xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision 7e00348e7605b9906601438008341ffc37c00e2c)
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119 
120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121 
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124 				const unsigned char *sess_id, int sesslen,
125 				SSL_SESSION **psess);
126 #endif
127 
128 SSL3_ENC_METHOD TLSv1_enc_data={
129 	tls1_enc,
130 	tls1_mac,
131 	tls1_setup_key_block,
132 	tls1_generate_master_secret,
133 	tls1_change_cipher_state,
134 	tls1_final_finish_mac,
135 	TLS1_FINISH_MAC_LENGTH,
136 	tls1_cert_verify_mac,
137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139 	tls1_alert_code,
140 	tls1_export_keying_material,
141 	};
142 
143 long tls1_default_timeout(void)
144 	{
145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
146 	 * is way too long for http, the cache would over fill */
147 	return(60*60*2);
148 	}
149 
150 int tls1_new(SSL *s)
151 	{
152 	if (!ssl3_new(s)) return(0);
153 	s->method->ssl_clear(s);
154 	return(1);
155 	}
156 
157 void tls1_free(SSL *s)
158 	{
159 #ifndef OPENSSL_NO_TLSEXT
160 	if (s->tlsext_session_ticket)
161 		{
162 		OPENSSL_free(s->tlsext_session_ticket);
163 		}
164 #endif /* OPENSSL_NO_TLSEXT */
165 	ssl3_free(s);
166 	}
167 
168 void tls1_clear(SSL *s)
169 	{
170 	ssl3_clear(s);
171 	s->version = s->method->version;
172 	}
173 
174 #ifndef OPENSSL_NO_EC
175 
176 static int nid_list[] =
177 	{
178 		NID_sect163k1, /* sect163k1 (1) */
179 		NID_sect163r1, /* sect163r1 (2) */
180 		NID_sect163r2, /* sect163r2 (3) */
181 		NID_sect193r1, /* sect193r1 (4) */
182 		NID_sect193r2, /* sect193r2 (5) */
183 		NID_sect233k1, /* sect233k1 (6) */
184 		NID_sect233r1, /* sect233r1 (7) */
185 		NID_sect239k1, /* sect239k1 (8) */
186 		NID_sect283k1, /* sect283k1 (9) */
187 		NID_sect283r1, /* sect283r1 (10) */
188 		NID_sect409k1, /* sect409k1 (11) */
189 		NID_sect409r1, /* sect409r1 (12) */
190 		NID_sect571k1, /* sect571k1 (13) */
191 		NID_sect571r1, /* sect571r1 (14) */
192 		NID_secp160k1, /* secp160k1 (15) */
193 		NID_secp160r1, /* secp160r1 (16) */
194 		NID_secp160r2, /* secp160r2 (17) */
195 		NID_secp192k1, /* secp192k1 (18) */
196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
197 		NID_secp224k1, /* secp224k1 (20) */
198 		NID_secp224r1, /* secp224r1 (21) */
199 		NID_secp256k1, /* secp256k1 (22) */
200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
201 		NID_secp384r1, /* secp384r1 (24) */
202 		NID_secp521r1  /* secp521r1 (25) */
203 	};
204 
205 static int pref_list[] =
206 	{
207 		NID_sect571r1, /* sect571r1 (14) */
208 		NID_sect571k1, /* sect571k1 (13) */
209 		NID_secp521r1, /* secp521r1 (25) */
210 		NID_sect409k1, /* sect409k1 (11) */
211 		NID_sect409r1, /* sect409r1 (12) */
212 		NID_secp384r1, /* secp384r1 (24) */
213 		NID_sect283k1, /* sect283k1 (9) */
214 		NID_sect283r1, /* sect283r1 (10) */
215 		NID_secp256k1, /* secp256k1 (22) */
216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
217 		NID_sect239k1, /* sect239k1 (8) */
218 		NID_sect233k1, /* sect233k1 (6) */
219 		NID_sect233r1, /* sect233r1 (7) */
220 		NID_secp224k1, /* secp224k1 (20) */
221 		NID_secp224r1, /* secp224r1 (21) */
222 		NID_sect193r1, /* sect193r1 (4) */
223 		NID_sect193r2, /* sect193r2 (5) */
224 		NID_secp192k1, /* secp192k1 (18) */
225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
226 		NID_sect163k1, /* sect163k1 (1) */
227 		NID_sect163r1, /* sect163r1 (2) */
228 		NID_sect163r2, /* sect163r2 (3) */
229 		NID_secp160k1, /* secp160k1 (15) */
230 		NID_secp160r1, /* secp160r1 (16) */
231 		NID_secp160r2, /* secp160r2 (17) */
232 	};
233 
234 int tls1_ec_curve_id2nid(int curve_id)
235 	{
236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237 	if ((curve_id < 1) || ((unsigned int)curve_id >
238 				sizeof(nid_list)/sizeof(nid_list[0])))
239 		return 0;
240 	return nid_list[curve_id-1];
241 	}
242 
243 int tls1_ec_nid2curve_id(int nid)
244 	{
245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246 	switch (nid)
247 		{
248 	case NID_sect163k1: /* sect163k1 (1) */
249 		return 1;
250 	case NID_sect163r1: /* sect163r1 (2) */
251 		return 2;
252 	case NID_sect163r2: /* sect163r2 (3) */
253 		return 3;
254 	case NID_sect193r1: /* sect193r1 (4) */
255 		return 4;
256 	case NID_sect193r2: /* sect193r2 (5) */
257 		return 5;
258 	case NID_sect233k1: /* sect233k1 (6) */
259 		return 6;
260 	case NID_sect233r1: /* sect233r1 (7) */
261 		return 7;
262 	case NID_sect239k1: /* sect239k1 (8) */
263 		return 8;
264 	case NID_sect283k1: /* sect283k1 (9) */
265 		return 9;
266 	case NID_sect283r1: /* sect283r1 (10) */
267 		return 10;
268 	case NID_sect409k1: /* sect409k1 (11) */
269 		return 11;
270 	case NID_sect409r1: /* sect409r1 (12) */
271 		return 12;
272 	case NID_sect571k1: /* sect571k1 (13) */
273 		return 13;
274 	case NID_sect571r1: /* sect571r1 (14) */
275 		return 14;
276 	case NID_secp160k1: /* secp160k1 (15) */
277 		return 15;
278 	case NID_secp160r1: /* secp160r1 (16) */
279 		return 16;
280 	case NID_secp160r2: /* secp160r2 (17) */
281 		return 17;
282 	case NID_secp192k1: /* secp192k1 (18) */
283 		return 18;
284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
285 		return 19;
286 	case NID_secp224k1: /* secp224k1 (20) */
287 		return 20;
288 	case NID_secp224r1: /* secp224r1 (21) */
289 		return 21;
290 	case NID_secp256k1: /* secp256k1 (22) */
291 		return 22;
292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
293 		return 23;
294 	case NID_secp384r1: /* secp384r1 (24) */
295 		return 24;
296 	case NID_secp521r1:  /* secp521r1 (25) */
297 		return 25;
298 	default:
299 		return 0;
300 		}
301 	}
302 #endif /* OPENSSL_NO_EC */
303 
304 #ifndef OPENSSL_NO_TLSEXT
305 
306 /* List of supported signature algorithms and hashes. Should make this
307  * customisable at some point, for now include everything we support.
308  */
309 
310 #ifdef OPENSSL_NO_RSA
311 #define tlsext_sigalg_rsa(md) /* */
312 #else
313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314 #endif
315 
316 #ifdef OPENSSL_NO_DSA
317 #define tlsext_sigalg_dsa(md) /* */
318 #else
319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320 #endif
321 
322 #ifdef OPENSSL_NO_ECDSA
323 #define tlsext_sigalg_ecdsa(md) /* */
324 #else
325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326 #endif
327 
328 #define tlsext_sigalg(md) \
329 		tlsext_sigalg_rsa(md) \
330 		tlsext_sigalg_dsa(md) \
331 		tlsext_sigalg_ecdsa(md)
332 
333 static unsigned char tls12_sigalgs[] = {
334 #ifndef OPENSSL_NO_SHA512
335 	tlsext_sigalg(TLSEXT_hash_sha512)
336 	tlsext_sigalg(TLSEXT_hash_sha384)
337 #endif
338 #ifndef OPENSSL_NO_SHA256
339 	tlsext_sigalg(TLSEXT_hash_sha256)
340 	tlsext_sigalg(TLSEXT_hash_sha224)
341 #endif
342 #ifndef OPENSSL_NO_SHA
343 	tlsext_sigalg(TLSEXT_hash_sha1)
344 #endif
345 };
346 
347 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
348 	{
349 	size_t slen = sizeof(tls12_sigalgs);
350 	if (p)
351 		memcpy(p, tls12_sigalgs, slen);
352 	return (int)slen;
353 	}
354 
355 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
356 	{
357 	int extdatalen=0;
358 	unsigned char *orig = buf;
359 	unsigned char *ret = buf;
360 
361 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
362 	if (s->client_version == SSL3_VERSION
363 					&& !s->s3->send_connection_binding)
364 		return orig;
365 
366 	ret+=2;
367 
368 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
369 
370  	if (s->tlsext_hostname != NULL)
371 		{
372 		/* Add TLS extension servername to the Client Hello message */
373 		unsigned long size_str;
374 		long lenmax;
375 
376 		/* check for enough space.
377 		   4 for the servername type and entension length
378 		   2 for servernamelist length
379 		   1 for the hostname type
380 		   2 for hostname length
381 		   + hostname length
382 		*/
383 
384 		if ((lenmax = limit - ret - 9) < 0
385 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
386 			return NULL;
387 
388 		/* extension type and length */
389 		s2n(TLSEXT_TYPE_server_name,ret);
390 		s2n(size_str+5,ret);
391 
392 		/* length of servername list */
393 		s2n(size_str+3,ret);
394 
395 		/* hostname type, length and hostname */
396 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
397 		s2n(size_str,ret);
398 		memcpy(ret, s->tlsext_hostname, size_str);
399 		ret+=size_str;
400 		}
401 
402         /* Add RI if renegotiating */
403         if (s->renegotiate)
404           {
405           int el;
406 
407           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
408               {
409               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
410               return NULL;
411               }
412 
413           if((limit - ret - 4 - el) < 0) return NULL;
414 
415           s2n(TLSEXT_TYPE_renegotiate,ret);
416           s2n(el,ret);
417 
418           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
419               {
420               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
421               return NULL;
422               }
423 
424           ret += el;
425         }
426 
427 #ifndef OPENSSL_NO_SRP
428 	/* Add SRP username if there is one */
429 	if (s->srp_ctx.login != NULL)
430 		{ /* Add TLS extension SRP username to the Client Hello message */
431 
432 		int login_len = strlen(s->srp_ctx.login);
433 		if (login_len > 255 || login_len == 0)
434 			{
435 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
436 			return NULL;
437 			}
438 
439 		/* check for enough space.
440 		   4 for the srp type type and entension length
441 		   1 for the srp user identity
442 		   + srp user identity length
443 		*/
444 		if ((limit - ret - 5 - login_len) < 0) return NULL;
445 
446 		/* fill in the extension */
447 		s2n(TLSEXT_TYPE_srp,ret);
448 		s2n(login_len+1,ret);
449 		(*ret++) = (unsigned char) login_len;
450 		memcpy(ret, s->srp_ctx.login, login_len);
451 		ret+=login_len;
452 		}
453 #endif
454 
455 #ifndef OPENSSL_NO_EC
456 	if (s->tlsext_ecpointformatlist != NULL)
457 		{
458 		/* Add TLS extension ECPointFormats to the ClientHello message */
459 		long lenmax;
460 
461 		if ((lenmax = limit - ret - 5) < 0) return NULL;
462 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
463 		if (s->tlsext_ecpointformatlist_length > 255)
464 			{
465 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
466 			return NULL;
467 			}
468 
469 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
470 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
471 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
472 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
473 		ret+=s->tlsext_ecpointformatlist_length;
474 		}
475 	if (s->tlsext_ellipticcurvelist != NULL)
476 		{
477 		/* Add TLS extension EllipticCurves to the ClientHello message */
478 		long lenmax;
479 
480 		if ((lenmax = limit - ret - 6) < 0) return NULL;
481 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
482 		if (s->tlsext_ellipticcurvelist_length > 65532)
483 			{
484 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
485 			return NULL;
486 			}
487 
488 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
489 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
490 
491 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
492 		 * elliptic_curve_list, but the examples use two bytes.
493 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
494 		 * resolves this to two bytes.
495 		 */
496 		s2n(s->tlsext_ellipticcurvelist_length, ret);
497 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
498 		ret+=s->tlsext_ellipticcurvelist_length;
499 		}
500 #endif /* OPENSSL_NO_EC */
501 
502 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
503 		{
504 		int ticklen;
505 		if (!s->new_session && s->session && s->session->tlsext_tick)
506 			ticklen = s->session->tlsext_ticklen;
507 		else if (s->session && s->tlsext_session_ticket &&
508 			 s->tlsext_session_ticket->data)
509 			{
510 			ticklen = s->tlsext_session_ticket->length;
511 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
512 			if (!s->session->tlsext_tick)
513 				return NULL;
514 			memcpy(s->session->tlsext_tick,
515 			       s->tlsext_session_ticket->data,
516 			       ticklen);
517 			s->session->tlsext_ticklen = ticklen;
518 			}
519 		else
520 			ticklen = 0;
521 		if (ticklen == 0 && s->tlsext_session_ticket &&
522 		    s->tlsext_session_ticket->data == NULL)
523 			goto skip_ext;
524 		/* Check for enough room 2 for extension type, 2 for len
525  		 * rest for ticket
526   		 */
527 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
528 		s2n(TLSEXT_TYPE_session_ticket,ret);
529 		s2n(ticklen,ret);
530 		if (ticklen)
531 			{
532 			memcpy(ret, s->session->tlsext_tick, ticklen);
533 			ret += ticklen;
534 			}
535 		}
536 		skip_ext:
537 
538 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
539 		{
540 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
541 			return NULL;
542 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
543 		s2n(sizeof(tls12_sigalgs) + 2, ret);
544 		s2n(sizeof(tls12_sigalgs), ret);
545 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
546 		ret += sizeof(tls12_sigalgs);
547 		}
548 
549 #ifdef TLSEXT_TYPE_opaque_prf_input
550 	if (s->s3->client_opaque_prf_input != NULL &&
551 	    s->version != DTLS1_VERSION)
552 		{
553 		size_t col = s->s3->client_opaque_prf_input_len;
554 
555 		if ((long)(limit - ret - 6 - col < 0))
556 			return NULL;
557 		if (col > 0xFFFD) /* can't happen */
558 			return NULL;
559 
560 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
561 		s2n(col + 2, ret);
562 		s2n(col, ret);
563 		memcpy(ret, s->s3->client_opaque_prf_input, col);
564 		ret += col;
565 		}
566 #endif
567 
568 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
569 	    s->version != DTLS1_VERSION)
570 		{
571 		int i;
572 		long extlen, idlen, itmp;
573 		OCSP_RESPID *id;
574 
575 		idlen = 0;
576 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
577 			{
578 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
579 			itmp = i2d_OCSP_RESPID(id, NULL);
580 			if (itmp <= 0)
581 				return NULL;
582 			idlen += itmp + 2;
583 			}
584 
585 		if (s->tlsext_ocsp_exts)
586 			{
587 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
588 			if (extlen < 0)
589 				return NULL;
590 			}
591 		else
592 			extlen = 0;
593 
594 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
595 		s2n(TLSEXT_TYPE_status_request, ret);
596 		if (extlen + idlen > 0xFFF0)
597 			return NULL;
598 		s2n(extlen + idlen + 5, ret);
599 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
600 		s2n(idlen, ret);
601 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
602 			{
603 			/* save position of id len */
604 			unsigned char *q = ret;
605 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
606 			/* skip over id len */
607 			ret += 2;
608 			itmp = i2d_OCSP_RESPID(id, &ret);
609 			/* write id len */
610 			s2n(itmp, q);
611 			}
612 		s2n(extlen, ret);
613 		if (extlen > 0)
614 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
615 		}
616 
617 #ifndef OPENSSL_NO_HEARTBEATS
618 	/* Add Heartbeat extension */
619 	if ((limit - ret - 4 - 1) < 0)
620 		return NULL;
621 	s2n(TLSEXT_TYPE_heartbeat,ret);
622 	s2n(1,ret);
623 	/* Set mode:
624 	 * 1: peer may send requests
625 	 * 2: peer not allowed to send requests
626 	 */
627 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
628 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
629 	else
630 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
631 #endif
632 
633 #ifndef OPENSSL_NO_NEXTPROTONEG
634 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
635 		{
636 		/* The client advertises an emtpy extension to indicate its
637 		 * support for Next Protocol Negotiation */
638 		if (limit - ret - 4 < 0)
639 			return NULL;
640 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
641 		s2n(0,ret);
642 		}
643 #endif
644 
645 #ifndef OPENSSL_NO_SRTP
646 	if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
647                 {
648                 int el;
649 
650                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
651 
652                 if((limit - ret - 4 - el) < 0) return NULL;
653 
654                 s2n(TLSEXT_TYPE_use_srtp,ret);
655                 s2n(el,ret);
656 
657                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
658 			{
659 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
660 			return NULL;
661 			}
662                 ret += el;
663                 }
664 #endif
665 	/* Add padding to workaround bugs in F5 terminators.
666 	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
667 	 *
668 	 * NB: because this code works out the length of all existing
669 	 * extensions it MUST always appear last.
670 	 */
671 	if (s->options & SSL_OP_TLSEXT_PADDING)
672 		{
673 		int hlen = ret - (unsigned char *)s->init_buf->data;
674 		/* The code in s23_clnt.c to build ClientHello messages
675 		 * includes the 5-byte record header in the buffer, while
676 		 * the code in s3_clnt.c does not.
677 		 */
678 		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
679 			hlen -= 5;
680 		if (hlen > 0xff && hlen < 0x200)
681 			{
682 			hlen = 0x200 - hlen;
683 			if (hlen >= 4)
684 				hlen -= 4;
685 			else
686 				hlen = 0;
687 
688 			s2n(TLSEXT_TYPE_padding, ret);
689 			s2n(hlen, ret);
690 			memset(ret, 0, hlen);
691 			ret += hlen;
692 			}
693 		}
694 
695 	if ((extdatalen = ret-orig-2)== 0)
696 		return orig;
697 
698 	s2n(extdatalen, orig);
699 	return ret;
700 	}
701 
702 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
703 	{
704 	int extdatalen=0;
705 	unsigned char *orig = buf;
706 	unsigned char *ret = buf;
707 #ifndef OPENSSL_NO_NEXTPROTONEG
708 	int next_proto_neg_seen;
709 #endif
710 
711 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
712 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
713 		return orig;
714 
715 	ret+=2;
716 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
717 
718 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
719 		{
720 		if ((long)(limit - ret - 4) < 0) return NULL;
721 
722 		s2n(TLSEXT_TYPE_server_name,ret);
723 		s2n(0,ret);
724 		}
725 
726 	if(s->s3->send_connection_binding)
727         {
728           int el;
729 
730           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
731               {
732               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733               return NULL;
734               }
735 
736           if((limit - ret - 4 - el) < 0) return NULL;
737 
738           s2n(TLSEXT_TYPE_renegotiate,ret);
739           s2n(el,ret);
740 
741           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
742               {
743               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
744               return NULL;
745               }
746 
747           ret += el;
748         }
749 
750 #ifndef OPENSSL_NO_EC
751 	if (s->tlsext_ecpointformatlist != NULL)
752 		{
753 		/* Add TLS extension ECPointFormats to the ServerHello message */
754 		long lenmax;
755 
756 		if ((lenmax = limit - ret - 5) < 0) return NULL;
757 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758 		if (s->tlsext_ecpointformatlist_length > 255)
759 			{
760 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761 			return NULL;
762 			}
763 
764 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
765 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
766 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768 		ret+=s->tlsext_ecpointformatlist_length;
769 
770 		}
771 	/* Currently the server should not respond with a SupportedCurves extension */
772 #endif /* OPENSSL_NO_EC */
773 
774 	if (s->tlsext_ticket_expected
775 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
776 		{
777 		if ((long)(limit - ret - 4) < 0) return NULL;
778 		s2n(TLSEXT_TYPE_session_ticket,ret);
779 		s2n(0,ret);
780 		}
781 
782 	if (s->tlsext_status_expected)
783 		{
784 		if ((long)(limit - ret - 4) < 0) return NULL;
785 		s2n(TLSEXT_TYPE_status_request,ret);
786 		s2n(0,ret);
787 		}
788 
789 #ifdef TLSEXT_TYPE_opaque_prf_input
790 	if (s->s3->server_opaque_prf_input != NULL &&
791 	    s->version != DTLS1_VERSION)
792 		{
793 		size_t sol = s->s3->server_opaque_prf_input_len;
794 
795 		if ((long)(limit - ret - 6 - sol) < 0)
796 			return NULL;
797 		if (sol > 0xFFFD) /* can't happen */
798 			return NULL;
799 
800 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
801 		s2n(sol + 2, ret);
802 		s2n(sol, ret);
803 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
804 		ret += sol;
805 		}
806 #endif
807 
808 #ifndef OPENSSL_NO_SRTP
809 	if(SSL_IS_DTLS(s) && s->srtp_profile)
810                 {
811                 int el;
812 
813                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814 
815                 if((limit - ret - 4 - el) < 0) return NULL;
816 
817                 s2n(TLSEXT_TYPE_use_srtp,ret);
818                 s2n(el,ret);
819 
820                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
821 			{
822 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823 			return NULL;
824 			}
825                 ret+=el;
826                 }
827 #endif
828 
829 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
830 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
831 		{ const unsigned char cryptopro_ext[36] = {
832 			0xfd, 0xe8, /*65000*/
833 			0x00, 0x20, /*32 bytes length*/
834 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
838 			if (limit-ret<36) return NULL;
839 			memcpy(ret,cryptopro_ext,36);
840 			ret+=36;
841 
842 		}
843 
844 #ifndef OPENSSL_NO_HEARTBEATS
845 	/* Add Heartbeat extension if we've received one */
846 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
847 		{
848 		if ((limit - ret - 4 - 1) < 0)
849 			return NULL;
850 		s2n(TLSEXT_TYPE_heartbeat,ret);
851 		s2n(1,ret);
852 		/* Set mode:
853 		 * 1: peer may send requests
854 		 * 2: peer not allowed to send requests
855 		 */
856 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
857 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
858 		else
859 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
860 
861 		}
862 #endif
863 
864 #ifndef OPENSSL_NO_NEXTPROTONEG
865 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
866 	s->s3->next_proto_neg_seen = 0;
867 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
868 		{
869 		const unsigned char *npa;
870 		unsigned int npalen;
871 		int r;
872 
873 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
874 		if (r == SSL_TLSEXT_ERR_OK)
875 			{
876 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
877 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
878 			s2n(npalen,ret);
879 			memcpy(ret, npa, npalen);
880 			ret += npalen;
881 			s->s3->next_proto_neg_seen = 1;
882 			}
883 		}
884 #endif
885 
886 	if ((extdatalen = ret-orig-2)== 0)
887 		return orig;
888 
889 	s2n(extdatalen, orig);
890 	return ret;
891 	}
892 
893 #ifndef OPENSSL_NO_EC
894 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
895  * SecureTransport using the TLS extension block in |d|, of length |n|.
896  * Safari, since 10.6, sends exactly these extensions, in this order:
897  *   SNI,
898  *   elliptic_curves
899  *   ec_point_formats
900  *
901  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
902  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
903  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
904  * 10.8..10.8.3 (which don't work).
905  */
906 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
907 	unsigned short type, size;
908 	static const unsigned char kSafariExtensionsBlock[] = {
909 		0x00, 0x0a,  /* elliptic_curves extension */
910 		0x00, 0x08,  /* 8 bytes */
911 		0x00, 0x06,  /* 6 bytes of curve ids */
912 		0x00, 0x17,  /* P-256 */
913 		0x00, 0x18,  /* P-384 */
914 		0x00, 0x19,  /* P-521 */
915 
916 		0x00, 0x0b,  /* ec_point_formats */
917 		0x00, 0x02,  /* 2 bytes */
918 		0x01,        /* 1 point format */
919 		0x00,        /* uncompressed */
920 	};
921 
922 	/* The following is only present in TLS 1.2 */
923 	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
924 		0x00, 0x0d,  /* signature_algorithms */
925 		0x00, 0x0c,  /* 12 bytes */
926 		0x00, 0x0a,  /* 10 bytes */
927 		0x05, 0x01,  /* SHA-384/RSA */
928 		0x04, 0x01,  /* SHA-256/RSA */
929 		0x02, 0x01,  /* SHA-1/RSA */
930 		0x04, 0x03,  /* SHA-256/ECDSA */
931 		0x02, 0x03,  /* SHA-1/ECDSA */
932 	};
933 
934 	if (data >= (d+n-2))
935 		return;
936 	data += 2;
937 
938 	if (data > (d+n-4))
939 		return;
940 	n2s(data,type);
941 	n2s(data,size);
942 
943 	if (type != TLSEXT_TYPE_server_name)
944 		return;
945 
946 	if (data+size > d+n)
947 		return;
948 	data += size;
949 
950 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
951 		{
952 		const size_t len1 = sizeof(kSafariExtensionsBlock);
953 		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
954 
955 		if (data + len1 + len2 != d+n)
956 			return;
957 		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
958 			return;
959 		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
960 			return;
961 		}
962 	else
963 		{
964 		const size_t len = sizeof(kSafariExtensionsBlock);
965 
966 		if (data + len != d+n)
967 			return;
968 		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
969 			return;
970 		}
971 
972 	s->s3->is_probably_safari = 1;
973 }
974 #endif /* !OPENSSL_NO_EC */
975 
976 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
977 	{
978 	unsigned short type;
979 	unsigned short size;
980 	unsigned short len;
981 	unsigned char *data = *p;
982 	int renegotiate_seen = 0;
983 	int sigalg_seen = 0;
984 
985 	s->servername_done = 0;
986 	s->tlsext_status_type = -1;
987 #ifndef OPENSSL_NO_NEXTPROTONEG
988 	s->s3->next_proto_neg_seen = 0;
989 #endif
990 
991 #ifndef OPENSSL_NO_HEARTBEATS
992 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
993 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
994 #endif
995 
996 #ifndef OPENSSL_NO_EC
997 	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
998 		ssl_check_for_safari(s, data, d, n);
999 #endif /* !OPENSSL_NO_EC */
1000 
1001 	if (data >= (d+n-2))
1002 		goto ri_check;
1003 	n2s(data,len);
1004 
1005 	if (data > (d+n-len))
1006 		goto ri_check;
1007 
1008 	while (data <= (d+n-4))
1009 		{
1010 		n2s(data,type);
1011 		n2s(data,size);
1012 
1013 		if (data+size > (d+n))
1014 	   		goto ri_check;
1015 #if 0
1016 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
1017 #endif
1018 		if (s->tlsext_debug_cb)
1019 			s->tlsext_debug_cb(s, 0, type, data, size,
1020 						s->tlsext_debug_arg);
1021 /* The servername extension is treated as follows:
1022 
1023    - Only the hostname type is supported with a maximum length of 255.
1024    - The servername is rejected if too long or if it contains zeros,
1025      in which case an fatal alert is generated.
1026    - The servername field is maintained together with the session cache.
1027    - When a session is resumed, the servername call back invoked in order
1028      to allow the application to position itself to the right context.
1029    - The servername is acknowledged if it is new for a session or when
1030      it is identical to a previously used for the same session.
1031      Applications can control the behaviour.  They can at any time
1032      set a 'desirable' servername for a new SSL object. This can be the
1033      case for example with HTTPS when a Host: header field is received and
1034      a renegotiation is requested. In this case, a possible servername
1035      presented in the new client hello is only acknowledged if it matches
1036      the value of the Host: field.
1037    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1038      if they provide for changing an explicit servername context for the session,
1039      i.e. when the session has been established with a servername extension.
1040    - On session reconnect, the servername extension may be absent.
1041 
1042 */
1043 
1044 		if (type == TLSEXT_TYPE_server_name)
1045 			{
1046 			unsigned char *sdata;
1047 			int servname_type;
1048 			int dsize;
1049 
1050 			if (size < 2)
1051 				{
1052 				*al = SSL_AD_DECODE_ERROR;
1053 				return 0;
1054 				}
1055 			n2s(data,dsize);
1056 			size -= 2;
1057 			if (dsize > size  )
1058 				{
1059 				*al = SSL_AD_DECODE_ERROR;
1060 				return 0;
1061 				}
1062 
1063 			sdata = data;
1064 			while (dsize > 3)
1065 				{
1066 	 			servname_type = *(sdata++);
1067 				n2s(sdata,len);
1068 				dsize -= 3;
1069 
1070 				if (len > dsize)
1071 					{
1072 					*al = SSL_AD_DECODE_ERROR;
1073 					return 0;
1074 					}
1075 				if (s->servername_done == 0)
1076 				switch (servname_type)
1077 					{
1078 				case TLSEXT_NAMETYPE_host_name:
1079 					if (!s->hit)
1080 						{
1081 						if(s->session->tlsext_hostname)
1082 							{
1083 							*al = SSL_AD_DECODE_ERROR;
1084 							return 0;
1085 							}
1086 						if (len > TLSEXT_MAXLEN_host_name)
1087 							{
1088 							*al = TLS1_AD_UNRECOGNIZED_NAME;
1089 							return 0;
1090 							}
1091 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1092 							{
1093 							*al = TLS1_AD_INTERNAL_ERROR;
1094 							return 0;
1095 							}
1096 						memcpy(s->session->tlsext_hostname, sdata, len);
1097 						s->session->tlsext_hostname[len]='\0';
1098 						if (strlen(s->session->tlsext_hostname) != len) {
1099 							OPENSSL_free(s->session->tlsext_hostname);
1100 							s->session->tlsext_hostname = NULL;
1101 							*al = TLS1_AD_UNRECOGNIZED_NAME;
1102 							return 0;
1103 						}
1104 						s->servername_done = 1;
1105 
1106 						}
1107 					else
1108 						s->servername_done = s->session->tlsext_hostname
1109 							&& strlen(s->session->tlsext_hostname) == len
1110 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1111 
1112 					break;
1113 
1114 				default:
1115 					break;
1116 					}
1117 
1118 				dsize -= len;
1119 				}
1120 			if (dsize != 0)
1121 				{
1122 				*al = SSL_AD_DECODE_ERROR;
1123 				return 0;
1124 				}
1125 
1126 			}
1127 #ifndef OPENSSL_NO_SRP
1128 		else if (type == TLSEXT_TYPE_srp)
1129 			{
1130 			if (size <= 0 || ((len = data[0])) != (size -1))
1131 				{
1132 				*al = SSL_AD_DECODE_ERROR;
1133 				return 0;
1134 				}
1135 			if (s->srp_ctx.login != NULL)
1136 				{
1137 				*al = SSL_AD_DECODE_ERROR;
1138 				return 0;
1139 				}
1140 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1141 				return -1;
1142 			memcpy(s->srp_ctx.login, &data[1], len);
1143 			s->srp_ctx.login[len]='\0';
1144 
1145 			if (strlen(s->srp_ctx.login) != len)
1146 				{
1147 				*al = SSL_AD_DECODE_ERROR;
1148 				return 0;
1149 				}
1150 			}
1151 #endif
1152 
1153 #ifndef OPENSSL_NO_EC
1154 		else if (type == TLSEXT_TYPE_ec_point_formats)
1155 			{
1156 			unsigned char *sdata = data;
1157 			int ecpointformatlist_length = *(sdata++);
1158 
1159 			if (ecpointformatlist_length != size - 1)
1160 				{
1161 				*al = TLS1_AD_DECODE_ERROR;
1162 				return 0;
1163 				}
1164 			if (!s->hit)
1165 				{
1166 				if(s->session->tlsext_ecpointformatlist)
1167 					{
1168 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
1169 					s->session->tlsext_ecpointformatlist = NULL;
1170 					}
1171 				s->session->tlsext_ecpointformatlist_length = 0;
1172 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1173 					{
1174 					*al = TLS1_AD_INTERNAL_ERROR;
1175 					return 0;
1176 					}
1177 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1178 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1179 				}
1180 #if 0
1181 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1182 			sdata = s->session->tlsext_ecpointformatlist;
1183 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1184 				fprintf(stderr,"%i ",*(sdata++));
1185 			fprintf(stderr,"\n");
1186 #endif
1187 			}
1188 		else if (type == TLSEXT_TYPE_elliptic_curves)
1189 			{
1190 			unsigned char *sdata = data;
1191 			int ellipticcurvelist_length = (*(sdata++) << 8);
1192 			ellipticcurvelist_length += (*(sdata++));
1193 
1194 			if (ellipticcurvelist_length != size - 2 ||
1195 				ellipticcurvelist_length < 1)
1196 				{
1197 				*al = TLS1_AD_DECODE_ERROR;
1198 				return 0;
1199 				}
1200 			if (!s->hit)
1201 				{
1202 				if(s->session->tlsext_ellipticcurvelist)
1203 					{
1204 					*al = TLS1_AD_DECODE_ERROR;
1205 					return 0;
1206 					}
1207 				s->session->tlsext_ellipticcurvelist_length = 0;
1208 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1209 					{
1210 					*al = TLS1_AD_INTERNAL_ERROR;
1211 					return 0;
1212 					}
1213 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1214 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1215 				}
1216 #if 0
1217 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1218 			sdata = s->session->tlsext_ellipticcurvelist;
1219 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1220 				fprintf(stderr,"%i ",*(sdata++));
1221 			fprintf(stderr,"\n");
1222 #endif
1223 			}
1224 #endif /* OPENSSL_NO_EC */
1225 #ifdef TLSEXT_TYPE_opaque_prf_input
1226 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1227 	             s->version != DTLS1_VERSION)
1228 			{
1229 			unsigned char *sdata = data;
1230 
1231 			if (size < 2)
1232 				{
1233 				*al = SSL_AD_DECODE_ERROR;
1234 				return 0;
1235 				}
1236 			n2s(sdata, s->s3->client_opaque_prf_input_len);
1237 			if (s->s3->client_opaque_prf_input_len != size - 2)
1238 				{
1239 				*al = SSL_AD_DECODE_ERROR;
1240 				return 0;
1241 				}
1242 
1243 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1244 				OPENSSL_free(s->s3->client_opaque_prf_input);
1245 			if (s->s3->client_opaque_prf_input_len == 0)
1246 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1247 			else
1248 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1249 			if (s->s3->client_opaque_prf_input == NULL)
1250 				{
1251 				*al = TLS1_AD_INTERNAL_ERROR;
1252 				return 0;
1253 				}
1254 			}
1255 #endif
1256 		else if (type == TLSEXT_TYPE_session_ticket)
1257 			{
1258 			if (s->tls_session_ticket_ext_cb &&
1259 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1260 				{
1261 				*al = TLS1_AD_INTERNAL_ERROR;
1262 				return 0;
1263 				}
1264 			}
1265 		else if (type == TLSEXT_TYPE_renegotiate)
1266 			{
1267 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1268 				return 0;
1269 			renegotiate_seen = 1;
1270 			}
1271 		else if (type == TLSEXT_TYPE_signature_algorithms)
1272 			{
1273 			int dsize;
1274 			if (sigalg_seen || size < 2)
1275 				{
1276 				*al = SSL_AD_DECODE_ERROR;
1277 				return 0;
1278 				}
1279 			sigalg_seen = 1;
1280 			n2s(data,dsize);
1281 			size -= 2;
1282 			if (dsize != size || dsize & 1)
1283 				{
1284 				*al = SSL_AD_DECODE_ERROR;
1285 				return 0;
1286 				}
1287 			if (!tls1_process_sigalgs(s, data, dsize))
1288 				{
1289 				*al = SSL_AD_DECODE_ERROR;
1290 				return 0;
1291 				}
1292 			}
1293 		else if (type == TLSEXT_TYPE_status_request &&
1294 		         s->version != DTLS1_VERSION)
1295 			{
1296 
1297 			if (size < 5)
1298 				{
1299 				*al = SSL_AD_DECODE_ERROR;
1300 				return 0;
1301 				}
1302 
1303 			s->tlsext_status_type = *data++;
1304 			size--;
1305 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1306 				{
1307 				const unsigned char *sdata;
1308 				int dsize;
1309 				/* Read in responder_id_list */
1310 				n2s(data,dsize);
1311 				size -= 2;
1312 				if (dsize > size  )
1313 					{
1314 					*al = SSL_AD_DECODE_ERROR;
1315 					return 0;
1316 					}
1317 				while (dsize > 0)
1318 					{
1319 					OCSP_RESPID *id;
1320 					int idsize;
1321 					if (dsize < 4)
1322 						{
1323 						*al = SSL_AD_DECODE_ERROR;
1324 						return 0;
1325 						}
1326 					n2s(data, idsize);
1327 					dsize -= 2 + idsize;
1328 					size -= 2 + idsize;
1329 					if (dsize < 0)
1330 						{
1331 						*al = SSL_AD_DECODE_ERROR;
1332 						return 0;
1333 						}
1334 					sdata = data;
1335 					data += idsize;
1336 					id = d2i_OCSP_RESPID(NULL,
1337 								&sdata, idsize);
1338 					if (!id)
1339 						{
1340 						*al = SSL_AD_DECODE_ERROR;
1341 						return 0;
1342 						}
1343 					if (data != sdata)
1344 						{
1345 						OCSP_RESPID_free(id);
1346 						*al = SSL_AD_DECODE_ERROR;
1347 						return 0;
1348 						}
1349 					if (!s->tlsext_ocsp_ids
1350 						&& !(s->tlsext_ocsp_ids =
1351 						sk_OCSP_RESPID_new_null()))
1352 						{
1353 						OCSP_RESPID_free(id);
1354 						*al = SSL_AD_INTERNAL_ERROR;
1355 						return 0;
1356 						}
1357 					if (!sk_OCSP_RESPID_push(
1358 							s->tlsext_ocsp_ids, id))
1359 						{
1360 						OCSP_RESPID_free(id);
1361 						*al = SSL_AD_INTERNAL_ERROR;
1362 						return 0;
1363 						}
1364 					}
1365 
1366 				/* Read in request_extensions */
1367 				if (size < 2)
1368 					{
1369 					*al = SSL_AD_DECODE_ERROR;
1370 					return 0;
1371 					}
1372 				n2s(data,dsize);
1373 				size -= 2;
1374 				if (dsize != size)
1375 					{
1376 					*al = SSL_AD_DECODE_ERROR;
1377 					return 0;
1378 					}
1379 				sdata = data;
1380 				if (dsize > 0)
1381 					{
1382 					if (s->tlsext_ocsp_exts)
1383 						{
1384 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1385 									   X509_EXTENSION_free);
1386 						}
1387 
1388 					s->tlsext_ocsp_exts =
1389 						d2i_X509_EXTENSIONS(NULL,
1390 							&sdata, dsize);
1391 					if (!s->tlsext_ocsp_exts
1392 						|| (data + dsize != sdata))
1393 						{
1394 						*al = SSL_AD_DECODE_ERROR;
1395 						return 0;
1396 						}
1397 					}
1398 				}
1399 				/* We don't know what to do with any other type
1400  			 	* so ignore it.
1401  			 	*/
1402 				else
1403 					s->tlsext_status_type = -1;
1404 			}
1405 #ifndef OPENSSL_NO_HEARTBEATS
1406 		else if (type == TLSEXT_TYPE_heartbeat)
1407 			{
1408 			switch(data[0])
1409 				{
1410 				case 0x01:	/* Client allows us to send HB requests */
1411 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1412 							break;
1413 				case 0x02:	/* Client doesn't accept HB requests */
1414 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1415 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1416 							break;
1417 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1418 							return 0;
1419 				}
1420 			}
1421 #endif
1422 #ifndef OPENSSL_NO_NEXTPROTONEG
1423 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1424 			 s->s3->tmp.finish_md_len == 0)
1425 			{
1426 			/* We shouldn't accept this extension on a
1427 			 * renegotiation.
1428 			 *
1429 			 * s->new_session will be set on renegotiation, but we
1430 			 * probably shouldn't rely that it couldn't be set on
1431 			 * the initial renegotation too in certain cases (when
1432 			 * there's some other reason to disallow resuming an
1433 			 * earlier session -- the current code won't be doing
1434 			 * anything like that, but this might change).
1435 
1436 			 * A valid sign that there's been a previous handshake
1437 			 * in this connection is if s->s3->tmp.finish_md_len >
1438 			 * 0.  (We are talking about a check that will happen
1439 			 * in the Hello protocol round, well before a new
1440 			 * Finished message could have been computed.) */
1441 			s->s3->next_proto_neg_seen = 1;
1442 			}
1443 #endif
1444 
1445 		/* session ticket processed earlier */
1446 #ifndef OPENSSL_NO_SRTP
1447 		else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
1448 			 && type == TLSEXT_TYPE_use_srtp)
1449 			{
1450 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1451 							      al))
1452 				return 0;
1453 			}
1454 #endif
1455 
1456 		data+=size;
1457 		}
1458 
1459 	*p = data;
1460 
1461 	ri_check:
1462 
1463 	/* Need RI if renegotiating */
1464 
1465 	if (!renegotiate_seen && s->renegotiate &&
1466 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1467 		{
1468 		*al = SSL_AD_HANDSHAKE_FAILURE;
1469 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1470 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1471 		return 0;
1472 		}
1473 
1474 	return 1;
1475 	}
1476 
1477 #ifndef OPENSSL_NO_NEXTPROTONEG
1478 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1479  * elements of zero length are allowed and the set of elements must exactly fill
1480  * the length of the block. */
1481 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1482 	{
1483 	unsigned int off = 0;
1484 
1485 	while (off < len)
1486 		{
1487 		if (d[off] == 0)
1488 			return 0;
1489 		off += d[off];
1490 		off++;
1491 		}
1492 
1493 	return off == len;
1494 	}
1495 #endif
1496 
1497 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1498 	{
1499 	unsigned short length;
1500 	unsigned short type;
1501 	unsigned short size;
1502 	unsigned char *data = *p;
1503 	int tlsext_servername = 0;
1504 	int renegotiate_seen = 0;
1505 
1506 #ifndef OPENSSL_NO_NEXTPROTONEG
1507 	s->s3->next_proto_neg_seen = 0;
1508 #endif
1509 
1510 #ifndef OPENSSL_NO_HEARTBEATS
1511 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1512 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1513 #endif
1514 
1515 	if (data >= (d+n-2))
1516 		goto ri_check;
1517 
1518 	n2s(data,length);
1519 	if (data+length != d+n)
1520 		{
1521 		*al = SSL_AD_DECODE_ERROR;
1522 		return 0;
1523 		}
1524 
1525 	while(data <= (d+n-4))
1526 		{
1527 		n2s(data,type);
1528 		n2s(data,size);
1529 
1530 		if (data+size > (d+n))
1531 	   		goto ri_check;
1532 
1533 		if (s->tlsext_debug_cb)
1534 			s->tlsext_debug_cb(s, 1, type, data, size,
1535 						s->tlsext_debug_arg);
1536 
1537 		if (type == TLSEXT_TYPE_server_name)
1538 			{
1539 			if (s->tlsext_hostname == NULL || size > 0)
1540 				{
1541 				*al = TLS1_AD_UNRECOGNIZED_NAME;
1542 				return 0;
1543 				}
1544 			tlsext_servername = 1;
1545 			}
1546 
1547 #ifndef OPENSSL_NO_EC
1548 		else if (type == TLSEXT_TYPE_ec_point_formats)
1549 			{
1550 			unsigned char *sdata = data;
1551 			int ecpointformatlist_length = *(sdata++);
1552 
1553 			if (ecpointformatlist_length != size - 1 ||
1554 				ecpointformatlist_length < 1)
1555 				{
1556 				*al = TLS1_AD_DECODE_ERROR;
1557 				return 0;
1558 				}
1559 			if (!s->hit)
1560 				{
1561 				s->session->tlsext_ecpointformatlist_length = 0;
1562 				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1563 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1564 					{
1565 					*al = TLS1_AD_INTERNAL_ERROR;
1566 					return 0;
1567 					}
1568 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1569 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1570 				}
1571 #if 0
1572 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1573 			sdata = s->session->tlsext_ecpointformatlist;
1574 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1575 				fprintf(stderr,"%i ",*(sdata++));
1576 			fprintf(stderr,"\n");
1577 #endif
1578 			}
1579 #endif /* OPENSSL_NO_EC */
1580 
1581 		else if (type == TLSEXT_TYPE_session_ticket)
1582 			{
1583 			if (s->tls_session_ticket_ext_cb &&
1584 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1585 				{
1586 				*al = TLS1_AD_INTERNAL_ERROR;
1587 				return 0;
1588 				}
1589 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1590 				|| (size > 0))
1591 				{
1592 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1593 				return 0;
1594 				}
1595 			s->tlsext_ticket_expected = 1;
1596 			}
1597 #ifdef TLSEXT_TYPE_opaque_prf_input
1598 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1599 	             s->version != DTLS1_VERSION)
1600 			{
1601 			unsigned char *sdata = data;
1602 
1603 			if (size < 2)
1604 				{
1605 				*al = SSL_AD_DECODE_ERROR;
1606 				return 0;
1607 				}
1608 			n2s(sdata, s->s3->server_opaque_prf_input_len);
1609 			if (s->s3->server_opaque_prf_input_len != size - 2)
1610 				{
1611 				*al = SSL_AD_DECODE_ERROR;
1612 				return 0;
1613 				}
1614 
1615 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1616 				OPENSSL_free(s->s3->server_opaque_prf_input);
1617 			if (s->s3->server_opaque_prf_input_len == 0)
1618 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1619 			else
1620 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1621 
1622 			if (s->s3->server_opaque_prf_input == NULL)
1623 				{
1624 				*al = TLS1_AD_INTERNAL_ERROR;
1625 				return 0;
1626 				}
1627 			}
1628 #endif
1629 		else if (type == TLSEXT_TYPE_status_request &&
1630 		         s->version != DTLS1_VERSION)
1631 			{
1632 			/* MUST be empty and only sent if we've requested
1633 			 * a status request message.
1634 			 */
1635 			if ((s->tlsext_status_type == -1) || (size > 0))
1636 				{
1637 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1638 				return 0;
1639 				}
1640 			/* Set flag to expect CertificateStatus message */
1641 			s->tlsext_status_expected = 1;
1642 			}
1643 #ifndef OPENSSL_NO_NEXTPROTONEG
1644 		else if (type == TLSEXT_TYPE_next_proto_neg &&
1645 			 s->s3->tmp.finish_md_len == 0)
1646 			{
1647 			unsigned char *selected;
1648 			unsigned char selected_len;
1649 
1650 			/* We must have requested it. */
1651 			if (s->ctx->next_proto_select_cb == NULL)
1652 				{
1653 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1654 				return 0;
1655 				}
1656 			/* The data must be valid */
1657 			if (!ssl_next_proto_validate(data, size))
1658 				{
1659 				*al = TLS1_AD_DECODE_ERROR;
1660 				return 0;
1661 				}
1662 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1663 				{
1664 				*al = TLS1_AD_INTERNAL_ERROR;
1665 				return 0;
1666 				}
1667 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1668 			if (!s->next_proto_negotiated)
1669 				{
1670 				*al = TLS1_AD_INTERNAL_ERROR;
1671 				return 0;
1672 				}
1673 			memcpy(s->next_proto_negotiated, selected, selected_len);
1674 			s->next_proto_negotiated_len = selected_len;
1675 			s->s3->next_proto_neg_seen = 1;
1676 			}
1677 #endif
1678 		else if (type == TLSEXT_TYPE_renegotiate)
1679 			{
1680 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1681 				return 0;
1682 			renegotiate_seen = 1;
1683 			}
1684 #ifndef OPENSSL_NO_HEARTBEATS
1685 		else if (type == TLSEXT_TYPE_heartbeat)
1686 			{
1687 			switch(data[0])
1688 				{
1689 				case 0x01:	/* Server allows us to send HB requests */
1690 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1691 							break;
1692 				case 0x02:	/* Server doesn't accept HB requests */
1693 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1694 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1695 							break;
1696 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1697 							return 0;
1698 				}
1699 			}
1700 #endif
1701 #ifndef OPENSSL_NO_SRTP
1702 		else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
1703 			{
1704                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1705 							      al))
1706                                 return 0;
1707 			}
1708 #endif
1709 
1710 		data+=size;
1711 		}
1712 
1713 	if (data != d+n)
1714 		{
1715 		*al = SSL_AD_DECODE_ERROR;
1716 		return 0;
1717 		}
1718 
1719 	if (!s->hit && tlsext_servername == 1)
1720 		{
1721  		if (s->tlsext_hostname)
1722 			{
1723 			if (s->session->tlsext_hostname == NULL)
1724 				{
1725 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1726 				if (!s->session->tlsext_hostname)
1727 					{
1728 					*al = SSL_AD_UNRECOGNIZED_NAME;
1729 					return 0;
1730 					}
1731 				}
1732 			else
1733 				{
1734 				*al = SSL_AD_DECODE_ERROR;
1735 				return 0;
1736 				}
1737 			}
1738 		}
1739 
1740 	*p = data;
1741 
1742 	ri_check:
1743 
1744 	/* Determine if we need to see RI. Strictly speaking if we want to
1745 	 * avoid an attack we should *always* see RI even on initial server
1746 	 * hello because the client doesn't see any renegotiation during an
1747 	 * attack. However this would mean we could not connect to any server
1748 	 * which doesn't support RI so for the immediate future tolerate RI
1749 	 * absence on initial connect only.
1750 	 */
1751 	if (!renegotiate_seen
1752 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1753 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1754 		{
1755 		*al = SSL_AD_HANDSHAKE_FAILURE;
1756 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1757 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1758 		return 0;
1759 		}
1760 
1761 	return 1;
1762 	}
1763 
1764 
1765 int ssl_prepare_clienthello_tlsext(SSL *s)
1766 	{
1767 #ifndef OPENSSL_NO_EC
1768 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1769 	 * and elliptic curves we support.
1770 	 */
1771 	int using_ecc = 0;
1772 	int i;
1773 	unsigned char *j;
1774 	unsigned long alg_k, alg_a;
1775 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1776 
1777 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1778 		{
1779 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1780 
1781 		alg_k = c->algorithm_mkey;
1782 		alg_a = c->algorithm_auth;
1783 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1784 			{
1785 			using_ecc = 1;
1786 			break;
1787 			}
1788 		}
1789 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1790 	if (using_ecc)
1791 		{
1792 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1793 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1794 			{
1795 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1796 			return -1;
1797 			}
1798 		s->tlsext_ecpointformatlist_length = 3;
1799 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1800 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1801 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1802 
1803 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1804 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1805 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1806 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1807 			{
1808 			s->tlsext_ellipticcurvelist_length = 0;
1809 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1810 			return -1;
1811 			}
1812 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1813 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
1814 			{
1815 			int id = tls1_ec_nid2curve_id(pref_list[i]);
1816 			s2n(id,j);
1817 			}
1818 		}
1819 #endif /* OPENSSL_NO_EC */
1820 
1821 #ifdef TLSEXT_TYPE_opaque_prf_input
1822  	{
1823 		int r = 1;
1824 
1825 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1826 			{
1827 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1828 			if (!r)
1829 				return -1;
1830 			}
1831 
1832 		if (s->tlsext_opaque_prf_input != NULL)
1833 			{
1834 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1835 				OPENSSL_free(s->s3->client_opaque_prf_input);
1836 
1837 			if (s->tlsext_opaque_prf_input_len == 0)
1838 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1839 			else
1840 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1841 			if (s->s3->client_opaque_prf_input == NULL)
1842 				{
1843 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1844 				return -1;
1845 				}
1846 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1847 			}
1848 
1849 		if (r == 2)
1850 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1851 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1852 	}
1853 #endif
1854 
1855 	return 1;
1856 	}
1857 
1858 int ssl_prepare_serverhello_tlsext(SSL *s)
1859 	{
1860 #ifndef OPENSSL_NO_EC
1861 	/* If we are server and using an ECC cipher suite, send the point formats we support
1862 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1863 	 * supposed to send an EllipticCurves extension.
1864 	 */
1865 
1866 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1867 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1868 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1869 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1870 
1871 	if (using_ecc)
1872 		{
1873 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1874 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1875 			{
1876 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1877 			return -1;
1878 			}
1879 		s->tlsext_ecpointformatlist_length = 3;
1880 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1881 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1882 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1883 		}
1884 #endif /* OPENSSL_NO_EC */
1885 
1886 	return 1;
1887 	}
1888 
1889 int ssl_check_clienthello_tlsext_early(SSL *s)
1890 	{
1891 	int ret=SSL_TLSEXT_ERR_NOACK;
1892 	int al = SSL_AD_UNRECOGNIZED_NAME;
1893 
1894 #ifndef OPENSSL_NO_EC
1895 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1896 	 * ssl3_choose_cipher in s3_lib.c.
1897 	 */
1898 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1899 	 * ssl3_choose_cipher in s3_lib.c.
1900 	 */
1901 #endif
1902 
1903 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1904 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1905 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1906 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1907 
1908 #ifdef TLSEXT_TYPE_opaque_prf_input
1909  	{
1910 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1911 		 * but we might be sending an alert in response to the client hello,
1912 		 * so this has to happen here in
1913 		 * ssl_check_clienthello_tlsext_early(). */
1914 
1915 		int r = 1;
1916 
1917 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1918 			{
1919 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1920 			if (!r)
1921 				{
1922 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1923 				al = SSL_AD_INTERNAL_ERROR;
1924 				goto err;
1925 				}
1926 			}
1927 
1928 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1929 			OPENSSL_free(s->s3->server_opaque_prf_input);
1930 		s->s3->server_opaque_prf_input = NULL;
1931 
1932 		if (s->tlsext_opaque_prf_input != NULL)
1933 			{
1934 			if (s->s3->client_opaque_prf_input != NULL &&
1935 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1936 				{
1937 				/* can only use this extension if we have a server opaque PRF input
1938 				 * of the same length as the client opaque PRF input! */
1939 
1940 				if (s->tlsext_opaque_prf_input_len == 0)
1941 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1942 				else
1943 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1944 				if (s->s3->server_opaque_prf_input == NULL)
1945 					{
1946 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1947 					al = SSL_AD_INTERNAL_ERROR;
1948 					goto err;
1949 					}
1950 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1951 				}
1952 			}
1953 
1954 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1955 			{
1956 			/* The callback wants to enforce use of the extension,
1957 			 * but we can't do that with the client opaque PRF input;
1958 			 * abort the handshake.
1959 			 */
1960 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1961 			al = SSL_AD_HANDSHAKE_FAILURE;
1962 			}
1963 	}
1964 
1965  err:
1966 #endif
1967 	switch (ret)
1968 		{
1969 		case SSL_TLSEXT_ERR_ALERT_FATAL:
1970 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1971 			return -1;
1972 
1973 		case SSL_TLSEXT_ERR_ALERT_WARNING:
1974 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1975 			return 1;
1976 
1977 		case SSL_TLSEXT_ERR_NOACK:
1978 			s->servername_done=0;
1979 			default:
1980 		return 1;
1981 		}
1982 	}
1983 
1984 int ssl_check_clienthello_tlsext_late(SSL *s)
1985 	{
1986 	int ret = SSL_TLSEXT_ERR_OK;
1987 	int al;
1988 
1989 	/* If status request then ask callback what to do.
1990  	 * Note: this must be called after servername callbacks in case
1991  	 * the certificate has changed, and must be called after the cipher
1992 	 * has been chosen because this may influence which certificate is sent
1993  	 */
1994 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1995 		{
1996 		int r;
1997 		CERT_PKEY *certpkey;
1998 		certpkey = ssl_get_server_send_pkey(s);
1999 		/* If no certificate can't return certificate status */
2000 		if (certpkey == NULL)
2001 			{
2002 			s->tlsext_status_expected = 0;
2003 			return 1;
2004 			}
2005 		/* Set current certificate to one we will use so
2006 		 * SSL_get_certificate et al can pick it up.
2007 		 */
2008 		s->cert->key = certpkey;
2009 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2010 		switch (r)
2011 			{
2012 			/* We don't want to send a status request response */
2013 			case SSL_TLSEXT_ERR_NOACK:
2014 				s->tlsext_status_expected = 0;
2015 				break;
2016 			/* status request response should be sent */
2017 			case SSL_TLSEXT_ERR_OK:
2018 				if (s->tlsext_ocsp_resp)
2019 					s->tlsext_status_expected = 1;
2020 				else
2021 					s->tlsext_status_expected = 0;
2022 				break;
2023 			/* something bad happened */
2024 			case SSL_TLSEXT_ERR_ALERT_FATAL:
2025 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2026 				al = SSL_AD_INTERNAL_ERROR;
2027 				goto err;
2028 			}
2029 		}
2030 	else
2031 		s->tlsext_status_expected = 0;
2032 
2033  err:
2034 	switch (ret)
2035 		{
2036 		case SSL_TLSEXT_ERR_ALERT_FATAL:
2037 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2038 			return -1;
2039 
2040 		case SSL_TLSEXT_ERR_ALERT_WARNING:
2041 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2042 			return 1;
2043 
2044 		default:
2045 			return 1;
2046 		}
2047 	}
2048 
2049 int ssl_check_serverhello_tlsext(SSL *s)
2050 	{
2051 	int ret=SSL_TLSEXT_ERR_NOACK;
2052 	int al = SSL_AD_UNRECOGNIZED_NAME;
2053 
2054 #ifndef OPENSSL_NO_EC
2055 	/* If we are client and using an elliptic curve cryptography cipher
2056 	 * suite, then if server returns an EC point formats lists extension
2057 	 * it must contain uncompressed.
2058 	 */
2059 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2060 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2061 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2062 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2063 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2064 		{
2065 		/* we are using an ECC cipher */
2066 		size_t i;
2067 		unsigned char *list;
2068 		int found_uncompressed = 0;
2069 		list = s->session->tlsext_ecpointformatlist;
2070 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2071 			{
2072 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2073 				{
2074 				found_uncompressed = 1;
2075 				break;
2076 				}
2077 			}
2078 		if (!found_uncompressed)
2079 			{
2080 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2081 			return -1;
2082 			}
2083 		}
2084 	ret = SSL_TLSEXT_ERR_OK;
2085 #endif /* OPENSSL_NO_EC */
2086 
2087 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2088 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2089 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2090 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2091 
2092 #ifdef TLSEXT_TYPE_opaque_prf_input
2093 	if (s->s3->server_opaque_prf_input_len > 0)
2094 		{
2095 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2096 		 * So first verify that we really have a value from the server too. */
2097 
2098 		if (s->s3->server_opaque_prf_input == NULL)
2099 			{
2100 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2101 			al = SSL_AD_HANDSHAKE_FAILURE;
2102 			}
2103 
2104 		/* Anytime the server *has* sent an opaque PRF input, we need to check
2105 		 * that we have a client opaque PRF input of the same size. */
2106 		if (s->s3->client_opaque_prf_input == NULL ||
2107 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2108 			{
2109 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2110 			al = SSL_AD_ILLEGAL_PARAMETER;
2111 			}
2112 		}
2113 #endif
2114 
2115 	/* If we've requested certificate status and we wont get one
2116  	 * tell the callback
2117  	 */
2118 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2119 			&& s->ctx && s->ctx->tlsext_status_cb)
2120 		{
2121 		int r;
2122 		/* Set resp to NULL, resplen to -1 so callback knows
2123  		 * there is no response.
2124  		 */
2125 		if (s->tlsext_ocsp_resp)
2126 			{
2127 			OPENSSL_free(s->tlsext_ocsp_resp);
2128 			s->tlsext_ocsp_resp = NULL;
2129 			}
2130 		s->tlsext_ocsp_resplen = -1;
2131 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2132 		if (r == 0)
2133 			{
2134 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2135 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2136 			}
2137 		if (r < 0)
2138 			{
2139 			al = SSL_AD_INTERNAL_ERROR;
2140 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2141 			}
2142 		}
2143 
2144 	switch (ret)
2145 		{
2146 		case SSL_TLSEXT_ERR_ALERT_FATAL:
2147 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2148 			return -1;
2149 
2150 		case SSL_TLSEXT_ERR_ALERT_WARNING:
2151 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2152 			return 1;
2153 
2154 		case SSL_TLSEXT_ERR_NOACK:
2155 			s->servername_done=0;
2156 			default:
2157 		return 1;
2158 		}
2159 	}
2160 
2161 /* Since the server cache lookup is done early on in the processing of the
2162  * ClientHello, and other operations depend on the result, we need to handle
2163  * any TLS session ticket extension at the same time.
2164  *
2165  *   session_id: points at the session ID in the ClientHello. This code will
2166  *       read past the end of this in order to parse out the session ticket
2167  *       extension, if any.
2168  *   len: the length of the session ID.
2169  *   limit: a pointer to the first byte after the ClientHello.
2170  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2171  *       point to the resulting session.
2172  *
2173  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2174  * ciphersuite, in which case we have no use for session tickets and one will
2175  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2176  *
2177  * Returns:
2178  *   -1: fatal error, either from parsing or decrypting the ticket.
2179  *    0: no ticket was found (or was ignored, based on settings).
2180  *    1: a zero length extension was found, indicating that the client supports
2181  *       session tickets but doesn't currently have one to offer.
2182  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2183  *       couldn't be decrypted because of a non-fatal error.
2184  *    3: a ticket was successfully decrypted and *ret was set.
2185  *
2186  * Side effects:
2187  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2188  *   a new session ticket to the client because the client indicated support
2189  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2190  *   a session ticket or we couldn't use the one it gave us, or if
2191  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2192  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2193  */
2194 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2195 			const unsigned char *limit, SSL_SESSION **ret)
2196 	{
2197 	/* Point after session ID in client hello */
2198 	const unsigned char *p = session_id + len;
2199 	unsigned short i;
2200 
2201 	*ret = NULL;
2202 	s->tlsext_ticket_expected = 0;
2203 
2204 	/* If tickets disabled behave as if no ticket present
2205 	 * to permit stateful resumption.
2206 	 */
2207 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2208 		return 0;
2209 	if ((s->version <= SSL3_VERSION) || !limit)
2210 		return 0;
2211 	if (p >= limit)
2212 		return -1;
2213 	/* Skip past DTLS cookie */
2214 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2215 		{
2216 		i = *(p++);
2217 		p+= i;
2218 		if (p >= limit)
2219 			return -1;
2220 		}
2221 	/* Skip past cipher list */
2222 	n2s(p, i);
2223 	p+= i;
2224 	if (p >= limit)
2225 		return -1;
2226 	/* Skip past compression algorithm list */
2227 	i = *(p++);
2228 	p += i;
2229 	if (p > limit)
2230 		return -1;
2231 	/* Now at start of extensions */
2232 	if ((p + 2) >= limit)
2233 		return 0;
2234 	n2s(p, i);
2235 	while ((p + 4) <= limit)
2236 		{
2237 		unsigned short type, size;
2238 		n2s(p, type);
2239 		n2s(p, size);
2240 		if (p + size > limit)
2241 			return 0;
2242 		if (type == TLSEXT_TYPE_session_ticket)
2243 			{
2244 			int r;
2245 			if (size == 0)
2246 				{
2247 				/* The client will accept a ticket but doesn't
2248 				 * currently have one. */
2249 				s->tlsext_ticket_expected = 1;
2250 				return 1;
2251 				}
2252 			if (s->tls_session_secret_cb)
2253 				{
2254 				/* Indicate that the ticket couldn't be
2255 				 * decrypted rather than generating the session
2256 				 * from ticket now, trigger abbreviated
2257 				 * handshake based on external mechanism to
2258 				 * calculate the master secret later. */
2259 				return 2;
2260 				}
2261 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2262 			switch (r)
2263 				{
2264 				case 2: /* ticket couldn't be decrypted */
2265 					s->tlsext_ticket_expected = 1;
2266 					return 2;
2267 				case 3: /* ticket was decrypted */
2268 					return r;
2269 				case 4: /* ticket decrypted but need to renew */
2270 					s->tlsext_ticket_expected = 1;
2271 					return 3;
2272 				default: /* fatal error */
2273 					return -1;
2274 				}
2275 			}
2276 		p += size;
2277 		}
2278 	return 0;
2279 	}
2280 
2281 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2282  *
2283  *   etick: points to the body of the session ticket extension.
2284  *   eticklen: the length of the session tickets extenion.
2285  *   sess_id: points at the session ID.
2286  *   sesslen: the length of the session ID.
2287  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2288  *       point to the resulting session.
2289  *
2290  * Returns:
2291  *   -1: fatal error, either from parsing or decrypting the ticket.
2292  *    2: the ticket couldn't be decrypted.
2293  *    3: a ticket was successfully decrypted and *psess was set.
2294  *    4: same as 3, but the ticket needs to be renewed.
2295  */
2296 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2297 				const unsigned char *sess_id, int sesslen,
2298 				SSL_SESSION **psess)
2299 	{
2300 	SSL_SESSION *sess;
2301 	unsigned char *sdec;
2302 	const unsigned char *p;
2303 	int slen, mlen, renew_ticket = 0;
2304 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2305 	HMAC_CTX hctx;
2306 	EVP_CIPHER_CTX ctx;
2307 	SSL_CTX *tctx = s->initial_ctx;
2308 	/* Need at least keyname + iv + some encrypted data */
2309 	if (eticklen < 48)
2310 		return 2;
2311 	/* Initialize session ticket encryption and HMAC contexts */
2312 	HMAC_CTX_init(&hctx);
2313 	EVP_CIPHER_CTX_init(&ctx);
2314 	if (tctx->tlsext_ticket_key_cb)
2315 		{
2316 		unsigned char *nctick = (unsigned char *)etick;
2317 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2318 							&ctx, &hctx, 0);
2319 		if (rv < 0)
2320 			return -1;
2321 		if (rv == 0)
2322 			return 2;
2323 		if (rv == 2)
2324 			renew_ticket = 1;
2325 		}
2326 	else
2327 		{
2328 		/* Check key name matches */
2329 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2330 			return 2;
2331 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2332 					tlsext_tick_md(), NULL);
2333 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2334 				tctx->tlsext_tick_aes_key, etick + 16);
2335 		}
2336 	/* Attempt to process session ticket, first conduct sanity and
2337 	 * integrity checks on ticket.
2338 	 */
2339 	mlen = HMAC_size(&hctx);
2340 	if (mlen < 0)
2341 		{
2342 		EVP_CIPHER_CTX_cleanup(&ctx);
2343 		return -1;
2344 		}
2345 	eticklen -= mlen;
2346 	/* Check HMAC of encrypted ticket */
2347 	HMAC_Update(&hctx, etick, eticklen);
2348 	HMAC_Final(&hctx, tick_hmac, NULL);
2349 	HMAC_CTX_cleanup(&hctx);
2350 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2351 		{
2352 		EVP_CIPHER_CTX_cleanup(&ctx);
2353 		return 2;
2354 		}
2355 	/* Attempt to decrypt session data */
2356 	/* Move p after IV to start of encrypted ticket, update length */
2357 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2358 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2359 	sdec = OPENSSL_malloc(eticklen);
2360 	if (!sdec)
2361 		{
2362 		EVP_CIPHER_CTX_cleanup(&ctx);
2363 		return -1;
2364 		}
2365 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2366 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2367 		{
2368 		EVP_CIPHER_CTX_cleanup(&ctx);
2369 		OPENSSL_free(sdec);
2370 		return 2;
2371 		}
2372 	slen += mlen;
2373 	EVP_CIPHER_CTX_cleanup(&ctx);
2374 	p = sdec;
2375 
2376 	sess = d2i_SSL_SESSION(NULL, &p, slen);
2377 	OPENSSL_free(sdec);
2378 	if (sess)
2379 		{
2380 		/* The session ID, if non-empty, is used by some clients to
2381 		 * detect that the ticket has been accepted. So we copy it to
2382 		 * the session structure. If it is empty set length to zero
2383 		 * as required by standard.
2384 		 */
2385 		if (sesslen)
2386 			memcpy(sess->session_id, sess_id, sesslen);
2387 		sess->session_id_length = sesslen;
2388 		*psess = sess;
2389 		if (renew_ticket)
2390 			return 4;
2391 		else
2392 			return 3;
2393 		}
2394         ERR_clear_error();
2395 	/* For session parse failure, indicate that we need to send a new
2396 	 * ticket. */
2397 	return 2;
2398 	}
2399 
2400 /* Tables to translate from NIDs to TLS v1.2 ids */
2401 
2402 typedef struct
2403 	{
2404 	int nid;
2405 	int id;
2406 	} tls12_lookup;
2407 
2408 static tls12_lookup tls12_md[] = {
2409 #ifndef OPENSSL_NO_MD5
2410 	{NID_md5, TLSEXT_hash_md5},
2411 #endif
2412 #ifndef OPENSSL_NO_SHA
2413 	{NID_sha1, TLSEXT_hash_sha1},
2414 #endif
2415 #ifndef OPENSSL_NO_SHA256
2416 	{NID_sha224, TLSEXT_hash_sha224},
2417 	{NID_sha256, TLSEXT_hash_sha256},
2418 #endif
2419 #ifndef OPENSSL_NO_SHA512
2420 	{NID_sha384, TLSEXT_hash_sha384},
2421 	{NID_sha512, TLSEXT_hash_sha512}
2422 #endif
2423 };
2424 
2425 static tls12_lookup tls12_sig[] = {
2426 #ifndef OPENSSL_NO_RSA
2427 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2428 #endif
2429 #ifndef OPENSSL_NO_DSA
2430 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
2431 #endif
2432 #ifndef OPENSSL_NO_ECDSA
2433 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2434 #endif
2435 };
2436 
2437 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2438 	{
2439 	size_t i;
2440 	for (i = 0; i < tlen; i++)
2441 		{
2442 		if (table[i].nid == nid)
2443 			return table[i].id;
2444 		}
2445 	return -1;
2446 	}
2447 #if 0
2448 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2449 	{
2450 	size_t i;
2451 	for (i = 0; i < tlen; i++)
2452 		{
2453 		if (table[i].id == id)
2454 			return table[i].nid;
2455 		}
2456 	return -1;
2457 	}
2458 #endif
2459 
2460 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2461 	{
2462 	int sig_id, md_id;
2463 	if (!md)
2464 		return 0;
2465 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2466 				sizeof(tls12_md)/sizeof(tls12_lookup));
2467 	if (md_id == -1)
2468 		return 0;
2469 	sig_id = tls12_get_sigid(pk);
2470 	if (sig_id == -1)
2471 		return 0;
2472 	p[0] = (unsigned char)md_id;
2473 	p[1] = (unsigned char)sig_id;
2474 	return 1;
2475 	}
2476 
2477 int tls12_get_sigid(const EVP_PKEY *pk)
2478 	{
2479 	return tls12_find_id(pk->type, tls12_sig,
2480 				sizeof(tls12_sig)/sizeof(tls12_lookup));
2481 	}
2482 
2483 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2484 	{
2485 	switch(hash_alg)
2486 		{
2487 #ifndef OPENSSL_NO_SHA
2488 		case TLSEXT_hash_sha1:
2489 		return EVP_sha1();
2490 #endif
2491 #ifndef OPENSSL_NO_SHA256
2492 		case TLSEXT_hash_sha224:
2493 		return EVP_sha224();
2494 
2495 		case TLSEXT_hash_sha256:
2496 		return EVP_sha256();
2497 #endif
2498 #ifndef OPENSSL_NO_SHA512
2499 		case TLSEXT_hash_sha384:
2500 		return EVP_sha384();
2501 
2502 		case TLSEXT_hash_sha512:
2503 		return EVP_sha512();
2504 #endif
2505 		default:
2506 		return NULL;
2507 
2508 		}
2509 	}
2510 
2511 /* Set preferred digest for each key type */
2512 
2513 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2514 	{
2515 	int i, idx;
2516 	const EVP_MD *md;
2517 	CERT *c = s->cert;
2518 	/* Extension ignored for TLS versions below 1.2 */
2519 	if (TLS1_get_version(s) < TLS1_2_VERSION)
2520 		return 1;
2521 	/* Should never happen */
2522 	if (!c)
2523 		return 0;
2524 
2525 	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2526 	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2527 	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2528 	c->pkeys[SSL_PKEY_ECC].digest = NULL;
2529 
2530 	for (i = 0; i < dsize; i += 2)
2531 		{
2532 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
2533 
2534 		switch(sig_alg)
2535 			{
2536 #ifndef OPENSSL_NO_RSA
2537 			case TLSEXT_signature_rsa:
2538 			idx = SSL_PKEY_RSA_SIGN;
2539 			break;
2540 #endif
2541 #ifndef OPENSSL_NO_DSA
2542 			case TLSEXT_signature_dsa:
2543 			idx = SSL_PKEY_DSA_SIGN;
2544 			break;
2545 #endif
2546 #ifndef OPENSSL_NO_ECDSA
2547 			case TLSEXT_signature_ecdsa:
2548 			idx = SSL_PKEY_ECC;
2549 			break;
2550 #endif
2551 			default:
2552 			continue;
2553 			}
2554 
2555 		if (c->pkeys[idx].digest == NULL)
2556 			{
2557 			md = tls12_get_hash(hash_alg);
2558 			if (md)
2559 				{
2560 				c->pkeys[idx].digest = md;
2561 				if (idx == SSL_PKEY_RSA_SIGN)
2562 					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2563 				}
2564 			}
2565 
2566 		}
2567 
2568 
2569 	/* Set any remaining keys to default values. NOTE: if alg is not
2570 	 * supported it stays as NULL.
2571 	 */
2572 #ifndef OPENSSL_NO_DSA
2573 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2574 		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2575 #endif
2576 #ifndef OPENSSL_NO_RSA
2577 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2578 		{
2579 		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2580 		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2581 		}
2582 #endif
2583 #ifndef OPENSSL_NO_ECDSA
2584 	if (!c->pkeys[SSL_PKEY_ECC].digest)
2585 		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2586 #endif
2587 	return 1;
2588 	}
2589 
2590 #endif
2591 
2592 #ifndef OPENSSL_NO_HEARTBEATS
2593 int
2594 tls1_process_heartbeat(SSL *s)
2595 	{
2596 	unsigned char *p = &s->s3->rrec.data[0], *pl;
2597 	unsigned short hbtype;
2598 	unsigned int payload;
2599 	unsigned int padding = 16; /* Use minimum padding */
2600 
2601 	if (s->msg_callback)
2602 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2603 			&s->s3->rrec.data[0], s->s3->rrec.length,
2604 			s, s->msg_callback_arg);
2605 
2606 	/* Read type and payload length first */
2607 	if (1 + 2 + 16 > s->s3->rrec.length)
2608 		return 0; /* silently discard */
2609 	hbtype = *p++;
2610 	n2s(p, payload);
2611 	if (1 + 2 + payload + 16 > s->s3->rrec.length)
2612 		return 0; /* silently discard per RFC 6520 sec. 4 */
2613 	pl = p;
2614 
2615 	if (hbtype == TLS1_HB_REQUEST)
2616 		{
2617 		unsigned char *buffer, *bp;
2618 		int r;
2619 
2620 		/* Allocate memory for the response, size is 1 bytes
2621 		 * message type, plus 2 bytes payload length, plus
2622 		 * payload, plus padding
2623 		 */
2624 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2625 		bp = buffer;
2626 
2627 		/* Enter response type, length and copy payload */
2628 		*bp++ = TLS1_HB_RESPONSE;
2629 		s2n(payload, bp);
2630 		memcpy(bp, pl, payload);
2631 		bp += payload;
2632 		/* Random padding */
2633 		RAND_pseudo_bytes(bp, padding);
2634 
2635 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2636 
2637 		if (r >= 0 && s->msg_callback)
2638 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2639 				buffer, 3 + payload + padding,
2640 				s, s->msg_callback_arg);
2641 
2642 		OPENSSL_free(buffer);
2643 
2644 		if (r < 0)
2645 			return r;
2646 		}
2647 	else if (hbtype == TLS1_HB_RESPONSE)
2648 		{
2649 		unsigned int seq;
2650 
2651 		/* We only send sequence numbers (2 bytes unsigned int),
2652 		 * and 16 random bytes, so we just try to read the
2653 		 * sequence number */
2654 		n2s(pl, seq);
2655 
2656 		if (payload == 18 && seq == s->tlsext_hb_seq)
2657 			{
2658 			s->tlsext_hb_seq++;
2659 			s->tlsext_hb_pending = 0;
2660 			}
2661 		}
2662 
2663 	return 0;
2664 	}
2665 
2666 int
2667 tls1_heartbeat(SSL *s)
2668 	{
2669 	unsigned char *buf, *p;
2670 	int ret;
2671 	unsigned int payload = 18; /* Sequence number + random bytes */
2672 	unsigned int padding = 16; /* Use minimum padding */
2673 
2674 	/* Only send if peer supports and accepts HB requests... */
2675 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2676 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2677 		{
2678 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2679 		return -1;
2680 		}
2681 
2682 	/* ...and there is none in flight yet... */
2683 	if (s->tlsext_hb_pending)
2684 		{
2685 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2686 		return -1;
2687 		}
2688 
2689 	/* ...and no handshake in progress. */
2690 	if (SSL_in_init(s) || s->in_handshake)
2691 		{
2692 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2693 		return -1;
2694 		}
2695 
2696 	/* Check if padding is too long, payload and padding
2697 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
2698 	 */
2699 	OPENSSL_assert(payload + padding <= 16381);
2700 
2701 	/* Create HeartBeat message, we just use a sequence number
2702 	 * as payload to distuingish different messages and add
2703 	 * some random stuff.
2704 	 *  - Message Type, 1 byte
2705 	 *  - Payload Length, 2 bytes (unsigned int)
2706 	 *  - Payload, the sequence number (2 bytes uint)
2707 	 *  - Payload, random bytes (16 bytes uint)
2708 	 *  - Padding
2709 	 */
2710 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2711 	p = buf;
2712 	/* Message Type */
2713 	*p++ = TLS1_HB_REQUEST;
2714 	/* Payload length (18 bytes here) */
2715 	s2n(payload, p);
2716 	/* Sequence number */
2717 	s2n(s->tlsext_hb_seq, p);
2718 	/* 16 random bytes */
2719 	RAND_pseudo_bytes(p, 16);
2720 	p += 16;
2721 	/* Random padding */
2722 	RAND_pseudo_bytes(p, padding);
2723 
2724 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2725 	if (ret >= 0)
2726 		{
2727 		if (s->msg_callback)
2728 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2729 				buf, 3 + payload + padding,
2730 				s, s->msg_callback_arg);
2731 
2732 		s->tlsext_hb_pending = 1;
2733 		}
2734 
2735 	OPENSSL_free(buf);
2736 
2737 	return ret;
2738 	}
2739 #endif
2740