xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision bd81e07d2761cf1c13063eb49a5c0cb4a6951318)
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/ocsp.h>
117 #include <openssl/rand.h>
118 #include "ssl_locl.h"
119 
120 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
121 
122 #ifndef OPENSSL_NO_TLSEXT
123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124                               const unsigned char *sess_id, int sesslen,
125                               SSL_SESSION **psess);
126 #endif
127 
128 SSL3_ENC_METHOD TLSv1_enc_data = {
129     tls1_enc,
130     tls1_mac,
131     tls1_setup_key_block,
132     tls1_generate_master_secret,
133     tls1_change_cipher_state,
134     tls1_final_finish_mac,
135     TLS1_FINISH_MAC_LENGTH,
136     tls1_cert_verify_mac,
137     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
138     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
139     tls1_alert_code,
140     tls1_export_keying_material,
141 };
142 
143 long tls1_default_timeout(void)
144 {
145     /*
146      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
147      * http, the cache would over fill
148      */
149     return (60 * 60 * 2);
150 }
151 
152 int tls1_new(SSL *s)
153 {
154     if (!ssl3_new(s))
155         return (0);
156     s->method->ssl_clear(s);
157     return (1);
158 }
159 
160 void tls1_free(SSL *s)
161 {
162 #ifndef OPENSSL_NO_TLSEXT
163     if (s->tlsext_session_ticket) {
164         OPENSSL_free(s->tlsext_session_ticket);
165     }
166 #endif                          /* OPENSSL_NO_TLSEXT */
167     ssl3_free(s);
168 }
169 
170 void tls1_clear(SSL *s)
171 {
172     ssl3_clear(s);
173     s->version = s->method->version;
174 }
175 
176 #ifndef OPENSSL_NO_EC
177 
178 static int nid_list[] = {
179     NID_sect163k1,              /* sect163k1 (1) */
180     NID_sect163r1,              /* sect163r1 (2) */
181     NID_sect163r2,              /* sect163r2 (3) */
182     NID_sect193r1,              /* sect193r1 (4) */
183     NID_sect193r2,              /* sect193r2 (5) */
184     NID_sect233k1,              /* sect233k1 (6) */
185     NID_sect233r1,              /* sect233r1 (7) */
186     NID_sect239k1,              /* sect239k1 (8) */
187     NID_sect283k1,              /* sect283k1 (9) */
188     NID_sect283r1,              /* sect283r1 (10) */
189     NID_sect409k1,              /* sect409k1 (11) */
190     NID_sect409r1,              /* sect409r1 (12) */
191     NID_sect571k1,              /* sect571k1 (13) */
192     NID_sect571r1,              /* sect571r1 (14) */
193     NID_secp160k1,              /* secp160k1 (15) */
194     NID_secp160r1,              /* secp160r1 (16) */
195     NID_secp160r2,              /* secp160r2 (17) */
196     NID_secp192k1,              /* secp192k1 (18) */
197     NID_X9_62_prime192v1,       /* secp192r1 (19) */
198     NID_secp224k1,              /* secp224k1 (20) */
199     NID_secp224r1,              /* secp224r1 (21) */
200     NID_secp256k1,              /* secp256k1 (22) */
201     NID_X9_62_prime256v1,       /* secp256r1 (23) */
202     NID_secp384r1,              /* secp384r1 (24) */
203     NID_secp521r1               /* secp521r1 (25) */
204 };
205 
206 static int pref_list[] = {
207 # ifndef OPENSSL_NO_EC2M
208     NID_sect571r1,              /* sect571r1 (14) */
209     NID_sect571k1,              /* sect571k1 (13) */
210 # endif
211     NID_secp521r1,              /* secp521r1 (25) */
212 # ifndef OPENSSL_NO_EC2M
213     NID_sect409k1,              /* sect409k1 (11) */
214     NID_sect409r1,              /* sect409r1 (12) */
215 # endif
216     NID_secp384r1,              /* secp384r1 (24) */
217 # ifndef OPENSSL_NO_EC2M
218     NID_sect283k1,              /* sect283k1 (9) */
219     NID_sect283r1,              /* sect283r1 (10) */
220 # endif
221     NID_secp256k1,              /* secp256k1 (22) */
222     NID_X9_62_prime256v1,       /* secp256r1 (23) */
223 # ifndef OPENSSL_NO_EC2M
224     NID_sect239k1,              /* sect239k1 (8) */
225     NID_sect233k1,              /* sect233k1 (6) */
226     NID_sect233r1,              /* sect233r1 (7) */
227 # endif
228     NID_secp224k1,              /* secp224k1 (20) */
229     NID_secp224r1,              /* secp224r1 (21) */
230 # ifndef OPENSSL_NO_EC2M
231     NID_sect193r1,              /* sect193r1 (4) */
232     NID_sect193r2,              /* sect193r2 (5) */
233 # endif
234     NID_secp192k1,              /* secp192k1 (18) */
235     NID_X9_62_prime192v1,       /* secp192r1 (19) */
236 # ifndef OPENSSL_NO_EC2M
237     NID_sect163k1,              /* sect163k1 (1) */
238     NID_sect163r1,              /* sect163r1 (2) */
239     NID_sect163r2,              /* sect163r2 (3) */
240 # endif
241     NID_secp160k1,              /* secp160k1 (15) */
242     NID_secp160r1,              /* secp160r1 (16) */
243     NID_secp160r2,              /* secp160r2 (17) */
244 };
245 
246 int tls1_ec_curve_id2nid(int curve_id)
247 {
248     /* ECC curves from RFC 4492 */
249     if ((curve_id < 1) || ((unsigned int)curve_id >
250                            sizeof(nid_list) / sizeof(nid_list[0])))
251         return 0;
252     return nid_list[curve_id - 1];
253 }
254 
255 int tls1_ec_nid2curve_id(int nid)
256 {
257     /* ECC curves from RFC 4492 */
258     switch (nid) {
259     case NID_sect163k1:        /* sect163k1 (1) */
260         return 1;
261     case NID_sect163r1:        /* sect163r1 (2) */
262         return 2;
263     case NID_sect163r2:        /* sect163r2 (3) */
264         return 3;
265     case NID_sect193r1:        /* sect193r1 (4) */
266         return 4;
267     case NID_sect193r2:        /* sect193r2 (5) */
268         return 5;
269     case NID_sect233k1:        /* sect233k1 (6) */
270         return 6;
271     case NID_sect233r1:        /* sect233r1 (7) */
272         return 7;
273     case NID_sect239k1:        /* sect239k1 (8) */
274         return 8;
275     case NID_sect283k1:        /* sect283k1 (9) */
276         return 9;
277     case NID_sect283r1:        /* sect283r1 (10) */
278         return 10;
279     case NID_sect409k1:        /* sect409k1 (11) */
280         return 11;
281     case NID_sect409r1:        /* sect409r1 (12) */
282         return 12;
283     case NID_sect571k1:        /* sect571k1 (13) */
284         return 13;
285     case NID_sect571r1:        /* sect571r1 (14) */
286         return 14;
287     case NID_secp160k1:        /* secp160k1 (15) */
288         return 15;
289     case NID_secp160r1:        /* secp160r1 (16) */
290         return 16;
291     case NID_secp160r2:        /* secp160r2 (17) */
292         return 17;
293     case NID_secp192k1:        /* secp192k1 (18) */
294         return 18;
295     case NID_X9_62_prime192v1: /* secp192r1 (19) */
296         return 19;
297     case NID_secp224k1:        /* secp224k1 (20) */
298         return 20;
299     case NID_secp224r1:        /* secp224r1 (21) */
300         return 21;
301     case NID_secp256k1:        /* secp256k1 (22) */
302         return 22;
303     case NID_X9_62_prime256v1: /* secp256r1 (23) */
304         return 23;
305     case NID_secp384r1:        /* secp384r1 (24) */
306         return 24;
307     case NID_secp521r1:        /* secp521r1 (25) */
308         return 25;
309     default:
310         return 0;
311     }
312 }
313 #endif                          /* OPENSSL_NO_EC */
314 
315 #ifndef OPENSSL_NO_TLSEXT
316 
317 /*
318  * List of supported signature algorithms and hashes. Should make this
319  * customisable at some point, for now include everything we support.
320  */
321 
322 # ifdef OPENSSL_NO_RSA
323 #  define tlsext_sigalg_rsa(md) /* */
324 # else
325 #  define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
326 # endif
327 
328 # ifdef OPENSSL_NO_DSA
329 #  define tlsext_sigalg_dsa(md) /* */
330 # else
331 #  define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
332 # endif
333 
334 # ifdef OPENSSL_NO_ECDSA
335 #  define tlsext_sigalg_ecdsa(md)
336                                 /* */
337 # else
338 #  define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
339 # endif
340 
341 # define tlsext_sigalg(md) \
342                 tlsext_sigalg_rsa(md) \
343                 tlsext_sigalg_dsa(md) \
344                 tlsext_sigalg_ecdsa(md)
345 
346 static unsigned char tls12_sigalgs[] = {
347 # ifndef OPENSSL_NO_SHA512
348     tlsext_sigalg(TLSEXT_hash_sha512)
349         tlsext_sigalg(TLSEXT_hash_sha384)
350 # endif
351 # ifndef OPENSSL_NO_SHA256
352         tlsext_sigalg(TLSEXT_hash_sha256)
353         tlsext_sigalg(TLSEXT_hash_sha224)
354 # endif
355 # ifndef OPENSSL_NO_SHA
356         tlsext_sigalg(TLSEXT_hash_sha1)
357 # endif
358 };
359 
360 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
361 {
362     size_t slen = sizeof(tls12_sigalgs);
363     if (p)
364         memcpy(p, tls12_sigalgs, slen);
365     return (int)slen;
366 }
367 
368 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
369                                           unsigned char *limit)
370 {
371     int extdatalen = 0;
372     unsigned char *orig = buf;
373     unsigned char *ret = buf;
374 
375     /* don't add extensions for SSLv3 unless doing secure renegotiation */
376     if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
377         return orig;
378 
379     ret += 2;
380 
381     if (ret >= limit)
382         return NULL;            /* this really never occurs, but ... */
383 
384     if (s->tlsext_hostname != NULL) {
385         /* Add TLS extension servername to the Client Hello message */
386         unsigned long size_str;
387         long lenmax;
388 
389         /*-
390          * check for enough space.
391          * 4 for the servername type and entension length
392          * 2 for servernamelist length
393          * 1 for the hostname type
394          * 2 for hostname length
395          * + hostname length
396          */
397 
398         if ((lenmax = limit - ret - 9) < 0
399             || (size_str =
400                 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
401             return NULL;
402 
403         /* extension type and length */
404         s2n(TLSEXT_TYPE_server_name, ret);
405         s2n(size_str + 5, ret);
406 
407         /* length of servername list */
408         s2n(size_str + 3, ret);
409 
410         /* hostname type, length and hostname */
411         *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
412         s2n(size_str, ret);
413         memcpy(ret, s->tlsext_hostname, size_str);
414         ret += size_str;
415     }
416 
417     /* Add RI if renegotiating */
418     if (s->renegotiate) {
419         int el;
420 
421         if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
422             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
423             return NULL;
424         }
425 
426         if ((limit - ret - 4 - el) < 0)
427             return NULL;
428 
429         s2n(TLSEXT_TYPE_renegotiate, ret);
430         s2n(el, ret);
431 
432         if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
433             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
434             return NULL;
435         }
436 
437         ret += el;
438     }
439 # ifndef OPENSSL_NO_SRP
440     /* Add SRP username if there is one */
441     if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
442                                      * Client Hello message */
443 
444         int login_len = strlen(s->srp_ctx.login);
445         if (login_len > 255 || login_len == 0) {
446             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
447             return NULL;
448         }
449 
450         /*-
451          * check for enough space.
452          * 4 for the srp type type and entension length
453          * 1 for the srp user identity
454          * + srp user identity length
455          */
456         if ((limit - ret - 5 - login_len) < 0)
457             return NULL;
458 
459         /* fill in the extension */
460         s2n(TLSEXT_TYPE_srp, ret);
461         s2n(login_len + 1, ret);
462         (*ret++) = (unsigned char)login_len;
463         memcpy(ret, s->srp_ctx.login, login_len);
464         ret += login_len;
465     }
466 # endif
467 
468 # ifndef OPENSSL_NO_EC
469     if (s->tlsext_ecpointformatlist != NULL) {
470         /*
471          * Add TLS extension ECPointFormats to the ClientHello message
472          */
473         long lenmax;
474 
475         if ((lenmax = limit - ret - 5) < 0)
476             return NULL;
477         if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
478             return NULL;
479         if (s->tlsext_ecpointformatlist_length > 255) {
480             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
481             return NULL;
482         }
483 
484         s2n(TLSEXT_TYPE_ec_point_formats, ret);
485         s2n(s->tlsext_ecpointformatlist_length + 1, ret);
486         *(ret++) = (unsigned char)s->tlsext_ecpointformatlist_length;
487         memcpy(ret, s->tlsext_ecpointformatlist,
488                s->tlsext_ecpointformatlist_length);
489         ret += s->tlsext_ecpointformatlist_length;
490     }
491     if (s->tlsext_ellipticcurvelist != NULL) {
492         /*
493          * Add TLS extension EllipticCurves to the ClientHello message
494          */
495         long lenmax;
496 
497         if ((lenmax = limit - ret - 6) < 0)
498             return NULL;
499         if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax)
500             return NULL;
501         if (s->tlsext_ellipticcurvelist_length > 65532) {
502             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
503             return NULL;
504         }
505 
506         s2n(TLSEXT_TYPE_elliptic_curves, ret);
507         s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
508 
509         s2n(s->tlsext_ellipticcurvelist_length, ret);
510         memcpy(ret, s->tlsext_ellipticcurvelist,
511                s->tlsext_ellipticcurvelist_length);
512         ret += s->tlsext_ellipticcurvelist_length;
513     }
514 # endif                         /* OPENSSL_NO_EC */
515 
516     if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
517         int ticklen;
518         if (!s->new_session && s->session && s->session->tlsext_tick)
519             ticklen = s->session->tlsext_ticklen;
520         else if (s->session && s->tlsext_session_ticket &&
521                  s->tlsext_session_ticket->data) {
522             ticklen = s->tlsext_session_ticket->length;
523             s->session->tlsext_tick = OPENSSL_malloc(ticklen);
524             if (!s->session->tlsext_tick)
525                 return NULL;
526             memcpy(s->session->tlsext_tick,
527                    s->tlsext_session_ticket->data, ticklen);
528             s->session->tlsext_ticklen = ticklen;
529         } else
530             ticklen = 0;
531         if (ticklen == 0 && s->tlsext_session_ticket &&
532             s->tlsext_session_ticket->data == NULL)
533             goto skip_ext;
534         /*
535          * Check for enough room 2 for extension type, 2 for len rest for
536          * ticket
537          */
538         if ((long)(limit - ret - 4 - ticklen) < 0)
539             return NULL;
540         s2n(TLSEXT_TYPE_session_ticket, ret);
541         s2n(ticklen, ret);
542         if (ticklen) {
543             memcpy(ret, s->session->tlsext_tick, ticklen);
544             ret += ticklen;
545         }
546     }
547  skip_ext:
548 
549     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
550         if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
551             return NULL;
552         s2n(TLSEXT_TYPE_signature_algorithms, ret);
553         s2n(sizeof(tls12_sigalgs) + 2, ret);
554         s2n(sizeof(tls12_sigalgs), ret);
555         memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
556         ret += sizeof(tls12_sigalgs);
557     }
558 # ifdef TLSEXT_TYPE_opaque_prf_input
559     if (s->s3->client_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {
560         size_t col = s->s3->client_opaque_prf_input_len;
561 
562         if ((long)(limit - ret - 6 - col < 0))
563             return NULL;
564         if (col > 0xFFFD)       /* can't happen */
565             return NULL;
566 
567         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
568         s2n(col + 2, ret);
569         s2n(col, ret);
570         memcpy(ret, s->s3->client_opaque_prf_input, col);
571         ret += col;
572     }
573 # endif
574 
575     if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
576         s->version != DTLS1_VERSION) {
577         int i;
578         long extlen, idlen, itmp;
579         OCSP_RESPID *id;
580 
581         idlen = 0;
582         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
583             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
584             itmp = i2d_OCSP_RESPID(id, NULL);
585             if (itmp <= 0)
586                 return NULL;
587             idlen += itmp + 2;
588         }
589 
590         if (s->tlsext_ocsp_exts) {
591             extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
592             if (extlen < 0)
593                 return NULL;
594         } else
595             extlen = 0;
596 
597         if ((long)(limit - ret - 7 - extlen - idlen) < 0)
598             return NULL;
599         s2n(TLSEXT_TYPE_status_request, ret);
600         if (extlen + idlen > 0xFFF0)
601             return NULL;
602         s2n(extlen + idlen + 5, ret);
603         *(ret++) = TLSEXT_STATUSTYPE_ocsp;
604         s2n(idlen, ret);
605         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
606             /* save position of id len */
607             unsigned char *q = ret;
608             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
609             /* skip over id len */
610             ret += 2;
611             itmp = i2d_OCSP_RESPID(id, &ret);
612             /* write id len */
613             s2n(itmp, q);
614         }
615         s2n(extlen, ret);
616         if (extlen > 0)
617             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
618     }
619 # ifndef OPENSSL_NO_HEARTBEATS
620     /* Add Heartbeat extension */
621     if ((limit - ret - 4 - 1) < 0)
622         return NULL;
623     s2n(TLSEXT_TYPE_heartbeat, ret);
624     s2n(1, ret);
625     /*-
626      * Set mode:
627      * 1: peer may send requests
628      * 2: peer not allowed to send requests
629      */
630     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
631         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
632     else
633         *(ret++) = SSL_TLSEXT_HB_ENABLED;
634 # endif
635 
636 # ifndef OPENSSL_NO_NEXTPROTONEG
637     if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
638         /*
639          * The client advertises an emtpy extension to indicate its support
640          * for Next Protocol Negotiation
641          */
642         if (limit - ret - 4 < 0)
643             return NULL;
644         s2n(TLSEXT_TYPE_next_proto_neg, ret);
645         s2n(0, ret);
646     }
647 # endif
648 
649 # ifndef OPENSSL_NO_SRTP
650     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
651         int el;
652 
653         ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
654 
655         if ((limit - ret - 4 - el) < 0)
656             return NULL;
657 
658         s2n(TLSEXT_TYPE_use_srtp, ret);
659         s2n(el, ret);
660 
661         if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
662             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
663             return NULL;
664         }
665         ret += el;
666     }
667 # endif
668     /*
669      * Add padding to workaround bugs in F5 terminators. See
670      * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
671      * code works out the length of all existing extensions it MUST always
672      * appear last.
673      */
674     if (s->options & SSL_OP_TLSEXT_PADDING) {
675         int hlen = ret - (unsigned char *)s->init_buf->data;
676         /*
677          * The code in s23_clnt.c to build ClientHello messages includes the
678          * 5-byte record header in the buffer, while the code in s3_clnt.c
679          * does not.
680          */
681         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
682             hlen -= 5;
683         if (hlen > 0xff && hlen < 0x200) {
684             hlen = 0x200 - hlen;
685             if (hlen >= 4)
686                 hlen -= 4;
687             else
688                 hlen = 0;
689 
690             s2n(TLSEXT_TYPE_padding, ret);
691             s2n(hlen, ret);
692             memset(ret, 0, hlen);
693             ret += hlen;
694         }
695     }
696 
697     if ((extdatalen = ret - orig - 2) == 0)
698         return orig;
699 
700     s2n(extdatalen, orig);
701     return ret;
702 }
703 
704 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
705                                           unsigned char *limit)
706 {
707     int extdatalen = 0;
708     unsigned char *orig = buf;
709     unsigned char *ret = buf;
710 # ifndef OPENSSL_NO_NEXTPROTONEG
711     int next_proto_neg_seen;
712 # endif
713 
714     /*
715      * don't add extensions for SSLv3, unless doing secure renegotiation
716      */
717     if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
718         return orig;
719 
720     ret += 2;
721     if (ret >= limit)
722         return NULL;            /* this really never occurs, but ... */
723 
724     if (!s->hit && s->servername_done == 1
725         && s->session->tlsext_hostname != NULL) {
726         if ((long)(limit - ret - 4) < 0)
727             return NULL;
728 
729         s2n(TLSEXT_TYPE_server_name, ret);
730         s2n(0, ret);
731     }
732 
733     if (s->s3->send_connection_binding) {
734         int el;
735 
736         if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
737             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
738             return NULL;
739         }
740 
741         if ((limit - ret - 4 - el) < 0)
742             return NULL;
743 
744         s2n(TLSEXT_TYPE_renegotiate, ret);
745         s2n(el, ret);
746 
747         if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
748             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
749             return NULL;
750         }
751 
752         ret += el;
753     }
754 # ifndef OPENSSL_NO_EC
755     if (s->tlsext_ecpointformatlist != NULL) {
756         /*
757          * Add TLS extension ECPointFormats to the ServerHello message
758          */
759         long lenmax;
760 
761         if ((lenmax = limit - ret - 5) < 0)
762             return NULL;
763         if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
764             return NULL;
765         if (s->tlsext_ecpointformatlist_length > 255) {
766             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
767             return NULL;
768         }
769 
770         s2n(TLSEXT_TYPE_ec_point_formats, ret);
771         s2n(s->tlsext_ecpointformatlist_length + 1, ret);
772         *(ret++) = (unsigned char)s->tlsext_ecpointformatlist_length;
773         memcpy(ret, s->tlsext_ecpointformatlist,
774                s->tlsext_ecpointformatlist_length);
775         ret += s->tlsext_ecpointformatlist_length;
776 
777     }
778     /*
779      * Currently the server should not respond with a SupportedCurves
780      * extension
781      */
782 # endif                         /* OPENSSL_NO_EC */
783 
784     if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
785         if ((long)(limit - ret - 4) < 0)
786             return NULL;
787         s2n(TLSEXT_TYPE_session_ticket, ret);
788         s2n(0, ret);
789     }
790 
791     if (s->tlsext_status_expected) {
792         if ((long)(limit - ret - 4) < 0)
793             return NULL;
794         s2n(TLSEXT_TYPE_status_request, ret);
795         s2n(0, ret);
796     }
797 # ifdef TLSEXT_TYPE_opaque_prf_input
798     if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {
799         size_t sol = s->s3->server_opaque_prf_input_len;
800 
801         if ((long)(limit - ret - 6 - sol) < 0)
802             return NULL;
803         if (sol > 0xFFFD)       /* can't happen */
804             return NULL;
805 
806         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
807         s2n(sol + 2, ret);
808         s2n(sol, ret);
809         memcpy(ret, s->s3->server_opaque_prf_input, sol);
810         ret += sol;
811     }
812 # endif
813 
814 # ifndef OPENSSL_NO_SRTP
815     if (SSL_IS_DTLS(s) && s->srtp_profile) {
816         int el;
817 
818         ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
819 
820         if ((limit - ret - 4 - el) < 0)
821             return NULL;
822 
823         s2n(TLSEXT_TYPE_use_srtp, ret);
824         s2n(el, ret);
825 
826         if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
827             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
828             return NULL;
829         }
830         ret += el;
831     }
832 # endif
833 
834     if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
835          || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
836         && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
837         const unsigned char cryptopro_ext[36] = {
838             0xfd, 0xe8,         /* 65000 */
839             0x00, 0x20,         /* 32 bytes length */
840             0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
841             0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
842             0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
843             0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
844         };
845         if (limit - ret < 36)
846             return NULL;
847         memcpy(ret, cryptopro_ext, 36);
848         ret += 36;
849 
850     }
851 # ifndef OPENSSL_NO_HEARTBEATS
852     /* Add Heartbeat extension if we've received one */
853     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
854         if ((limit - ret - 4 - 1) < 0)
855             return NULL;
856         s2n(TLSEXT_TYPE_heartbeat, ret);
857         s2n(1, ret);
858         /*-
859          * Set mode:
860          * 1: peer may send requests
861          * 2: peer not allowed to send requests
862          */
863         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
864             *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
865         else
866             *(ret++) = SSL_TLSEXT_HB_ENABLED;
867 
868     }
869 # endif
870 
871 # ifndef OPENSSL_NO_NEXTPROTONEG
872     next_proto_neg_seen = s->s3->next_proto_neg_seen;
873     s->s3->next_proto_neg_seen = 0;
874     if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
875         const unsigned char *npa;
876         unsigned int npalen;
877         int r;
878 
879         r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
880                                               s->
881                                               ctx->next_protos_advertised_cb_arg);
882         if (r == SSL_TLSEXT_ERR_OK) {
883             if ((long)(limit - ret - 4 - npalen) < 0)
884                 return NULL;
885             s2n(TLSEXT_TYPE_next_proto_neg, ret);
886             s2n(npalen, ret);
887             memcpy(ret, npa, npalen);
888             ret += npalen;
889             s->s3->next_proto_neg_seen = 1;
890         }
891     }
892 # endif
893 
894     if ((extdatalen = ret - orig - 2) == 0)
895         return orig;
896 
897     s2n(extdatalen, orig);
898     return ret;
899 }
900 
901 # ifndef OPENSSL_NO_EC
902 /*-
903  * ssl_check_for_safari attempts to fingerprint Safari using OS X
904  * SecureTransport using the TLS extension block in |d|, of length |n|.
905  * Safari, since 10.6, sends exactly these extensions, in this order:
906  *   SNI,
907  *   elliptic_curves
908  *   ec_point_formats
909  *
910  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
911  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
912  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
913  * 10.8..10.8.3 (which don't work).
914  */
915 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
916                                  const unsigned char *d, int n)
917 {
918     unsigned short type, size;
919     static const unsigned char kSafariExtensionsBlock[] = {
920         0x00, 0x0a,             /* elliptic_curves extension */
921         0x00, 0x08,             /* 8 bytes */
922         0x00, 0x06,             /* 6 bytes of curve ids */
923         0x00, 0x17,             /* P-256 */
924         0x00, 0x18,             /* P-384 */
925         0x00, 0x19,             /* P-521 */
926 
927         0x00, 0x0b,             /* ec_point_formats */
928         0x00, 0x02,             /* 2 bytes */
929         0x01,                   /* 1 point format */
930         0x00,                   /* uncompressed */
931     };
932 
933     /* The following is only present in TLS 1.2 */
934     static const unsigned char kSafariTLS12ExtensionsBlock[] = {
935         0x00, 0x0d,             /* signature_algorithms */
936         0x00, 0x0c,             /* 12 bytes */
937         0x00, 0x0a,             /* 10 bytes */
938         0x05, 0x01,             /* SHA-384/RSA */
939         0x04, 0x01,             /* SHA-256/RSA */
940         0x02, 0x01,             /* SHA-1/RSA */
941         0x04, 0x03,             /* SHA-256/ECDSA */
942         0x02, 0x03,             /* SHA-1/ECDSA */
943     };
944 
945     if (data >= (d + n - 2))
946         return;
947     data += 2;
948 
949     if (data > (d + n - 4))
950         return;
951     n2s(data, type);
952     n2s(data, size);
953 
954     if (type != TLSEXT_TYPE_server_name)
955         return;
956 
957     if (data + size > d + n)
958         return;
959     data += size;
960 
961     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
962         const size_t len1 = sizeof(kSafariExtensionsBlock);
963         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
964 
965         if (data + len1 + len2 != d + n)
966             return;
967         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
968             return;
969         if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
970             return;
971     } else {
972         const size_t len = sizeof(kSafariExtensionsBlock);
973 
974         if (data + len != d + n)
975             return;
976         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
977             return;
978     }
979 
980     s->s3->is_probably_safari = 1;
981 }
982 # endif                         /* !OPENSSL_NO_EC */
983 
984 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
985                                  int n, int *al)
986 {
987     unsigned short type;
988     unsigned short size;
989     unsigned short len;
990     unsigned char *data = *p;
991     int renegotiate_seen = 0;
992     int sigalg_seen = 0;
993 
994     s->servername_done = 0;
995     s->tlsext_status_type = -1;
996 # ifndef OPENSSL_NO_NEXTPROTONEG
997     s->s3->next_proto_neg_seen = 0;
998 # endif
999 
1000 # ifndef OPENSSL_NO_HEARTBEATS
1001     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1002                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1003 # endif
1004 
1005 # ifndef OPENSSL_NO_EC
1006     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1007         ssl_check_for_safari(s, data, d, n);
1008 # endif                         /* !OPENSSL_NO_EC */
1009 
1010 # ifndef OPENSSL_NO_SRP
1011     if (s->srp_ctx.login != NULL) {
1012         OPENSSL_free(s->srp_ctx.login);
1013         s->srp_ctx.login = NULL;
1014     }
1015 # endif
1016 
1017     s->srtp_profile = NULL;
1018 
1019     if (data == d + n)
1020         goto ri_check;
1021 
1022     if (data > (d + n - 2))
1023         goto err;
1024 
1025     n2s(data, len);
1026 
1027     if (data > (d + n - len))
1028         goto err;
1029 
1030     while (data <= (d + n - 4)) {
1031         n2s(data, type);
1032         n2s(data, size);
1033 
1034         if (data + size > (d + n))
1035             goto err;
1036 # if 0
1037         fprintf(stderr, "Received extension type %d size %d\n", type, size);
1038 # endif
1039         if (s->tlsext_debug_cb)
1040             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
1041 /*-
1042  * The servername extension is treated as follows:
1043  *
1044  * - Only the hostname type is supported with a maximum length of 255.
1045  * - The servername is rejected if too long or if it contains zeros,
1046  *   in which case an fatal alert is generated.
1047  * - The servername field is maintained together with the session cache.
1048  * - When a session is resumed, the servername call back invoked in order
1049  *   to allow the application to position itself to the right context.
1050  * - The servername is acknowledged if it is new for a session or when
1051  *   it is identical to a previously used for the same session.
1052  *   Applications can control the behaviour.  They can at any time
1053  *   set a 'desirable' servername for a new SSL object. This can be the
1054  *   case for example with HTTPS when a Host: header field is received and
1055  *   a renegotiation is requested. In this case, a possible servername
1056  *   presented in the new client hello is only acknowledged if it matches
1057  *   the value of the Host: field.
1058  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1059  *   if they provide for changing an explicit servername context for the
1060  *   session, i.e. when the session has been established with a servername
1061  *   extension.
1062  * - On session reconnect, the servername extension may be absent.
1063  *
1064  */
1065 
1066         if (type == TLSEXT_TYPE_server_name) {
1067             unsigned char *sdata;
1068             int servname_type;
1069             int dsize;
1070 
1071             if (size < 2)
1072                 goto err;
1073             n2s(data, dsize);
1074             size -= 2;
1075             if (dsize > size)
1076                 goto err;
1077 
1078             sdata = data;
1079             while (dsize > 3) {
1080                 servname_type = *(sdata++);
1081                 n2s(sdata, len);
1082                 dsize -= 3;
1083 
1084                 if (len > dsize)
1085                     goto err;
1086 
1087                 if (s->servername_done == 0)
1088                     switch (servname_type) {
1089                     case TLSEXT_NAMETYPE_host_name:
1090                         if (!s->hit) {
1091                             if (s->session->tlsext_hostname)
1092                                 goto err;
1093 
1094                             if (len > TLSEXT_MAXLEN_host_name) {
1095                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1096                                 return 0;
1097                             }
1098                             if ((s->session->tlsext_hostname =
1099                                  OPENSSL_malloc(len + 1)) == NULL) {
1100                                 *al = TLS1_AD_INTERNAL_ERROR;
1101                                 return 0;
1102                             }
1103                             memcpy(s->session->tlsext_hostname, sdata, len);
1104                             s->session->tlsext_hostname[len] = '\0';
1105                             if (strlen(s->session->tlsext_hostname) != len) {
1106                                 OPENSSL_free(s->session->tlsext_hostname);
1107                                 s->session->tlsext_hostname = NULL;
1108                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1109                                 return 0;
1110                             }
1111                             s->servername_done = 1;
1112 
1113                         } else
1114                             s->servername_done = s->session->tlsext_hostname
1115                                 && strlen(s->session->tlsext_hostname) == len
1116                                 && strncmp(s->session->tlsext_hostname,
1117                                            (char *)sdata, len) == 0;
1118 
1119                         break;
1120 
1121                     default:
1122                         break;
1123                     }
1124 
1125                 dsize -= len;
1126             }
1127             if (dsize != 0)
1128                 goto err;
1129 
1130         }
1131 # ifndef OPENSSL_NO_SRP
1132         else if (type == TLSEXT_TYPE_srp) {
1133             if (size == 0 || ((len = data[0])) != (size - 1))
1134                 goto err;
1135             if (s->srp_ctx.login != NULL)
1136                 goto err;
1137             if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
1138                 return -1;
1139             memcpy(s->srp_ctx.login, &data[1], len);
1140             s->srp_ctx.login[len] = '\0';
1141 
1142             if (strlen(s->srp_ctx.login) != len)
1143                 goto err;
1144         }
1145 # endif
1146 
1147 # ifndef OPENSSL_NO_EC
1148         else if (type == TLSEXT_TYPE_ec_point_formats) {
1149             unsigned char *sdata = data;
1150             int ecpointformatlist_length = *(sdata++);
1151 
1152             if (ecpointformatlist_length != size - 1)
1153                 goto err;
1154             if (!s->hit) {
1155                 if (s->session->tlsext_ecpointformatlist) {
1156                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
1157                     s->session->tlsext_ecpointformatlist = NULL;
1158                 }
1159                 s->session->tlsext_ecpointformatlist_length = 0;
1160                 if ((s->session->tlsext_ecpointformatlist =
1161                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1162                     *al = TLS1_AD_INTERNAL_ERROR;
1163                     return 0;
1164                 }
1165                 s->session->tlsext_ecpointformatlist_length =
1166                     ecpointformatlist_length;
1167                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
1168                        ecpointformatlist_length);
1169             }
1170 #  if 0
1171             fprintf(stderr,
1172                     "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
1173                     s->session->tlsext_ecpointformatlist_length);
1174             sdata = s->session->tlsext_ecpointformatlist;
1175             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1176                 fprintf(stderr, "%i ", *(sdata++));
1177             fprintf(stderr, "\n");
1178 #  endif
1179         } else if (type == TLSEXT_TYPE_elliptic_curves) {
1180             unsigned char *sdata = data;
1181             int ellipticcurvelist_length = (*(sdata++) << 8);
1182             ellipticcurvelist_length += (*(sdata++));
1183 
1184             if (ellipticcurvelist_length != size - 2 ||
1185                 ellipticcurvelist_length < 1 ||
1186                 /* Each NamedCurve is 2 bytes. */
1187                 ellipticcurvelist_length & 1)
1188                     goto err;
1189 
1190             if (!s->hit) {
1191                 if (s->session->tlsext_ellipticcurvelist)
1192                     goto err;
1193 
1194                 s->session->tlsext_ellipticcurvelist_length = 0;
1195                 if ((s->session->tlsext_ellipticcurvelist =
1196                      OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
1197                     *al = TLS1_AD_INTERNAL_ERROR;
1198                     return 0;
1199                 }
1200                 s->session->tlsext_ellipticcurvelist_length =
1201                     ellipticcurvelist_length;
1202                 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
1203                        ellipticcurvelist_length);
1204             }
1205 #  if 0
1206             fprintf(stderr,
1207                     "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
1208                     s->session->tlsext_ellipticcurvelist_length);
1209             sdata = s->session->tlsext_ellipticcurvelist;
1210             for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1211                 fprintf(stderr, "%i ", *(sdata++));
1212             fprintf(stderr, "\n");
1213 #  endif
1214         }
1215 # endif                         /* OPENSSL_NO_EC */
1216 # ifdef TLSEXT_TYPE_opaque_prf_input
1217         else if (type == TLSEXT_TYPE_opaque_prf_input &&
1218                  s->version != DTLS1_VERSION) {
1219             unsigned char *sdata = data;
1220 
1221             if (size < 2) {
1222                 *al = SSL_AD_DECODE_ERROR;
1223                 return 0;
1224             }
1225             n2s(sdata, s->s3->client_opaque_prf_input_len);
1226             if (s->s3->client_opaque_prf_input_len != size - 2) {
1227                 *al = SSL_AD_DECODE_ERROR;
1228                 return 0;
1229             }
1230 
1231             if (s->s3->client_opaque_prf_input != NULL) {
1232                 /* shouldn't really happen */
1233                 OPENSSL_free(s->s3->client_opaque_prf_input);
1234             }
1235 
1236             /* dummy byte just to get non-NULL */
1237             if (s->s3->client_opaque_prf_input_len == 0)
1238                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
1239             else
1240                 s->s3->client_opaque_prf_input =
1241                     BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1242             if (s->s3->client_opaque_prf_input == NULL) {
1243                 *al = TLS1_AD_INTERNAL_ERROR;
1244                 return 0;
1245             }
1246         }
1247 # endif
1248         else if (type == TLSEXT_TYPE_session_ticket) {
1249             if (s->tls_session_ticket_ext_cb &&
1250                 !s->tls_session_ticket_ext_cb(s, data, size,
1251                                               s->tls_session_ticket_ext_cb_arg))
1252             {
1253                 *al = TLS1_AD_INTERNAL_ERROR;
1254                 return 0;
1255             }
1256         } else if (type == TLSEXT_TYPE_renegotiate) {
1257             if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1258                 return 0;
1259             renegotiate_seen = 1;
1260         } else if (type == TLSEXT_TYPE_signature_algorithms) {
1261             int dsize;
1262             if (sigalg_seen || size < 2)
1263                 goto err;
1264             sigalg_seen = 1;
1265             n2s(data, dsize);
1266             size -= 2;
1267             if (dsize != size || dsize & 1)
1268                 goto err;
1269             if (!tls1_process_sigalgs(s, data, dsize))
1270                 goto err;
1271         } else if (type == TLSEXT_TYPE_status_request &&
1272                    s->version != DTLS1_VERSION) {
1273 
1274             if (size < 5)
1275                 goto err;
1276 
1277             s->tlsext_status_type = *data++;
1278             size--;
1279             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1280                 const unsigned char *sdata;
1281                 int dsize;
1282                 /* Read in responder_id_list */
1283                 n2s(data, dsize);
1284                 size -= 2;
1285                 if (dsize > size)
1286                     goto err;
1287                 while (dsize > 0) {
1288                     OCSP_RESPID *id;
1289                     int idsize;
1290                     if (dsize < 4)
1291                         goto err;
1292                     n2s(data, idsize);
1293                     dsize -= 2 + idsize;
1294                     size -= 2 + idsize;
1295                     if (dsize < 0)
1296                         goto err;
1297                     sdata = data;
1298                     data += idsize;
1299                     id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
1300                     if (!id)
1301                         goto err;
1302                     if (data != sdata) {
1303                         OCSP_RESPID_free(id);
1304                         goto err;
1305                     }
1306                     if (!s->tlsext_ocsp_ids
1307                         && !(s->tlsext_ocsp_ids =
1308                              sk_OCSP_RESPID_new_null())) {
1309                         OCSP_RESPID_free(id);
1310                         *al = SSL_AD_INTERNAL_ERROR;
1311                         return 0;
1312                     }
1313                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
1314                         OCSP_RESPID_free(id);
1315                         *al = SSL_AD_INTERNAL_ERROR;
1316                         return 0;
1317                     }
1318                 }
1319 
1320                 /* Read in request_extensions */
1321                 if (size < 2)
1322                     goto err;
1323                 n2s(data, dsize);
1324                 size -= 2;
1325                 if (dsize != size)
1326                     goto err;
1327                 sdata = data;
1328                 if (dsize > 0) {
1329                     if (s->tlsext_ocsp_exts) {
1330                         sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1331                                                    X509_EXTENSION_free);
1332                     }
1333 
1334                     s->tlsext_ocsp_exts =
1335                         d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
1336                     if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
1337                         goto err;
1338                 }
1339             }
1340             /*
1341              * We don't know what to do with any other type * so ignore it.
1342              */
1343             else
1344                 s->tlsext_status_type = -1;
1345         }
1346 # ifndef OPENSSL_NO_HEARTBEATS
1347         else if (type == TLSEXT_TYPE_heartbeat) {
1348             switch (data[0]) {
1349             case 0x01:         /* Client allows us to send HB requests */
1350                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1351                 break;
1352             case 0x02:         /* Client doesn't accept HB requests */
1353                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1354                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1355                 break;
1356             default:
1357                 *al = SSL_AD_ILLEGAL_PARAMETER;
1358                 return 0;
1359             }
1360         }
1361 # endif
1362 # ifndef OPENSSL_NO_NEXTPROTONEG
1363         else if (type == TLSEXT_TYPE_next_proto_neg &&
1364                  s->s3->tmp.finish_md_len == 0) {
1365             /*-
1366              * We shouldn't accept this extension on a
1367              * renegotiation.
1368              *
1369              * s->new_session will be set on renegotiation, but we
1370              * probably shouldn't rely that it couldn't be set on
1371              * the initial renegotation too in certain cases (when
1372              * there's some other reason to disallow resuming an
1373              * earlier session -- the current code won't be doing
1374              * anything like that, but this might change).
1375              *
1376              * A valid sign that there's been a previous handshake
1377              * in this connection is if s->s3->tmp.finish_md_len >
1378              * 0.  (We are talking about a check that will happen
1379              * in the Hello protocol round, well before a new
1380              * Finished message could have been computed.)
1381              */
1382             s->s3->next_proto_neg_seen = 1;
1383         }
1384 # endif
1385 
1386         /* session ticket processed earlier */
1387 # ifndef OPENSSL_NO_SRTP
1388         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
1389                  && type == TLSEXT_TYPE_use_srtp) {
1390             if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1391                 return 0;
1392         }
1393 # endif
1394 
1395         data += size;
1396     }
1397 
1398     /* Spurious data on the end */
1399     if (data != d + n)
1400         goto err;
1401 
1402     *p = data;
1403 
1404  ri_check:
1405 
1406     /* Need RI if renegotiating */
1407 
1408     if (!renegotiate_seen && s->renegotiate &&
1409         !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1410         *al = SSL_AD_HANDSHAKE_FAILURE;
1411         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1412                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1413         return 0;
1414     }
1415 
1416     return 1;
1417 err:
1418     *al = SSL_AD_DECODE_ERROR;
1419     return 0;
1420 }
1421 
1422 # ifndef OPENSSL_NO_NEXTPROTONEG
1423 /*
1424  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1425  * elements of zero length are allowed and the set of elements must exactly
1426  * fill the length of the block.
1427  */
1428 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1429 {
1430     unsigned int off = 0;
1431 
1432     while (off < len) {
1433         if (d[off] == 0)
1434             return 0;
1435         off += d[off];
1436         off++;
1437     }
1438 
1439     return off == len;
1440 }
1441 # endif
1442 
1443 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1444                                  int n, int *al)
1445 {
1446     unsigned short length;
1447     unsigned short type;
1448     unsigned short size;
1449     unsigned char *data = *p;
1450     int tlsext_servername = 0;
1451     int renegotiate_seen = 0;
1452 
1453 # ifndef OPENSSL_NO_NEXTPROTONEG
1454     s->s3->next_proto_neg_seen = 0;
1455 # endif
1456     s->tlsext_ticket_expected = 0;
1457 
1458 # ifndef OPENSSL_NO_HEARTBEATS
1459     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1460                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1461 # endif
1462 
1463     if (data >= (d + n - 2))
1464         goto ri_check;
1465 
1466     n2s(data, length);
1467     if (data + length != d + n) {
1468         *al = SSL_AD_DECODE_ERROR;
1469         return 0;
1470     }
1471 
1472     while (data <= (d + n - 4)) {
1473         n2s(data, type);
1474         n2s(data, size);
1475 
1476         if (data + size > (d + n))
1477             goto ri_check;
1478 
1479         if (s->tlsext_debug_cb)
1480             s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
1481 
1482         if (type == TLSEXT_TYPE_server_name) {
1483             if (s->tlsext_hostname == NULL || size > 0) {
1484                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1485                 return 0;
1486             }
1487             tlsext_servername = 1;
1488         }
1489 # ifndef OPENSSL_NO_EC
1490         else if (type == TLSEXT_TYPE_ec_point_formats) {
1491             unsigned char *sdata = data;
1492             int ecpointformatlist_length = *(sdata++);
1493 
1494             if (ecpointformatlist_length != size - 1 ||
1495                 ecpointformatlist_length < 1) {
1496                 *al = TLS1_AD_DECODE_ERROR;
1497                 return 0;
1498             }
1499             if (!s->hit) {
1500                 s->session->tlsext_ecpointformatlist_length = 0;
1501                 if (s->session->tlsext_ecpointformatlist != NULL)
1502                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
1503                 if ((s->session->tlsext_ecpointformatlist =
1504                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
1505                     *al = TLS1_AD_INTERNAL_ERROR;
1506                     return 0;
1507                 }
1508                 s->session->tlsext_ecpointformatlist_length =
1509                     ecpointformatlist_length;
1510                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
1511                        ecpointformatlist_length);
1512             }
1513 #  if 0
1514             fprintf(stderr,
1515                     "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1516             sdata = s->session->tlsext_ecpointformatlist;
1517             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1518                 fprintf(stderr, "%i ", *(sdata++));
1519             fprintf(stderr, "\n");
1520 #  endif
1521         }
1522 # endif                         /* OPENSSL_NO_EC */
1523 
1524         else if (type == TLSEXT_TYPE_session_ticket) {
1525             if (s->tls_session_ticket_ext_cb &&
1526                 !s->tls_session_ticket_ext_cb(s, data, size,
1527                                               s->tls_session_ticket_ext_cb_arg))
1528             {
1529                 *al = TLS1_AD_INTERNAL_ERROR;
1530                 return 0;
1531             }
1532             if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1533                 || (size > 0)) {
1534                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1535                 return 0;
1536             }
1537             s->tlsext_ticket_expected = 1;
1538         }
1539 # ifdef TLSEXT_TYPE_opaque_prf_input
1540         else if (type == TLSEXT_TYPE_opaque_prf_input &&
1541                  s->version != DTLS1_VERSION) {
1542             unsigned char *sdata = data;
1543 
1544             if (size < 2) {
1545                 *al = SSL_AD_DECODE_ERROR;
1546                 return 0;
1547             }
1548             n2s(sdata, s->s3->server_opaque_prf_input_len);
1549             if (s->s3->server_opaque_prf_input_len != size - 2) {
1550                 *al = SSL_AD_DECODE_ERROR;
1551                 return 0;
1552             }
1553 
1554             if (s->s3->server_opaque_prf_input != NULL) {
1555                 /* shouldn't really happen */
1556                 OPENSSL_free(s->s3->server_opaque_prf_input);
1557             }
1558             if (s->s3->server_opaque_prf_input_len == 0) {
1559                 /* dummy byte just to get non-NULL */
1560                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
1561             } else {
1562                 s->s3->server_opaque_prf_input =
1563                     BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1564             }
1565 
1566             if (s->s3->server_opaque_prf_input == NULL) {
1567                 *al = TLS1_AD_INTERNAL_ERROR;
1568                 return 0;
1569             }
1570         }
1571 # endif
1572         else if (type == TLSEXT_TYPE_status_request &&
1573                  s->version != DTLS1_VERSION) {
1574             /*
1575              * MUST be empty and only sent if we've requested a status
1576              * request message.
1577              */
1578             if ((s->tlsext_status_type == -1) || (size > 0)) {
1579                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1580                 return 0;
1581             }
1582             /* Set flag to expect CertificateStatus message */
1583             s->tlsext_status_expected = 1;
1584         }
1585 # ifndef OPENSSL_NO_NEXTPROTONEG
1586         else if (type == TLSEXT_TYPE_next_proto_neg &&
1587                  s->s3->tmp.finish_md_len == 0) {
1588             unsigned char *selected;
1589             unsigned char selected_len;
1590 
1591             /* We must have requested it. */
1592             if (s->ctx->next_proto_select_cb == NULL) {
1593                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1594                 return 0;
1595             }
1596             /* The data must be valid */
1597             if (!ssl_next_proto_validate(data, size)) {
1598                 *al = TLS1_AD_DECODE_ERROR;
1599                 return 0;
1600             }
1601             if (s->
1602                 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
1603                                           size,
1604                                           s->ctx->next_proto_select_cb_arg) !=
1605                 SSL_TLSEXT_ERR_OK) {
1606                 *al = TLS1_AD_INTERNAL_ERROR;
1607                 return 0;
1608             }
1609             s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1610             if (!s->next_proto_negotiated) {
1611                 *al = TLS1_AD_INTERNAL_ERROR;
1612                 return 0;
1613             }
1614             memcpy(s->next_proto_negotiated, selected, selected_len);
1615             s->next_proto_negotiated_len = selected_len;
1616             s->s3->next_proto_neg_seen = 1;
1617         }
1618 # endif
1619         else if (type == TLSEXT_TYPE_renegotiate) {
1620             if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1621                 return 0;
1622             renegotiate_seen = 1;
1623         }
1624 # ifndef OPENSSL_NO_HEARTBEATS
1625         else if (type == TLSEXT_TYPE_heartbeat) {
1626             switch (data[0]) {
1627             case 0x01:         /* Server allows us to send HB requests */
1628                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1629                 break;
1630             case 0x02:         /* Server doesn't accept HB requests */
1631                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1632                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1633                 break;
1634             default:
1635                 *al = SSL_AD_ILLEGAL_PARAMETER;
1636                 return 0;
1637             }
1638         }
1639 # endif
1640 # ifndef OPENSSL_NO_SRTP
1641         else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
1642             if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
1643                 return 0;
1644         }
1645 # endif
1646 
1647         data += size;
1648     }
1649 
1650     if (data != d + n) {
1651         *al = SSL_AD_DECODE_ERROR;
1652         return 0;
1653     }
1654 
1655     if (!s->hit && tlsext_servername == 1) {
1656         if (s->tlsext_hostname) {
1657             if (s->session->tlsext_hostname == NULL) {
1658                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1659                 if (!s->session->tlsext_hostname) {
1660                     *al = SSL_AD_UNRECOGNIZED_NAME;
1661                     return 0;
1662                 }
1663             } else {
1664                 *al = SSL_AD_DECODE_ERROR;
1665                 return 0;
1666             }
1667         }
1668     }
1669 
1670     *p = data;
1671 
1672  ri_check:
1673 
1674     /*
1675      * Determine if we need to see RI. Strictly speaking if we want to avoid
1676      * an attack we should *always* see RI even on initial server hello
1677      * because the client doesn't see any renegotiation during an attack.
1678      * However this would mean we could not connect to any server which
1679      * doesn't support RI so for the immediate future tolerate RI absence on
1680      * initial connect only.
1681      */
1682     if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1683         && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
1684         *al = SSL_AD_HANDSHAKE_FAILURE;
1685         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1686                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1687         return 0;
1688     }
1689 
1690     return 1;
1691 }
1692 
1693 int ssl_prepare_clienthello_tlsext(SSL *s)
1694 {
1695 # ifndef OPENSSL_NO_EC
1696     /*
1697      * If we are client and using an elliptic curve cryptography cipher
1698      * suite, send the point formats and elliptic curves we support.
1699      */
1700     int using_ecc = 0;
1701     int i;
1702     unsigned char *j;
1703     unsigned long alg_k, alg_a;
1704     STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1705 
1706     for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1707         SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1708 
1709         alg_k = c->algorithm_mkey;
1710         alg_a = c->algorithm_auth;
1711         if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)
1712              || (alg_a & SSL_aECDSA))) {
1713             using_ecc = 1;
1714             break;
1715         }
1716     }
1717     using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1718     if (using_ecc) {
1719         if (s->tlsext_ecpointformatlist != NULL)
1720             OPENSSL_free(s->tlsext_ecpointformatlist);
1721         if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1722             SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
1723                    ERR_R_MALLOC_FAILURE);
1724             return -1;
1725         }
1726         s->tlsext_ecpointformatlist_length = 3;
1727         s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1728         s->tlsext_ecpointformatlist[1] =
1729             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1730         s->tlsext_ecpointformatlist[2] =
1731             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1732 
1733         /* we support all named elliptic curves in RFC 4492 */
1734         if (s->tlsext_ellipticcurvelist != NULL)
1735             OPENSSL_free(s->tlsext_ellipticcurvelist);
1736         s->tlsext_ellipticcurvelist_length =
1737             sizeof(pref_list) / sizeof(pref_list[0]) * 2;
1738         if ((s->tlsext_ellipticcurvelist =
1739              OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) {
1740             s->tlsext_ellipticcurvelist_length = 0;
1741             SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
1742                    ERR_R_MALLOC_FAILURE);
1743             return -1;
1744         }
1745         for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1746              sizeof(pref_list) / sizeof(pref_list[0]); i++) {
1747             int id = tls1_ec_nid2curve_id(pref_list[i]);
1748             s2n(id, j);
1749         }
1750     }
1751 # endif                         /* OPENSSL_NO_EC */
1752 
1753 # ifdef TLSEXT_TYPE_opaque_prf_input
1754     {
1755         int r = 1;
1756 
1757         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1758             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
1759                                                          s->
1760                                                          ctx->tlsext_opaque_prf_input_callback_arg);
1761             if (!r)
1762                 return -1;
1763         }
1764 
1765         if (s->tlsext_opaque_prf_input != NULL) {
1766             if (s->s3->client_opaque_prf_input != NULL) {
1767                 /* shouldn't really happen */
1768                 OPENSSL_free(s->s3->client_opaque_prf_input);
1769             }
1770 
1771             if (s->tlsext_opaque_prf_input_len == 0) {
1772                 /* dummy byte just to get non-NULL */
1773                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
1774             } else {
1775                 s->s3->client_opaque_prf_input =
1776                     BUF_memdup(s->tlsext_opaque_prf_input,
1777                                s->tlsext_opaque_prf_input_len);
1778             }
1779             if (s->s3->client_opaque_prf_input == NULL) {
1780                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
1781                        ERR_R_MALLOC_FAILURE);
1782                 return -1;
1783             }
1784             s->s3->client_opaque_prf_input_len =
1785                 s->tlsext_opaque_prf_input_len;
1786         }
1787 
1788         if (r == 2)
1789             /*
1790              * at callback's request, insist on receiving an appropriate
1791              * server opaque PRF input
1792              */
1793             s->s3->server_opaque_prf_input_len =
1794                 s->tlsext_opaque_prf_input_len;
1795     }
1796 # endif
1797 
1798     return 1;
1799 }
1800 
1801 int ssl_prepare_serverhello_tlsext(SSL *s)
1802 {
1803 # ifndef OPENSSL_NO_EC
1804     /*
1805      * If we are server and using an ECC cipher suite, send the point formats
1806      * we support if the client sent us an ECPointsFormat extension.  Note
1807      * that the server is not supposed to send an EllipticCurves extension.
1808      */
1809 
1810     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1811     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1812     int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
1813         || (alg_a & SSL_aECDSA);
1814     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1815 
1816     if (using_ecc) {
1817         if (s->tlsext_ecpointformatlist != NULL)
1818             OPENSSL_free(s->tlsext_ecpointformatlist);
1819         if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) {
1820             SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,
1821                    ERR_R_MALLOC_FAILURE);
1822             return -1;
1823         }
1824         s->tlsext_ecpointformatlist_length = 3;
1825         s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1826         s->tlsext_ecpointformatlist[1] =
1827             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1828         s->tlsext_ecpointformatlist[2] =
1829             TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1830     }
1831 # endif                         /* OPENSSL_NO_EC */
1832 
1833     return 1;
1834 }
1835 
1836 int ssl_check_clienthello_tlsext_early(SSL *s)
1837 {
1838     int ret = SSL_TLSEXT_ERR_NOACK;
1839     int al = SSL_AD_UNRECOGNIZED_NAME;
1840 
1841 # ifndef OPENSSL_NO_EC
1842     /*
1843      * The handling of the ECPointFormats extension is done elsewhere, namely
1844      * in ssl3_choose_cipher in s3_lib.c.
1845      */
1846     /*
1847      * The handling of the EllipticCurves extension is done elsewhere, namely
1848      * in ssl3_choose_cipher in s3_lib.c.
1849      */
1850 # endif
1851 
1852     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1853         ret =
1854             s->ctx->tlsext_servername_callback(s, &al,
1855                                                s->ctx->tlsext_servername_arg);
1856     else if (s->initial_ctx != NULL
1857              && s->initial_ctx->tlsext_servername_callback != 0)
1858         ret =
1859             s->initial_ctx->tlsext_servername_callback(s, &al,
1860                                                        s->
1861                                                        initial_ctx->tlsext_servername_arg);
1862 
1863 # ifdef TLSEXT_TYPE_opaque_prf_input
1864     {
1865         /*
1866          * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
1867          * might be sending an alert in response to the client hello, so this
1868          * has to happen here in ssl_check_clienthello_tlsext_early().
1869          */
1870 
1871         int r = 1;
1872 
1873         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
1874             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
1875                                                          s->
1876                                                          ctx->tlsext_opaque_prf_input_callback_arg);
1877             if (!r) {
1878                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1879                 al = SSL_AD_INTERNAL_ERROR;
1880                 goto err;
1881             }
1882         }
1883 
1884         if (s->s3->server_opaque_prf_input != NULL) {
1885             /* shouldn't really happen */
1886             OPENSSL_free(s->s3->server_opaque_prf_input);
1887         }
1888         s->s3->server_opaque_prf_input = NULL;
1889 
1890         if (s->tlsext_opaque_prf_input != NULL) {
1891             if (s->s3->client_opaque_prf_input != NULL &&
1892                 s->s3->client_opaque_prf_input_len ==
1893                 s->tlsext_opaque_prf_input_len) {
1894                 /*
1895                  * can only use this extension if we have a server opaque PRF
1896                  * input of the same length as the client opaque PRF input!
1897                  */
1898 
1899                 if (s->tlsext_opaque_prf_input_len == 0) {
1900                     /* dummy byte just to get non-NULL */
1901                     s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
1902                 } else {
1903                     s->s3->server_opaque_prf_input =
1904                         BUF_memdup(s->tlsext_opaque_prf_input,
1905                                    s->tlsext_opaque_prf_input_len);
1906                 }
1907                 if (s->s3->server_opaque_prf_input == NULL) {
1908                     ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1909                     al = SSL_AD_INTERNAL_ERROR;
1910                     goto err;
1911                 }
1912                 s->s3->server_opaque_prf_input_len =
1913                     s->tlsext_opaque_prf_input_len;
1914             }
1915         }
1916 
1917         if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
1918             /*
1919              * The callback wants to enforce use of the extension, but we
1920              * can't do that with the client opaque PRF input; abort the
1921              * handshake.
1922              */
1923             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1924             al = SSL_AD_HANDSHAKE_FAILURE;
1925         }
1926     }
1927 
1928  err:
1929 # endif
1930     switch (ret) {
1931     case SSL_TLSEXT_ERR_ALERT_FATAL:
1932         ssl3_send_alert(s, SSL3_AL_FATAL, al);
1933         return -1;
1934 
1935     case SSL_TLSEXT_ERR_ALERT_WARNING:
1936         ssl3_send_alert(s, SSL3_AL_WARNING, al);
1937         return 1;
1938 
1939     case SSL_TLSEXT_ERR_NOACK:
1940         s->servername_done = 0;
1941     default:
1942         return 1;
1943     }
1944 }
1945 
1946 int ssl_check_clienthello_tlsext_late(SSL *s)
1947 {
1948     int ret = SSL_TLSEXT_ERR_OK;
1949     int al;
1950 
1951     /*
1952      * If status request then ask callback what to do. Note: this must be
1953      * called after servername callbacks in case the certificate has
1954      * changed, and must be called after the cipher has been chosen because
1955      * this may influence which certificate is sent
1956      */
1957     if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
1958         int r;
1959         CERT_PKEY *certpkey;
1960         certpkey = ssl_get_server_send_pkey(s);
1961         /* If no certificate can't return certificate status */
1962         if (certpkey == NULL) {
1963             s->tlsext_status_expected = 0;
1964             return 1;
1965         }
1966         /*
1967          * Set current certificate to one we will use so SSL_get_certificate
1968          * et al can pick it up.
1969          */
1970         s->cert->key = certpkey;
1971         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1972         switch (r) {
1973             /* We don't want to send a status request response */
1974         case SSL_TLSEXT_ERR_NOACK:
1975             s->tlsext_status_expected = 0;
1976             break;
1977             /* status request response should be sent */
1978         case SSL_TLSEXT_ERR_OK:
1979             if (s->tlsext_ocsp_resp)
1980                 s->tlsext_status_expected = 1;
1981             else
1982                 s->tlsext_status_expected = 0;
1983             break;
1984             /* something bad happened */
1985         case SSL_TLSEXT_ERR_ALERT_FATAL:
1986             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1987             al = SSL_AD_INTERNAL_ERROR;
1988             goto err;
1989         }
1990     } else
1991         s->tlsext_status_expected = 0;
1992 
1993  err:
1994     switch (ret) {
1995     case SSL_TLSEXT_ERR_ALERT_FATAL:
1996         ssl3_send_alert(s, SSL3_AL_FATAL, al);
1997         return -1;
1998 
1999     case SSL_TLSEXT_ERR_ALERT_WARNING:
2000         ssl3_send_alert(s, SSL3_AL_WARNING, al);
2001         return 1;
2002 
2003     default:
2004         return 1;
2005     }
2006 }
2007 
2008 int ssl_check_serverhello_tlsext(SSL *s)
2009 {
2010     int ret = SSL_TLSEXT_ERR_NOACK;
2011     int al = SSL_AD_UNRECOGNIZED_NAME;
2012 
2013 # ifndef OPENSSL_NO_EC
2014     /*
2015      * If we are client and using an elliptic curve cryptography cipher
2016      * suite, then if server returns an EC point formats lists extension it
2017      * must contain uncompressed.
2018      */
2019     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2020     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2021     if ((s->tlsext_ecpointformatlist != NULL)
2022         && (s->tlsext_ecpointformatlist_length > 0)
2023         && (s->session->tlsext_ecpointformatlist != NULL)
2024         && (s->session->tlsext_ecpointformatlist_length > 0)
2025         && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
2026             || (alg_a & SSL_aECDSA))) {
2027         /* we are using an ECC cipher */
2028         size_t i;
2029         unsigned char *list;
2030         int found_uncompressed = 0;
2031         list = s->session->tlsext_ecpointformatlist;
2032         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
2033             if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
2034                 found_uncompressed = 1;
2035                 break;
2036             }
2037         }
2038         if (!found_uncompressed) {
2039             SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
2040                    SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2041             return -1;
2042         }
2043     }
2044     ret = SSL_TLSEXT_ERR_OK;
2045 # endif                         /* OPENSSL_NO_EC */
2046 
2047     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2048         ret =
2049             s->ctx->tlsext_servername_callback(s, &al,
2050                                                s->ctx->tlsext_servername_arg);
2051     else if (s->initial_ctx != NULL
2052              && s->initial_ctx->tlsext_servername_callback != 0)
2053         ret =
2054             s->initial_ctx->tlsext_servername_callback(s, &al,
2055                                                        s->
2056                                                        initial_ctx->tlsext_servername_arg);
2057 
2058 # ifdef TLSEXT_TYPE_opaque_prf_input
2059     if (s->s3->server_opaque_prf_input_len > 0) {
2060         /*
2061          * This case may indicate that we, as a client, want to insist on
2062          * using opaque PRF inputs. So first verify that we really have a
2063          * value from the server too.
2064          */
2065 
2066         if (s->s3->server_opaque_prf_input == NULL) {
2067             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2068             al = SSL_AD_HANDSHAKE_FAILURE;
2069         }
2070 
2071         /*
2072          * Anytime the server *has* sent an opaque PRF input, we need to
2073          * check that we have a client opaque PRF input of the same size.
2074          */
2075         if (s->s3->client_opaque_prf_input == NULL ||
2076             s->s3->client_opaque_prf_input_len !=
2077             s->s3->server_opaque_prf_input_len) {
2078             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2079             al = SSL_AD_ILLEGAL_PARAMETER;
2080         }
2081     }
2082 # endif
2083 
2084     /*
2085      * If we've requested certificate status and we wont get one tell the
2086      * callback
2087      */
2088     if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2089         && s->ctx && s->ctx->tlsext_status_cb) {
2090         int r;
2091         /*
2092          * Set resp to NULL, resplen to -1 so callback knows there is no
2093          * response.
2094          */
2095         if (s->tlsext_ocsp_resp) {
2096             OPENSSL_free(s->tlsext_ocsp_resp);
2097             s->tlsext_ocsp_resp = NULL;
2098         }
2099         s->tlsext_ocsp_resplen = -1;
2100         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2101         if (r == 0) {
2102             al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2103             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2104         }
2105         if (r < 0) {
2106             al = SSL_AD_INTERNAL_ERROR;
2107             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2108         }
2109     }
2110 
2111     switch (ret) {
2112     case SSL_TLSEXT_ERR_ALERT_FATAL:
2113         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2114         return -1;
2115 
2116     case SSL_TLSEXT_ERR_ALERT_WARNING:
2117         ssl3_send_alert(s, SSL3_AL_WARNING, al);
2118         return 1;
2119 
2120     case SSL_TLSEXT_ERR_NOACK:
2121         s->servername_done = 0;
2122     default:
2123         return 1;
2124     }
2125 }
2126 
2127 /*-
2128  * Since the server cache lookup is done early on in the processing of the
2129  * ClientHello, and other operations depend on the result, we need to handle
2130  * any TLS session ticket extension at the same time.
2131  *
2132  *   session_id: points at the session ID in the ClientHello. This code will
2133  *       read past the end of this in order to parse out the session ticket
2134  *       extension, if any.
2135  *   len: the length of the session ID.
2136  *   limit: a pointer to the first byte after the ClientHello.
2137  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2138  *       point to the resulting session.
2139  *
2140  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2141  * ciphersuite, in which case we have no use for session tickets and one will
2142  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2143  *
2144  * Returns:
2145  *   -1: fatal error, either from parsing or decrypting the ticket.
2146  *    0: no ticket was found (or was ignored, based on settings).
2147  *    1: a zero length extension was found, indicating that the client supports
2148  *       session tickets but doesn't currently have one to offer.
2149  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2150  *       couldn't be decrypted because of a non-fatal error.
2151  *    3: a ticket was successfully decrypted and *ret was set.
2152  *
2153  * Side effects:
2154  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2155  *   a new session ticket to the client because the client indicated support
2156  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2157  *   a session ticket or we couldn't use the one it gave us, or if
2158  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2159  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2160  */
2161 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2162                         const unsigned char *limit, SSL_SESSION **ret)
2163 {
2164     /* Point after session ID in client hello */
2165     const unsigned char *p = session_id + len;
2166     unsigned short i;
2167 
2168     *ret = NULL;
2169     s->tlsext_ticket_expected = 0;
2170 
2171     /*
2172      * If tickets disabled behave as if no ticket present to permit stateful
2173      * resumption.
2174      */
2175     if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2176         return 0;
2177     if ((s->version <= SSL3_VERSION) || !limit)
2178         return 0;
2179     if (p >= limit)
2180         return -1;
2181     /* Skip past DTLS cookie */
2182     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
2183         i = *(p++);
2184         p += i;
2185         if (p >= limit)
2186             return -1;
2187     }
2188     /* Skip past cipher list */
2189     n2s(p, i);
2190     p += i;
2191     if (p >= limit)
2192         return -1;
2193     /* Skip past compression algorithm list */
2194     i = *(p++);
2195     p += i;
2196     if (p > limit)
2197         return -1;
2198     /* Now at start of extensions */
2199     if ((p + 2) >= limit)
2200         return 0;
2201     n2s(p, i);
2202     while ((p + 4) <= limit) {
2203         unsigned short type, size;
2204         n2s(p, type);
2205         n2s(p, size);
2206         if (p + size > limit)
2207             return 0;
2208         if (type == TLSEXT_TYPE_session_ticket) {
2209             int r;
2210             if (size == 0) {
2211                 /*
2212                  * The client will accept a ticket but doesn't currently have
2213                  * one.
2214                  */
2215                 s->tlsext_ticket_expected = 1;
2216                 return 1;
2217             }
2218             if (s->tls_session_secret_cb) {
2219                 /*
2220                  * Indicate that the ticket couldn't be decrypted rather than
2221                  * generating the session from ticket now, trigger
2222                  * abbreviated handshake based on external mechanism to
2223                  * calculate the master secret later.
2224                  */
2225                 return 2;
2226             }
2227             r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2228             switch (r) {
2229             case 2:            /* ticket couldn't be decrypted */
2230                 s->tlsext_ticket_expected = 1;
2231                 return 2;
2232             case 3:            /* ticket was decrypted */
2233                 return r;
2234             case 4:            /* ticket decrypted but need to renew */
2235                 s->tlsext_ticket_expected = 1;
2236                 return 3;
2237             default:           /* fatal error */
2238                 return -1;
2239             }
2240         }
2241         p += size;
2242     }
2243     return 0;
2244 }
2245 
2246 /*-
2247  * tls_decrypt_ticket attempts to decrypt a session ticket.
2248  *
2249  *   etick: points to the body of the session ticket extension.
2250  *   eticklen: the length of the session tickets extenion.
2251  *   sess_id: points at the session ID.
2252  *   sesslen: the length of the session ID.
2253  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2254  *       point to the resulting session.
2255  *
2256  * Returns:
2257  *   -1: fatal error, either from parsing or decrypting the ticket.
2258  *    2: the ticket couldn't be decrypted.
2259  *    3: a ticket was successfully decrypted and *psess was set.
2260  *    4: same as 3, but the ticket needs to be renewed.
2261  */
2262 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
2263                               int eticklen, const unsigned char *sess_id,
2264                               int sesslen, SSL_SESSION **psess)
2265 {
2266     SSL_SESSION *sess;
2267     unsigned char *sdec;
2268     const unsigned char *p;
2269     int slen, mlen, renew_ticket = 0;
2270     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2271     HMAC_CTX hctx;
2272     EVP_CIPHER_CTX ctx;
2273     SSL_CTX *tctx = s->initial_ctx;
2274     /* Need at least keyname + iv + some encrypted data */
2275     if (eticklen < 48)
2276         return 2;
2277     /* Initialize session ticket encryption and HMAC contexts */
2278     HMAC_CTX_init(&hctx);
2279     EVP_CIPHER_CTX_init(&ctx);
2280     if (tctx->tlsext_ticket_key_cb) {
2281         unsigned char *nctick = (unsigned char *)etick;
2282         int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2283                                             &ctx, &hctx, 0);
2284         if (rv < 0)
2285             return -1;
2286         if (rv == 0)
2287             return 2;
2288         if (rv == 2)
2289             renew_ticket = 1;
2290     } else {
2291         /* Check key name matches */
2292         if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2293             return 2;
2294         HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2295                      tlsext_tick_md(), NULL);
2296         EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2297                            tctx->tlsext_tick_aes_key, etick + 16);
2298     }
2299     /*
2300      * Attempt to process session ticket, first conduct sanity and integrity
2301      * checks on ticket.
2302      */
2303     mlen = HMAC_size(&hctx);
2304     if (mlen < 0) {
2305         EVP_CIPHER_CTX_cleanup(&ctx);
2306         return -1;
2307     }
2308     eticklen -= mlen;
2309     /* Check HMAC of encrypted ticket */
2310     HMAC_Update(&hctx, etick, eticklen);
2311     HMAC_Final(&hctx, tick_hmac, NULL);
2312     HMAC_CTX_cleanup(&hctx);
2313     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
2314         EVP_CIPHER_CTX_cleanup(&ctx);
2315         return 2;
2316     }
2317     /* Attempt to decrypt session data */
2318     /* Move p after IV to start of encrypted ticket, update length */
2319     p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2320     eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2321     sdec = OPENSSL_malloc(eticklen);
2322     if (!sdec) {
2323         EVP_CIPHER_CTX_cleanup(&ctx);
2324         return -1;
2325     }
2326     EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2327     if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
2328         EVP_CIPHER_CTX_cleanup(&ctx);
2329         OPENSSL_free(sdec);
2330         return 2;
2331     }
2332     slen += mlen;
2333     EVP_CIPHER_CTX_cleanup(&ctx);
2334     p = sdec;
2335 
2336     sess = d2i_SSL_SESSION(NULL, &p, slen);
2337     OPENSSL_free(sdec);
2338     if (sess) {
2339         /*
2340          * The session ID, if non-empty, is used by some clients to detect
2341          * that the ticket has been accepted. So we copy it to the session
2342          * structure. If it is empty set length to zero as required by
2343          * standard.
2344          */
2345         if (sesslen)
2346             memcpy(sess->session_id, sess_id, sesslen);
2347         sess->session_id_length = sesslen;
2348         *psess = sess;
2349         if (renew_ticket)
2350             return 4;
2351         else
2352             return 3;
2353     }
2354     ERR_clear_error();
2355     /*
2356      * For session parse failure, indicate that we need to send a new ticket.
2357      */
2358     return 2;
2359 }
2360 
2361 /* Tables to translate from NIDs to TLS v1.2 ids */
2362 
2363 typedef struct {
2364     int nid;
2365     int id;
2366 } tls12_lookup;
2367 
2368 static tls12_lookup tls12_md[] = {
2369 # ifndef OPENSSL_NO_MD5
2370     {NID_md5, TLSEXT_hash_md5},
2371 # endif
2372 # ifndef OPENSSL_NO_SHA
2373     {NID_sha1, TLSEXT_hash_sha1},
2374 # endif
2375 # ifndef OPENSSL_NO_SHA256
2376     {NID_sha224, TLSEXT_hash_sha224},
2377     {NID_sha256, TLSEXT_hash_sha256},
2378 # endif
2379 # ifndef OPENSSL_NO_SHA512
2380     {NID_sha384, TLSEXT_hash_sha384},
2381     {NID_sha512, TLSEXT_hash_sha512}
2382 # endif
2383 };
2384 
2385 static tls12_lookup tls12_sig[] = {
2386 # ifndef OPENSSL_NO_RSA
2387     {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2388 # endif
2389 # ifndef OPENSSL_NO_DSA
2390     {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2391 # endif
2392 # ifndef OPENSSL_NO_ECDSA
2393     {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2394 # endif
2395 };
2396 
2397 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2398 {
2399     size_t i;
2400     for (i = 0; i < tlen; i++) {
2401         if (table[i].nid == nid)
2402             return table[i].id;
2403     }
2404     return -1;
2405 }
2406 
2407 # if 0
2408 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2409 {
2410     size_t i;
2411     for (i = 0; i < tlen; i++) {
2412         if (table[i].id == id)
2413             return table[i].nid;
2414     }
2415     return -1;
2416 }
2417 # endif
2418 
2419 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
2420                          const EVP_MD *md)
2421 {
2422     int sig_id, md_id;
2423     if (!md)
2424         return 0;
2425     md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2426                           sizeof(tls12_md) / sizeof(tls12_lookup));
2427     if (md_id == -1)
2428         return 0;
2429     sig_id = tls12_get_sigid(pk);
2430     if (sig_id == -1)
2431         return 0;
2432     p[0] = (unsigned char)md_id;
2433     p[1] = (unsigned char)sig_id;
2434     return 1;
2435 }
2436 
2437 int tls12_get_sigid(const EVP_PKEY *pk)
2438 {
2439     return tls12_find_id(pk->type, tls12_sig,
2440                          sizeof(tls12_sig) / sizeof(tls12_lookup));
2441 }
2442 
2443 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2444 {
2445     switch (hash_alg) {
2446 # ifndef OPENSSL_NO_SHA
2447     case TLSEXT_hash_sha1:
2448         return EVP_sha1();
2449 # endif
2450 # ifndef OPENSSL_NO_SHA256
2451     case TLSEXT_hash_sha224:
2452         return EVP_sha224();
2453 
2454     case TLSEXT_hash_sha256:
2455         return EVP_sha256();
2456 # endif
2457 # ifndef OPENSSL_NO_SHA512
2458     case TLSEXT_hash_sha384:
2459         return EVP_sha384();
2460 
2461     case TLSEXT_hash_sha512:
2462         return EVP_sha512();
2463 # endif
2464     default:
2465         return NULL;
2466 
2467     }
2468 }
2469 
2470 /* Set preferred digest for each key type */
2471 
2472 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2473 {
2474     int i, idx;
2475     const EVP_MD *md;
2476     CERT *c = s->cert;
2477     /* Extension ignored for TLS versions below 1.2 */
2478     if (TLS1_get_version(s) < TLS1_2_VERSION)
2479         return 1;
2480     /* Should never happen */
2481     if (!c)
2482         return 0;
2483 
2484     c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2485     c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2486     c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2487     c->pkeys[SSL_PKEY_ECC].digest = NULL;
2488 
2489     for (i = 0; i < dsize; i += 2) {
2490         unsigned char hash_alg = data[i], sig_alg = data[i + 1];
2491 
2492         switch (sig_alg) {
2493 # ifndef OPENSSL_NO_RSA
2494         case TLSEXT_signature_rsa:
2495             idx = SSL_PKEY_RSA_SIGN;
2496             break;
2497 # endif
2498 # ifndef OPENSSL_NO_DSA
2499         case TLSEXT_signature_dsa:
2500             idx = SSL_PKEY_DSA_SIGN;
2501             break;
2502 # endif
2503 # ifndef OPENSSL_NO_ECDSA
2504         case TLSEXT_signature_ecdsa:
2505             idx = SSL_PKEY_ECC;
2506             break;
2507 # endif
2508         default:
2509             continue;
2510         }
2511 
2512         if (c->pkeys[idx].digest == NULL) {
2513             md = tls12_get_hash(hash_alg);
2514             if (md) {
2515                 c->pkeys[idx].digest = md;
2516                 if (idx == SSL_PKEY_RSA_SIGN)
2517                     c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2518             }
2519         }
2520 
2521     }
2522 
2523     /*
2524      * Set any remaining keys to default values. NOTE: if alg is not
2525      * supported it stays as NULL.
2526      */
2527 # ifndef OPENSSL_NO_DSA
2528     if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2529         c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2530 # endif
2531 # ifndef OPENSSL_NO_RSA
2532     if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
2533         c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2534         c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2535     }
2536 # endif
2537 # ifndef OPENSSL_NO_ECDSA
2538     if (!c->pkeys[SSL_PKEY_ECC].digest)
2539         c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2540 # endif
2541     return 1;
2542 }
2543 
2544 #endif
2545 
2546 #ifndef OPENSSL_NO_HEARTBEATS
2547 int tls1_process_heartbeat(SSL *s)
2548 {
2549     unsigned char *p = &s->s3->rrec.data[0], *pl;
2550     unsigned short hbtype;
2551     unsigned int payload;
2552     unsigned int padding = 16;  /* Use minimum padding */
2553 
2554     if (s->msg_callback)
2555         s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2556                         &s->s3->rrec.data[0], s->s3->rrec.length,
2557                         s, s->msg_callback_arg);
2558 
2559     /* Read type and payload length first */
2560     if (1 + 2 + 16 > s->s3->rrec.length)
2561         return 0;               /* silently discard */
2562     hbtype = *p++;
2563     n2s(p, payload);
2564     if (1 + 2 + payload + 16 > s->s3->rrec.length)
2565         return 0;               /* silently discard per RFC 6520 sec. 4 */
2566     pl = p;
2567 
2568     if (hbtype == TLS1_HB_REQUEST) {
2569         unsigned char *buffer, *bp;
2570         int r;
2571 
2572         /*
2573          * Allocate memory for the response, size is 1 bytes message type,
2574          * plus 2 bytes payload length, plus payload, plus padding
2575          */
2576         buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2577         bp = buffer;
2578 
2579         /* Enter response type, length and copy payload */
2580         *bp++ = TLS1_HB_RESPONSE;
2581         s2n(payload, bp);
2582         memcpy(bp, pl, payload);
2583         bp += payload;
2584         /* Random padding */
2585         if (RAND_pseudo_bytes(bp, padding) < 0) {
2586             OPENSSL_free(buffer);
2587             return -1;
2588         }
2589 
2590         r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
2591                              3 + payload + padding);
2592 
2593         if (r >= 0 && s->msg_callback)
2594             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2595                             buffer, 3 + payload + padding,
2596                             s, s->msg_callback_arg);
2597 
2598         OPENSSL_free(buffer);
2599 
2600         if (r < 0)
2601             return r;
2602     } else if (hbtype == TLS1_HB_RESPONSE) {
2603         unsigned int seq;
2604 
2605         /*
2606          * We only send sequence numbers (2 bytes unsigned int), and 16
2607          * random bytes, so we just try to read the sequence number
2608          */
2609         n2s(pl, seq);
2610 
2611         if (payload == 18 && seq == s->tlsext_hb_seq) {
2612             s->tlsext_hb_seq++;
2613             s->tlsext_hb_pending = 0;
2614         }
2615     }
2616 
2617     return 0;
2618 }
2619 
2620 int tls1_heartbeat(SSL *s)
2621 {
2622     unsigned char *buf, *p;
2623     int ret = -1;
2624     unsigned int payload = 18;  /* Sequence number + random bytes */
2625     unsigned int padding = 16;  /* Use minimum padding */
2626 
2627     /* Only send if peer supports and accepts HB requests... */
2628     if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2629         s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
2630         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2631         return -1;
2632     }
2633 
2634     /* ...and there is none in flight yet... */
2635     if (s->tlsext_hb_pending) {
2636         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
2637         return -1;
2638     }
2639 
2640     /* ...and no handshake in progress. */
2641     if (SSL_in_init(s) || s->in_handshake) {
2642         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
2643         return -1;
2644     }
2645 
2646     /*
2647      * Check if padding is too long, payload and padding must not exceed 2^14
2648      * - 3 = 16381 bytes in total.
2649      */
2650     OPENSSL_assert(payload + padding <= 16381);
2651 
2652     /*-
2653      * Create HeartBeat message, we just use a sequence number
2654      * as payload to distuingish different messages and add
2655      * some random stuff.
2656      *  - Message Type, 1 byte
2657      *  - Payload Length, 2 bytes (unsigned int)
2658      *  - Payload, the sequence number (2 bytes uint)
2659      *  - Payload, random bytes (16 bytes uint)
2660      *  - Padding
2661      */
2662     buf = OPENSSL_malloc(1 + 2 + payload + padding);
2663     p = buf;
2664     /* Message Type */
2665     *p++ = TLS1_HB_REQUEST;
2666     /* Payload length (18 bytes here) */
2667     s2n(payload, p);
2668     /* Sequence number */
2669     s2n(s->tlsext_hb_seq, p);
2670     /* 16 random bytes */
2671     if (RAND_pseudo_bytes(p, 16) < 0) {
2672         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
2673         goto err;
2674     }
2675     p += 16;
2676     /* Random padding */
2677     if (RAND_pseudo_bytes(p, padding) < 0) {
2678         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
2679         goto err;
2680     }
2681 
2682     ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2683     if (ret >= 0) {
2684         if (s->msg_callback)
2685             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2686                             buf, 3 + payload + padding,
2687                             s, s->msg_callback_arg);
2688 
2689         s->tlsext_hb_pending = 1;
2690     }
2691 
2692 err:
2693     OPENSSL_free(buf);
2694 
2695     return ret;
2696 }
2697 #endif
2698