xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision 40a8ac8f62b535d30349faf28cf47106b7041b83)
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119 
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 				const unsigned char *sess_id, int sesslen,
125 				SSL_SESSION **psess);
126 #endif
127 
128 SSL3_ENC_METHOD TLSv1_enc_data={
129 	tls1_enc,
130 	tls1_mac,
131 	tls1_setup_key_block,
132 	tls1_generate_master_secret,
133 	tls1_change_cipher_state,
134 	tls1_final_finish_mac,
135 	TLS1_FINISH_MAC_LENGTH,
136 	tls1_cert_verify_mac,
137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 	tls1_alert_code,
140 	tls1_export_keying_material,
141 	};
142 
143 long tls1_default_timeout(void)
144 	{
145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 	 * is way too long for http, the cache would over fill */
147 	return(60*60*2);
148 	}
149 
150 int tls1_new(SSL *s)
151 	{
152 	if (!ssl3_new(s)) return(0);
153 	s->method->ssl_clear(s);
154 	return(1);
155 	}
156 
157 void tls1_free(SSL *s)
158 	{
159 #ifndef OPENSSL_NO_TLSEXT
160 	if (s->tlsext_session_ticket)
161 		{
162 		OPENSSL_free(s->tlsext_session_ticket);
163 		}
164 #endif /* OPENSSL_NO_TLSEXT */
165 	ssl3_free(s);
166 	}
167 
168 void tls1_clear(SSL *s)
169 	{
170 	ssl3_clear(s);
171 	s->version = s->method->version;
172 	}
173 
174 #ifndef OPENSSL_NO_EC
175 
176 static int nid_list[] =
177 	{
178 		NID_sect163k1, /* sect163k1 (1) */
179 		NID_sect163r1, /* sect163r1 (2) */
180 		NID_sect163r2, /* sect163r2 (3) */
181 		NID_sect193r1, /* sect193r1 (4) */
182 		NID_sect193r2, /* sect193r2 (5) */
183 		NID_sect233k1, /* sect233k1 (6) */
184 		NID_sect233r1, /* sect233r1 (7) */
185 		NID_sect239k1, /* sect239k1 (8) */
186 		NID_sect283k1, /* sect283k1 (9) */
187 		NID_sect283r1, /* sect283r1 (10) */
188 		NID_sect409k1, /* sect409k1 (11) */
189 		NID_sect409r1, /* sect409r1 (12) */
190 		NID_sect571k1, /* sect571k1 (13) */
191 		NID_sect571r1, /* sect571r1 (14) */
192 		NID_secp160k1, /* secp160k1 (15) */
193 		NID_secp160r1, /* secp160r1 (16) */
194 		NID_secp160r2, /* secp160r2 (17) */
195 		NID_secp192k1, /* secp192k1 (18) */
196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
197 		NID_secp224k1, /* secp224k1 (20) */
198 		NID_secp224r1, /* secp224r1 (21) */
199 		NID_secp256k1, /* secp256k1 (22) */
200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
201 		NID_secp384r1, /* secp384r1 (24) */
202 		NID_secp521r1  /* secp521r1 (25) */
203 	};
204 
205 static int pref_list[] =
206 	{
207 		NID_sect571r1, /* sect571r1 (14) */
208 		NID_sect571k1, /* sect571k1 (13) */
209 		NID_secp521r1, /* secp521r1 (25) */
210 		NID_sect409k1, /* sect409k1 (11) */
211 		NID_sect409r1, /* sect409r1 (12) */
212 		NID_secp384r1, /* secp384r1 (24) */
213 		NID_sect283k1, /* sect283k1 (9) */
214 		NID_sect283r1, /* sect283r1 (10) */
215 		NID_secp256k1, /* secp256k1 (22) */
216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
217 		NID_sect239k1, /* sect239k1 (8) */
218 		NID_sect233k1, /* sect233k1 (6) */
219 		NID_sect233r1, /* sect233r1 (7) */
220 		NID_secp224k1, /* secp224k1 (20) */
221 		NID_secp224r1, /* secp224r1 (21) */
222 		NID_sect193r1, /* sect193r1 (4) */
223 		NID_sect193r2, /* sect193r2 (5) */
224 		NID_secp192k1, /* secp192k1 (18) */
225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
226 		NID_sect163k1, /* sect163k1 (1) */
227 		NID_sect163r1, /* sect163r1 (2) */
228 		NID_sect163r2, /* sect163r2 (3) */
229 		NID_secp160k1, /* secp160k1 (15) */
230 		NID_secp160r1, /* secp160r1 (16) */
231 		NID_secp160r2, /* secp160r2 (17) */
232 	};
233 
234 int tls1_ec_curve_id2nid(int curve_id)
235 	{
236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 	if ((curve_id < 1) || ((unsigned int)curve_id >
238 				sizeof(nid_list)/sizeof(nid_list[0])))
239 		return 0;
240 	return nid_list[curve_id-1];
241 	}
242 
243 int tls1_ec_nid2curve_id(int nid)
244 	{
245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 	switch (nid)
247 		{
248 	case NID_sect163k1: /* sect163k1 (1) */
249 		return 1;
250 	case NID_sect163r1: /* sect163r1 (2) */
251 		return 2;
252 	case NID_sect163r2: /* sect163r2 (3) */
253 		return 3;
254 	case NID_sect193r1: /* sect193r1 (4) */
255 		return 4;
256 	case NID_sect193r2: /* sect193r2 (5) */
257 		return 5;
258 	case NID_sect233k1: /* sect233k1 (6) */
259 		return 6;
260 	case NID_sect233r1: /* sect233r1 (7) */
261 		return 7;
262 	case NID_sect239k1: /* sect239k1 (8) */
263 		return 8;
264 	case NID_sect283k1: /* sect283k1 (9) */
265 		return 9;
266 	case NID_sect283r1: /* sect283r1 (10) */
267 		return 10;
268 	case NID_sect409k1: /* sect409k1 (11) */
269 		return 11;
270 	case NID_sect409r1: /* sect409r1 (12) */
271 		return 12;
272 	case NID_sect571k1: /* sect571k1 (13) */
273 		return 13;
274 	case NID_sect571r1: /* sect571r1 (14) */
275 		return 14;
276 	case NID_secp160k1: /* secp160k1 (15) */
277 		return 15;
278 	case NID_secp160r1: /* secp160r1 (16) */
279 		return 16;
280 	case NID_secp160r2: /* secp160r2 (17) */
281 		return 17;
282 	case NID_secp192k1: /* secp192k1 (18) */
283 		return 18;
284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 		return 19;
286 	case NID_secp224k1: /* secp224k1 (20) */
287 		return 20;
288 	case NID_secp224r1: /* secp224r1 (21) */
289 		return 21;
290 	case NID_secp256k1: /* secp256k1 (22) */
291 		return 22;
292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 		return 23;
294 	case NID_secp384r1: /* secp384r1 (24) */
295 		return 24;
296 	case NID_secp521r1:  /* secp521r1 (25) */
297 		return 25;
298 	default:
299 		return 0;
300 		}
301 	}
302 #endif /* OPENSSL_NO_EC */
303 
304 #ifndef OPENSSL_NO_TLSEXT
305 
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309 
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315 
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321 
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327 
328 #define tlsext_sigalg(md) \
329 		tlsext_sigalg_rsa(md) \
330 		tlsext_sigalg_dsa(md) \
331 		tlsext_sigalg_ecdsa(md)
332 
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335 	tlsext_sigalg(TLSEXT_hash_sha512)
336 	tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339 	tlsext_sigalg(TLSEXT_hash_sha256)
340 	tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343 	tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 };
346 
347 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
348 	{
349 	size_t slen = sizeof(tls12_sigalgs);
350 	if (p)
351 		memcpy(p, tls12_sigalgs, slen);
352 	return (int)slen;
353 	}
354 
355 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
356 	{
357 	int extdatalen=0;
358 	unsigned char *orig = buf;
359 	unsigned char *ret = buf;
360 
361 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
362 	if (s->client_version == SSL3_VERSION
363 					&& !s->s3->send_connection_binding)
364 		return orig;
365 
366 	ret+=2;
367 
368 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
369 
370  	if (s->tlsext_hostname != NULL)
371 		{
372 		/* Add TLS extension servername to the Client Hello message */
373 		unsigned long size_str;
374 		long lenmax;
375 
376 		/* check for enough space.
377 		   4 for the servername type and entension length
378 		   2 for servernamelist length
379 		   1 for the hostname type
380 		   2 for hostname length
381 		   + hostname length
382 		*/
383 
384 		if ((lenmax = limit - ret - 9) < 0
385 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
386 			return NULL;
387 
388 		/* extension type and length */
389 		s2n(TLSEXT_TYPE_server_name,ret);
390 		s2n(size_str+5,ret);
391 
392 		/* length of servername list */
393 		s2n(size_str+3,ret);
394 
395 		/* hostname type, length and hostname */
396 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
397 		s2n(size_str,ret);
398 		memcpy(ret, s->tlsext_hostname, size_str);
399 		ret+=size_str;
400 		}
401 
402         /* Add RI if renegotiating */
403         if (s->renegotiate)
404           {
405           int el;
406 
407           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
408               {
409               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
410               return NULL;
411               }
412 
413           if((limit - ret - 4 - el) < 0) return NULL;
414 
415           s2n(TLSEXT_TYPE_renegotiate,ret);
416           s2n(el,ret);
417 
418           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
419               {
420               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
421               return NULL;
422               }
423 
424           ret += el;
425         }
426 
427 #ifndef OPENSSL_NO_SRP
428 	/* Add SRP username if there is one */
429 	if (s->srp_ctx.login != NULL)
430 		{ /* Add TLS extension SRP username to the Client Hello message */
431 
432 		int login_len = strlen(s->srp_ctx.login);
433 		if (login_len > 255 || login_len == 0)
434 			{
435 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
436 			return NULL;
437 			}
438 
439 		/* check for enough space.
440 		   4 for the srp type type and entension length
441 		   1 for the srp user identity
442 		   + srp user identity length
443 		*/
444 		if ((limit - ret - 5 - login_len) < 0) return NULL;
445 
446 		/* fill in the extension */
447 		s2n(TLSEXT_TYPE_srp,ret);
448 		s2n(login_len+1,ret);
449 		(*ret++) = (unsigned char) login_len;
450 		memcpy(ret, s->srp_ctx.login, login_len);
451 		ret+=login_len;
452 		}
453 #endif
454 
455 #ifndef OPENSSL_NO_EC
456 	if (s->tlsext_ecpointformatlist != NULL)
457 		{
458 		/* Add TLS extension ECPointFormats to the ClientHello message */
459 		long lenmax;
460 
461 		if ((lenmax = limit - ret - 5) < 0) return NULL;
462 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
463 		if (s->tlsext_ecpointformatlist_length > 255)
464 			{
465 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
466 			return NULL;
467 			}
468 
469 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
470 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
471 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
472 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
473 		ret+=s->tlsext_ecpointformatlist_length;
474 		}
475 	if (s->tlsext_ellipticcurvelist != NULL)
476 		{
477 		/* Add TLS extension EllipticCurves to the ClientHello message */
478 		long lenmax;
479 
480 		if ((lenmax = limit - ret - 6) < 0) return NULL;
481 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
482 		if (s->tlsext_ellipticcurvelist_length > 65532)
483 			{
484 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
485 			return NULL;
486 			}
487 
488 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
489 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
490 
491 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
492 		 * elliptic_curve_list, but the examples use two bytes.
493 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
494 		 * resolves this to two bytes.
495 		 */
496 		s2n(s->tlsext_ellipticcurvelist_length, ret);
497 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
498 		ret+=s->tlsext_ellipticcurvelist_length;
499 		}
500 #endif /* OPENSSL_NO_EC */
501 
502 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
503 		{
504 		int ticklen;
505 		if (!s->new_session && s->session && s->session->tlsext_tick)
506 			ticklen = s->session->tlsext_ticklen;
507 		else if (s->session && s->tlsext_session_ticket &&
508 			 s->tlsext_session_ticket->data)
509 			{
510 			ticklen = s->tlsext_session_ticket->length;
511 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
512 			if (!s->session->tlsext_tick)
513 				return NULL;
514 			memcpy(s->session->tlsext_tick,
515 			       s->tlsext_session_ticket->data,
516 			       ticklen);
517 			s->session->tlsext_ticklen = ticklen;
518 			}
519 		else
520 			ticklen = 0;
521 		if (ticklen == 0 && s->tlsext_session_ticket &&
522 		    s->tlsext_session_ticket->data == NULL)
523 			goto skip_ext;
524 		/* Check for enough room 2 for extension type, 2 for len
525  		 * rest for ticket
526   		 */
527 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
528 		s2n(TLSEXT_TYPE_session_ticket,ret);
529 		s2n(ticklen,ret);
530 		if (ticklen)
531 			{
532 			memcpy(ret, s->session->tlsext_tick, ticklen);
533 			ret += ticklen;
534 			}
535 		}
536 		skip_ext:
537 
538 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
539 		{
540 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
541 			return NULL;
542 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
543 		s2n(sizeof(tls12_sigalgs) + 2, ret);
544 		s2n(sizeof(tls12_sigalgs), ret);
545 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
546 		ret += sizeof(tls12_sigalgs);
547 		}
548 
549 #ifdef TLSEXT_TYPE_opaque_prf_input
550 	if (s->s3->client_opaque_prf_input != NULL &&
551 	    s->version != DTLS1_VERSION)
552 		{
553 		size_t col = s->s3->client_opaque_prf_input_len;
554 
555 		if ((long)(limit - ret - 6 - col < 0))
556 			return NULL;
557 		if (col > 0xFFFD) /* can't happen */
558 			return NULL;
559 
560 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
561 		s2n(col + 2, ret);
562 		s2n(col, ret);
563 		memcpy(ret, s->s3->client_opaque_prf_input, col);
564 		ret += col;
565 		}
566 #endif
567 
568 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
569 	    s->version != DTLS1_VERSION)
570 		{
571 		int i;
572 		long extlen, idlen, itmp;
573 		OCSP_RESPID *id;
574 
575 		idlen = 0;
576 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
577 			{
578 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
579 			itmp = i2d_OCSP_RESPID(id, NULL);
580 			if (itmp <= 0)
581 				return NULL;
582 			idlen += itmp + 2;
583 			}
584 
585 		if (s->tlsext_ocsp_exts)
586 			{
587 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
588 			if (extlen < 0)
589 				return NULL;
590 			}
591 		else
592 			extlen = 0;
593 
594 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
595 		s2n(TLSEXT_TYPE_status_request, ret);
596 		if (extlen + idlen > 0xFFF0)
597 			return NULL;
598 		s2n(extlen + idlen + 5, ret);
599 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
600 		s2n(idlen, ret);
601 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
602 			{
603 			/* save position of id len */
604 			unsigned char *q = ret;
605 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
606 			/* skip over id len */
607 			ret += 2;
608 			itmp = i2d_OCSP_RESPID(id, &ret);
609 			/* write id len */
610 			s2n(itmp, q);
611 			}
612 		s2n(extlen, ret);
613 		if (extlen > 0)
614 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
615 		}
616 
617 #ifndef OPENSSL_NO_HEARTBEATS
618 	/* Add Heartbeat extension */
619 	if ((limit - ret - 4 - 1) < 0)
620 		return NULL;
621 	s2n(TLSEXT_TYPE_heartbeat,ret);
622 	s2n(1,ret);
623 	/* Set mode:
624 	 * 1: peer may send requests
625 	 * 2: peer not allowed to send requests
626 	 */
627 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
628 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
629 	else
630 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
631 #endif
632 
633 #ifndef OPENSSL_NO_NEXTPROTONEG
634 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
635 		{
636 		/* The client advertises an emtpy extension to indicate its
637 		 * support for Next Protocol Negotiation */
638 		if (limit - ret - 4 < 0)
639 			return NULL;
640 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
641 		s2n(0,ret);
642 		}
643 #endif
644 
645 #ifndef OPENSSL_NO_SRTP
646         if(SSL_get_srtp_profiles(s))
647                 {
648                 int el;
649 
650                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
651 
652                 if((limit - ret - 4 - el) < 0) return NULL;
653 
654                 s2n(TLSEXT_TYPE_use_srtp,ret);
655                 s2n(el,ret);
656 
657                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
658 			{
659 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
660 			return NULL;
661 			}
662                 ret += el;
663                 }
664 #endif
665 	/* Add padding to workaround bugs in F5 terminators.
666 	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
667 	 *
668 	 * NB: because this code works out the length of all existing
669 	 * extensions it MUST always appear last.
670 	 */
671 	if (s->options & SSL_OP_TLSEXT_PADDING)
672 		{
673 		int hlen = ret - (unsigned char *)s->init_buf->data;
674 		/* The code in s23_clnt.c to build ClientHello messages
675 		 * includes the 5-byte record header in the buffer, while
676 		 * the code in s3_clnt.c does not.
677 		 */
678 		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
679 			hlen -= 5;
680 		if (hlen > 0xff && hlen < 0x200)
681 			{
682 			hlen = 0x200 - hlen;
683 			if (hlen >= 4)
684 				hlen -= 4;
685 			else
686 				hlen = 0;
687 
688 			s2n(TLSEXT_TYPE_padding, ret);
689 			s2n(hlen, ret);
690 			memset(ret, 0, hlen);
691 			ret += hlen;
692 			}
693 		}
694 
695 	if ((extdatalen = ret-orig-2)== 0)
696 		return orig;
697 
698 	s2n(extdatalen, orig);
699 	return ret;
700 	}
701 
702 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
703 	{
704 	int extdatalen=0;
705 	unsigned char *orig = buf;
706 	unsigned char *ret = buf;
707 #ifndef OPENSSL_NO_NEXTPROTONEG
708 	int next_proto_neg_seen;
709 #endif
710 
711 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
712 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
713 		return orig;
714 
715 	ret+=2;
716 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
717 
718 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
719 		{
720 		if ((long)(limit - ret - 4) < 0) return NULL;
721 
722 		s2n(TLSEXT_TYPE_server_name,ret);
723 		s2n(0,ret);
724 		}
725 
726 	if(s->s3->send_connection_binding)
727         {
728           int el;
729 
730           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
731               {
732               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733               return NULL;
734               }
735 
736           if((limit - ret - 4 - el) < 0) return NULL;
737 
738           s2n(TLSEXT_TYPE_renegotiate,ret);
739           s2n(el,ret);
740 
741           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
742               {
743               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
744               return NULL;
745               }
746 
747           ret += el;
748         }
749 
750 #ifndef OPENSSL_NO_EC
751 	if (s->tlsext_ecpointformatlist != NULL)
752 		{
753 		/* Add TLS extension ECPointFormats to the ServerHello message */
754 		long lenmax;
755 
756 		if ((lenmax = limit - ret - 5) < 0) return NULL;
757 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758 		if (s->tlsext_ecpointformatlist_length > 255)
759 			{
760 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761 			return NULL;
762 			}
763 
764 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
765 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
766 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768 		ret+=s->tlsext_ecpointformatlist_length;
769 
770 		}
771 	/* Currently the server should not respond with a SupportedCurves extension */
772 #endif /* OPENSSL_NO_EC */
773 
774 	if (s->tlsext_ticket_expected
775 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
776 		{
777 		if ((long)(limit - ret - 4) < 0) return NULL;
778 		s2n(TLSEXT_TYPE_session_ticket,ret);
779 		s2n(0,ret);
780 		}
781 
782 	if (s->tlsext_status_expected)
783 		{
784 		if ((long)(limit - ret - 4) < 0) return NULL;
785 		s2n(TLSEXT_TYPE_status_request,ret);
786 		s2n(0,ret);
787 		}
788 
789 #ifdef TLSEXT_TYPE_opaque_prf_input
790 	if (s->s3->server_opaque_prf_input != NULL &&
791 	    s->version != DTLS1_VERSION)
792 		{
793 		size_t sol = s->s3->server_opaque_prf_input_len;
794 
795 		if ((long)(limit - ret - 6 - sol) < 0)
796 			return NULL;
797 		if (sol > 0xFFFD) /* can't happen */
798 			return NULL;
799 
800 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
801 		s2n(sol + 2, ret);
802 		s2n(sol, ret);
803 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
804 		ret += sol;
805 		}
806 #endif
807 
808 #ifndef OPENSSL_NO_SRTP
809         if(s->srtp_profile)
810                 {
811                 int el;
812 
813                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814 
815                 if((limit - ret - 4 - el) < 0) return NULL;
816 
817                 s2n(TLSEXT_TYPE_use_srtp,ret);
818                 s2n(el,ret);
819 
820                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
821 			{
822 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823 			return NULL;
824 			}
825                 ret+=el;
826                 }
827 #endif
828 
829 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
830 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
831 		{ const unsigned char cryptopro_ext[36] = {
832 			0xfd, 0xe8, /*65000*/
833 			0x00, 0x20, /*32 bytes length*/
834 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
838 			if (limit-ret<36) return NULL;
839 			memcpy(ret,cryptopro_ext,36);
840 			ret+=36;
841 
842 		}
843 
844 #ifndef OPENSSL_NO_HEARTBEATS
845 	/* Add Heartbeat extension if we've received one */
846 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
847 		{
848 		if ((limit - ret - 4 - 1) < 0)
849 			return NULL;
850 		s2n(TLSEXT_TYPE_heartbeat,ret);
851 		s2n(1,ret);
852 		/* Set mode:
853 		 * 1: peer may send requests
854 		 * 2: peer not allowed to send requests
855 		 */
856 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
857 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
858 		else
859 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
860 
861 		}
862 #endif
863 
864 #ifndef OPENSSL_NO_NEXTPROTONEG
865 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
866 	s->s3->next_proto_neg_seen = 0;
867 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
868 		{
869 		const unsigned char *npa;
870 		unsigned int npalen;
871 		int r;
872 
873 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
874 		if (r == SSL_TLSEXT_ERR_OK)
875 			{
876 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
877 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
878 			s2n(npalen,ret);
879 			memcpy(ret, npa, npalen);
880 			ret += npalen;
881 			s->s3->next_proto_neg_seen = 1;
882 			}
883 		}
884 #endif
885 
886 	if ((extdatalen = ret-orig-2)== 0)
887 		return orig;
888 
889 	s2n(extdatalen, orig);
890 	return ret;
891 	}
892 
893 #ifndef OPENSSL_NO_EC
894 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
895  * SecureTransport using the TLS extension block in |d|, of length |n|.
896  * Safari, since 10.6, sends exactly these extensions, in this order:
897  *   SNI,
898  *   elliptic_curves
899  *   ec_point_formats
900  *
901  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
902  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
903  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
904  * 10.8..10.8.3 (which don't work).
905  */
906 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
907 	unsigned short type, size;
908 	static const unsigned char kSafariExtensionsBlock[] = {
909 		0x00, 0x0a,  /* elliptic_curves extension */
910 		0x00, 0x08,  /* 8 bytes */
911 		0x00, 0x06,  /* 6 bytes of curve ids */
912 		0x00, 0x17,  /* P-256 */
913 		0x00, 0x18,  /* P-384 */
914 		0x00, 0x19,  /* P-521 */
915 
916 		0x00, 0x0b,  /* ec_point_formats */
917 		0x00, 0x02,  /* 2 bytes */
918 		0x01,        /* 1 point format */
919 		0x00,        /* uncompressed */
920 	};
921 
922 	/* The following is only present in TLS 1.2 */
923 	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
924 		0x00, 0x0d,  /* signature_algorithms */
925 		0x00, 0x0c,  /* 12 bytes */
926 		0x00, 0x0a,  /* 10 bytes */
927 		0x05, 0x01,  /* SHA-384/RSA */
928 		0x04, 0x01,  /* SHA-256/RSA */
929 		0x02, 0x01,  /* SHA-1/RSA */
930 		0x04, 0x03,  /* SHA-256/ECDSA */
931 		0x02, 0x03,  /* SHA-1/ECDSA */
932 	};
933 
934 	if (data >= (d+n-2))
935 		return;
936 	data += 2;
937 
938 	if (data > (d+n-4))
939 		return;
940 	n2s(data,type);
941 	n2s(data,size);
942 
943 	if (type != TLSEXT_TYPE_server_name)
944 		return;
945 
946 	if (data+size > d+n)
947 		return;
948 	data += size;
949 
950 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
951 		{
952 		const size_t len1 = sizeof(kSafariExtensionsBlock);
953 		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
954 
955 		if (data + len1 + len2 != d+n)
956 			return;
957 		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
958 			return;
959 		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
960 			return;
961 		}
962 	else
963 		{
964 		const size_t len = sizeof(kSafariExtensionsBlock);
965 
966 		if (data + len != d+n)
967 			return;
968 		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
969 			return;
970 		}
971 
972 	s->s3->is_probably_safari = 1;
973 }
974 #endif /* !OPENSSL_NO_EC */
975 
976 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
977 	{
978 	unsigned short type;
979 	unsigned short size;
980 	unsigned short len;
981 	unsigned char *data = *p;
982 	int renegotiate_seen = 0;
983 	int sigalg_seen = 0;
984 
985 	s->servername_done = 0;
986 	s->tlsext_status_type = -1;
987 #ifndef OPENSSL_NO_NEXTPROTONEG
988 	s->s3->next_proto_neg_seen = 0;
989 #endif
990 
991 #ifndef OPENSSL_NO_HEARTBEATS
992 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
993 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
994 #endif
995 
996 #ifndef OPENSSL_NO_EC
997 	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
998 		ssl_check_for_safari(s, data, d, n);
999 #endif /* !OPENSSL_NO_EC */
1000 
1001 	if (data >= (d+n-2))
1002 		goto ri_check;
1003 	n2s(data,len);
1004 
1005 	if (data > (d+n-len))
1006 		goto ri_check;
1007 
1008 	while (data <= (d+n-4))
1009 		{
1010 		n2s(data,type);
1011 		n2s(data,size);
1012 
1013 		if (data+size > (d+n))
1014 	   		goto ri_check;
1015 #if 0
1016 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
1017 #endif
1018 		if (s->tlsext_debug_cb)
1019 			s->tlsext_debug_cb(s, 0, type, data, size,
1020 						s->tlsext_debug_arg);
1021 /* The servername extension is treated as follows:
1022 
1023    - Only the hostname type is supported with a maximum length of 255.
1024    - The servername is rejected if too long or if it contains zeros,
1025      in which case an fatal alert is generated.
1026    - The servername field is maintained together with the session cache.
1027    - When a session is resumed, the servername call back invoked in order
1028      to allow the application to position itself to the right context.
1029    - The servername is acknowledged if it is new for a session or when
1030      it is identical to a previously used for the same session.
1031      Applications can control the behaviour.  They can at any time
1032      set a 'desirable' servername for a new SSL object. This can be the
1033      case for example with HTTPS when a Host: header field is received and
1034      a renegotiation is requested. In this case, a possible servername
1035      presented in the new client hello is only acknowledged if it matches
1036      the value of the Host: field.
1037    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1038      if they provide for changing an explicit servername context for the session,
1039      i.e. when the session has been established with a servername extension.
1040    - On session reconnect, the servername extension may be absent.
1041 
1042 */
1043 
1044 		if (type == TLSEXT_TYPE_server_name)
1045 			{
1046 			unsigned char *sdata;
1047 			int servname_type;
1048 			int dsize;
1049 
1050 			if (size < 2)
1051 				{
1052 				*al = SSL_AD_DECODE_ERROR;
1053 				return 0;
1054 				}
1055 			n2s(data,dsize);
1056 			size -= 2;
1057 			if (dsize > size  )
1058 				{
1059 				*al = SSL_AD_DECODE_ERROR;
1060 				return 0;
1061 				}
1062 
1063 			sdata = data;
1064 			while (dsize > 3)
1065 				{
1066 	 			servname_type = *(sdata++);
1067 				n2s(sdata,len);
1068 				dsize -= 3;
1069 
1070 				if (len > dsize)
1071 					{
1072 					*al = SSL_AD_DECODE_ERROR;
1073 					return 0;
1074 					}
1075 				if (s->servername_done == 0)
1076 				switch (servname_type)
1077 					{
1078 				case TLSEXT_NAMETYPE_host_name:
1079 					if (!s->hit)
1080 						{
1081 						if(s->session->tlsext_hostname)
1082 							{
1083 							*al = SSL_AD_DECODE_ERROR;
1084 							return 0;
1085 							}
1086 						if (len > TLSEXT_MAXLEN_host_name)
1087 							{
1088 							*al = TLS1_AD_UNRECOGNIZED_NAME;
1089 							return 0;
1090 							}
1091 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1092 							{
1093 							*al = TLS1_AD_INTERNAL_ERROR;
1094 							return 0;
1095 							}
1096 						memcpy(s->session->tlsext_hostname, sdata, len);
1097 						s->session->tlsext_hostname[len]='\0';
1098 						if (strlen(s->session->tlsext_hostname) != len) {
1099 							OPENSSL_free(s->session->tlsext_hostname);
1100 							s->session->tlsext_hostname = NULL;
1101 							*al = TLS1_AD_UNRECOGNIZED_NAME;
1102 							return 0;
1103 						}
1104 						s->servername_done = 1;
1105 
1106 						}
1107 					else
1108 						s->servername_done = s->session->tlsext_hostname
1109 							&& strlen(s->session->tlsext_hostname) == len
1110 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1111 
1112 					break;
1113 
1114 				default:
1115 					break;
1116 					}
1117 
1118 				dsize -= len;
1119 				}
1120 			if (dsize != 0)
1121 				{
1122 				*al = SSL_AD_DECODE_ERROR;
1123 				return 0;
1124 				}
1125 
1126 			}
1127 #ifndef OPENSSL_NO_SRP
1128 		else if (type == TLSEXT_TYPE_srp)
1129 			{
1130 			if (size <= 0 || ((len = data[0])) != (size -1))
1131 				{
1132 				*al = SSL_AD_DECODE_ERROR;
1133 				return 0;
1134 				}
1135 			if (s->srp_ctx.login != NULL)
1136 				{
1137 				*al = SSL_AD_DECODE_ERROR;
1138 				return 0;
1139 				}
1140 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1141 				return -1;
1142 			memcpy(s->srp_ctx.login, &data[1], len);
1143 			s->srp_ctx.login[len]='\0';
1144 
1145 			if (strlen(s->srp_ctx.login) != len)
1146 				{
1147 				*al = SSL_AD_DECODE_ERROR;
1148 				return 0;
1149 				}
1150 			}
1151 #endif
1152 
1153 #ifndef OPENSSL_NO_EC
1154 		else if (type == TLSEXT_TYPE_ec_point_formats)
1155 			{
1156 			unsigned char *sdata = data;
1157 			int ecpointformatlist_length = *(sdata++);
1158 
1159 			if (ecpointformatlist_length != size - 1)
1160 				{
1161 				*al = TLS1_AD_DECODE_ERROR;
1162 				return 0;
1163 				}
1164 			if (!s->hit)
1165 				{
1166 				if(s->session->tlsext_ecpointformatlist)
1167 					{
1168 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
1169 					s->session->tlsext_ecpointformatlist = NULL;
1170 					}
1171 				s->session->tlsext_ecpointformatlist_length = 0;
1172 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1173 					{
1174 					*al = TLS1_AD_INTERNAL_ERROR;
1175 					return 0;
1176 					}
1177 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1178 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1179 				}
1180 #if 0
1181 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1182 			sdata = s->session->tlsext_ecpointformatlist;
1183 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1184 				fprintf(stderr,"%i ",*(sdata++));
1185 			fprintf(stderr,"\n");
1186 #endif
1187 			}
1188 		else if (type == TLSEXT_TYPE_elliptic_curves)
1189 			{
1190 			unsigned char *sdata = data;
1191 			int ellipticcurvelist_length = (*(sdata++) << 8);
1192 			ellipticcurvelist_length += (*(sdata++));
1193 
1194 			if (ellipticcurvelist_length != size - 2 ||
1195 				ellipticcurvelist_length < 1)
1196 				{
1197 				*al = TLS1_AD_DECODE_ERROR;
1198 				return 0;
1199 				}
1200 			if (!s->hit)
1201 				{
1202 				if(s->session->tlsext_ellipticcurvelist)
1203 					{
1204 					*al = TLS1_AD_DECODE_ERROR;
1205 					return 0;
1206 					}
1207 				s->session->tlsext_ellipticcurvelist_length = 0;
1208 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1209 					{
1210 					*al = TLS1_AD_INTERNAL_ERROR;
1211 					return 0;
1212 					}
1213 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1214 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1215 				}
1216 #if 0
1217 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1218 			sdata = s->session->tlsext_ellipticcurvelist;
1219 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1220 				fprintf(stderr,"%i ",*(sdata++));
1221 			fprintf(stderr,"\n");
1222 #endif
1223 			}
1224 #endif /* OPENSSL_NO_EC */
1225 #ifdef TLSEXT_TYPE_opaque_prf_input
1226 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1227 	             s->version != DTLS1_VERSION)
1228 			{
1229 			unsigned char *sdata = data;
1230 
1231 			if (size < 2)
1232 				{
1233 				*al = SSL_AD_DECODE_ERROR;
1234 				return 0;
1235 				}
1236 			n2s(sdata, s->s3->client_opaque_prf_input_len);
1237 			if (s->s3->client_opaque_prf_input_len != size - 2)
1238 				{
1239 				*al = SSL_AD_DECODE_ERROR;
1240 				return 0;
1241 				}
1242 
1243 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1244 				OPENSSL_free(s->s3->client_opaque_prf_input);
1245 			if (s->s3->client_opaque_prf_input_len == 0)
1246 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1247 			else
1248 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1249 			if (s->s3->client_opaque_prf_input == NULL)
1250 				{
1251 				*al = TLS1_AD_INTERNAL_ERROR;
1252 				return 0;
1253 				}
1254 			}
1255 #endif
1256 		else if (type == TLSEXT_TYPE_session_ticket)
1257 			{
1258 			if (s->tls_session_ticket_ext_cb &&
1259 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1260 				{
1261 				*al = TLS1_AD_INTERNAL_ERROR;
1262 				return 0;
1263 				}
1264 			}
1265 		else if (type == TLSEXT_TYPE_renegotiate)
1266 			{
1267 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1268 				return 0;
1269 			renegotiate_seen = 1;
1270 			}
1271 		else if (type == TLSEXT_TYPE_signature_algorithms)
1272 			{
1273 			int dsize;
1274 			if (sigalg_seen || size < 2)
1275 				{
1276 				*al = SSL_AD_DECODE_ERROR;
1277 				return 0;
1278 				}
1279 			sigalg_seen = 1;
1280 			n2s(data,dsize);
1281 			size -= 2;
1282 			if (dsize != size || dsize & 1)
1283 				{
1284 				*al = SSL_AD_DECODE_ERROR;
1285 				return 0;
1286 				}
1287 			if (!tls1_process_sigalgs(s, data, dsize))
1288 				{
1289 				*al = SSL_AD_DECODE_ERROR;
1290 				return 0;
1291 				}
1292 			}
1293 		else if (type == TLSEXT_TYPE_status_request &&
1294 		         s->version != DTLS1_VERSION)
1295 			{
1296 
1297 			if (size < 5)
1298 				{
1299 				*al = SSL_AD_DECODE_ERROR;
1300 				return 0;
1301 				}
1302 
1303 			s->tlsext_status_type = *data++;
1304 			size--;
1305 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1306 				{
1307 				const unsigned char *sdata;
1308 				int dsize;
1309 				/* Read in responder_id_list */
1310 				n2s(data,dsize);
1311 				size -= 2;
1312 				if (dsize > size  )
1313 					{
1314 					*al = SSL_AD_DECODE_ERROR;
1315 					return 0;
1316 					}
1317 				while (dsize > 0)
1318 					{
1319 					OCSP_RESPID *id;
1320 					int idsize;
1321 					if (dsize < 4)
1322 						{
1323 						*al = SSL_AD_DECODE_ERROR;
1324 						return 0;
1325 						}
1326 					n2s(data, idsize);
1327 					dsize -= 2 + idsize;
1328 					size -= 2 + idsize;
1329 					if (dsize < 0)
1330 						{
1331 						*al = SSL_AD_DECODE_ERROR;
1332 						return 0;
1333 						}
1334 					sdata = data;
1335 					data += idsize;
1336 					id = d2i_OCSP_RESPID(NULL,
1337 								&sdata, idsize);
1338 					if (!id)
1339 						{
1340 						*al = SSL_AD_DECODE_ERROR;
1341 						return 0;
1342 						}
1343 					if (data != sdata)
1344 						{
1345 						OCSP_RESPID_free(id);
1346 						*al = SSL_AD_DECODE_ERROR;
1347 						return 0;
1348 						}
1349 					if (!s->tlsext_ocsp_ids
1350 						&& !(s->tlsext_ocsp_ids =
1351 						sk_OCSP_RESPID_new_null()))
1352 						{
1353 						OCSP_RESPID_free(id);
1354 						*al = SSL_AD_INTERNAL_ERROR;
1355 						return 0;
1356 						}
1357 					if (!sk_OCSP_RESPID_push(
1358 							s->tlsext_ocsp_ids, id))
1359 						{
1360 						OCSP_RESPID_free(id);
1361 						*al = SSL_AD_INTERNAL_ERROR;
1362 						return 0;
1363 						}
1364 					}
1365 
1366 				/* Read in request_extensions */
1367 				if (size < 2)
1368 					{
1369 					*al = SSL_AD_DECODE_ERROR;
1370 					return 0;
1371 					}
1372 				n2s(data,dsize);
1373 				size -= 2;
1374 				if (dsize != size)
1375 					{
1376 					*al = SSL_AD_DECODE_ERROR;
1377 					return 0;
1378 					}
1379 				sdata = data;
1380 				if (dsize > 0)
1381 					{
1382 					if (s->tlsext_ocsp_exts)
1383 						{
1384 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1385 									   X509_EXTENSION_free);
1386 						}
1387 
1388 					s->tlsext_ocsp_exts =
1389 						d2i_X509_EXTENSIONS(NULL,
1390 							&sdata, dsize);
1391 					if (!s->tlsext_ocsp_exts
1392 						|| (data + dsize != sdata))
1393 						{
1394 						*al = SSL_AD_DECODE_ERROR;
1395 						return 0;
1396 						}
1397 					}
1398 				}
1399 				/* We don't know what to do with any other type
1400  			 	* so ignore it.
1401  			 	*/
1402 				else
1403 					s->tlsext_status_type = -1;
1404 			}
1405 #ifndef OPENSSL_NO_HEARTBEATS
1406 		else if (type == TLSEXT_TYPE_heartbeat)
1407 			{
1408 			switch(data[0])
1409 				{
1410 				case 0x01:	/* Client allows us to send HB requests */
1411 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1412 							break;
1413 				case 0x02:	/* Client doesn't accept HB requests */
1414 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1415 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1416 							break;
1417 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1418 							return 0;
1419 				}
1420 			}
1421 #endif
1422 #ifndef OPENSSL_NO_NEXTPROTONEG
1423 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1424 			 s->s3->tmp.finish_md_len == 0)
1425 			{
1426 			/* We shouldn't accept this extension on a
1427 			 * renegotiation.
1428 			 *
1429 			 * s->new_session will be set on renegotiation, but we
1430 			 * probably shouldn't rely that it couldn't be set on
1431 			 * the initial renegotation too in certain cases (when
1432 			 * there's some other reason to disallow resuming an
1433 			 * earlier session -- the current code won't be doing
1434 			 * anything like that, but this might change).
1435 
1436 			 * A valid sign that there's been a previous handshake
1437 			 * in this connection is if s->s3->tmp.finish_md_len >
1438 			 * 0.  (We are talking about a check that will happen
1439 			 * in the Hello protocol round, well before a new
1440 			 * Finished message could have been computed.) */
1441 			s->s3->next_proto_neg_seen = 1;
1442 			}
1443 #endif
1444 
1445 		/* session ticket processed earlier */
1446 #ifndef OPENSSL_NO_SRTP
1447 		else if (type == TLSEXT_TYPE_use_srtp)
1448 			{
1449 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1450 							      al))
1451 				return 0;
1452 			}
1453 #endif
1454 
1455 		data+=size;
1456 		}
1457 
1458 	*p = data;
1459 
1460 	ri_check:
1461 
1462 	/* Need RI if renegotiating */
1463 
1464 	if (!renegotiate_seen && s->renegotiate &&
1465 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1466 		{
1467 		*al = SSL_AD_HANDSHAKE_FAILURE;
1468 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1469 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1470 		return 0;
1471 		}
1472 
1473 	return 1;
1474 	}
1475 
1476 #ifndef OPENSSL_NO_NEXTPROTONEG
1477 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1478  * elements of zero length are allowed and the set of elements must exactly fill
1479  * the length of the block. */
1480 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1481 	{
1482 	unsigned int off = 0;
1483 
1484 	while (off < len)
1485 		{
1486 		if (d[off] == 0)
1487 			return 0;
1488 		off += d[off];
1489 		off++;
1490 		}
1491 
1492 	return off == len;
1493 	}
1494 #endif
1495 
1496 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1497 	{
1498 	unsigned short length;
1499 	unsigned short type;
1500 	unsigned short size;
1501 	unsigned char *data = *p;
1502 	int tlsext_servername = 0;
1503 	int renegotiate_seen = 0;
1504 
1505 #ifndef OPENSSL_NO_NEXTPROTONEG
1506 	s->s3->next_proto_neg_seen = 0;
1507 #endif
1508 
1509 #ifndef OPENSSL_NO_HEARTBEATS
1510 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1511 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1512 #endif
1513 
1514 	if (data >= (d+n-2))
1515 		goto ri_check;
1516 
1517 	n2s(data,length);
1518 	if (data+length != d+n)
1519 		{
1520 		*al = SSL_AD_DECODE_ERROR;
1521 		return 0;
1522 		}
1523 
1524 	while(data <= (d+n-4))
1525 		{
1526 		n2s(data,type);
1527 		n2s(data,size);
1528 
1529 		if (data+size > (d+n))
1530 	   		goto ri_check;
1531 
1532 		if (s->tlsext_debug_cb)
1533 			s->tlsext_debug_cb(s, 1, type, data, size,
1534 						s->tlsext_debug_arg);
1535 
1536 		if (type == TLSEXT_TYPE_server_name)
1537 			{
1538 			if (s->tlsext_hostname == NULL || size > 0)
1539 				{
1540 				*al = TLS1_AD_UNRECOGNIZED_NAME;
1541 				return 0;
1542 				}
1543 			tlsext_servername = 1;
1544 			}
1545 
1546 #ifndef OPENSSL_NO_EC
1547 		else if (type == TLSEXT_TYPE_ec_point_formats)
1548 			{
1549 			unsigned char *sdata = data;
1550 			int ecpointformatlist_length = *(sdata++);
1551 
1552 			if (ecpointformatlist_length != size - 1 ||
1553 				ecpointformatlist_length < 1)
1554 				{
1555 				*al = TLS1_AD_DECODE_ERROR;
1556 				return 0;
1557 				}
1558 			if (!s->hit)
1559 				{
1560 				s->session->tlsext_ecpointformatlist_length = 0;
1561 				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1562 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1563 					{
1564 					*al = TLS1_AD_INTERNAL_ERROR;
1565 					return 0;
1566 					}
1567 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1568 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1569 				}
1570 #if 0
1571 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1572 			sdata = s->session->tlsext_ecpointformatlist;
1573 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1574 				fprintf(stderr,"%i ",*(sdata++));
1575 			fprintf(stderr,"\n");
1576 #endif
1577 			}
1578 #endif /* OPENSSL_NO_EC */
1579 
1580 		else if (type == TLSEXT_TYPE_session_ticket)
1581 			{
1582 			if (s->tls_session_ticket_ext_cb &&
1583 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1584 				{
1585 				*al = TLS1_AD_INTERNAL_ERROR;
1586 				return 0;
1587 				}
1588 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1589 				|| (size > 0))
1590 				{
1591 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1592 				return 0;
1593 				}
1594 			s->tlsext_ticket_expected = 1;
1595 			}
1596 #ifdef TLSEXT_TYPE_opaque_prf_input
1597 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1598 	             s->version != DTLS1_VERSION)
1599 			{
1600 			unsigned char *sdata = data;
1601 
1602 			if (size < 2)
1603 				{
1604 				*al = SSL_AD_DECODE_ERROR;
1605 				return 0;
1606 				}
1607 			n2s(sdata, s->s3->server_opaque_prf_input_len);
1608 			if (s->s3->server_opaque_prf_input_len != size - 2)
1609 				{
1610 				*al = SSL_AD_DECODE_ERROR;
1611 				return 0;
1612 				}
1613 
1614 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1615 				OPENSSL_free(s->s3->server_opaque_prf_input);
1616 			if (s->s3->server_opaque_prf_input_len == 0)
1617 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1618 			else
1619 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1620 
1621 			if (s->s3->server_opaque_prf_input == NULL)
1622 				{
1623 				*al = TLS1_AD_INTERNAL_ERROR;
1624 				return 0;
1625 				}
1626 			}
1627 #endif
1628 		else if (type == TLSEXT_TYPE_status_request &&
1629 		         s->version != DTLS1_VERSION)
1630 			{
1631 			/* MUST be empty and only sent if we've requested
1632 			 * a status request message.
1633 			 */
1634 			if ((s->tlsext_status_type == -1) || (size > 0))
1635 				{
1636 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1637 				return 0;
1638 				}
1639 			/* Set flag to expect CertificateStatus message */
1640 			s->tlsext_status_expected = 1;
1641 			}
1642 #ifndef OPENSSL_NO_NEXTPROTONEG
1643 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1644 			 s->s3->tmp.finish_md_len == 0)
1645 			{
1646 			unsigned char *selected;
1647 			unsigned char selected_len;
1648 
1649 			/* We must have requested it. */
1650 			if (s->ctx->next_proto_select_cb == NULL)
1651 				{
1652 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1653 				return 0;
1654 				}
1655 			/* The data must be valid */
1656 			if (!ssl_next_proto_validate(data, size))
1657 				{
1658 				*al = TLS1_AD_DECODE_ERROR;
1659 				return 0;
1660 				}
1661 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1662 				{
1663 				*al = TLS1_AD_INTERNAL_ERROR;
1664 				return 0;
1665 				}
1666 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1667 			if (!s->next_proto_negotiated)
1668 				{
1669 				*al = TLS1_AD_INTERNAL_ERROR;
1670 				return 0;
1671 				}
1672 			memcpy(s->next_proto_negotiated, selected, selected_len);
1673 			s->next_proto_negotiated_len = selected_len;
1674 			s->s3->next_proto_neg_seen = 1;
1675 			}
1676 #endif
1677 		else if (type == TLSEXT_TYPE_renegotiate)
1678 			{
1679 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1680 				return 0;
1681 			renegotiate_seen = 1;
1682 			}
1683 #ifndef OPENSSL_NO_HEARTBEATS
1684 		else if (type == TLSEXT_TYPE_heartbeat)
1685 			{
1686 			switch(data[0])
1687 				{
1688 				case 0x01:	/* Server allows us to send HB requests */
1689 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1690 							break;
1691 				case 0x02:	/* Server doesn't accept HB requests */
1692 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1693 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1694 							break;
1695 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1696 							return 0;
1697 				}
1698 			}
1699 #endif
1700 #ifndef OPENSSL_NO_SRTP
1701 		else if (type == TLSEXT_TYPE_use_srtp)
1702 			{
1703                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1704 							      al))
1705                                 return 0;
1706 			}
1707 #endif
1708 
1709 		data+=size;
1710 		}
1711 
1712 	if (data != d+n)
1713 		{
1714 		*al = SSL_AD_DECODE_ERROR;
1715 		return 0;
1716 		}
1717 
1718 	if (!s->hit && tlsext_servername == 1)
1719 		{
1720  		if (s->tlsext_hostname)
1721 			{
1722 			if (s->session->tlsext_hostname == NULL)
1723 				{
1724 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1725 				if (!s->session->tlsext_hostname)
1726 					{
1727 					*al = SSL_AD_UNRECOGNIZED_NAME;
1728 					return 0;
1729 					}
1730 				}
1731 			else
1732 				{
1733 				*al = SSL_AD_DECODE_ERROR;
1734 				return 0;
1735 				}
1736 			}
1737 		}
1738 
1739 	*p = data;
1740 
1741 	ri_check:
1742 
1743 	/* Determine if we need to see RI. Strictly speaking if we want to
1744 	 * avoid an attack we should *always* see RI even on initial server
1745 	 * hello because the client doesn't see any renegotiation during an
1746 	 * attack. However this would mean we could not connect to any server
1747 	 * which doesn't support RI so for the immediate future tolerate RI
1748 	 * absence on initial connect only.
1749 	 */
1750 	if (!renegotiate_seen
1751 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1752 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1753 		{
1754 		*al = SSL_AD_HANDSHAKE_FAILURE;
1755 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1756 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1757 		return 0;
1758 		}
1759 
1760 	return 1;
1761 	}
1762 
1763 
1764 int ssl_prepare_clienthello_tlsext(SSL *s)
1765 	{
1766 #ifndef OPENSSL_NO_EC
1767 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1768 	 * and elliptic curves we support.
1769 	 */
1770 	int using_ecc = 0;
1771 	int i;
1772 	unsigned char *j;
1773 	unsigned long alg_k, alg_a;
1774 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1775 
1776 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1777 		{
1778 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1779 
1780 		alg_k = c->algorithm_mkey;
1781 		alg_a = c->algorithm_auth;
1782 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1783 			{
1784 			using_ecc = 1;
1785 			break;
1786 			}
1787 		}
1788 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1789 	if (using_ecc)
1790 		{
1791 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1792 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1793 			{
1794 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1795 			return -1;
1796 			}
1797 		s->tlsext_ecpointformatlist_length = 3;
1798 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1799 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1800 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1801 
1802 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1803 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1804 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1805 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1806 			{
1807 			s->tlsext_ellipticcurvelist_length = 0;
1808 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1809 			return -1;
1810 			}
1811 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1812 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
1813 			{
1814 			int id = tls1_ec_nid2curve_id(pref_list[i]);
1815 			s2n(id,j);
1816 			}
1817 		}
1818 #endif /* OPENSSL_NO_EC */
1819 
1820 #ifdef TLSEXT_TYPE_opaque_prf_input
1821  	{
1822 		int r = 1;
1823 
1824 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1825 			{
1826 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1827 			if (!r)
1828 				return -1;
1829 			}
1830 
1831 		if (s->tlsext_opaque_prf_input != NULL)
1832 			{
1833 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1834 				OPENSSL_free(s->s3->client_opaque_prf_input);
1835 
1836 			if (s->tlsext_opaque_prf_input_len == 0)
1837 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1838 			else
1839 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1840 			if (s->s3->client_opaque_prf_input == NULL)
1841 				{
1842 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1843 				return -1;
1844 				}
1845 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1846 			}
1847 
1848 		if (r == 2)
1849 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1850 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1851 	}
1852 #endif
1853 
1854 	return 1;
1855 	}
1856 
1857 int ssl_prepare_serverhello_tlsext(SSL *s)
1858 	{
1859 #ifndef OPENSSL_NO_EC
1860 	/* If we are server and using an ECC cipher suite, send the point formats we support
1861 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1862 	 * supposed to send an EllipticCurves extension.
1863 	 */
1864 
1865 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1866 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1867 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1868 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1869 
1870 	if (using_ecc)
1871 		{
1872 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1873 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1874 			{
1875 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1876 			return -1;
1877 			}
1878 		s->tlsext_ecpointformatlist_length = 3;
1879 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1880 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1881 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1882 		}
1883 #endif /* OPENSSL_NO_EC */
1884 
1885 	return 1;
1886 	}
1887 
1888 int ssl_check_clienthello_tlsext_early(SSL *s)
1889 	{
1890 	int ret=SSL_TLSEXT_ERR_NOACK;
1891 	int al = SSL_AD_UNRECOGNIZED_NAME;
1892 
1893 #ifndef OPENSSL_NO_EC
1894 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1895 	 * ssl3_choose_cipher in s3_lib.c.
1896 	 */
1897 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1898 	 * ssl3_choose_cipher in s3_lib.c.
1899 	 */
1900 #endif
1901 
1902 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1903 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1904 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1905 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1906 
1907 #ifdef TLSEXT_TYPE_opaque_prf_input
1908  	{
1909 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1910 		 * but we might be sending an alert in response to the client hello,
1911 		 * so this has to happen here in
1912 		 * ssl_check_clienthello_tlsext_early(). */
1913 
1914 		int r = 1;
1915 
1916 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1917 			{
1918 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1919 			if (!r)
1920 				{
1921 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1922 				al = SSL_AD_INTERNAL_ERROR;
1923 				goto err;
1924 				}
1925 			}
1926 
1927 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1928 			OPENSSL_free(s->s3->server_opaque_prf_input);
1929 		s->s3->server_opaque_prf_input = NULL;
1930 
1931 		if (s->tlsext_opaque_prf_input != NULL)
1932 			{
1933 			if (s->s3->client_opaque_prf_input != NULL &&
1934 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1935 				{
1936 				/* can only use this extension if we have a server opaque PRF input
1937 				 * of the same length as the client opaque PRF input! */
1938 
1939 				if (s->tlsext_opaque_prf_input_len == 0)
1940 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1941 				else
1942 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1943 				if (s->s3->server_opaque_prf_input == NULL)
1944 					{
1945 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1946 					al = SSL_AD_INTERNAL_ERROR;
1947 					goto err;
1948 					}
1949 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1950 				}
1951 			}
1952 
1953 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1954 			{
1955 			/* The callback wants to enforce use of the extension,
1956 			 * but we can't do that with the client opaque PRF input;
1957 			 * abort the handshake.
1958 			 */
1959 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1960 			al = SSL_AD_HANDSHAKE_FAILURE;
1961 			}
1962 	}
1963 
1964  err:
1965 #endif
1966 	switch (ret)
1967 		{
1968 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1969 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1970 			return -1;
1971 
1972 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1973 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1974 			return 1;
1975 
1976 		case SSL_TLSEXT_ERR_NOACK:
1977 			s->servername_done=0;
1978 			default:
1979 		return 1;
1980 		}
1981 	}
1982 
1983 int ssl_check_clienthello_tlsext_late(SSL *s)
1984 	{
1985 	int ret = SSL_TLSEXT_ERR_OK;
1986 	int al;
1987 
1988 	/* If status request then ask callback what to do.
1989  	 * Note: this must be called after servername callbacks in case
1990  	 * the certificate has changed, and must be called after the cipher
1991 	 * has been chosen because this may influence which certificate is sent
1992  	 */
1993 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1994 		{
1995 		int r;
1996 		CERT_PKEY *certpkey;
1997 		certpkey = ssl_get_server_send_pkey(s);
1998 		/* If no certificate can't return certificate status */
1999 		if (certpkey == NULL)
2000 			{
2001 			s->tlsext_status_expected = 0;
2002 			return 1;
2003 			}
2004 		/* Set current certificate to one we will use so
2005 		 * SSL_get_certificate et al can pick it up.
2006 		 */
2007 		s->cert->key = certpkey;
2008 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2009 		switch (r)
2010 			{
2011 			/* We don't want to send a status request response */
2012 			case SSL_TLSEXT_ERR_NOACK:
2013 				s->tlsext_status_expected = 0;
2014 				break;
2015 			/* status request response should be sent */
2016 			case SSL_TLSEXT_ERR_OK:
2017 				if (s->tlsext_ocsp_resp)
2018 					s->tlsext_status_expected = 1;
2019 				else
2020 					s->tlsext_status_expected = 0;
2021 				break;
2022 			/* something bad happened */
2023 			case SSL_TLSEXT_ERR_ALERT_FATAL:
2024 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2025 				al = SSL_AD_INTERNAL_ERROR;
2026 				goto err;
2027 			}
2028 		}
2029 	else
2030 		s->tlsext_status_expected = 0;
2031 
2032  err:
2033 	switch (ret)
2034 		{
2035 		case SSL_TLSEXT_ERR_ALERT_FATAL:
2036 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2037 			return -1;
2038 
2039 		case SSL_TLSEXT_ERR_ALERT_WARNING:
2040 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2041 			return 1;
2042 
2043 		default:
2044 			return 1;
2045 		}
2046 	}
2047 
2048 int ssl_check_serverhello_tlsext(SSL *s)
2049 	{
2050 	int ret=SSL_TLSEXT_ERR_NOACK;
2051 	int al = SSL_AD_UNRECOGNIZED_NAME;
2052 
2053 #ifndef OPENSSL_NO_EC
2054 	/* If we are client and using an elliptic curve cryptography cipher
2055 	 * suite, then if server returns an EC point formats lists extension
2056 	 * it must contain uncompressed.
2057 	 */
2058 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2059 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2060 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2061 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2062 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2063 		{
2064 		/* we are using an ECC cipher */
2065 		size_t i;
2066 		unsigned char *list;
2067 		int found_uncompressed = 0;
2068 		list = s->session->tlsext_ecpointformatlist;
2069 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2070 			{
2071 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2072 				{
2073 				found_uncompressed = 1;
2074 				break;
2075 				}
2076 			}
2077 		if (!found_uncompressed)
2078 			{
2079 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2080 			return -1;
2081 			}
2082 		}
2083 	ret = SSL_TLSEXT_ERR_OK;
2084 #endif /* OPENSSL_NO_EC */
2085 
2086 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2087 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2088 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2089 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2090 
2091 #ifdef TLSEXT_TYPE_opaque_prf_input
2092 	if (s->s3->server_opaque_prf_input_len > 0)
2093 		{
2094 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2095 		 * So first verify that we really have a value from the server too. */
2096 
2097 		if (s->s3->server_opaque_prf_input == NULL)
2098 			{
2099 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2100 			al = SSL_AD_HANDSHAKE_FAILURE;
2101 			}
2102 
2103 		/* Anytime the server *has* sent an opaque PRF input, we need to check
2104 		 * that we have a client opaque PRF input of the same size. */
2105 		if (s->s3->client_opaque_prf_input == NULL ||
2106 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2107 			{
2108 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2109 			al = SSL_AD_ILLEGAL_PARAMETER;
2110 			}
2111 		}
2112 #endif
2113 
2114 	/* If we've requested certificate status and we wont get one
2115  	 * tell the callback
2116  	 */
2117 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2118 			&& s->ctx && s->ctx->tlsext_status_cb)
2119 		{
2120 		int r;
2121 		/* Set resp to NULL, resplen to -1 so callback knows
2122  		 * there is no response.
2123  		 */
2124 		if (s->tlsext_ocsp_resp)
2125 			{
2126 			OPENSSL_free(s->tlsext_ocsp_resp);
2127 			s->tlsext_ocsp_resp = NULL;
2128 			}
2129 		s->tlsext_ocsp_resplen = -1;
2130 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2131 		if (r == 0)
2132 			{
2133 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2134 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2135 			}
2136 		if (r < 0)
2137 			{
2138 			al = SSL_AD_INTERNAL_ERROR;
2139 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2140 			}
2141 		}
2142 
2143 	switch (ret)
2144 		{
2145 		case SSL_TLSEXT_ERR_ALERT_FATAL:
2146 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2147 			return -1;
2148 
2149 		case SSL_TLSEXT_ERR_ALERT_WARNING:
2150 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2151 			return 1;
2152 
2153 		case SSL_TLSEXT_ERR_NOACK:
2154 			s->servername_done=0;
2155 			default:
2156 		return 1;
2157 		}
2158 	}
2159 
2160 /* Since the server cache lookup is done early on in the processing of the
2161  * ClientHello, and other operations depend on the result, we need to handle
2162  * any TLS session ticket extension at the same time.
2163  *
2164  *   session_id: points at the session ID in the ClientHello. This code will
2165  *       read past the end of this in order to parse out the session ticket
2166  *       extension, if any.
2167  *   len: the length of the session ID.
2168  *   limit: a pointer to the first byte after the ClientHello.
2169  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2170  *       point to the resulting session.
2171  *
2172  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2173  * ciphersuite, in which case we have no use for session tickets and one will
2174  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2175  *
2176  * Returns:
2177  *   -1: fatal error, either from parsing or decrypting the ticket.
2178  *    0: no ticket was found (or was ignored, based on settings).
2179  *    1: a zero length extension was found, indicating that the client supports
2180  *       session tickets but doesn't currently have one to offer.
2181  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2182  *       couldn't be decrypted because of a non-fatal error.
2183  *    3: a ticket was successfully decrypted and *ret was set.
2184  *
2185  * Side effects:
2186  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2187  *   a new session ticket to the client because the client indicated support
2188  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2189  *   a session ticket or we couldn't use the one it gave us, or if
2190  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2191  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2192  */
2193 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2194 			const unsigned char *limit, SSL_SESSION **ret)
2195 	{
2196 	/* Point after session ID in client hello */
2197 	const unsigned char *p = session_id + len;
2198 	unsigned short i;
2199 
2200 	*ret = NULL;
2201 	s->tlsext_ticket_expected = 0;
2202 
2203 	/* If tickets disabled behave as if no ticket present
2204 	 * to permit stateful resumption.
2205 	 */
2206 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2207 		return 0;
2208 	if ((s->version <= SSL3_VERSION) || !limit)
2209 		return 0;
2210 	if (p >= limit)
2211 		return -1;
2212 	/* Skip past DTLS cookie */
2213 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2214 		{
2215 		i = *(p++);
2216 		p+= i;
2217 		if (p >= limit)
2218 			return -1;
2219 		}
2220 	/* Skip past cipher list */
2221 	n2s(p, i);
2222 	p+= i;
2223 	if (p >= limit)
2224 		return -1;
2225 	/* Skip past compression algorithm list */
2226 	i = *(p++);
2227 	p += i;
2228 	if (p > limit)
2229 		return -1;
2230 	/* Now at start of extensions */
2231 	if ((p + 2) >= limit)
2232 		return 0;
2233 	n2s(p, i);
2234 	while ((p + 4) <= limit)
2235 		{
2236 		unsigned short type, size;
2237 		n2s(p, type);
2238 		n2s(p, size);
2239 		if (p + size > limit)
2240 			return 0;
2241 		if (type == TLSEXT_TYPE_session_ticket)
2242 			{
2243 			int r;
2244 			if (size == 0)
2245 				{
2246 				/* The client will accept a ticket but doesn't
2247 				 * currently have one. */
2248 				s->tlsext_ticket_expected = 1;
2249 				return 1;
2250 				}
2251 			if (s->tls_session_secret_cb)
2252 				{
2253 				/* Indicate that the ticket couldn't be
2254 				 * decrypted rather than generating the session
2255 				 * from ticket now, trigger abbreviated
2256 				 * handshake based on external mechanism to
2257 				 * calculate the master secret later. */
2258 				return 2;
2259 				}
2260 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2261 			switch (r)
2262 				{
2263 				case 2: /* ticket couldn't be decrypted */
2264 					s->tlsext_ticket_expected = 1;
2265 					return 2;
2266 				case 3: /* ticket was decrypted */
2267 					return r;
2268 				case 4: /* ticket decrypted but need to renew */
2269 					s->tlsext_ticket_expected = 1;
2270 					return 3;
2271 				default: /* fatal error */
2272 					return -1;
2273 				}
2274 			}
2275 		p += size;
2276 		}
2277 	return 0;
2278 	}
2279 
2280 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2281  *
2282  *   etick: points to the body of the session ticket extension.
2283  *   eticklen: the length of the session tickets extenion.
2284  *   sess_id: points at the session ID.
2285  *   sesslen: the length of the session ID.
2286  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2287  *       point to the resulting session.
2288  *
2289  * Returns:
2290  *   -1: fatal error, either from parsing or decrypting the ticket.
2291  *    2: the ticket couldn't be decrypted.
2292  *    3: a ticket was successfully decrypted and *psess was set.
2293  *    4: same as 3, but the ticket needs to be renewed.
2294  */
2295 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2296 				const unsigned char *sess_id, int sesslen,
2297 				SSL_SESSION **psess)
2298 	{
2299 	SSL_SESSION *sess;
2300 	unsigned char *sdec;
2301 	const unsigned char *p;
2302 	int slen, mlen, renew_ticket = 0;
2303 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2304 	HMAC_CTX hctx;
2305 	EVP_CIPHER_CTX ctx;
2306 	SSL_CTX *tctx = s->initial_ctx;
2307 	/* Need at least keyname + iv + some encrypted data */
2308 	if (eticklen < 48)
2309 		return 2;
2310 	/* Initialize session ticket encryption and HMAC contexts */
2311 	HMAC_CTX_init(&hctx);
2312 	EVP_CIPHER_CTX_init(&ctx);
2313 	if (tctx->tlsext_ticket_key_cb)
2314 		{
2315 		unsigned char *nctick = (unsigned char *)etick;
2316 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2317 							&ctx, &hctx, 0);
2318 		if (rv < 0)
2319 			return -1;
2320 		if (rv == 0)
2321 			return 2;
2322 		if (rv == 2)
2323 			renew_ticket = 1;
2324 		}
2325 	else
2326 		{
2327 		/* Check key name matches */
2328 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2329 			return 2;
2330 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2331 					tlsext_tick_md(), NULL);
2332 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2333 				tctx->tlsext_tick_aes_key, etick + 16);
2334 		}
2335 	/* Attempt to process session ticket, first conduct sanity and
2336 	 * integrity checks on ticket.
2337 	 */
2338 	mlen = HMAC_size(&hctx);
2339 	if (mlen < 0)
2340 		{
2341 		EVP_CIPHER_CTX_cleanup(&ctx);
2342 		return -1;
2343 		}
2344 	eticklen -= mlen;
2345 	/* Check HMAC of encrypted ticket */
2346 	HMAC_Update(&hctx, etick, eticklen);
2347 	HMAC_Final(&hctx, tick_hmac, NULL);
2348 	HMAC_CTX_cleanup(&hctx);
2349 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2350 		return 2;
2351 	/* Attempt to decrypt session data */
2352 	/* Move p after IV to start of encrypted ticket, update length */
2353 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2354 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2355 	sdec = OPENSSL_malloc(eticklen);
2356 	if (!sdec)
2357 		{
2358 		EVP_CIPHER_CTX_cleanup(&ctx);
2359 		return -1;
2360 		}
2361 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2362 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2363 		{
2364 		EVP_CIPHER_CTX_cleanup(&ctx);
2365 		OPENSSL_free(sdec);
2366 		return 2;
2367 		}
2368 	slen += mlen;
2369 	EVP_CIPHER_CTX_cleanup(&ctx);
2370 	p = sdec;
2371 
2372 	sess = d2i_SSL_SESSION(NULL, &p, slen);
2373 	OPENSSL_free(sdec);
2374 	if (sess)
2375 		{
2376 		/* The session ID, if non-empty, is used by some clients to
2377 		 * detect that the ticket has been accepted. So we copy it to
2378 		 * the session structure. If it is empty set length to zero
2379 		 * as required by standard.
2380 		 */
2381 		if (sesslen)
2382 			memcpy(sess->session_id, sess_id, sesslen);
2383 		sess->session_id_length = sesslen;
2384 		*psess = sess;
2385 		if (renew_ticket)
2386 			return 4;
2387 		else
2388 			return 3;
2389 		}
2390         ERR_clear_error();
2391 	/* For session parse failure, indicate that we need to send a new
2392 	 * ticket. */
2393 	return 2;
2394 	}
2395 
2396 /* Tables to translate from NIDs to TLS v1.2 ids */
2397 
2398 typedef struct
2399 	{
2400 	int nid;
2401 	int id;
2402 	} tls12_lookup;
2403 
2404 static tls12_lookup tls12_md[] = {
2405 #ifndef OPENSSL_NO_MD5
2406 	{NID_md5, TLSEXT_hash_md5},
2407 #endif
2408 #ifndef OPENSSL_NO_SHA
2409 	{NID_sha1, TLSEXT_hash_sha1},
2410 #endif
2411 #ifndef OPENSSL_NO_SHA256
2412 	{NID_sha224, TLSEXT_hash_sha224},
2413 	{NID_sha256, TLSEXT_hash_sha256},
2414 #endif
2415 #ifndef OPENSSL_NO_SHA512
2416 	{NID_sha384, TLSEXT_hash_sha384},
2417 	{NID_sha512, TLSEXT_hash_sha512}
2418 #endif
2419 };
2420 
2421 static tls12_lookup tls12_sig[] = {
2422 #ifndef OPENSSL_NO_RSA
2423 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2424 #endif
2425 #ifndef OPENSSL_NO_DSA
2426 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
2427 #endif
2428 #ifndef OPENSSL_NO_ECDSA
2429 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2430 #endif
2431 };
2432 
2433 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2434 	{
2435 	size_t i;
2436 	for (i = 0; i < tlen; i++)
2437 		{
2438 		if (table[i].nid == nid)
2439 			return table[i].id;
2440 		}
2441 	return -1;
2442 	}
2443 #if 0
2444 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2445 	{
2446 	size_t i;
2447 	for (i = 0; i < tlen; i++)
2448 		{
2449 		if (table[i].id == id)
2450 			return table[i].nid;
2451 		}
2452 	return -1;
2453 	}
2454 #endif
2455 
2456 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2457 	{
2458 	int sig_id, md_id;
2459 	if (!md)
2460 		return 0;
2461 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2462 				sizeof(tls12_md)/sizeof(tls12_lookup));
2463 	if (md_id == -1)
2464 		return 0;
2465 	sig_id = tls12_get_sigid(pk);
2466 	if (sig_id == -1)
2467 		return 0;
2468 	p[0] = (unsigned char)md_id;
2469 	p[1] = (unsigned char)sig_id;
2470 	return 1;
2471 	}
2472 
2473 int tls12_get_sigid(const EVP_PKEY *pk)
2474 	{
2475 	return tls12_find_id(pk->type, tls12_sig,
2476 				sizeof(tls12_sig)/sizeof(tls12_lookup));
2477 	}
2478 
2479 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2480 	{
2481 	switch(hash_alg)
2482 		{
2483 #ifndef OPENSSL_NO_SHA
2484 		case TLSEXT_hash_sha1:
2485 		return EVP_sha1();
2486 #endif
2487 #ifndef OPENSSL_NO_SHA256
2488 		case TLSEXT_hash_sha224:
2489 		return EVP_sha224();
2490 
2491 		case TLSEXT_hash_sha256:
2492 		return EVP_sha256();
2493 #endif
2494 #ifndef OPENSSL_NO_SHA512
2495 		case TLSEXT_hash_sha384:
2496 		return EVP_sha384();
2497 
2498 		case TLSEXT_hash_sha512:
2499 		return EVP_sha512();
2500 #endif
2501 		default:
2502 		return NULL;
2503 
2504 		}
2505 	}
2506 
2507 /* Set preferred digest for each key type */
2508 
2509 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2510 	{
2511 	int i, idx;
2512 	const EVP_MD *md;
2513 	CERT *c = s->cert;
2514 	/* Extension ignored for TLS versions below 1.2 */
2515 	if (TLS1_get_version(s) < TLS1_2_VERSION)
2516 		return 1;
2517 	/* Should never happen */
2518 	if (!c)
2519 		return 0;
2520 
2521 	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2522 	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2523 	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2524 	c->pkeys[SSL_PKEY_ECC].digest = NULL;
2525 
2526 	for (i = 0; i < dsize; i += 2)
2527 		{
2528 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
2529 
2530 		switch(sig_alg)
2531 			{
2532 #ifndef OPENSSL_NO_RSA
2533 			case TLSEXT_signature_rsa:
2534 			idx = SSL_PKEY_RSA_SIGN;
2535 			break;
2536 #endif
2537 #ifndef OPENSSL_NO_DSA
2538 			case TLSEXT_signature_dsa:
2539 			idx = SSL_PKEY_DSA_SIGN;
2540 			break;
2541 #endif
2542 #ifndef OPENSSL_NO_ECDSA
2543 			case TLSEXT_signature_ecdsa:
2544 			idx = SSL_PKEY_ECC;
2545 			break;
2546 #endif
2547 			default:
2548 			continue;
2549 			}
2550 
2551 		if (c->pkeys[idx].digest == NULL)
2552 			{
2553 			md = tls12_get_hash(hash_alg);
2554 			if (md)
2555 				{
2556 				c->pkeys[idx].digest = md;
2557 				if (idx == SSL_PKEY_RSA_SIGN)
2558 					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2559 				}
2560 			}
2561 
2562 		}
2563 
2564 
2565 	/* Set any remaining keys to default values. NOTE: if alg is not
2566 	 * supported it stays as NULL.
2567 	 */
2568 #ifndef OPENSSL_NO_DSA
2569 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2570 		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2571 #endif
2572 #ifndef OPENSSL_NO_RSA
2573 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2574 		{
2575 		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2576 		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2577 		}
2578 #endif
2579 #ifndef OPENSSL_NO_ECDSA
2580 	if (!c->pkeys[SSL_PKEY_ECC].digest)
2581 		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2582 #endif
2583 	return 1;
2584 	}
2585 
2586 #endif
2587 
2588 #ifndef OPENSSL_NO_HEARTBEATS
2589 int
2590 tls1_process_heartbeat(SSL *s)
2591 	{
2592 	unsigned char *p = &s->s3->rrec.data[0], *pl;
2593 	unsigned short hbtype;
2594 	unsigned int payload;
2595 	unsigned int padding = 16; /* Use minimum padding */
2596 
2597 	if (s->msg_callback)
2598 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2599 			&s->s3->rrec.data[0], s->s3->rrec.length,
2600 			s, s->msg_callback_arg);
2601 
2602 	/* Read type and payload length first */
2603 	if (1 + 2 + 16 > s->s3->rrec.length)
2604 		return 0; /* silently discard */
2605 	hbtype = *p++;
2606 	n2s(p, payload);
2607 	if (1 + 2 + payload + 16 > s->s3->rrec.length)
2608 		return 0; /* silently discard per RFC 6520 sec. 4 */
2609 	pl = p;
2610 
2611 	if (hbtype == TLS1_HB_REQUEST)
2612 		{
2613 		unsigned char *buffer, *bp;
2614 		int r;
2615 
2616 		/* Allocate memory for the response, size is 1 bytes
2617 		 * message type, plus 2 bytes payload length, plus
2618 		 * payload, plus padding
2619 		 */
2620 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2621 		bp = buffer;
2622 
2623 		/* Enter response type, length and copy payload */
2624 		*bp++ = TLS1_HB_RESPONSE;
2625 		s2n(payload, bp);
2626 		memcpy(bp, pl, payload);
2627 		bp += payload;
2628 		/* Random padding */
2629 		RAND_pseudo_bytes(bp, padding);
2630 
2631 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2632 
2633 		if (r >= 0 && s->msg_callback)
2634 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2635 				buffer, 3 + payload + padding,
2636 				s, s->msg_callback_arg);
2637 
2638 		OPENSSL_free(buffer);
2639 
2640 		if (r < 0)
2641 			return r;
2642 		}
2643 	else if (hbtype == TLS1_HB_RESPONSE)
2644 		{
2645 		unsigned int seq;
2646 
2647 		/* We only send sequence numbers (2 bytes unsigned int),
2648 		 * and 16 random bytes, so we just try to read the
2649 		 * sequence number */
2650 		n2s(pl, seq);
2651 
2652 		if (payload == 18 && seq == s->tlsext_hb_seq)
2653 			{
2654 			s->tlsext_hb_seq++;
2655 			s->tlsext_hb_pending = 0;
2656 			}
2657 		}
2658 
2659 	return 0;
2660 	}
2661 
2662 int
2663 tls1_heartbeat(SSL *s)
2664 	{
2665 	unsigned char *buf, *p;
2666 	int ret;
2667 	unsigned int payload = 18; /* Sequence number + random bytes */
2668 	unsigned int padding = 16; /* Use minimum padding */
2669 
2670 	/* Only send if peer supports and accepts HB requests... */
2671 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2672 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2673 		{
2674 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2675 		return -1;
2676 		}
2677 
2678 	/* ...and there is none in flight yet... */
2679 	if (s->tlsext_hb_pending)
2680 		{
2681 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2682 		return -1;
2683 		}
2684 
2685 	/* ...and no handshake in progress. */
2686 	if (SSL_in_init(s) || s->in_handshake)
2687 		{
2688 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2689 		return -1;
2690 		}
2691 
2692 	/* Check if padding is too long, payload and padding
2693 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
2694 	 */
2695 	OPENSSL_assert(payload + padding <= 16381);
2696 
2697 	/* Create HeartBeat message, we just use a sequence number
2698 	 * as payload to distuingish different messages and add
2699 	 * some random stuff.
2700 	 *  - Message Type, 1 byte
2701 	 *  - Payload Length, 2 bytes (unsigned int)
2702 	 *  - Payload, the sequence number (2 bytes uint)
2703 	 *  - Payload, random bytes (16 bytes uint)
2704 	 *  - Padding
2705 	 */
2706 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2707 	p = buf;
2708 	/* Message Type */
2709 	*p++ = TLS1_HB_REQUEST;
2710 	/* Payload length (18 bytes here) */
2711 	s2n(payload, p);
2712 	/* Sequence number */
2713 	s2n(s->tlsext_hb_seq, p);
2714 	/* 16 random bytes */
2715 	RAND_pseudo_bytes(p, 16);
2716 	p += 16;
2717 	/* Random padding */
2718 	RAND_pseudo_bytes(p, padding);
2719 
2720 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2721 	if (ret >= 0)
2722 		{
2723 		if (s->msg_callback)
2724 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2725 				buf, 3 + payload + padding,
2726 				s, s->msg_callback_arg);
2727 
2728 		s->tlsext_hb_pending = 1;
2729 		}
2730 
2731 	OPENSSL_free(buf);
2732 
2733 	return ret;
2734 	}
2735 #endif
2736