t1_lib.c revision 269686
1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 *    notice, this list of conditions and the following disclaimer in
70 *    the documentation and/or other materials provided with the
71 *    distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 *    software must display the following acknowledgment:
75 *    "This product includes software developed by the OpenSSL Project
76 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 *    endorse or promote products derived from this software without
80 *    prior written permission. For written permission, please contact
81 *    openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 *    nor may "OpenSSL" appear in their names without prior written
85 *    permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 *    acknowledgment:
89 *    "This product includes software developed by the OpenSSL Project
90 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com).  This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112#include <stdio.h>
113#include <openssl/objects.h>
114#include <openssl/evp.h>
115#include <openssl/hmac.h>
116#include <openssl/ocsp.h>
117#include <openssl/rand.h>
118#include "ssl_locl.h"
119
120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
121
122#ifndef OPENSSL_NO_TLSEXT
123static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124				const unsigned char *sess_id, int sesslen,
125				SSL_SESSION **psess);
126#endif
127
128SSL3_ENC_METHOD TLSv1_enc_data={
129	tls1_enc,
130	tls1_mac,
131	tls1_setup_key_block,
132	tls1_generate_master_secret,
133	tls1_change_cipher_state,
134	tls1_final_finish_mac,
135	TLS1_FINISH_MAC_LENGTH,
136	tls1_cert_verify_mac,
137	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
138	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
139	tls1_alert_code,
140	tls1_export_keying_material,
141	};
142
143long tls1_default_timeout(void)
144	{
145	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
146	 * is way too long for http, the cache would over fill */
147	return(60*60*2);
148	}
149
150int tls1_new(SSL *s)
151	{
152	if (!ssl3_new(s)) return(0);
153	s->method->ssl_clear(s);
154	return(1);
155	}
156
157void tls1_free(SSL *s)
158	{
159#ifndef OPENSSL_NO_TLSEXT
160	if (s->tlsext_session_ticket)
161		{
162		OPENSSL_free(s->tlsext_session_ticket);
163		}
164#endif /* OPENSSL_NO_TLSEXT */
165	ssl3_free(s);
166	}
167
168void tls1_clear(SSL *s)
169	{
170	ssl3_clear(s);
171	s->version = s->method->version;
172	}
173
174#ifndef OPENSSL_NO_EC
175
176static int nid_list[] =
177	{
178		NID_sect163k1, /* sect163k1 (1) */
179		NID_sect163r1, /* sect163r1 (2) */
180		NID_sect163r2, /* sect163r2 (3) */
181		NID_sect193r1, /* sect193r1 (4) */
182		NID_sect193r2, /* sect193r2 (5) */
183		NID_sect233k1, /* sect233k1 (6) */
184		NID_sect233r1, /* sect233r1 (7) */
185		NID_sect239k1, /* sect239k1 (8) */
186		NID_sect283k1, /* sect283k1 (9) */
187		NID_sect283r1, /* sect283r1 (10) */
188		NID_sect409k1, /* sect409k1 (11) */
189		NID_sect409r1, /* sect409r1 (12) */
190		NID_sect571k1, /* sect571k1 (13) */
191		NID_sect571r1, /* sect571r1 (14) */
192		NID_secp160k1, /* secp160k1 (15) */
193		NID_secp160r1, /* secp160r1 (16) */
194		NID_secp160r2, /* secp160r2 (17) */
195		NID_secp192k1, /* secp192k1 (18) */
196		NID_X9_62_prime192v1, /* secp192r1 (19) */
197		NID_secp224k1, /* secp224k1 (20) */
198		NID_secp224r1, /* secp224r1 (21) */
199		NID_secp256k1, /* secp256k1 (22) */
200		NID_X9_62_prime256v1, /* secp256r1 (23) */
201		NID_secp384r1, /* secp384r1 (24) */
202		NID_secp521r1  /* secp521r1 (25) */
203	};
204
205static int pref_list[] =
206	{
207		NID_sect571r1, /* sect571r1 (14) */
208		NID_sect571k1, /* sect571k1 (13) */
209		NID_secp521r1, /* secp521r1 (25) */
210		NID_sect409k1, /* sect409k1 (11) */
211		NID_sect409r1, /* sect409r1 (12) */
212		NID_secp384r1, /* secp384r1 (24) */
213		NID_sect283k1, /* sect283k1 (9) */
214		NID_sect283r1, /* sect283r1 (10) */
215		NID_secp256k1, /* secp256k1 (22) */
216		NID_X9_62_prime256v1, /* secp256r1 (23) */
217		NID_sect239k1, /* sect239k1 (8) */
218		NID_sect233k1, /* sect233k1 (6) */
219		NID_sect233r1, /* sect233r1 (7) */
220		NID_secp224k1, /* secp224k1 (20) */
221		NID_secp224r1, /* secp224r1 (21) */
222		NID_sect193r1, /* sect193r1 (4) */
223		NID_sect193r2, /* sect193r2 (5) */
224		NID_secp192k1, /* secp192k1 (18) */
225		NID_X9_62_prime192v1, /* secp192r1 (19) */
226		NID_sect163k1, /* sect163k1 (1) */
227		NID_sect163r1, /* sect163r1 (2) */
228		NID_sect163r2, /* sect163r2 (3) */
229		NID_secp160k1, /* secp160k1 (15) */
230		NID_secp160r1, /* secp160r1 (16) */
231		NID_secp160r2, /* secp160r2 (17) */
232	};
233
234int tls1_ec_curve_id2nid(int curve_id)
235	{
236	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
237	if ((curve_id < 1) || ((unsigned int)curve_id >
238				sizeof(nid_list)/sizeof(nid_list[0])))
239		return 0;
240	return nid_list[curve_id-1];
241	}
242
243int tls1_ec_nid2curve_id(int nid)
244	{
245	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
246	switch (nid)
247		{
248	case NID_sect163k1: /* sect163k1 (1) */
249		return 1;
250	case NID_sect163r1: /* sect163r1 (2) */
251		return 2;
252	case NID_sect163r2: /* sect163r2 (3) */
253		return 3;
254	case NID_sect193r1: /* sect193r1 (4) */
255		return 4;
256	case NID_sect193r2: /* sect193r2 (5) */
257		return 5;
258	case NID_sect233k1: /* sect233k1 (6) */
259		return 6;
260	case NID_sect233r1: /* sect233r1 (7) */
261		return 7;
262	case NID_sect239k1: /* sect239k1 (8) */
263		return 8;
264	case NID_sect283k1: /* sect283k1 (9) */
265		return 9;
266	case NID_sect283r1: /* sect283r1 (10) */
267		return 10;
268	case NID_sect409k1: /* sect409k1 (11) */
269		return 11;
270	case NID_sect409r1: /* sect409r1 (12) */
271		return 12;
272	case NID_sect571k1: /* sect571k1 (13) */
273		return 13;
274	case NID_sect571r1: /* sect571r1 (14) */
275		return 14;
276	case NID_secp160k1: /* secp160k1 (15) */
277		return 15;
278	case NID_secp160r1: /* secp160r1 (16) */
279		return 16;
280	case NID_secp160r2: /* secp160r2 (17) */
281		return 17;
282	case NID_secp192k1: /* secp192k1 (18) */
283		return 18;
284	case NID_X9_62_prime192v1: /* secp192r1 (19) */
285		return 19;
286	case NID_secp224k1: /* secp224k1 (20) */
287		return 20;
288	case NID_secp224r1: /* secp224r1 (21) */
289		return 21;
290	case NID_secp256k1: /* secp256k1 (22) */
291		return 22;
292	case NID_X9_62_prime256v1: /* secp256r1 (23) */
293		return 23;
294	case NID_secp384r1: /* secp384r1 (24) */
295		return 24;
296	case NID_secp521r1:  /* secp521r1 (25) */
297		return 25;
298	default:
299		return 0;
300		}
301	}
302#endif /* OPENSSL_NO_EC */
303
304#ifndef OPENSSL_NO_TLSEXT
305
306/* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310#ifdef OPENSSL_NO_RSA
311#define tlsext_sigalg_rsa(md) /* */
312#else
313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314#endif
315
316#ifdef OPENSSL_NO_DSA
317#define tlsext_sigalg_dsa(md) /* */
318#else
319#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320#endif
321
322#ifdef OPENSSL_NO_ECDSA
323#define tlsext_sigalg_ecdsa(md) /* */
324#else
325#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326#endif
327
328#define tlsext_sigalg(md) \
329		tlsext_sigalg_rsa(md) \
330		tlsext_sigalg_dsa(md) \
331		tlsext_sigalg_ecdsa(md)
332
333static unsigned char tls12_sigalgs[] = {
334#ifndef OPENSSL_NO_SHA512
335	tlsext_sigalg(TLSEXT_hash_sha512)
336	tlsext_sigalg(TLSEXT_hash_sha384)
337#endif
338#ifndef OPENSSL_NO_SHA256
339	tlsext_sigalg(TLSEXT_hash_sha256)
340	tlsext_sigalg(TLSEXT_hash_sha224)
341#endif
342#ifndef OPENSSL_NO_SHA
343	tlsext_sigalg(TLSEXT_hash_sha1)
344#endif
345};
346
347int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
348	{
349	size_t slen = sizeof(tls12_sigalgs);
350	if (p)
351		memcpy(p, tls12_sigalgs, slen);
352	return (int)slen;
353	}
354
355unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
356	{
357	int extdatalen=0;
358	unsigned char *orig = buf;
359	unsigned char *ret = buf;
360
361	/* don't add extensions for SSLv3 unless doing secure renegotiation */
362	if (s->client_version == SSL3_VERSION
363					&& !s->s3->send_connection_binding)
364		return orig;
365
366	ret+=2;
367
368	if (ret>=limit) return NULL; /* this really never occurs, but ... */
369
370 	if (s->tlsext_hostname != NULL)
371		{
372		/* Add TLS extension servername to the Client Hello message */
373		unsigned long size_str;
374		long lenmax;
375
376		/* check for enough space.
377		   4 for the servername type and entension length
378		   2 for servernamelist length
379		   1 for the hostname type
380		   2 for hostname length
381		   + hostname length
382		*/
383
384		if ((lenmax = limit - ret - 9) < 0
385		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
386			return NULL;
387
388		/* extension type and length */
389		s2n(TLSEXT_TYPE_server_name,ret);
390		s2n(size_str+5,ret);
391
392		/* length of servername list */
393		s2n(size_str+3,ret);
394
395		/* hostname type, length and hostname */
396		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
397		s2n(size_str,ret);
398		memcpy(ret, s->tlsext_hostname, size_str);
399		ret+=size_str;
400		}
401
402        /* Add RI if renegotiating */
403        if (s->renegotiate)
404          {
405          int el;
406
407          if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
408              {
409              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
410              return NULL;
411              }
412
413          if((limit - ret - 4 - el) < 0) return NULL;
414
415          s2n(TLSEXT_TYPE_renegotiate,ret);
416          s2n(el,ret);
417
418          if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
419              {
420              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
421              return NULL;
422              }
423
424          ret += el;
425        }
426
427#ifndef OPENSSL_NO_SRP
428	/* Add SRP username if there is one */
429	if (s->srp_ctx.login != NULL)
430		{ /* Add TLS extension SRP username to the Client Hello message */
431
432		int login_len = strlen(s->srp_ctx.login);
433		if (login_len > 255 || login_len == 0)
434			{
435			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
436			return NULL;
437			}
438
439		/* check for enough space.
440		   4 for the srp type type and entension length
441		   1 for the srp user identity
442		   + srp user identity length
443		*/
444		if ((limit - ret - 5 - login_len) < 0) return NULL;
445
446		/* fill in the extension */
447		s2n(TLSEXT_TYPE_srp,ret);
448		s2n(login_len+1,ret);
449		(*ret++) = (unsigned char) login_len;
450		memcpy(ret, s->srp_ctx.login, login_len);
451		ret+=login_len;
452		}
453#endif
454
455#ifndef OPENSSL_NO_EC
456	if (s->tlsext_ecpointformatlist != NULL)
457		{
458		/* Add TLS extension ECPointFormats to the ClientHello message */
459		long lenmax;
460
461		if ((lenmax = limit - ret - 5) < 0) return NULL;
462		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
463		if (s->tlsext_ecpointformatlist_length > 255)
464			{
465			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
466			return NULL;
467			}
468
469		s2n(TLSEXT_TYPE_ec_point_formats,ret);
470		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
471		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
472		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
473		ret+=s->tlsext_ecpointformatlist_length;
474		}
475	if (s->tlsext_ellipticcurvelist != NULL)
476		{
477		/* Add TLS extension EllipticCurves to the ClientHello message */
478		long lenmax;
479
480		if ((lenmax = limit - ret - 6) < 0) return NULL;
481		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
482		if (s->tlsext_ellipticcurvelist_length > 65532)
483			{
484			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
485			return NULL;
486			}
487
488		s2n(TLSEXT_TYPE_elliptic_curves,ret);
489		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
490
491		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
492		 * elliptic_curve_list, but the examples use two bytes.
493		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
494		 * resolves this to two bytes.
495		 */
496		s2n(s->tlsext_ellipticcurvelist_length, ret);
497		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
498		ret+=s->tlsext_ellipticcurvelist_length;
499		}
500#endif /* OPENSSL_NO_EC */
501
502	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
503		{
504		int ticklen;
505		if (!s->new_session && s->session && s->session->tlsext_tick)
506			ticklen = s->session->tlsext_ticklen;
507		else if (s->session && s->tlsext_session_ticket &&
508			 s->tlsext_session_ticket->data)
509			{
510			ticklen = s->tlsext_session_ticket->length;
511			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
512			if (!s->session->tlsext_tick)
513				return NULL;
514			memcpy(s->session->tlsext_tick,
515			       s->tlsext_session_ticket->data,
516			       ticklen);
517			s->session->tlsext_ticklen = ticklen;
518			}
519		else
520			ticklen = 0;
521		if (ticklen == 0 && s->tlsext_session_ticket &&
522		    s->tlsext_session_ticket->data == NULL)
523			goto skip_ext;
524		/* Check for enough room 2 for extension type, 2 for len
525 		 * rest for ticket
526  		 */
527		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
528		s2n(TLSEXT_TYPE_session_ticket,ret);
529		s2n(ticklen,ret);
530		if (ticklen)
531			{
532			memcpy(ret, s->session->tlsext_tick, ticklen);
533			ret += ticklen;
534			}
535		}
536		skip_ext:
537
538	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
539		{
540		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
541			return NULL;
542		s2n(TLSEXT_TYPE_signature_algorithms,ret);
543		s2n(sizeof(tls12_sigalgs) + 2, ret);
544		s2n(sizeof(tls12_sigalgs), ret);
545		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
546		ret += sizeof(tls12_sigalgs);
547		}
548
549#ifdef TLSEXT_TYPE_opaque_prf_input
550	if (s->s3->client_opaque_prf_input != NULL &&
551	    s->version != DTLS1_VERSION)
552		{
553		size_t col = s->s3->client_opaque_prf_input_len;
554
555		if ((long)(limit - ret - 6 - col < 0))
556			return NULL;
557		if (col > 0xFFFD) /* can't happen */
558			return NULL;
559
560		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
561		s2n(col + 2, ret);
562		s2n(col, ret);
563		memcpy(ret, s->s3->client_opaque_prf_input, col);
564		ret += col;
565		}
566#endif
567
568	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
569	    s->version != DTLS1_VERSION)
570		{
571		int i;
572		long extlen, idlen, itmp;
573		OCSP_RESPID *id;
574
575		idlen = 0;
576		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
577			{
578			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
579			itmp = i2d_OCSP_RESPID(id, NULL);
580			if (itmp <= 0)
581				return NULL;
582			idlen += itmp + 2;
583			}
584
585		if (s->tlsext_ocsp_exts)
586			{
587			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
588			if (extlen < 0)
589				return NULL;
590			}
591		else
592			extlen = 0;
593
594		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
595		s2n(TLSEXT_TYPE_status_request, ret);
596		if (extlen + idlen > 0xFFF0)
597			return NULL;
598		s2n(extlen + idlen + 5, ret);
599		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
600		s2n(idlen, ret);
601		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
602			{
603			/* save position of id len */
604			unsigned char *q = ret;
605			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
606			/* skip over id len */
607			ret += 2;
608			itmp = i2d_OCSP_RESPID(id, &ret);
609			/* write id len */
610			s2n(itmp, q);
611			}
612		s2n(extlen, ret);
613		if (extlen > 0)
614			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
615		}
616
617#ifndef OPENSSL_NO_HEARTBEATS
618	/* Add Heartbeat extension */
619	if ((limit - ret - 4 - 1) < 0)
620		return NULL;
621	s2n(TLSEXT_TYPE_heartbeat,ret);
622	s2n(1,ret);
623	/* Set mode:
624	 * 1: peer may send requests
625	 * 2: peer not allowed to send requests
626	 */
627	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
628		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
629	else
630		*(ret++) = SSL_TLSEXT_HB_ENABLED;
631#endif
632
633#ifndef OPENSSL_NO_NEXTPROTONEG
634	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
635		{
636		/* The client advertises an emtpy extension to indicate its
637		 * support for Next Protocol Negotiation */
638		if (limit - ret - 4 < 0)
639			return NULL;
640		s2n(TLSEXT_TYPE_next_proto_neg,ret);
641		s2n(0,ret);
642		}
643#endif
644
645#ifndef OPENSSL_NO_SRTP
646        if(SSL_get_srtp_profiles(s))
647                {
648                int el;
649
650                ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
651
652                if((limit - ret - 4 - el) < 0) return NULL;
653
654                s2n(TLSEXT_TYPE_use_srtp,ret);
655                s2n(el,ret);
656
657                if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
658			{
659			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
660			return NULL;
661			}
662                ret += el;
663                }
664#endif
665	/* Add padding to workaround bugs in F5 terminators.
666	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
667	 *
668	 * NB: because this code works out the length of all existing
669	 * extensions it MUST always appear last.
670	 */
671	if (s->options & SSL_OP_TLSEXT_PADDING)
672		{
673		int hlen = ret - (unsigned char *)s->init_buf->data;
674		/* The code in s23_clnt.c to build ClientHello messages
675		 * includes the 5-byte record header in the buffer, while
676		 * the code in s3_clnt.c does not.
677		 */
678		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
679			hlen -= 5;
680		if (hlen > 0xff && hlen < 0x200)
681			{
682			hlen = 0x200 - hlen;
683			if (hlen >= 4)
684				hlen -= 4;
685			else
686				hlen = 0;
687
688			s2n(TLSEXT_TYPE_padding, ret);
689			s2n(hlen, ret);
690			memset(ret, 0, hlen);
691			ret += hlen;
692			}
693		}
694
695	if ((extdatalen = ret-orig-2)== 0)
696		return orig;
697
698	s2n(extdatalen, orig);
699	return ret;
700	}
701
702unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
703	{
704	int extdatalen=0;
705	unsigned char *orig = buf;
706	unsigned char *ret = buf;
707#ifndef OPENSSL_NO_NEXTPROTONEG
708	int next_proto_neg_seen;
709#endif
710
711	/* don't add extensions for SSLv3, unless doing secure renegotiation */
712	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
713		return orig;
714
715	ret+=2;
716	if (ret>=limit) return NULL; /* this really never occurs, but ... */
717
718	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
719		{
720		if ((long)(limit - ret - 4) < 0) return NULL;
721
722		s2n(TLSEXT_TYPE_server_name,ret);
723		s2n(0,ret);
724		}
725
726	if(s->s3->send_connection_binding)
727        {
728          int el;
729
730          if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
731              {
732              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
733              return NULL;
734              }
735
736          if((limit - ret - 4 - el) < 0) return NULL;
737
738          s2n(TLSEXT_TYPE_renegotiate,ret);
739          s2n(el,ret);
740
741          if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
742              {
743              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
744              return NULL;
745              }
746
747          ret += el;
748        }
749
750#ifndef OPENSSL_NO_EC
751	if (s->tlsext_ecpointformatlist != NULL)
752		{
753		/* Add TLS extension ECPointFormats to the ServerHello message */
754		long lenmax;
755
756		if ((lenmax = limit - ret - 5) < 0) return NULL;
757		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
758		if (s->tlsext_ecpointformatlist_length > 255)
759			{
760			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
761			return NULL;
762			}
763
764		s2n(TLSEXT_TYPE_ec_point_formats,ret);
765		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
766		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
767		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
768		ret+=s->tlsext_ecpointformatlist_length;
769
770		}
771	/* Currently the server should not respond with a SupportedCurves extension */
772#endif /* OPENSSL_NO_EC */
773
774	if (s->tlsext_ticket_expected
775		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
776		{
777		if ((long)(limit - ret - 4) < 0) return NULL;
778		s2n(TLSEXT_TYPE_session_ticket,ret);
779		s2n(0,ret);
780		}
781
782	if (s->tlsext_status_expected)
783		{
784		if ((long)(limit - ret - 4) < 0) return NULL;
785		s2n(TLSEXT_TYPE_status_request,ret);
786		s2n(0,ret);
787		}
788
789#ifdef TLSEXT_TYPE_opaque_prf_input
790	if (s->s3->server_opaque_prf_input != NULL &&
791	    s->version != DTLS1_VERSION)
792		{
793		size_t sol = s->s3->server_opaque_prf_input_len;
794
795		if ((long)(limit - ret - 6 - sol) < 0)
796			return NULL;
797		if (sol > 0xFFFD) /* can't happen */
798			return NULL;
799
800		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
801		s2n(sol + 2, ret);
802		s2n(sol, ret);
803		memcpy(ret, s->s3->server_opaque_prf_input, sol);
804		ret += sol;
805		}
806#endif
807
808#ifndef OPENSSL_NO_SRTP
809        if(s->srtp_profile)
810                {
811                int el;
812
813                ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
814
815                if((limit - ret - 4 - el) < 0) return NULL;
816
817                s2n(TLSEXT_TYPE_use_srtp,ret);
818                s2n(el,ret);
819
820                if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
821			{
822			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
823			return NULL;
824			}
825                ret+=el;
826                }
827#endif
828
829	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
830		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
831		{ const unsigned char cryptopro_ext[36] = {
832			0xfd, 0xe8, /*65000*/
833			0x00, 0x20, /*32 bytes length*/
834			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
835			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
836			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
837			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
838			if (limit-ret<36) return NULL;
839			memcpy(ret,cryptopro_ext,36);
840			ret+=36;
841
842		}
843
844#ifndef OPENSSL_NO_HEARTBEATS
845	/* Add Heartbeat extension if we've received one */
846	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
847		{
848		if ((limit - ret - 4 - 1) < 0)
849			return NULL;
850		s2n(TLSEXT_TYPE_heartbeat,ret);
851		s2n(1,ret);
852		/* Set mode:
853		 * 1: peer may send requests
854		 * 2: peer not allowed to send requests
855		 */
856		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
857			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
858		else
859			*(ret++) = SSL_TLSEXT_HB_ENABLED;
860
861		}
862#endif
863
864#ifndef OPENSSL_NO_NEXTPROTONEG
865	next_proto_neg_seen = s->s3->next_proto_neg_seen;
866	s->s3->next_proto_neg_seen = 0;
867	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
868		{
869		const unsigned char *npa;
870		unsigned int npalen;
871		int r;
872
873		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
874		if (r == SSL_TLSEXT_ERR_OK)
875			{
876			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
877			s2n(TLSEXT_TYPE_next_proto_neg,ret);
878			s2n(npalen,ret);
879			memcpy(ret, npa, npalen);
880			ret += npalen;
881			s->s3->next_proto_neg_seen = 1;
882			}
883		}
884#endif
885
886	if ((extdatalen = ret-orig-2)== 0)
887		return orig;
888
889	s2n(extdatalen, orig);
890	return ret;
891	}
892
893#ifndef OPENSSL_NO_EC
894/* ssl_check_for_safari attempts to fingerprint Safari using OS X
895 * SecureTransport using the TLS extension block in |d|, of length |n|.
896 * Safari, since 10.6, sends exactly these extensions, in this order:
897 *   SNI,
898 *   elliptic_curves
899 *   ec_point_formats
900 *
901 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
902 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
903 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
904 * 10.8..10.8.3 (which don't work).
905 */
906static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
907	unsigned short type, size;
908	static const unsigned char kSafariExtensionsBlock[] = {
909		0x00, 0x0a,  /* elliptic_curves extension */
910		0x00, 0x08,  /* 8 bytes */
911		0x00, 0x06,  /* 6 bytes of curve ids */
912		0x00, 0x17,  /* P-256 */
913		0x00, 0x18,  /* P-384 */
914		0x00, 0x19,  /* P-521 */
915
916		0x00, 0x0b,  /* ec_point_formats */
917		0x00, 0x02,  /* 2 bytes */
918		0x01,        /* 1 point format */
919		0x00,        /* uncompressed */
920	};
921
922	/* The following is only present in TLS 1.2 */
923	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
924		0x00, 0x0d,  /* signature_algorithms */
925		0x00, 0x0c,  /* 12 bytes */
926		0x00, 0x0a,  /* 10 bytes */
927		0x05, 0x01,  /* SHA-384/RSA */
928		0x04, 0x01,  /* SHA-256/RSA */
929		0x02, 0x01,  /* SHA-1/RSA */
930		0x04, 0x03,  /* SHA-256/ECDSA */
931		0x02, 0x03,  /* SHA-1/ECDSA */
932	};
933
934	if (data >= (d+n-2))
935		return;
936	data += 2;
937
938	if (data > (d+n-4))
939		return;
940	n2s(data,type);
941	n2s(data,size);
942
943	if (type != TLSEXT_TYPE_server_name)
944		return;
945
946	if (data+size > d+n)
947		return;
948	data += size;
949
950	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
951		{
952		const size_t len1 = sizeof(kSafariExtensionsBlock);
953		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
954
955		if (data + len1 + len2 != d+n)
956			return;
957		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
958			return;
959		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
960			return;
961		}
962	else
963		{
964		const size_t len = sizeof(kSafariExtensionsBlock);
965
966		if (data + len != d+n)
967			return;
968		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
969			return;
970		}
971
972	s->s3->is_probably_safari = 1;
973}
974#endif /* !OPENSSL_NO_EC */
975
976int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
977	{
978	unsigned short type;
979	unsigned short size;
980	unsigned short len;
981	unsigned char *data = *p;
982	int renegotiate_seen = 0;
983	int sigalg_seen = 0;
984
985	s->servername_done = 0;
986	s->tlsext_status_type = -1;
987#ifndef OPENSSL_NO_NEXTPROTONEG
988	s->s3->next_proto_neg_seen = 0;
989#endif
990
991#ifndef OPENSSL_NO_HEARTBEATS
992	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
993	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
994#endif
995
996#ifndef OPENSSL_NO_EC
997	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
998		ssl_check_for_safari(s, data, d, n);
999#endif /* !OPENSSL_NO_EC */
1000
1001	if (data >= (d+n-2))
1002		goto ri_check;
1003	n2s(data,len);
1004
1005	if (data > (d+n-len))
1006		goto ri_check;
1007
1008	while (data <= (d+n-4))
1009		{
1010		n2s(data,type);
1011		n2s(data,size);
1012
1013		if (data+size > (d+n))
1014	   		goto ri_check;
1015#if 0
1016		fprintf(stderr,"Received extension type %d size %d\n",type,size);
1017#endif
1018		if (s->tlsext_debug_cb)
1019			s->tlsext_debug_cb(s, 0, type, data, size,
1020						s->tlsext_debug_arg);
1021/* The servername extension is treated as follows:
1022
1023   - Only the hostname type is supported with a maximum length of 255.
1024   - The servername is rejected if too long or if it contains zeros,
1025     in which case an fatal alert is generated.
1026   - The servername field is maintained together with the session cache.
1027   - When a session is resumed, the servername call back invoked in order
1028     to allow the application to position itself to the right context.
1029   - The servername is acknowledged if it is new for a session or when
1030     it is identical to a previously used for the same session.
1031     Applications can control the behaviour.  They can at any time
1032     set a 'desirable' servername for a new SSL object. This can be the
1033     case for example with HTTPS when a Host: header field is received and
1034     a renegotiation is requested. In this case, a possible servername
1035     presented in the new client hello is only acknowledged if it matches
1036     the value of the Host: field.
1037   - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1038     if they provide for changing an explicit servername context for the session,
1039     i.e. when the session has been established with a servername extension.
1040   - On session reconnect, the servername extension may be absent.
1041
1042*/
1043
1044		if (type == TLSEXT_TYPE_server_name)
1045			{
1046			unsigned char *sdata;
1047			int servname_type;
1048			int dsize;
1049
1050			if (size < 2)
1051				{
1052				*al = SSL_AD_DECODE_ERROR;
1053				return 0;
1054				}
1055			n2s(data,dsize);
1056			size -= 2;
1057			if (dsize > size  )
1058				{
1059				*al = SSL_AD_DECODE_ERROR;
1060				return 0;
1061				}
1062
1063			sdata = data;
1064			while (dsize > 3)
1065				{
1066	 			servname_type = *(sdata++);
1067				n2s(sdata,len);
1068				dsize -= 3;
1069
1070				if (len > dsize)
1071					{
1072					*al = SSL_AD_DECODE_ERROR;
1073					return 0;
1074					}
1075				if (s->servername_done == 0)
1076				switch (servname_type)
1077					{
1078				case TLSEXT_NAMETYPE_host_name:
1079					if (!s->hit)
1080						{
1081						if(s->session->tlsext_hostname)
1082							{
1083							*al = SSL_AD_DECODE_ERROR;
1084							return 0;
1085							}
1086						if (len > TLSEXT_MAXLEN_host_name)
1087							{
1088							*al = TLS1_AD_UNRECOGNIZED_NAME;
1089							return 0;
1090							}
1091						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1092							{
1093							*al = TLS1_AD_INTERNAL_ERROR;
1094							return 0;
1095							}
1096						memcpy(s->session->tlsext_hostname, sdata, len);
1097						s->session->tlsext_hostname[len]='\0';
1098						if (strlen(s->session->tlsext_hostname) != len) {
1099							OPENSSL_free(s->session->tlsext_hostname);
1100							s->session->tlsext_hostname = NULL;
1101							*al = TLS1_AD_UNRECOGNIZED_NAME;
1102							return 0;
1103						}
1104						s->servername_done = 1;
1105
1106						}
1107					else
1108						s->servername_done = s->session->tlsext_hostname
1109							&& strlen(s->session->tlsext_hostname) == len
1110							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1111
1112					break;
1113
1114				default:
1115					break;
1116					}
1117
1118				dsize -= len;
1119				}
1120			if (dsize != 0)
1121				{
1122				*al = SSL_AD_DECODE_ERROR;
1123				return 0;
1124				}
1125
1126			}
1127#ifndef OPENSSL_NO_SRP
1128		else if (type == TLSEXT_TYPE_srp)
1129			{
1130			if (size <= 0 || ((len = data[0])) != (size -1))
1131				{
1132				*al = SSL_AD_DECODE_ERROR;
1133				return 0;
1134				}
1135			if (s->srp_ctx.login != NULL)
1136				{
1137				*al = SSL_AD_DECODE_ERROR;
1138				return 0;
1139				}
1140			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1141				return -1;
1142			memcpy(s->srp_ctx.login, &data[1], len);
1143			s->srp_ctx.login[len]='\0';
1144
1145			if (strlen(s->srp_ctx.login) != len)
1146				{
1147				*al = SSL_AD_DECODE_ERROR;
1148				return 0;
1149				}
1150			}
1151#endif
1152
1153#ifndef OPENSSL_NO_EC
1154		else if (type == TLSEXT_TYPE_ec_point_formats)
1155			{
1156			unsigned char *sdata = data;
1157			int ecpointformatlist_length = *(sdata++);
1158
1159			if (ecpointformatlist_length != size - 1)
1160				{
1161				*al = TLS1_AD_DECODE_ERROR;
1162				return 0;
1163				}
1164			if (!s->hit)
1165				{
1166				if(s->session->tlsext_ecpointformatlist)
1167					{
1168					OPENSSL_free(s->session->tlsext_ecpointformatlist);
1169					s->session->tlsext_ecpointformatlist = NULL;
1170					}
1171				s->session->tlsext_ecpointformatlist_length = 0;
1172				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1173					{
1174					*al = TLS1_AD_INTERNAL_ERROR;
1175					return 0;
1176					}
1177				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1178				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1179				}
1180#if 0
1181			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1182			sdata = s->session->tlsext_ecpointformatlist;
1183			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1184				fprintf(stderr,"%i ",*(sdata++));
1185			fprintf(stderr,"\n");
1186#endif
1187			}
1188		else if (type == TLSEXT_TYPE_elliptic_curves)
1189			{
1190			unsigned char *sdata = data;
1191			int ellipticcurvelist_length = (*(sdata++) << 8);
1192			ellipticcurvelist_length += (*(sdata++));
1193
1194			if (ellipticcurvelist_length != size - 2 ||
1195				ellipticcurvelist_length < 1)
1196				{
1197				*al = TLS1_AD_DECODE_ERROR;
1198				return 0;
1199				}
1200			if (!s->hit)
1201				{
1202				if(s->session->tlsext_ellipticcurvelist)
1203					{
1204					*al = TLS1_AD_DECODE_ERROR;
1205					return 0;
1206					}
1207				s->session->tlsext_ellipticcurvelist_length = 0;
1208				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1209					{
1210					*al = TLS1_AD_INTERNAL_ERROR;
1211					return 0;
1212					}
1213				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1214				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1215				}
1216#if 0
1217			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1218			sdata = s->session->tlsext_ellipticcurvelist;
1219			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1220				fprintf(stderr,"%i ",*(sdata++));
1221			fprintf(stderr,"\n");
1222#endif
1223			}
1224#endif /* OPENSSL_NO_EC */
1225#ifdef TLSEXT_TYPE_opaque_prf_input
1226		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1227	             s->version != DTLS1_VERSION)
1228			{
1229			unsigned char *sdata = data;
1230
1231			if (size < 2)
1232				{
1233				*al = SSL_AD_DECODE_ERROR;
1234				return 0;
1235				}
1236			n2s(sdata, s->s3->client_opaque_prf_input_len);
1237			if (s->s3->client_opaque_prf_input_len != size - 2)
1238				{
1239				*al = SSL_AD_DECODE_ERROR;
1240				return 0;
1241				}
1242
1243			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1244				OPENSSL_free(s->s3->client_opaque_prf_input);
1245			if (s->s3->client_opaque_prf_input_len == 0)
1246				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1247			else
1248				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1249			if (s->s3->client_opaque_prf_input == NULL)
1250				{
1251				*al = TLS1_AD_INTERNAL_ERROR;
1252				return 0;
1253				}
1254			}
1255#endif
1256		else if (type == TLSEXT_TYPE_session_ticket)
1257			{
1258			if (s->tls_session_ticket_ext_cb &&
1259			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1260				{
1261				*al = TLS1_AD_INTERNAL_ERROR;
1262				return 0;
1263				}
1264			}
1265		else if (type == TLSEXT_TYPE_renegotiate)
1266			{
1267			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1268				return 0;
1269			renegotiate_seen = 1;
1270			}
1271		else if (type == TLSEXT_TYPE_signature_algorithms)
1272			{
1273			int dsize;
1274			if (sigalg_seen || size < 2)
1275				{
1276				*al = SSL_AD_DECODE_ERROR;
1277				return 0;
1278				}
1279			sigalg_seen = 1;
1280			n2s(data,dsize);
1281			size -= 2;
1282			if (dsize != size || dsize & 1)
1283				{
1284				*al = SSL_AD_DECODE_ERROR;
1285				return 0;
1286				}
1287			if (!tls1_process_sigalgs(s, data, dsize))
1288				{
1289				*al = SSL_AD_DECODE_ERROR;
1290				return 0;
1291				}
1292			}
1293		else if (type == TLSEXT_TYPE_status_request &&
1294		         s->version != DTLS1_VERSION)
1295			{
1296
1297			if (size < 5)
1298				{
1299				*al = SSL_AD_DECODE_ERROR;
1300				return 0;
1301				}
1302
1303			s->tlsext_status_type = *data++;
1304			size--;
1305			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1306				{
1307				const unsigned char *sdata;
1308				int dsize;
1309				/* Read in responder_id_list */
1310				n2s(data,dsize);
1311				size -= 2;
1312				if (dsize > size  )
1313					{
1314					*al = SSL_AD_DECODE_ERROR;
1315					return 0;
1316					}
1317				while (dsize > 0)
1318					{
1319					OCSP_RESPID *id;
1320					int idsize;
1321					if (dsize < 4)
1322						{
1323						*al = SSL_AD_DECODE_ERROR;
1324						return 0;
1325						}
1326					n2s(data, idsize);
1327					dsize -= 2 + idsize;
1328					size -= 2 + idsize;
1329					if (dsize < 0)
1330						{
1331						*al = SSL_AD_DECODE_ERROR;
1332						return 0;
1333						}
1334					sdata = data;
1335					data += idsize;
1336					id = d2i_OCSP_RESPID(NULL,
1337								&sdata, idsize);
1338					if (!id)
1339						{
1340						*al = SSL_AD_DECODE_ERROR;
1341						return 0;
1342						}
1343					if (data != sdata)
1344						{
1345						OCSP_RESPID_free(id);
1346						*al = SSL_AD_DECODE_ERROR;
1347						return 0;
1348						}
1349					if (!s->tlsext_ocsp_ids
1350						&& !(s->tlsext_ocsp_ids =
1351						sk_OCSP_RESPID_new_null()))
1352						{
1353						OCSP_RESPID_free(id);
1354						*al = SSL_AD_INTERNAL_ERROR;
1355						return 0;
1356						}
1357					if (!sk_OCSP_RESPID_push(
1358							s->tlsext_ocsp_ids, id))
1359						{
1360						OCSP_RESPID_free(id);
1361						*al = SSL_AD_INTERNAL_ERROR;
1362						return 0;
1363						}
1364					}
1365
1366				/* Read in request_extensions */
1367				if (size < 2)
1368					{
1369					*al = SSL_AD_DECODE_ERROR;
1370					return 0;
1371					}
1372				n2s(data,dsize);
1373				size -= 2;
1374				if (dsize != size)
1375					{
1376					*al = SSL_AD_DECODE_ERROR;
1377					return 0;
1378					}
1379				sdata = data;
1380				if (dsize > 0)
1381					{
1382					if (s->tlsext_ocsp_exts)
1383						{
1384						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1385									   X509_EXTENSION_free);
1386						}
1387
1388					s->tlsext_ocsp_exts =
1389						d2i_X509_EXTENSIONS(NULL,
1390							&sdata, dsize);
1391					if (!s->tlsext_ocsp_exts
1392						|| (data + dsize != sdata))
1393						{
1394						*al = SSL_AD_DECODE_ERROR;
1395						return 0;
1396						}
1397					}
1398				}
1399				/* We don't know what to do with any other type
1400 			 	* so ignore it.
1401 			 	*/
1402				else
1403					s->tlsext_status_type = -1;
1404			}
1405#ifndef OPENSSL_NO_HEARTBEATS
1406		else if (type == TLSEXT_TYPE_heartbeat)
1407			{
1408			switch(data[0])
1409				{
1410				case 0x01:	/* Client allows us to send HB requests */
1411							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1412							break;
1413				case 0x02:	/* Client doesn't accept HB requests */
1414							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1415							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1416							break;
1417				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1418							return 0;
1419				}
1420			}
1421#endif
1422#ifndef OPENSSL_NO_NEXTPROTONEG
1423		else if (type == TLSEXT_TYPE_next_proto_neg &&
1424			 s->s3->tmp.finish_md_len == 0)
1425			{
1426			/* We shouldn't accept this extension on a
1427			 * renegotiation.
1428			 *
1429			 * s->new_session will be set on renegotiation, but we
1430			 * probably shouldn't rely that it couldn't be set on
1431			 * the initial renegotation too in certain cases (when
1432			 * there's some other reason to disallow resuming an
1433			 * earlier session -- the current code won't be doing
1434			 * anything like that, but this might change).
1435
1436			 * A valid sign that there's been a previous handshake
1437			 * in this connection is if s->s3->tmp.finish_md_len >
1438			 * 0.  (We are talking about a check that will happen
1439			 * in the Hello protocol round, well before a new
1440			 * Finished message could have been computed.) */
1441			s->s3->next_proto_neg_seen = 1;
1442			}
1443#endif
1444
1445		/* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP
1447		else if (type == TLSEXT_TYPE_use_srtp)
1448			{
1449			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1450							      al))
1451				return 0;
1452			}
1453#endif
1454
1455		data+=size;
1456		}
1457
1458	*p = data;
1459
1460	ri_check:
1461
1462	/* Need RI if renegotiating */
1463
1464	if (!renegotiate_seen && s->renegotiate &&
1465		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1466		{
1467		*al = SSL_AD_HANDSHAKE_FAILURE;
1468	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1469				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1470		return 0;
1471		}
1472
1473	return 1;
1474	}
1475
1476#ifndef OPENSSL_NO_NEXTPROTONEG
1477/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1478 * elements of zero length are allowed and the set of elements must exactly fill
1479 * the length of the block. */
1480static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1481	{
1482	unsigned int off = 0;
1483
1484	while (off < len)
1485		{
1486		if (d[off] == 0)
1487			return 0;
1488		off += d[off];
1489		off++;
1490		}
1491
1492	return off == len;
1493	}
1494#endif
1495
1496int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1497	{
1498	unsigned short length;
1499	unsigned short type;
1500	unsigned short size;
1501	unsigned char *data = *p;
1502	int tlsext_servername = 0;
1503	int renegotiate_seen = 0;
1504
1505#ifndef OPENSSL_NO_NEXTPROTONEG
1506	s->s3->next_proto_neg_seen = 0;
1507#endif
1508
1509#ifndef OPENSSL_NO_HEARTBEATS
1510	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1511	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1512#endif
1513
1514	if (data >= (d+n-2))
1515		goto ri_check;
1516
1517	n2s(data,length);
1518	if (data+length != d+n)
1519		{
1520		*al = SSL_AD_DECODE_ERROR;
1521		return 0;
1522		}
1523
1524	while(data <= (d+n-4))
1525		{
1526		n2s(data,type);
1527		n2s(data,size);
1528
1529		if (data+size > (d+n))
1530	   		goto ri_check;
1531
1532		if (s->tlsext_debug_cb)
1533			s->tlsext_debug_cb(s, 1, type, data, size,
1534						s->tlsext_debug_arg);
1535
1536		if (type == TLSEXT_TYPE_server_name)
1537			{
1538			if (s->tlsext_hostname == NULL || size > 0)
1539				{
1540				*al = TLS1_AD_UNRECOGNIZED_NAME;
1541				return 0;
1542				}
1543			tlsext_servername = 1;
1544			}
1545
1546#ifndef OPENSSL_NO_EC
1547		else if (type == TLSEXT_TYPE_ec_point_formats)
1548			{
1549			unsigned char *sdata = data;
1550			int ecpointformatlist_length = *(sdata++);
1551
1552			if (ecpointformatlist_length != size - 1 ||
1553				ecpointformatlist_length < 1)
1554				{
1555				*al = TLS1_AD_DECODE_ERROR;
1556				return 0;
1557				}
1558			if (!s->hit)
1559				{
1560				s->session->tlsext_ecpointformatlist_length = 0;
1561				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1562				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1563					{
1564					*al = TLS1_AD_INTERNAL_ERROR;
1565					return 0;
1566					}
1567				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1568				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1569				}
1570#if 0
1571			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1572			sdata = s->session->tlsext_ecpointformatlist;
1573			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1574				fprintf(stderr,"%i ",*(sdata++));
1575			fprintf(stderr,"\n");
1576#endif
1577			}
1578#endif /* OPENSSL_NO_EC */
1579
1580		else if (type == TLSEXT_TYPE_session_ticket)
1581			{
1582			if (s->tls_session_ticket_ext_cb &&
1583			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1584				{
1585				*al = TLS1_AD_INTERNAL_ERROR;
1586				return 0;
1587				}
1588			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1589				|| (size > 0))
1590				{
1591				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1592				return 0;
1593				}
1594			s->tlsext_ticket_expected = 1;
1595			}
1596#ifdef TLSEXT_TYPE_opaque_prf_input
1597		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1598	             s->version != DTLS1_VERSION)
1599			{
1600			unsigned char *sdata = data;
1601
1602			if (size < 2)
1603				{
1604				*al = SSL_AD_DECODE_ERROR;
1605				return 0;
1606				}
1607			n2s(sdata, s->s3->server_opaque_prf_input_len);
1608			if (s->s3->server_opaque_prf_input_len != size - 2)
1609				{
1610				*al = SSL_AD_DECODE_ERROR;
1611				return 0;
1612				}
1613
1614			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1615				OPENSSL_free(s->s3->server_opaque_prf_input);
1616			if (s->s3->server_opaque_prf_input_len == 0)
1617				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1618			else
1619				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1620
1621			if (s->s3->server_opaque_prf_input == NULL)
1622				{
1623				*al = TLS1_AD_INTERNAL_ERROR;
1624				return 0;
1625				}
1626			}
1627#endif
1628		else if (type == TLSEXT_TYPE_status_request &&
1629		         s->version != DTLS1_VERSION)
1630			{
1631			/* MUST be empty and only sent if we've requested
1632			 * a status request message.
1633			 */
1634			if ((s->tlsext_status_type == -1) || (size > 0))
1635				{
1636				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1637				return 0;
1638				}
1639			/* Set flag to expect CertificateStatus message */
1640			s->tlsext_status_expected = 1;
1641			}
1642#ifndef OPENSSL_NO_NEXTPROTONEG
1643		else if (type == TLSEXT_TYPE_next_proto_neg &&
1644			 s->s3->tmp.finish_md_len == 0)
1645			{
1646			unsigned char *selected;
1647			unsigned char selected_len;
1648
1649			/* We must have requested it. */
1650			if (s->ctx->next_proto_select_cb == NULL)
1651				{
1652				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1653				return 0;
1654				}
1655			/* The data must be valid */
1656			if (!ssl_next_proto_validate(data, size))
1657				{
1658				*al = TLS1_AD_DECODE_ERROR;
1659				return 0;
1660				}
1661			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1662				{
1663				*al = TLS1_AD_INTERNAL_ERROR;
1664				return 0;
1665				}
1666			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1667			if (!s->next_proto_negotiated)
1668				{
1669				*al = TLS1_AD_INTERNAL_ERROR;
1670				return 0;
1671				}
1672			memcpy(s->next_proto_negotiated, selected, selected_len);
1673			s->next_proto_negotiated_len = selected_len;
1674			s->s3->next_proto_neg_seen = 1;
1675			}
1676#endif
1677		else if (type == TLSEXT_TYPE_renegotiate)
1678			{
1679			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1680				return 0;
1681			renegotiate_seen = 1;
1682			}
1683#ifndef OPENSSL_NO_HEARTBEATS
1684		else if (type == TLSEXT_TYPE_heartbeat)
1685			{
1686			switch(data[0])
1687				{
1688				case 0x01:	/* Server allows us to send HB requests */
1689							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1690							break;
1691				case 0x02:	/* Server doesn't accept HB requests */
1692							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1693							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1694							break;
1695				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1696							return 0;
1697				}
1698			}
1699#endif
1700#ifndef OPENSSL_NO_SRTP
1701		else if (type == TLSEXT_TYPE_use_srtp)
1702			{
1703                        if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1704							      al))
1705                                return 0;
1706			}
1707#endif
1708
1709		data+=size;
1710		}
1711
1712	if (data != d+n)
1713		{
1714		*al = SSL_AD_DECODE_ERROR;
1715		return 0;
1716		}
1717
1718	if (!s->hit && tlsext_servername == 1)
1719		{
1720 		if (s->tlsext_hostname)
1721			{
1722			if (s->session->tlsext_hostname == NULL)
1723				{
1724				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1725				if (!s->session->tlsext_hostname)
1726					{
1727					*al = SSL_AD_UNRECOGNIZED_NAME;
1728					return 0;
1729					}
1730				}
1731			else
1732				{
1733				*al = SSL_AD_DECODE_ERROR;
1734				return 0;
1735				}
1736			}
1737		}
1738
1739	*p = data;
1740
1741	ri_check:
1742
1743	/* Determine if we need to see RI. Strictly speaking if we want to
1744	 * avoid an attack we should *always* see RI even on initial server
1745	 * hello because the client doesn't see any renegotiation during an
1746	 * attack. However this would mean we could not connect to any server
1747	 * which doesn't support RI so for the immediate future tolerate RI
1748	 * absence on initial connect only.
1749	 */
1750	if (!renegotiate_seen
1751		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1752		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1753		{
1754		*al = SSL_AD_HANDSHAKE_FAILURE;
1755		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1756				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1757		return 0;
1758		}
1759
1760	return 1;
1761	}
1762
1763
1764int ssl_prepare_clienthello_tlsext(SSL *s)
1765	{
1766#ifndef OPENSSL_NO_EC
1767	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1768	 * and elliptic curves we support.
1769	 */
1770	int using_ecc = 0;
1771	int i;
1772	unsigned char *j;
1773	unsigned long alg_k, alg_a;
1774	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1775
1776	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1777		{
1778		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1779
1780		alg_k = c->algorithm_mkey;
1781		alg_a = c->algorithm_auth;
1782		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1783			{
1784			using_ecc = 1;
1785			break;
1786			}
1787		}
1788	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1789	if (using_ecc)
1790		{
1791		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1792		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1793			{
1794			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1795			return -1;
1796			}
1797		s->tlsext_ecpointformatlist_length = 3;
1798		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1799		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1800		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1801
1802		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1803		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1804		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1805		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1806			{
1807			s->tlsext_ellipticcurvelist_length = 0;
1808			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1809			return -1;
1810			}
1811		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1812				sizeof(pref_list)/sizeof(pref_list[0]); i++)
1813			{
1814			int id = tls1_ec_nid2curve_id(pref_list[i]);
1815			s2n(id,j);
1816			}
1817		}
1818#endif /* OPENSSL_NO_EC */
1819
1820#ifdef TLSEXT_TYPE_opaque_prf_input
1821 	{
1822		int r = 1;
1823
1824		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1825			{
1826			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1827			if (!r)
1828				return -1;
1829			}
1830
1831		if (s->tlsext_opaque_prf_input != NULL)
1832			{
1833			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1834				OPENSSL_free(s->s3->client_opaque_prf_input);
1835
1836			if (s->tlsext_opaque_prf_input_len == 0)
1837				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1838			else
1839				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1840			if (s->s3->client_opaque_prf_input == NULL)
1841				{
1842				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1843				return -1;
1844				}
1845			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1846			}
1847
1848		if (r == 2)
1849			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1850			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1851	}
1852#endif
1853
1854	return 1;
1855	}
1856
1857int ssl_prepare_serverhello_tlsext(SSL *s)
1858	{
1859#ifndef OPENSSL_NO_EC
1860	/* If we are server and using an ECC cipher suite, send the point formats we support
1861	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1862	 * supposed to send an EllipticCurves extension.
1863	 */
1864
1865	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1866	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1867	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1868	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1869
1870	if (using_ecc)
1871		{
1872		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1873		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1874			{
1875			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1876			return -1;
1877			}
1878		s->tlsext_ecpointformatlist_length = 3;
1879		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1880		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1881		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1882		}
1883#endif /* OPENSSL_NO_EC */
1884
1885	return 1;
1886	}
1887
1888int ssl_check_clienthello_tlsext_early(SSL *s)
1889	{
1890	int ret=SSL_TLSEXT_ERR_NOACK;
1891	int al = SSL_AD_UNRECOGNIZED_NAME;
1892
1893#ifndef OPENSSL_NO_EC
1894	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1895	 * ssl3_choose_cipher in s3_lib.c.
1896	 */
1897	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1898	 * ssl3_choose_cipher in s3_lib.c.
1899	 */
1900#endif
1901
1902	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1903		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1904	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1905		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1906
1907#ifdef TLSEXT_TYPE_opaque_prf_input
1908 	{
1909		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1910		 * but we might be sending an alert in response to the client hello,
1911		 * so this has to happen here in
1912		 * ssl_check_clienthello_tlsext_early(). */
1913
1914		int r = 1;
1915
1916		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1917			{
1918			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1919			if (!r)
1920				{
1921				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1922				al = SSL_AD_INTERNAL_ERROR;
1923				goto err;
1924				}
1925			}
1926
1927		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1928			OPENSSL_free(s->s3->server_opaque_prf_input);
1929		s->s3->server_opaque_prf_input = NULL;
1930
1931		if (s->tlsext_opaque_prf_input != NULL)
1932			{
1933			if (s->s3->client_opaque_prf_input != NULL &&
1934				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1935				{
1936				/* can only use this extension if we have a server opaque PRF input
1937				 * of the same length as the client opaque PRF input! */
1938
1939				if (s->tlsext_opaque_prf_input_len == 0)
1940					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1941				else
1942					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1943				if (s->s3->server_opaque_prf_input == NULL)
1944					{
1945					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1946					al = SSL_AD_INTERNAL_ERROR;
1947					goto err;
1948					}
1949				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1950				}
1951			}
1952
1953		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1954			{
1955			/* The callback wants to enforce use of the extension,
1956			 * but we can't do that with the client opaque PRF input;
1957			 * abort the handshake.
1958			 */
1959			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1960			al = SSL_AD_HANDSHAKE_FAILURE;
1961			}
1962	}
1963
1964 err:
1965#endif
1966	switch (ret)
1967		{
1968		case SSL_TLSEXT_ERR_ALERT_FATAL:
1969			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1970			return -1;
1971
1972		case SSL_TLSEXT_ERR_ALERT_WARNING:
1973			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1974			return 1;
1975
1976		case SSL_TLSEXT_ERR_NOACK:
1977			s->servername_done=0;
1978			default:
1979		return 1;
1980		}
1981	}
1982
1983int ssl_check_clienthello_tlsext_late(SSL *s)
1984	{
1985	int ret = SSL_TLSEXT_ERR_OK;
1986	int al;
1987
1988	/* If status request then ask callback what to do.
1989 	 * Note: this must be called after servername callbacks in case
1990 	 * the certificate has changed, and must be called after the cipher
1991	 * has been chosen because this may influence which certificate is sent
1992 	 */
1993	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1994		{
1995		int r;
1996		CERT_PKEY *certpkey;
1997		certpkey = ssl_get_server_send_pkey(s);
1998		/* If no certificate can't return certificate status */
1999		if (certpkey == NULL)
2000			{
2001			s->tlsext_status_expected = 0;
2002			return 1;
2003			}
2004		/* Set current certificate to one we will use so
2005		 * SSL_get_certificate et al can pick it up.
2006		 */
2007		s->cert->key = certpkey;
2008		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2009		switch (r)
2010			{
2011			/* We don't want to send a status request response */
2012			case SSL_TLSEXT_ERR_NOACK:
2013				s->tlsext_status_expected = 0;
2014				break;
2015			/* status request response should be sent */
2016			case SSL_TLSEXT_ERR_OK:
2017				if (s->tlsext_ocsp_resp)
2018					s->tlsext_status_expected = 1;
2019				else
2020					s->tlsext_status_expected = 0;
2021				break;
2022			/* something bad happened */
2023			case SSL_TLSEXT_ERR_ALERT_FATAL:
2024				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2025				al = SSL_AD_INTERNAL_ERROR;
2026				goto err;
2027			}
2028		}
2029	else
2030		s->tlsext_status_expected = 0;
2031
2032 err:
2033	switch (ret)
2034		{
2035		case SSL_TLSEXT_ERR_ALERT_FATAL:
2036			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2037			return -1;
2038
2039		case SSL_TLSEXT_ERR_ALERT_WARNING:
2040			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2041			return 1;
2042
2043		default:
2044			return 1;
2045		}
2046	}
2047
2048int ssl_check_serverhello_tlsext(SSL *s)
2049	{
2050	int ret=SSL_TLSEXT_ERR_NOACK;
2051	int al = SSL_AD_UNRECOGNIZED_NAME;
2052
2053#ifndef OPENSSL_NO_EC
2054	/* If we are client and using an elliptic curve cryptography cipher
2055	 * suite, then if server returns an EC point formats lists extension
2056	 * it must contain uncompressed.
2057	 */
2058	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2059	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2060	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2061	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2062	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2063		{
2064		/* we are using an ECC cipher */
2065		size_t i;
2066		unsigned char *list;
2067		int found_uncompressed = 0;
2068		list = s->session->tlsext_ecpointformatlist;
2069		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2070			{
2071			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2072				{
2073				found_uncompressed = 1;
2074				break;
2075				}
2076			}
2077		if (!found_uncompressed)
2078			{
2079			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2080			return -1;
2081			}
2082		}
2083	ret = SSL_TLSEXT_ERR_OK;
2084#endif /* OPENSSL_NO_EC */
2085
2086	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2087		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2088	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2089		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2090
2091#ifdef TLSEXT_TYPE_opaque_prf_input
2092	if (s->s3->server_opaque_prf_input_len > 0)
2093		{
2094		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2095		 * So first verify that we really have a value from the server too. */
2096
2097		if (s->s3->server_opaque_prf_input == NULL)
2098			{
2099			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2100			al = SSL_AD_HANDSHAKE_FAILURE;
2101			}
2102
2103		/* Anytime the server *has* sent an opaque PRF input, we need to check
2104		 * that we have a client opaque PRF input of the same size. */
2105		if (s->s3->client_opaque_prf_input == NULL ||
2106		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2107			{
2108			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2109			al = SSL_AD_ILLEGAL_PARAMETER;
2110			}
2111		}
2112#endif
2113
2114	/* If we've requested certificate status and we wont get one
2115 	 * tell the callback
2116 	 */
2117	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2118			&& s->ctx && s->ctx->tlsext_status_cb)
2119		{
2120		int r;
2121		/* Set resp to NULL, resplen to -1 so callback knows
2122 		 * there is no response.
2123 		 */
2124		if (s->tlsext_ocsp_resp)
2125			{
2126			OPENSSL_free(s->tlsext_ocsp_resp);
2127			s->tlsext_ocsp_resp = NULL;
2128			}
2129		s->tlsext_ocsp_resplen = -1;
2130		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2131		if (r == 0)
2132			{
2133			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2134			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2135			}
2136		if (r < 0)
2137			{
2138			al = SSL_AD_INTERNAL_ERROR;
2139			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2140			}
2141		}
2142
2143	switch (ret)
2144		{
2145		case SSL_TLSEXT_ERR_ALERT_FATAL:
2146			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2147			return -1;
2148
2149		case SSL_TLSEXT_ERR_ALERT_WARNING:
2150			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2151			return 1;
2152
2153		case SSL_TLSEXT_ERR_NOACK:
2154			s->servername_done=0;
2155			default:
2156		return 1;
2157		}
2158	}
2159
2160/* Since the server cache lookup is done early on in the processing of the
2161 * ClientHello, and other operations depend on the result, we need to handle
2162 * any TLS session ticket extension at the same time.
2163 *
2164 *   session_id: points at the session ID in the ClientHello. This code will
2165 *       read past the end of this in order to parse out the session ticket
2166 *       extension, if any.
2167 *   len: the length of the session ID.
2168 *   limit: a pointer to the first byte after the ClientHello.
2169 *   ret: (output) on return, if a ticket was decrypted, then this is set to
2170 *       point to the resulting session.
2171 *
2172 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2173 * ciphersuite, in which case we have no use for session tickets and one will
2174 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2175 *
2176 * Returns:
2177 *   -1: fatal error, either from parsing or decrypting the ticket.
2178 *    0: no ticket was found (or was ignored, based on settings).
2179 *    1: a zero length extension was found, indicating that the client supports
2180 *       session tickets but doesn't currently have one to offer.
2181 *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2182 *       couldn't be decrypted because of a non-fatal error.
2183 *    3: a ticket was successfully decrypted and *ret was set.
2184 *
2185 * Side effects:
2186 *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2187 *   a new session ticket to the client because the client indicated support
2188 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2189 *   a session ticket or we couldn't use the one it gave us, or if
2190 *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2191 *   Otherwise, s->tlsext_ticket_expected is set to 0.
2192 */
2193int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2194			const unsigned char *limit, SSL_SESSION **ret)
2195	{
2196	/* Point after session ID in client hello */
2197	const unsigned char *p = session_id + len;
2198	unsigned short i;
2199
2200	*ret = NULL;
2201	s->tlsext_ticket_expected = 0;
2202
2203	/* If tickets disabled behave as if no ticket present
2204	 * to permit stateful resumption.
2205	 */
2206	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2207		return 0;
2208	if ((s->version <= SSL3_VERSION) || !limit)
2209		return 0;
2210	if (p >= limit)
2211		return -1;
2212	/* Skip past DTLS cookie */
2213	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2214		{
2215		i = *(p++);
2216		p+= i;
2217		if (p >= limit)
2218			return -1;
2219		}
2220	/* Skip past cipher list */
2221	n2s(p, i);
2222	p+= i;
2223	if (p >= limit)
2224		return -1;
2225	/* Skip past compression algorithm list */
2226	i = *(p++);
2227	p += i;
2228	if (p > limit)
2229		return -1;
2230	/* Now at start of extensions */
2231	if ((p + 2) >= limit)
2232		return 0;
2233	n2s(p, i);
2234	while ((p + 4) <= limit)
2235		{
2236		unsigned short type, size;
2237		n2s(p, type);
2238		n2s(p, size);
2239		if (p + size > limit)
2240			return 0;
2241		if (type == TLSEXT_TYPE_session_ticket)
2242			{
2243			int r;
2244			if (size == 0)
2245				{
2246				/* The client will accept a ticket but doesn't
2247				 * currently have one. */
2248				s->tlsext_ticket_expected = 1;
2249				return 1;
2250				}
2251			if (s->tls_session_secret_cb)
2252				{
2253				/* Indicate that the ticket couldn't be
2254				 * decrypted rather than generating the session
2255				 * from ticket now, trigger abbreviated
2256				 * handshake based on external mechanism to
2257				 * calculate the master secret later. */
2258				return 2;
2259				}
2260			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2261			switch (r)
2262				{
2263				case 2: /* ticket couldn't be decrypted */
2264					s->tlsext_ticket_expected = 1;
2265					return 2;
2266				case 3: /* ticket was decrypted */
2267					return r;
2268				case 4: /* ticket decrypted but need to renew */
2269					s->tlsext_ticket_expected = 1;
2270					return 3;
2271				default: /* fatal error */
2272					return -1;
2273				}
2274			}
2275		p += size;
2276		}
2277	return 0;
2278	}
2279
2280/* tls_decrypt_ticket attempts to decrypt a session ticket.
2281 *
2282 *   etick: points to the body of the session ticket extension.
2283 *   eticklen: the length of the session tickets extenion.
2284 *   sess_id: points at the session ID.
2285 *   sesslen: the length of the session ID.
2286 *   psess: (output) on return, if a ticket was decrypted, then this is set to
2287 *       point to the resulting session.
2288 *
2289 * Returns:
2290 *   -1: fatal error, either from parsing or decrypting the ticket.
2291 *    2: the ticket couldn't be decrypted.
2292 *    3: a ticket was successfully decrypted and *psess was set.
2293 *    4: same as 3, but the ticket needs to be renewed.
2294 */
2295static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2296				const unsigned char *sess_id, int sesslen,
2297				SSL_SESSION **psess)
2298	{
2299	SSL_SESSION *sess;
2300	unsigned char *sdec;
2301	const unsigned char *p;
2302	int slen, mlen, renew_ticket = 0;
2303	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2304	HMAC_CTX hctx;
2305	EVP_CIPHER_CTX ctx;
2306	SSL_CTX *tctx = s->initial_ctx;
2307	/* Need at least keyname + iv + some encrypted data */
2308	if (eticklen < 48)
2309		return 2;
2310	/* Initialize session ticket encryption and HMAC contexts */
2311	HMAC_CTX_init(&hctx);
2312	EVP_CIPHER_CTX_init(&ctx);
2313	if (tctx->tlsext_ticket_key_cb)
2314		{
2315		unsigned char *nctick = (unsigned char *)etick;
2316		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2317							&ctx, &hctx, 0);
2318		if (rv < 0)
2319			return -1;
2320		if (rv == 0)
2321			return 2;
2322		if (rv == 2)
2323			renew_ticket = 1;
2324		}
2325	else
2326		{
2327		/* Check key name matches */
2328		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2329			return 2;
2330		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2331					tlsext_tick_md(), NULL);
2332		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2333				tctx->tlsext_tick_aes_key, etick + 16);
2334		}
2335	/* Attempt to process session ticket, first conduct sanity and
2336	 * integrity checks on ticket.
2337	 */
2338	mlen = HMAC_size(&hctx);
2339	if (mlen < 0)
2340		{
2341		EVP_CIPHER_CTX_cleanup(&ctx);
2342		return -1;
2343		}
2344	eticklen -= mlen;
2345	/* Check HMAC of encrypted ticket */
2346	HMAC_Update(&hctx, etick, eticklen);
2347	HMAC_Final(&hctx, tick_hmac, NULL);
2348	HMAC_CTX_cleanup(&hctx);
2349	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2350		return 2;
2351	/* Attempt to decrypt session data */
2352	/* Move p after IV to start of encrypted ticket, update length */
2353	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2354	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2355	sdec = OPENSSL_malloc(eticklen);
2356	if (!sdec)
2357		{
2358		EVP_CIPHER_CTX_cleanup(&ctx);
2359		return -1;
2360		}
2361	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2362	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2363		{
2364		EVP_CIPHER_CTX_cleanup(&ctx);
2365		OPENSSL_free(sdec);
2366		return 2;
2367		}
2368	slen += mlen;
2369	EVP_CIPHER_CTX_cleanup(&ctx);
2370	p = sdec;
2371
2372	sess = d2i_SSL_SESSION(NULL, &p, slen);
2373	OPENSSL_free(sdec);
2374	if (sess)
2375		{
2376		/* The session ID, if non-empty, is used by some clients to
2377		 * detect that the ticket has been accepted. So we copy it to
2378		 * the session structure. If it is empty set length to zero
2379		 * as required by standard.
2380		 */
2381		if (sesslen)
2382			memcpy(sess->session_id, sess_id, sesslen);
2383		sess->session_id_length = sesslen;
2384		*psess = sess;
2385		if (renew_ticket)
2386			return 4;
2387		else
2388			return 3;
2389		}
2390        ERR_clear_error();
2391	/* For session parse failure, indicate that we need to send a new
2392	 * ticket. */
2393	return 2;
2394	}
2395
2396/* Tables to translate from NIDs to TLS v1.2 ids */
2397
2398typedef struct
2399	{
2400	int nid;
2401	int id;
2402	} tls12_lookup;
2403
2404static tls12_lookup tls12_md[] = {
2405#ifndef OPENSSL_NO_MD5
2406	{NID_md5, TLSEXT_hash_md5},
2407#endif
2408#ifndef OPENSSL_NO_SHA
2409	{NID_sha1, TLSEXT_hash_sha1},
2410#endif
2411#ifndef OPENSSL_NO_SHA256
2412	{NID_sha224, TLSEXT_hash_sha224},
2413	{NID_sha256, TLSEXT_hash_sha256},
2414#endif
2415#ifndef OPENSSL_NO_SHA512
2416	{NID_sha384, TLSEXT_hash_sha384},
2417	{NID_sha512, TLSEXT_hash_sha512}
2418#endif
2419};
2420
2421static tls12_lookup tls12_sig[] = {
2422#ifndef OPENSSL_NO_RSA
2423	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2424#endif
2425#ifndef OPENSSL_NO_DSA
2426	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
2427#endif
2428#ifndef OPENSSL_NO_ECDSA
2429	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2430#endif
2431};
2432
2433static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2434	{
2435	size_t i;
2436	for (i = 0; i < tlen; i++)
2437		{
2438		if (table[i].nid == nid)
2439			return table[i].id;
2440		}
2441	return -1;
2442	}
2443#if 0
2444static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2445	{
2446	size_t i;
2447	for (i = 0; i < tlen; i++)
2448		{
2449		if (table[i].id == id)
2450			return table[i].nid;
2451		}
2452	return -1;
2453	}
2454#endif
2455
2456int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2457	{
2458	int sig_id, md_id;
2459	if (!md)
2460		return 0;
2461	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2462				sizeof(tls12_md)/sizeof(tls12_lookup));
2463	if (md_id == -1)
2464		return 0;
2465	sig_id = tls12_get_sigid(pk);
2466	if (sig_id == -1)
2467		return 0;
2468	p[0] = (unsigned char)md_id;
2469	p[1] = (unsigned char)sig_id;
2470	return 1;
2471	}
2472
2473int tls12_get_sigid(const EVP_PKEY *pk)
2474	{
2475	return tls12_find_id(pk->type, tls12_sig,
2476				sizeof(tls12_sig)/sizeof(tls12_lookup));
2477	}
2478
2479const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2480	{
2481	switch(hash_alg)
2482		{
2483#ifndef OPENSSL_NO_SHA
2484		case TLSEXT_hash_sha1:
2485		return EVP_sha1();
2486#endif
2487#ifndef OPENSSL_NO_SHA256
2488		case TLSEXT_hash_sha224:
2489		return EVP_sha224();
2490
2491		case TLSEXT_hash_sha256:
2492		return EVP_sha256();
2493#endif
2494#ifndef OPENSSL_NO_SHA512
2495		case TLSEXT_hash_sha384:
2496		return EVP_sha384();
2497
2498		case TLSEXT_hash_sha512:
2499		return EVP_sha512();
2500#endif
2501		default:
2502		return NULL;
2503
2504		}
2505	}
2506
2507/* Set preferred digest for each key type */
2508
2509int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2510	{
2511	int i, idx;
2512	const EVP_MD *md;
2513	CERT *c = s->cert;
2514	/* Extension ignored for TLS versions below 1.2 */
2515	if (TLS1_get_version(s) < TLS1_2_VERSION)
2516		return 1;
2517	/* Should never happen */
2518	if (!c)
2519		return 0;
2520
2521	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2522	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2523	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2524	c->pkeys[SSL_PKEY_ECC].digest = NULL;
2525
2526	for (i = 0; i < dsize; i += 2)
2527		{
2528		unsigned char hash_alg = data[i], sig_alg = data[i+1];
2529
2530		switch(sig_alg)
2531			{
2532#ifndef OPENSSL_NO_RSA
2533			case TLSEXT_signature_rsa:
2534			idx = SSL_PKEY_RSA_SIGN;
2535			break;
2536#endif
2537#ifndef OPENSSL_NO_DSA
2538			case TLSEXT_signature_dsa:
2539			idx = SSL_PKEY_DSA_SIGN;
2540			break;
2541#endif
2542#ifndef OPENSSL_NO_ECDSA
2543			case TLSEXT_signature_ecdsa:
2544			idx = SSL_PKEY_ECC;
2545			break;
2546#endif
2547			default:
2548			continue;
2549			}
2550
2551		if (c->pkeys[idx].digest == NULL)
2552			{
2553			md = tls12_get_hash(hash_alg);
2554			if (md)
2555				{
2556				c->pkeys[idx].digest = md;
2557				if (idx == SSL_PKEY_RSA_SIGN)
2558					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2559				}
2560			}
2561
2562		}
2563
2564
2565	/* Set any remaining keys to default values. NOTE: if alg is not
2566	 * supported it stays as NULL.
2567	 */
2568#ifndef OPENSSL_NO_DSA
2569	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2570		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2571#endif
2572#ifndef OPENSSL_NO_RSA
2573	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2574		{
2575		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2576		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2577		}
2578#endif
2579#ifndef OPENSSL_NO_ECDSA
2580	if (!c->pkeys[SSL_PKEY_ECC].digest)
2581		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2582#endif
2583	return 1;
2584	}
2585
2586#endif
2587
2588#ifndef OPENSSL_NO_HEARTBEATS
2589int
2590tls1_process_heartbeat(SSL *s)
2591	{
2592	unsigned char *p = &s->s3->rrec.data[0], *pl;
2593	unsigned short hbtype;
2594	unsigned int payload;
2595	unsigned int padding = 16; /* Use minimum padding */
2596
2597	if (s->msg_callback)
2598		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2599			&s->s3->rrec.data[0], s->s3->rrec.length,
2600			s, s->msg_callback_arg);
2601
2602	/* Read type and payload length first */
2603	if (1 + 2 + 16 > s->s3->rrec.length)
2604		return 0; /* silently discard */
2605	hbtype = *p++;
2606	n2s(p, payload);
2607	if (1 + 2 + payload + 16 > s->s3->rrec.length)
2608		return 0; /* silently discard per RFC 6520 sec. 4 */
2609	pl = p;
2610
2611	if (hbtype == TLS1_HB_REQUEST)
2612		{
2613		unsigned char *buffer, *bp;
2614		int r;
2615
2616		/* Allocate memory for the response, size is 1 bytes
2617		 * message type, plus 2 bytes payload length, plus
2618		 * payload, plus padding
2619		 */
2620		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2621		bp = buffer;
2622
2623		/* Enter response type, length and copy payload */
2624		*bp++ = TLS1_HB_RESPONSE;
2625		s2n(payload, bp);
2626		memcpy(bp, pl, payload);
2627		bp += payload;
2628		/* Random padding */
2629		RAND_pseudo_bytes(bp, padding);
2630
2631		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2632
2633		if (r >= 0 && s->msg_callback)
2634			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2635				buffer, 3 + payload + padding,
2636				s, s->msg_callback_arg);
2637
2638		OPENSSL_free(buffer);
2639
2640		if (r < 0)
2641			return r;
2642		}
2643	else if (hbtype == TLS1_HB_RESPONSE)
2644		{
2645		unsigned int seq;
2646
2647		/* We only send sequence numbers (2 bytes unsigned int),
2648		 * and 16 random bytes, so we just try to read the
2649		 * sequence number */
2650		n2s(pl, seq);
2651
2652		if (payload == 18 && seq == s->tlsext_hb_seq)
2653			{
2654			s->tlsext_hb_seq++;
2655			s->tlsext_hb_pending = 0;
2656			}
2657		}
2658
2659	return 0;
2660	}
2661
2662int
2663tls1_heartbeat(SSL *s)
2664	{
2665	unsigned char *buf, *p;
2666	int ret;
2667	unsigned int payload = 18; /* Sequence number + random bytes */
2668	unsigned int padding = 16; /* Use minimum padding */
2669
2670	/* Only send if peer supports and accepts HB requests... */
2671	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2672	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2673		{
2674		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2675		return -1;
2676		}
2677
2678	/* ...and there is none in flight yet... */
2679	if (s->tlsext_hb_pending)
2680		{
2681		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2682		return -1;
2683		}
2684
2685	/* ...and no handshake in progress. */
2686	if (SSL_in_init(s) || s->in_handshake)
2687		{
2688		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2689		return -1;
2690		}
2691
2692	/* Check if padding is too long, payload and padding
2693	 * must not exceed 2^14 - 3 = 16381 bytes in total.
2694	 */
2695	OPENSSL_assert(payload + padding <= 16381);
2696
2697	/* Create HeartBeat message, we just use a sequence number
2698	 * as payload to distuingish different messages and add
2699	 * some random stuff.
2700	 *  - Message Type, 1 byte
2701	 *  - Payload Length, 2 bytes (unsigned int)
2702	 *  - Payload, the sequence number (2 bytes uint)
2703	 *  - Payload, random bytes (16 bytes uint)
2704	 *  - Padding
2705	 */
2706	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2707	p = buf;
2708	/* Message Type */
2709	*p++ = TLS1_HB_REQUEST;
2710	/* Payload length (18 bytes here) */
2711	s2n(payload, p);
2712	/* Sequence number */
2713	s2n(s->tlsext_hb_seq, p);
2714	/* 16 random bytes */
2715	RAND_pseudo_bytes(p, 16);
2716	p += 16;
2717	/* Random padding */
2718	RAND_pseudo_bytes(p, padding);
2719
2720	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2721	if (ret >= 0)
2722		{
2723		if (s->msg_callback)
2724			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2725				buf, 3 + payload + padding,
2726				s, s->msg_callback_arg);
2727
2728		s->tlsext_hb_pending = 1;
2729		}
2730
2731	OPENSSL_free(buf);
2732
2733	return ret;
2734	}
2735#endif
2736