsext_ocsp_resp)
1906                                         s->tlsext_status_expected = 1;
1907                                 else
1908                                         s->tlsext_status_expected = 0;
1909                                 break;
1910                         /* something bad happened */
1911                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1912                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1913                                 al = SSL_AD_INTERNAL_ERROR;
1914                                 goto err;
1915                         }
1916                 }
1917         else
1918                 s->tlsext_status_expected = 0;
1919
1920  err:
1921         switch (ret)
1922                 {
1923                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1924                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
1925                         return -1;
1926
1927                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1928                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1929                         return 1; 
1930
1931                 default:
1932                         return 1;
1933                 }
1934         }
1935
1936 int ssl_check_serverhello_tlsext(SSL *s)
1937         {
1938         int ret=SSL_TLSEXT_ERR_NOACK;
1939         int al = SSL_AD_UNRECOGNIZED_NAME;
1940
1941 #ifndef OPENSSL_NO_EC
1942         /* If we are client and using an elliptic curve cryptography cipher
1943          * suite, then if server returns an EC point formats lists extension
1944          * it must contain uncompressed.
1945          */
1946         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1947         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1948         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
1949             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 
1950             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
1951                 {
1952                 /* we are using an ECC cipher */
1953                 size_t i;
1954                 unsigned char *list;
1955                 int found_uncompressed = 0;
1956                 list = s->session->tlsext_ecpointformatlist;
1957                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1958                         {
1959                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
1960                                 {
1961                                 found_uncompressed = 1;
1962                                 break;
1963                                 }
1964                         }
1965                 if (!found_uncompressed)
1966                         {
1967                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1968                         return -1;
1969                         }
1970                 }
1971         ret = SSL_TLSEXT_ERR_OK;
1972 #endif /* OPENSSL_NO_EC */
1973
1974         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
1975                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1976         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
1977                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1978
1979 #ifdef TLSEXT_TYPE_opaque_prf_input
1980         if (s->s3->server_opaque_prf_input_len > 0)
1981                 {
1982                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
1983                  * So first verify that we really have a value from the server too. */
1984
1985                 if (s->s3->server_opaque_prf_input == NULL)
1986                         {
1987                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1988                         al = SSL_AD_HANDSHAKE_FAILURE;
1989                         }
1990                 
1991                 /* Anytime the server *has* sent an opaque PRF input, we need to check
1992                  * that we have a client opaque PRF input of the same size. */
1993                 if (s->s3->client_opaque_prf_input == NULL ||
1994                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
1995                         {
1996                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1997                         al = SSL_AD_ILLEGAL_PARAMETER;
1998                         }
1999                 }
2000 #endif
2001
2002         /* If we've requested certificate status and we wont get one
2003          * tell the callback
2004          */
2005         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2006                         && s->ctx && s->ctx->tlsext_status_cb)
2007                 {
2008                 int r;
2009                 /* Set resp to NULL, resplen to -1 so callback knows
2010                  * there is no response.
2011                  */
2012                 if (s->tlsext_ocsp_resp)
2013                         {
2014                         OPENSSL_free(s->tlsext_ocsp_resp);
2015                         s->tlsext_ocsp_resp = NULL;
2016                         }
2017                 s->tlsext_ocsp_resplen = -1;
2018                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2019                 if (r == 0)
2020                         {
2021                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2022                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023                         }
2024                 if (r < 0)
2025                         {
2026                         al = SSL_AD_INTERNAL_ERROR;
2027                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2028                         }
2029                 }
2030
2031         switch (ret)
2032                 {
2033                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2034                         ssl3_send_alert(s,SSL3_AL_FATAL,al); 
2035                         return -1;
2036
2037                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2038                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039                         return 1; 
2040                                         
2041                 case SSL_TLSEXT_ERR_NOACK:
2042                         s->servername_done=0;
2043                         default:
2044                 return 1;
2045                 }
2046         }
2047
2048 /* Since the server cache lookup is done early on in the processing of the
2049  * ClientHello, and other operations depend on the result, we need to handle
2050  * any TLS session ticket extension at the same time.
2051  *
2052  *   session_id: points at the session ID in the ClientHello. This code will
2053  *       read past the end of this in order to parse out the session ticket
2054  *       extension, if any.
2055  *   len: the length of the session ID.
2056  *   limit: a pointer to the first byte after the ClientHello.
2057  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2058  *       point to the resulting session.
2059  *
2060  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2061  * ciphersuite, in which case we have no use for session tickets and one will
2062  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2063  *
2064  * Returns:
2065  *   -1: fatal error, either from parsing or decrypting the ticket.
2066  *    0: no ticket was found (or was ignored, based on settings).
2067  *    1: a zero length extension was found, indicating that the client supports
2068  *       session tickets but doesn't currently have one to offer.
2069  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2070  *       couldn't be decrypted because of a non-fatal error.
2071  *    3: a ticket was successfully decrypted and *ret was set.
2072  *
2073  * Side effects:
2074  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2075  *   a new session ticket to the client because the client indicated support
2076  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2077  *   a session ticket or we couldn't use the one it gave us, or if
2078  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2079  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2080  */
2081 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2082                         const unsigned char *limit, SSL_SESSION **ret)
2083         {
2084         /* Point after session ID in client hello */
2085         const unsigned char *p = session_id + len;
2086         unsigned short i;
2087
2088         *ret = NULL;
2089         s->tlsext_ticket_expected = 0;
2090
2091         /* If tickets disabled behave as if no ticket present
2092          * to permit stateful resumption.
2093          */
2094         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2095                 return 0;
2096         if ((s->version <= SSL3_VERSION) || !limit)
2097                 return 0;
2098         if (p >= limit)
2099                 return -1;
2100         /* Skip past DTLS cookie */
2101         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2102                 {
2103                 i = *(p++);
2104                 p+= i;
2105                 if (p >= limit)
2106                         return -1;
2107                 }
2108         /* Skip past cipher list */
2109         n2s(p, i);
2110         p+= i;
2111         if (p >= limit)
2112                 return -1;
2113         /* Skip past compression algorithm list */
2114         i = *(p++);
2115         p += i;
2116         if (p > limit)
2117                 return -1;
2118         /* Now at start of extensions */
2119         if ((p + 2) >= limit)
2120                 return 0;
2121         n2s(p, i);
2122         while ((p + 4) <= limit)
2123                 {
2124                 unsigned short type, size;
2125                 n2s(p, type);
2126                 n2s(p, size);
2127                 if (p + size > limit)
2128                         return 0;
2129                 if (type == TLSEXT_TYPE_session_ticket)
2130                         {
2131                         int r;
2132                         if (size == 0)
2133                                 {
2134                                 /* The client will accept a ticket but doesn't
2135                                  * currently have one. */
2136                                 s->tlsext_ticket_expected = 1;
2137                                 return 1;
2138                                 }
2139                         if (s->tls_session_secret_cb)
2140                                 {
2141                                 /* Indicate that the ticket couldn't be
2142                                  * decrypted rather than generating the session
2143                                  * from ticket now, trigger abbreviated
2144                                  * handshake based on external mechanism to
2145                                  * calculate the master secret later. */
2146                                 return 2;
2147                                 }
2148                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2149                         switch (r)
2150                                 {
2151                                 case 2: /* ticket couldn't be decrypted */
2152                                         s->tlsext_ticket_expected = 1;
2153                                         return 2;
2154                                 case 3: /* ticket was decrypted */
2155                                         return r;
2156                                 case 4: /* ticket decrypted but need to renew */
2157                                         s->tlsext_ticket_expected = 1;
2158                                         return 3;
2159                                 default: /* fatal error */
2160                                         return -1;
2161                                 }
2162                         }
2163                 p += size;
2164                 }
2165         return 0;
2166         }
2167
2168 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2169  *
2170  *   etick: points to the body of the session ticket extension.
2171  *   eticklen: the length of the session tickets extenion.
2172  *   sess_id: points at the session ID.
2173  *   sesslen: the length of the session ID.
2174  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2175  *       point to the resulting session.
2176  *
2177  * Returns:
2178  *   -1: fatal error, either from parsing or decrypting the ticket.
2179  *    2: the ticket couldn't be decrypted.
2180  *    3: a ticket was successfully decrypted and *psess was set.
2181  *    4: same as 3, but the ticket needs to be renewed.
2182  */
2183 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2184                                 const unsigned char *sess_id, int sesslen,
2185                                 SSL_SESSION **psess)
2186         {
2187         SSL_SESSION *sess;
2188         unsigned char *sdec;
2189         const unsigned char *p;
2190         int slen, mlen, renew_ticket = 0;
2191         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2192         HMAC_CTX hctx;
2193         EVP_CIPHER_CTX ctx;
2194         SSL_CTX *tctx = s->initial_ctx;
2195         /* Need at least keyname + iv + some encrypted data */
2196         if (eticklen < 48)
2197                 return 2;
2198         /* Initialize session ticket encryption and HMAC contexts */
2199         HMAC_CTX_init(&hctx);
2200         EVP_CIPHER_CTX_init(&ctx);
2201         if (tctx->tlsext_ticket_key_cb)
2202                 {
2203                 unsigned char *nctick = (unsigned char *)etick;
2204                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2205                                                         &ctx, &hctx, 0);
2206                 if (rv < 0)
2207                         return -1;
2208                 if (rv == 0)
2209                         return 2;
2210                 if (rv == 2)
2211                         renew_ticket = 1;
2212                 }
2213         else
2214                 {
2215                 /* Check key name matches */
2216                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2217                         return 2;
2218                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2219                                         tlsext_tick_md(), NULL);
2220                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2221                                 tctx->tlsext_tick_aes_key, etick + 16);
2222                 }
2223         /* Attempt to process session ticket, first conduct sanity and
2224          * integrity checks on ticket.
2225          */
2226         mlen = HMAC_size(&hctx);
2227         if (mlen < 0)
2228                 {
2229                 EVP_CIPHER_CTX_cleanup(&ctx);
2230                 return -1;
2231                 }
2232         eticklen -= mlen;
2233         /* Check HMAC of encrypted ticket */
2234         HMAC_Update(&hctx, etick, eticklen);
2235         HMAC_Final(&hctx, tick_hmac, NULL);
2236         HMAC_CTX_cleanup(&hctx);
2237         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2238                 return 2;
2239         /* Attempt to decrypt session data */
2240         /* Move p after IV to start of encrypted ticket, update length */
2241         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2242         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2243         sdec = OPENSSL_malloc(eticklen);
2244         if (!sdec)
2245                 {
2246                 EVP_CIPHER_CTX_cleanup(&ctx);
2247                 return -1;
2248                 }
2249         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2250         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2251                 return 2;
2252         slen += mlen;
2253         EVP_CIPHER_CTX_cleanup(&ctx);
2254         p = sdec;
2255
2256         sess = d2i_SSL_SESSION(NULL, &p, slen);
2257         OPENSSL_free(sdec);
2258         if (sess)
2259                 {
2260                 /* The session ID, if non-empty, is used by some clients to
2261                  * detect that the ticket has been accepted. So we copy it to
2262                  * the session structure. If it is empty set length to zero
2263                  * as required by standard.
2264                  */
2265                 if (sesslen)
2266                         memcpy(sess->session_id, sess_id, sesslen);
2267                 sess->session_id_length = sesslen;
2268                 *psess = sess;
2269                 if (renew_ticket)
2270                         return 4;
2271                 else
2272                         return 3;
2273                 }
2274         ERR_clear_error();
2275         /* For session parse failure, indicate that we need to send a new
2276          * ticket. */
2277         return 2;
2278         }
2279
2280 /* Tables to translate from NIDs to TLS v1.2 ids */
2281
2282 typedef struct 
2283         {
2284         int nid;
2285         int id;
2286         } tls12_lookup;
2287
2288 static tls12_lookup tls12_md[] = {
2289 #ifndef OPENSSL_NO_MD5
2290         {NID_md5, TLSEXT_hash_md5},
2291 #endif
2292 #ifndef OPENSSL_NO_SHA
2293         {NID_sha1, TLSEXT_hash_sha1},
2294 #endif
2295 #ifndef OPENSSL_NO_SHA256
2296         {NID_sha224, TLSEXT_hash_sha224},
2297         {NID_sha256, TLSEXT_hash_sha256},
2298 #endif
2299 #ifndef OPENSSL_NO_SHA512
2300         {NID_sha384, TLSEXT_hash_sha384},
2301         {NID_sha512, TLSEXT_hash_sha512}
2302 #endif
2303 };
2304
2305 static tls12_lookup tls12_sig[] = {
2306 #ifndef OPENSSL_NO_RSA
2307         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2308 #endif
2309 #ifndef OPENSSL_NO_DSA
2310         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2311 #endif
2312 #ifndef OPENSSL_NO_ECDSA
2313         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2314 #endif
2315 };
2316
2317 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2318         {
2319         size_t i;
2320         for (i = 0; i < tlen; i++)
2321                 {
2322                 if (table[i].nid == nid)
2323                         return table[i].id;
2324                 }
2325         return -1;
2326         }
2327 #if 0
2328 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2329         {
2330         size_t i;
2331         for (i = 0; i < tlen; i++)
2332                 {
2333                 if (table[i].id == id)
2334                         return table[i].nid;
2335                 }
2336         return -1;
2337         }
2338 #endif
2339
2340 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2341         {
2342         int sig_id, md_id;
2343         if (!md)
2344                 return 0;
2345         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2346                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2347         if (md_id == -1)
2348                 return 0;
2349         sig_id = tls12_get_sigid(pk);
2350         if (sig_id == -1)
2351                 return 0;
2352         p[0] = (unsigned char)md_id;
2353         p[1] = (unsigned char)sig_id;
2354         return 1;
2355         }
2356
2357 int tls12_get_sigid(const EVP_PKEY *pk)
2358         {
2359         return tls12_find_id(pk->type, tls12_sig,
2360                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2361         }
2362
2363 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2364         {
2365         switch(hash_alg)
2366                 {
2367 #ifndef OPENSSL_NO_MD5
2368                 case TLSEXT_hash_md5:
2369 #ifdef OPENSSL_FIPS
2370                 if (FIPS_mode())
2371                         return NULL;
2372 #endif
2373                 return EVP_md5();
2374 #endif
2375 #ifndef OPENSSL_NO_SHA
2376                 case TLSEXT_hash_sha1:
2377                 return EVP_sha1();
2378 #endif
2379 #ifndef OPENSSL_NO_SHA256
2380                 case TLSEXT_hash_sha224:
2381                 return EVP_sha224();
2382
2383                 case TLSEXT_hash_sha256:
2384                 return EVP_sha256();
2385 #endif
2386 #ifndef OPENSSL_NO_SHA512
2387                 case TLSEXT_hash_sha384:
2388                 return EVP_sha384();
2389
2390                 case TLSEXT_hash_sha512:
2391                 return EVP_sha512();
2392 #endif
2393                 default:
2394                 return NULL;
2395
2396                 }
2397         }
2398
2399 /* Set preferred digest for each key type */
2400
2401 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2402         {
2403         int i, idx;
2404         const EVP_MD *md;
2405         CERT *c = s->cert;
2406         /* Extension ignored for TLS versions below 1.2 */
2407         if (TLS1_get_version(s) < TLS1_2_VERSION)
2408                 return 1;
2409         /* Should never happen */
2410         if (!c)
2411                 return 0;
2412
2413         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2414         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2415         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2416         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2417
2418         for (i = 0; i < dsize; i += 2)
2419                 {
2420                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2421
2422                 switch(sig_alg)
2423                         {
2424 #ifndef OPENSSL_NO_RSA
2425                         case TLSEXT_signature_rsa:
2426                         idx = SSL_PKEY_RSA_SIGN;
2427                         break;
2428 #endif
2429 #ifndef OPENSSL_NO_DSA
2430                         case TLSEXT_signature_dsa:
2431                         idx = SSL_PKEY_DSA_SIGN;
2432                         break;
2433 #endif
2434 #ifndef OPENSSL_NO_ECDSA
2435                         case TLSEXT_signature_ecdsa:
2436                         idx = SSL_PKEY_ECC;
2437                         break;
2438 #endif
2439                         default:
2440                         continue;
2441                         }
2442
2443                 if (c->pkeys[idx].digest == NULL)
2444                         {
2445                         md = tls12_get_hash(hash_alg);
2446                         if (md)
2447                                 {
2448                                 c->pkeys[idx].digest = md;
2449                                 if (idx == SSL_PKEY_RSA_SIGN)
2450                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2451                                 }
2452                         }
2453
2454                 }
2455
2456
2457         /* Set any remaining keys to default values. NOTE: if alg is not
2458          * supported it stays as NULL.
2459          */
2460 #ifndef OPENSSL_NO_DSA
2461         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2462                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2463 #endif
2464 #ifndef OPENSSL_NO_RSA
2465         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2466                 {
2467                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2468                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2469                 }
2470 #endif
2471 #ifndef OPENSSL_NO_ECDSA
2472         if (!c->pkeys[SSL_PKEY_ECC].digest)
2473                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2474 #endif
2475         return 1;
2476         }
2477
2478 #endif
2479
2480 #ifndef OPENSSL_NO_HEARTBEATS
2481 int
2482 tls1_process_heartbeat(SSL *s)
2483         {
2484         unsigned char *p = &s->s3->rrec.data[0], *pl;
2485         unsigned short hbtype;
2486         unsigned int payload;
2487         unsigned int padding = 16; /* Use minimum padding */
2488
2489         /* Read type and payload length first */
2490         hbtype = *p++;
2491         n2s(p, payload);
2492         pl = p;
2493
2494         if (s->msg_callback)
2495                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2496                         &s->s3->rrec.data[0], s->s3->rrec.length,
2497                         s, s->msg_callback_arg);
2498
2499         if (hbtype == TLS1_HB_REQUEST)
2500                 {
2501                 unsigned char *buffer, *bp;
2502                 int r;
2503
2504                 /* Allocate memory for the response, size is 1 bytes
2505                  * message type, plus 2 bytes payload length, plus
2506                  * payload, plus padding
2507                  */
2508                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2509                 bp = buffer;
2510                 
2511                 /* Enter response type, length and copy payload */
2512                 *bp++ = TLS1_HB_RESPONSE;
2513                 s2n(payload, bp);
2514                 memcpy(bp, pl, payload);
2515                 bp += payload;
2516                 /* Random padding */
2517                 RAND_pseudo_bytes(bp, padding);
2518
2519                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2520
2521                 if (r >= 0 && s->msg_callback)
2522                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2523                                 buffer, 3 + payload + padding,
2524                                 s, s->msg_callback_arg);
2525
2526                 OPENSSL_free(buffer);
2527
2528                 if (r < 0)
2529                         return r;
2530                 }
2531         else if (hbtype == TLS1_HB_RESPONSE)
2532                 {
2533                 unsigned int seq;
2534                 
2535                 /* We only send sequence numbers (2 bytes unsigned int),
2536                  * and 16 random bytes, so we just try to read the
2537                  * sequence number */
2538                 n2s(pl, seq);
2539                 
2540                 if (payload == 18 && seq == s->tlsext_hb_seq)
2541                         {
2542                         s->tlsext_hb_seq++;
2543                         s->tlsext_hb_pending = 0;
2544                         }
2545                 }
2546
2547         return 0;
2548         }
2549
2550 int
2551 tls1_heartbeat(SSL *s)
2552         {
2553         unsigned char *buf, *p;
2554         int ret;
2555         unsigned int payload = 18; /* Sequence number + random bytes */
2556         unsigned int padding = 16; /* Use minimum padding */
2557
2558         /* Only send if peer supports and accepts HB requests... */
2559         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2560             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2561                 {
2562                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2563                 return -1;
2564                 }
2565
2566         /* ...and there is none in flight yet... */
2567         if (s->tlsext_hb_pending)
2568                 {
2569                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2570                 return -1;
2571                 }
2572                 
2573         /* ...and no handshake in progress. */
2574         if (SSL_in_init(s) || s->in_handshake)
2575                 {
2576                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2577                 return -1;
2578                 }
2579                 
2580         /* Check if padding is too long, payload and padding
2581          * must not exceed 2^14 - 3 = 16381 bytes in total.
2582          */
2583         OPENSSL_assert(payload + padding <= 16381);
2584
2585         /* Create HeartBeat message, we just use a sequence number
2586          * as payload to distuingish different messages and add
2587          * some random stuff.
2588          *  - Message Type, 1 byte
2589          *  - Payload Length, 2 bytes (unsigned int)
2590          *  - Payload, the sequence number (2 bytes uint)
2591          *  - Payload, random bytes (16 bytes uint)
2592          *  - Padding
2593          */
2594         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2595         p = buf;
2596         /* Message Type */
2597         *p++ = TLS1_HB_REQUEST;
2598         /* Payload length (18 bytes here) */
2599         s2n(payload, p);
2600         /* Sequence number */
2601         s2n(s->tlsext_hb_seq, p);
2602         /* 16 random bytes */
2603         RAND_pseudo_bytes(p, 16);
2604         p += 16;
2605         /* Random padding */
2606         RAND_pseudo_bytes(p, padding);
2607
2608         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2609         if (ret >= 0)
2610                 {
2611                 if (s->msg_callback)
2612                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2613                                 buf, 3 + payload + padding,
2614                                 s, s->msg_callback_arg);
2615
2616                 s->tlsext_hb_pending = 1;
2617                 }
2618                 
2619         OPENSSL_free(buf);
2620
2621         return ret;
2622         }
2623 #endif