Home | History | Annotate | Download | only in ssl
      1 /* ssl/t1_lib.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #include <stdio.h>
    113 #include <openssl/objects.h>
    114 #include <openssl/evp.h>
    115 #include <openssl/hmac.h>
    116 #include <openssl/ocsp.h>
    117 #include <openssl/rand.h>
    118 #include "ssl_locl.h"
    119 
    120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
    121 
    122 #ifndef OPENSSL_NO_TLSEXT
    123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
    124 				const unsigned char *sess_id, int sesslen,
    125 				SSL_SESSION **psess);
    126 #endif
    127 
    128 SSL3_ENC_METHOD TLSv1_enc_data={
    129 	tls1_enc,
    130 	tls1_mac,
    131 	tls1_setup_key_block,
    132 	tls1_generate_master_secret,
    133 	tls1_change_cipher_state,
    134 	tls1_final_finish_mac,
    135 	TLS1_FINISH_MAC_LENGTH,
    136 	tls1_cert_verify_mac,
    137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
    138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
    139 	tls1_alert_code,
    140 	tls1_export_keying_material,
    141 	};
    142 
    143 long tls1_default_timeout(void)
    144 	{
    145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
    146 	 * is way too long for http, the cache would over fill */
    147 	return(60*60*2);
    148 	}
    149 
    150 int tls1_new(SSL *s)
    151 	{
    152 	if (!ssl3_new(s)) return(0);
    153 	s->method->ssl_clear(s);
    154 	return(1);
    155 	}
    156 
    157 void tls1_free(SSL *s)
    158 	{
    159 #ifndef OPENSSL_NO_TLSEXT
    160 	if (s->tlsext_session_ticket)
    161 		{
    162 		OPENSSL_free(s->tlsext_session_ticket);
    163 		}
    164 #endif /* OPENSSL_NO_TLSEXT */
    165 	ssl3_free(s);
    166 	}
    167 
    168 void tls1_clear(SSL *s)
    169 	{
    170 	ssl3_clear(s);
    171 	s->version = s->method->version;
    172 	}
    173 
    174 #ifndef OPENSSL_NO_EC
    175 
    176 static int nid_list[] =
    177 	{
    178 		NID_sect163k1, /* sect163k1 (1) */
    179 		NID_sect163r1, /* sect163r1 (2) */
    180 		NID_sect163r2, /* sect163r2 (3) */
    181 		NID_sect193r1, /* sect193r1 (4) */
    182 		NID_sect193r2, /* sect193r2 (5) */
    183 		NID_sect233k1, /* sect233k1 (6) */
    184 		NID_sect233r1, /* sect233r1 (7) */
    185 		NID_sect239k1, /* sect239k1 (8) */
    186 		NID_sect283k1, /* sect283k1 (9) */
    187 		NID_sect283r1, /* sect283r1 (10) */
    188 		NID_sect409k1, /* sect409k1 (11) */
    189 		NID_sect409r1, /* sect409r1 (12) */
    190 		NID_sect571k1, /* sect571k1 (13) */
    191 		NID_sect571r1, /* sect571r1 (14) */
    192 		NID_secp160k1, /* secp160k1 (15) */
    193 		NID_secp160r1, /* secp160r1 (16) */
    194 		NID_secp160r2, /* secp160r2 (17) */
    195 		NID_secp192k1, /* secp192k1 (18) */
    196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
    197 		NID_secp224k1, /* secp224k1 (20) */
    198 		NID_secp224r1, /* secp224r1 (21) */
    199 		NID_secp256k1, /* secp256k1 (22) */
    200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
    201 		NID_secp384r1, /* secp384r1 (24) */
    202 		NID_secp521r1  /* secp521r1 (25) */
    203 	};
    204 
    205 static int pref_list[] =
    206 	{
    207 		NID_sect571r1, /* sect571r1 (14) */
    208 		NID_sect571k1, /* sect571k1 (13) */
    209 		NID_secp521r1, /* secp521r1 (25) */
    210 		NID_sect409k1, /* sect409k1 (11) */
    211 		NID_sect409r1, /* sect409r1 (12) */
    212 		NID_secp384r1, /* secp384r1 (24) */
    213 		NID_sect283k1, /* sect283k1 (9) */
    214 		NID_sect283r1, /* sect283r1 (10) */
    215 		NID_secp256k1, /* secp256k1 (22) */
    216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
    217 		NID_sect239k1, /* sect239k1 (8) */
    218 		NID_sect233k1, /* sect233k1 (6) */
    219 		NID_sect233r1, /* sect233r1 (7) */
    220 		NID_secp224k1, /* secp224k1 (20) */
    221 		NID_secp224r1, /* secp224r1 (21) */
    222 		NID_sect193r1, /* sect193r1 (4) */
    223 		NID_sect193r2, /* sect193r2 (5) */
    224 		NID_secp192k1, /* secp192k1 (18) */
    225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
    226 		NID_sect163k1, /* sect163k1 (1) */
    227 		NID_sect163r1, /* sect163r1 (2) */
    228 		NID_sect163r2, /* sect163r2 (3) */
    229 		NID_secp160k1, /* secp160k1 (15) */
    230 		NID_secp160r1, /* secp160r1 (16) */
    231 		NID_secp160r2, /* secp160r2 (17) */
    232 	};
    233 
    234 int tls1_ec_curve_id2nid(int curve_id)
    235 	{
    236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
    237 	if ((curve_id < 1) || ((unsigned int)curve_id >
    238 				sizeof(nid_list)/sizeof(nid_list[0])))
    239 		return 0;
    240 	return nid_list[curve_id-1];
    241 	}
    242 
    243 int tls1_ec_nid2curve_id(int nid)
    244 	{
    245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
    246 	switch (nid)
    247 		{
    248 	case NID_sect163k1: /* sect163k1 (1) */
    249 		return 1;
    250 	case NID_sect163r1: /* sect163r1 (2) */
    251 		return 2;
    252 	case NID_sect163r2: /* sect163r2 (3) */
    253 		return 3;
    254 	case NID_sect193r1: /* sect193r1 (4) */
    255 		return 4;
    256 	case NID_sect193r2: /* sect193r2 (5) */
    257 		return 5;
    258 	case NID_sect233k1: /* sect233k1 (6) */
    259 		return 6;
    260 	case NID_sect233r1: /* sect233r1 (7) */
    261 		return 7;
    262 	case NID_sect239k1: /* sect239k1 (8) */
    263 		return 8;
    264 	case NID_sect283k1: /* sect283k1 (9) */
    265 		return 9;
    266 	case NID_sect283r1: /* sect283r1 (10) */
    267 		return 10;
    268 	case NID_sect409k1: /* sect409k1 (11) */
    269 		return 11;
    270 	case NID_sect409r1: /* sect409r1 (12) */
    271 		return 12;
    272 	case NID_sect571k1: /* sect571k1 (13) */
    273 		return 13;
    274 	case NID_sect571r1: /* sect571r1 (14) */
    275 		return 14;
    276 	case NID_secp160k1: /* secp160k1 (15) */
    277 		return 15;
    278 	case NID_secp160r1: /* secp160r1 (16) */
    279 		return 16;
    280 	case NID_secp160r2: /* secp160r2 (17) */
    281 		return 17;
    282 	case NID_secp192k1: /* secp192k1 (18) */
    283 		return 18;
    284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
    285 		return 19;
    286 	case NID_secp224k1: /* secp224k1 (20) */
    287 		return 20;
    288 	case NID_secp224r1: /* secp224r1 (21) */
    289 		return 21;
    290 	case NID_secp256k1: /* secp256k1 (22) */
    291 		return 22;
    292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
    293 		return 23;
    294 	case NID_secp384r1: /* secp384r1 (24) */
    295 		return 24;
    296 	case NID_secp521r1:  /* secp521r1 (25) */
    297 		return 25;
    298 	default:
    299 		return 0;
    300 		}
    301 	}
    302 #endif /* OPENSSL_NO_EC */
    303 
    304 #ifndef OPENSSL_NO_TLSEXT
    305 
    306 /* List of supported signature algorithms and hashes. Should make this
    307  * customisable at some point, for now include everything we support.
    308  */
    309 
    310 #ifdef OPENSSL_NO_RSA
    311 #define tlsext_sigalg_rsa(md) /* */
    312 #else
    313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
    314 #endif
    315 
    316 #ifdef OPENSSL_NO_DSA
    317 #define tlsext_sigalg_dsa(md) /* */
    318 #else
    319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
    320 #endif
    321 
    322 #ifdef OPENSSL_NO_ECDSA
    323 #define tlsext_sigalg_ecdsa(md) /* */
    324 #else
    325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
    326 #endif
    327 
    328 #define tlsext_sigalg(md) \
    329 		tlsext_sigalg_rsa(md) \
    330 		tlsext_sigalg_dsa(md) \
    331 		tlsext_sigalg_ecdsa(md)
    332 
    333 static unsigned char tls12_sigalgs[] = {
    334 #ifndef OPENSSL_NO_SHA512
    335 	tlsext_sigalg(TLSEXT_hash_sha512)
    336 	tlsext_sigalg(TLSEXT_hash_sha384)
    337 #endif
    338 #ifndef OPENSSL_NO_SHA256
    339 	tlsext_sigalg(TLSEXT_hash_sha256)
    340 	tlsext_sigalg(TLSEXT_hash_sha224)
    341 #endif
    342 #ifndef OPENSSL_NO_SHA
    343 	tlsext_sigalg(TLSEXT_hash_sha1)
    344 #endif
    345 #ifndef OPENSSL_NO_MD5
    346 	tlsext_sigalg_rsa(TLSEXT_hash_md5)
    347 #endif
    348 };
    349 
    350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
    351 	{
    352 	size_t slen = sizeof(tls12_sigalgs);
    353 #ifdef OPENSSL_FIPS
    354 	/* If FIPS mode don't include MD5 which is last */
    355 	if (FIPS_mode())
    356 		slen -= 2;
    357 #endif
    358 	if (p)
    359 		memcpy(p, tls12_sigalgs, slen);
    360 	return (int)slen;
    361 	}
    362 
    363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
    364 	{
    365 	int extdatalen=0;
    366 	unsigned char *ret = p;
    367 
    368 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
    369 	if (s->client_version == SSL3_VERSION
    370 					&& !s->s3->send_connection_binding)
    371 		return p;
    372 
    373 	ret+=2;
    374 
    375 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
    376 
    377  	if (s->tlsext_hostname != NULL)
    378 		{
    379 		/* Add TLS extension servername to the Client Hello message */
    380 		unsigned long size_str;
    381 		long lenmax;
    382 
    383 		/* check for enough space.
    384 		   4 for the servername type and entension length
    385 		   2 for servernamelist length
    386 		   1 for the hostname type
    387 		   2 for hostname length
    388 		   + hostname length
    389 		*/
    390 
    391 		if ((lenmax = limit - ret - 9) < 0
    392 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
    393 			return NULL;
    394 
    395 		/* extension type and length */
    396 		s2n(TLSEXT_TYPE_server_name,ret);
    397 		s2n(size_str+5,ret);
    398 
    399 		/* length of servername list */
    400 		s2n(size_str+3,ret);
    401 
    402 		/* hostname type, length and hostname */
    403 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
    404 		s2n(size_str,ret);
    405 		memcpy(ret, s->tlsext_hostname, size_str);
    406 		ret+=size_str;
    407 		}
    408 
    409         /* Add RI if renegotiating */
    410         if (s->renegotiate)
    411           {
    412           int el;
    413 
    414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
    415               {
    416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    417               return NULL;
    418               }
    419 
    420           if((limit - p - 4 - el) < 0) return NULL;
    421 
    422           s2n(TLSEXT_TYPE_renegotiate,ret);
    423           s2n(el,ret);
    424 
    425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
    426               {
    427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    428               return NULL;
    429               }
    430 
    431           ret += el;
    432         }
    433 
    434 #ifndef OPENSSL_NO_SRP
    435 	/* Add SRP username if there is one */
    436 	if (s->srp_ctx.login != NULL)
    437 		{ /* Add TLS extension SRP username to the Client Hello message */
    438 
    439 		int login_len = strlen(s->srp_ctx.login);
    440 		if (login_len > 255 || login_len == 0)
    441 			{
    442 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    443 			return NULL;
    444 			}
    445 
    446 		/* check for enough space.
    447 		   4 for the srp type type and entension length
    448 		   1 for the srp user identity
    449 		   + srp user identity length
    450 		*/
    451 		if ((limit - ret - 5 - login_len) < 0) return NULL;
    452 
    453 		/* fill in the extension */
    454 		s2n(TLSEXT_TYPE_srp,ret);
    455 		s2n(login_len+1,ret);
    456 		(*ret++) = (unsigned char) login_len;
    457 		memcpy(ret, s->srp_ctx.login, login_len);
    458 		ret+=login_len;
    459 		}
    460 #endif
    461 
    462 #ifndef OPENSSL_NO_EC
    463 	if (s->tlsext_ecpointformatlist != NULL &&
    464 	    s->version != DTLS1_VERSION)
    465 		{
    466 		/* Add TLS extension ECPointFormats to the ClientHello message */
    467 		long lenmax;
    468 
    469 		if ((lenmax = limit - ret - 5) < 0) return NULL;
    470 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
    471 		if (s->tlsext_ecpointformatlist_length > 255)
    472 			{
    473 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    474 			return NULL;
    475 			}
    476 
    477 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
    478 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
    479 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
    480 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
    481 		ret+=s->tlsext_ecpointformatlist_length;
    482 		}
    483 	if (s->tlsext_ellipticcurvelist != NULL &&
    484 	    s->version != DTLS1_VERSION)
    485 		{
    486 		/* Add TLS extension EllipticCurves to the ClientHello message */
    487 		long lenmax;
    488 
    489 		if ((lenmax = limit - ret - 6) < 0) return NULL;
    490 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
    491 		if (s->tlsext_ellipticcurvelist_length > 65532)
    492 			{
    493 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    494 			return NULL;
    495 			}
    496 
    497 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
    498 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
    499 
    500 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
    501 		 * elliptic_curve_list, but the examples use two bytes.
    502 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
    503 		 * resolves this to two bytes.
    504 		 */
    505 		s2n(s->tlsext_ellipticcurvelist_length, ret);
    506 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
    507 		ret+=s->tlsext_ellipticcurvelist_length;
    508 		}
    509 #endif /* OPENSSL_NO_EC */
    510 
    511 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
    512 		{
    513 		int ticklen;
    514 		if (!s->new_session && s->session && s->session->tlsext_tick)
    515 			ticklen = s->session->tlsext_ticklen;
    516 		else if (s->session && s->tlsext_session_ticket &&
    517 			 s->tlsext_session_ticket->data)
    518 			{
    519 			ticklen = s->tlsext_session_ticket->length;
    520 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
    521 			if (!s->session->tlsext_tick)
    522 				return NULL;
    523 			memcpy(s->session->tlsext_tick,
    524 			       s->tlsext_session_ticket->data,
    525 			       ticklen);
    526 			s->session->tlsext_ticklen = ticklen;
    527 			}
    528 		else
    529 			ticklen = 0;
    530 		if (ticklen == 0 && s->tlsext_session_ticket &&
    531 		    s->tlsext_session_ticket->data == NULL)
    532 			goto skip_ext;
    533 		/* Check for enough room 2 for extension type, 2 for len
    534  		 * rest for ticket
    535   		 */
    536 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
    537 		s2n(TLSEXT_TYPE_session_ticket,ret);
    538 		s2n(ticklen,ret);
    539 		if (ticklen)
    540 			{
    541 			memcpy(ret, s->session->tlsext_tick, ticklen);
    542 			ret += ticklen;
    543 			}
    544 		}
    545 		skip_ext:
    546 
    547 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
    548 		{
    549 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
    550 			return NULL;
    551 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
    552 		s2n(sizeof(tls12_sigalgs) + 2, ret);
    553 		s2n(sizeof(tls12_sigalgs), ret);
    554 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
    555 		ret += sizeof(tls12_sigalgs);
    556 		}
    557 
    558 #ifdef TLSEXT_TYPE_opaque_prf_input
    559 	if (s->s3->client_opaque_prf_input != NULL &&
    560 	    s->version != DTLS1_VERSION)
    561 		{
    562 		size_t col = s->s3->client_opaque_prf_input_len;
    563 
    564 		if ((long)(limit - ret - 6 - col < 0))
    565 			return NULL;
    566 		if (col > 0xFFFD) /* can't happen */
    567 			return NULL;
    568 
    569 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
    570 		s2n(col + 2, ret);
    571 		s2n(col, ret);
    572 		memcpy(ret, s->s3->client_opaque_prf_input, col);
    573 		ret += col;
    574 		}
    575 #endif
    576 
    577 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
    578 	    s->version != DTLS1_VERSION)
    579 		{
    580 		int i;
    581 		long extlen, idlen, itmp;
    582 		OCSP_RESPID *id;
    583 
    584 		idlen = 0;
    585 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
    586 			{
    587 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    588 			itmp = i2d_OCSP_RESPID(id, NULL);
    589 			if (itmp <= 0)
    590 				return NULL;
    591 			idlen += itmp + 2;
    592 			}
    593 
    594 		if (s->tlsext_ocsp_exts)
    595 			{
    596 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
    597 			if (extlen < 0)
    598 				return NULL;
    599 			}
    600 		else
    601 			extlen = 0;
    602 
    603 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
    604 		s2n(TLSEXT_TYPE_status_request, ret);
    605 		if (extlen + idlen > 0xFFF0)
    606 			return NULL;
    607 		s2n(extlen + idlen + 5, ret);
    608 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
    609 		s2n(idlen, ret);
    610 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
    611 			{
    612 			/* save position of id len */
    613 			unsigned char *q = ret;
    614 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    615 			/* skip over id len */
    616 			ret += 2;
    617 			itmp = i2d_OCSP_RESPID(id, &ret);
    618 			/* write id len */
    619 			s2n(itmp, q);
    620 			}
    621 		s2n(extlen, ret);
    622 		if (extlen > 0)
    623 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
    624 		}
    625 
    626 #ifndef OPENSSL_NO_HEARTBEATS
    627 	/* Add Heartbeat extension */
    628 	s2n(TLSEXT_TYPE_heartbeat,ret);
    629 	s2n(1,ret);
    630 	/* Set mode:
    631 	 * 1: peer may send requests
    632 	 * 2: peer not allowed to send requests
    633 	 */
    634 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
    635 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
    636 	else
    637 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
    638 #endif
    639 
    640 #ifndef OPENSSL_NO_NEXTPROTONEG
    641 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
    642 		{
    643 		/* The client advertises an emtpy extension to indicate its
    644 		 * support for Next Protocol Negotiation */
    645 		if (limit - ret - 4 < 0)
    646 			return NULL;
    647 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
    648 		s2n(0,ret);
    649 		}
    650 #endif
    651 
    652 	if (s->tlsext_channel_id_enabled)
    653 		{
    654 		/* The client advertises an emtpy extension to indicate its
    655 		 * support for Channel ID. */
    656 		if (limit - ret - 4 < 0)
    657 			return NULL;
    658 		s2n(TLSEXT_TYPE_channel_id,ret);
    659 		s2n(0,ret);
    660 		}
    661 
    662 #ifndef OPENSSL_NO_SRTP
    663         if(SSL_get_srtp_profiles(s))
    664                 {
    665                 int el;
    666 
    667                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
    668 
    669                 if((limit - p - 4 - el) < 0) return NULL;
    670 
    671                 s2n(TLSEXT_TYPE_use_srtp,ret);
    672                 s2n(el,ret);
    673 
    674                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
    675 			{
    676 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    677 			return NULL;
    678 			}
    679                 ret += el;
    680                 }
    681 #endif
    682 
    683 	if ((extdatalen = ret-p-2)== 0)
    684 		return p;
    685 
    686 	s2n(extdatalen,p);
    687 	return ret;
    688 	}
    689 
    690 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
    691 	{
    692 	int extdatalen=0;
    693 	unsigned char *ret = p;
    694 #ifndef OPENSSL_NO_NEXTPROTONEG
    695 	int next_proto_neg_seen;
    696 #endif
    697 
    698 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
    699 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
    700 		return p;
    701 
    702 	ret+=2;
    703 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
    704 
    705 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
    706 		{
    707 		if ((long)(limit - ret - 4) < 0) return NULL;
    708 
    709 		s2n(TLSEXT_TYPE_server_name,ret);
    710 		s2n(0,ret);
    711 		}
    712 
    713 	if(s->s3->send_connection_binding)
    714         {
    715           int el;
    716 
    717           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
    718               {
    719               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    720               return NULL;
    721               }
    722 
    723           if((limit - p - 4 - el) < 0) return NULL;
    724 
    725           s2n(TLSEXT_TYPE_renegotiate,ret);
    726           s2n(el,ret);
    727 
    728           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
    729               {
    730               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    731               return NULL;
    732               }
    733 
    734           ret += el;
    735         }
    736 
    737 #ifndef OPENSSL_NO_EC
    738 	if (s->tlsext_ecpointformatlist != NULL &&
    739 	    s->version != DTLS1_VERSION)
    740 		{
    741 		/* Add TLS extension ECPointFormats to the ServerHello message */
    742 		long lenmax;
    743 
    744 		if ((lenmax = limit - ret - 5) < 0) return NULL;
    745 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
    746 		if (s->tlsext_ecpointformatlist_length > 255)
    747 			{
    748 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    749 			return NULL;
    750 			}
    751 
    752 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
    753 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
    754 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
    755 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
    756 		ret+=s->tlsext_ecpointformatlist_length;
    757 
    758 		}
    759 	/* Currently the server should not respond with a SupportedCurves extension */
    760 #endif /* OPENSSL_NO_EC */
    761 
    762 	if (s->tlsext_ticket_expected
    763 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
    764 		{
    765 		if ((long)(limit - ret - 4) < 0) return NULL;
    766 		s2n(TLSEXT_TYPE_session_ticket,ret);
    767 		s2n(0,ret);
    768 		}
    769 
    770 	if (s->tlsext_status_expected)
    771 		{
    772 		if ((long)(limit - ret - 4) < 0) return NULL;
    773 		s2n(TLSEXT_TYPE_status_request,ret);
    774 		s2n(0,ret);
    775 		}
    776 
    777 #ifdef TLSEXT_TYPE_opaque_prf_input
    778 	if (s->s3->server_opaque_prf_input != NULL &&
    779 	    s->version != DTLS1_VERSION)
    780 		{
    781 		size_t sol = s->s3->server_opaque_prf_input_len;
    782 
    783 		if ((long)(limit - ret - 6 - sol) < 0)
    784 			return NULL;
    785 		if (sol > 0xFFFD) /* can't happen */
    786 			return NULL;
    787 
    788 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
    789 		s2n(sol + 2, ret);
    790 		s2n(sol, ret);
    791 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
    792 		ret += sol;
    793 		}
    794 #endif
    795 
    796 #ifndef OPENSSL_NO_SRTP
    797         if(s->srtp_profile)
    798                 {
    799                 int el;
    800 
    801                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
    802 
    803                 if((limit - p - 4 - el) < 0) return NULL;
    804 
    805                 s2n(TLSEXT_TYPE_use_srtp,ret);
    806                 s2n(el,ret);
    807 
    808                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
    809 			{
    810 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    811 			return NULL;
    812 			}
    813                 ret+=el;
    814                 }
    815 #endif
    816 
    817 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
    818 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
    819 		{ const unsigned char cryptopro_ext[36] = {
    820 			0xfd, 0xe8, /*65000*/
    821 			0x00, 0x20, /*32 bytes length*/
    822 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
    823 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
    824 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
    825 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
    826 			if (limit-ret<36) return NULL;
    827 			memcpy(ret,cryptopro_ext,36);
    828 			ret+=36;
    829 
    830 		}
    831 
    832 #ifndef OPENSSL_NO_HEARTBEATS
    833 	/* Add Heartbeat extension if we've received one */
    834 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
    835 		{
    836 		s2n(TLSEXT_TYPE_heartbeat,ret);
    837 		s2n(1,ret);
    838 		/* Set mode:
    839 		 * 1: peer may send requests
    840 		 * 2: peer not allowed to send requests
    841 		 */
    842 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
    843 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
    844 		else
    845 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
    846 
    847 		}
    848 #endif
    849 
    850 #ifndef OPENSSL_NO_NEXTPROTONEG
    851 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
    852 	s->s3->next_proto_neg_seen = 0;
    853 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
    854 		{
    855 		const unsigned char *npa;
    856 		unsigned int npalen;
    857 		int r;
    858 
    859 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
    860 		if (r == SSL_TLSEXT_ERR_OK)
    861 			{
    862 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
    863 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
    864 			s2n(npalen,ret);
    865 			memcpy(ret, npa, npalen);
    866 			ret += npalen;
    867 			s->s3->next_proto_neg_seen = 1;
    868 			}
    869 		}
    870 #endif
    871 
    872 	/* If the client advertised support for Channel ID, and we have it
    873 	 * enabled, then we want to echo it back. */
    874 	if (s->s3->tlsext_channel_id_valid)
    875 		{
    876 		if (limit - ret - 4 < 0)
    877 			return NULL;
    878 		s2n(TLSEXT_TYPE_channel_id,ret);
    879 		s2n(0,ret);
    880 		}
    881 
    882 	if ((extdatalen = ret-p-2)== 0)
    883 		return p;
    884 
    885 	s2n(extdatalen,p);
    886 	return ret;
    887 	}
    888 
    889 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
    890 	{
    891 	unsigned short type;
    892 	unsigned short size;
    893 	unsigned short len;
    894 	unsigned char *data = *p;
    895 	int renegotiate_seen = 0;
    896 	int sigalg_seen = 0;
    897 
    898 	s->servername_done = 0;
    899 	s->tlsext_status_type = -1;
    900 #ifndef OPENSSL_NO_NEXTPROTONEG
    901 	s->s3->next_proto_neg_seen = 0;
    902 #endif
    903 
    904 #ifndef OPENSSL_NO_HEARTBEATS
    905 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
    906 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
    907 #endif
    908 
    909 	if (data >= (d+n-2))
    910 		goto ri_check;
    911 	n2s(data,len);
    912 
    913 	if (data > (d+n-len))
    914 		goto ri_check;
    915 
    916 	while (data <= (d+n-4))
    917 		{
    918 		n2s(data,type);
    919 		n2s(data,size);
    920 
    921 		if (data+size > (d+n))
    922 	   		goto ri_check;
    923 #if 0
    924 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
    925 #endif
    926 		if (s->tlsext_debug_cb)
    927 			s->tlsext_debug_cb(s, 0, type, data, size,
    928 						s->tlsext_debug_arg);
    929 /* The servername extension is treated as follows:
    930 
    931    - Only the hostname type is supported with a maximum length of 255.
    932    - The servername is rejected if too long or if it contains zeros,
    933      in which case an fatal alert is generated.
    934    - The servername field is maintained together with the session cache.
    935    - When a session is resumed, the servername call back invoked in order
    936      to allow the application to position itself to the right context.
    937    - The servername is acknowledged if it is new for a session or when
    938      it is identical to a previously used for the same session.
    939      Applications can control the behaviour.  They can at any time
    940      set a 'desirable' servername for a new SSL object. This can be the
    941      case for example with HTTPS when a Host: header field is received and
    942      a renegotiation is requested. In this case, a possible servername
    943      presented in the new client hello is only acknowledged if it matches
    944      the value of the Host: field.
    945    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    946      if they provide for changing an explicit servername context for the session,
    947      i.e. when the session has been established with a servername extension.
    948    - On session reconnect, the servername extension may be absent.
    949 
    950 */
    951 
    952 		if (type == TLSEXT_TYPE_server_name)
    953 			{
    954 			unsigned char *sdata;
    955 			int servname_type;
    956 			int dsize;
    957 
    958 			if (size < 2)
    959 				{
    960 				*al = SSL_AD_DECODE_ERROR;
    961 				return 0;
    962 				}
    963 			n2s(data,dsize);
    964 			size -= 2;
    965 			if (dsize > size  )
    966 				{
    967 				*al = SSL_AD_DECODE_ERROR;
    968 				return 0;
    969 				}
    970 
    971 			sdata = data;
    972 			while (dsize > 3)
    973 				{
    974 	 			servname_type = *(sdata++);
    975 				n2s(sdata,len);
    976 				dsize -= 3;
    977 
    978 				if (len > dsize)
    979 					{
    980 					*al = SSL_AD_DECODE_ERROR;
    981 					return 0;
    982 					}
    983 				if (s->servername_done == 0)
    984 				switch (servname_type)
    985 					{
    986 				case TLSEXT_NAMETYPE_host_name:
    987 					if (!s->hit)
    988 						{
    989 						if(s->session->tlsext_hostname)
    990 							{
    991 							*al = SSL_AD_DECODE_ERROR;
    992 							return 0;
    993 							}
    994 						if (len > TLSEXT_MAXLEN_host_name)
    995 							{
    996 							*al = TLS1_AD_UNRECOGNIZED_NAME;
    997 							return 0;
    998 							}
    999 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
   1000 							{
   1001 							*al = TLS1_AD_INTERNAL_ERROR;
   1002 							return 0;
   1003 							}
   1004 						memcpy(s->session->tlsext_hostname, sdata, len);
   1005 						s->session->tlsext_hostname[len]='\0';
   1006 						if (strlen(s->session->tlsext_hostname) != len) {
   1007 							OPENSSL_free(s->session->tlsext_hostname);
   1008 							s->session->tlsext_hostname = NULL;
   1009 							*al = TLS1_AD_UNRECOGNIZED_NAME;
   1010 							return 0;
   1011 						}
   1012 						s->servername_done = 1;
   1013 
   1014 						}
   1015 					else
   1016 						s->servername_done = s->session->tlsext_hostname
   1017 							&& strlen(s->session->tlsext_hostname) == len
   1018 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
   1019 
   1020 					break;
   1021 
   1022 				default:
   1023 					break;
   1024 					}
   1025 
   1026 				dsize -= len;
   1027 				}
   1028 			if (dsize != 0)
   1029 				{
   1030 				*al = SSL_AD_DECODE_ERROR;
   1031 				return 0;
   1032 				}
   1033 
   1034 			}
   1035 #ifndef OPENSSL_NO_SRP
   1036 		else if (type == TLSEXT_TYPE_srp)
   1037 			{
   1038 			if (size <= 0 || ((len = data[0])) != (size -1))
   1039 				{
   1040 				*al = SSL_AD_DECODE_ERROR;
   1041 				return 0;
   1042 				}
   1043 			if (s->srp_ctx.login != NULL)
   1044 				{
   1045 				*al = SSL_AD_DECODE_ERROR;
   1046 				return 0;
   1047 				}
   1048 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
   1049 				return -1;
   1050 			memcpy(s->srp_ctx.login, &data[1], len);
   1051 			s->srp_ctx.login[len]='\0';
   1052 
   1053 			if (strlen(s->srp_ctx.login) != len)
   1054 				{
   1055 				*al = SSL_AD_DECODE_ERROR;
   1056 				return 0;
   1057 				}
   1058 			}
   1059 #endif
   1060 
   1061 #ifndef OPENSSL_NO_EC
   1062 		else if (type == TLSEXT_TYPE_ec_point_formats &&
   1063 	             s->version != DTLS1_VERSION)
   1064 			{
   1065 			unsigned char *sdata = data;
   1066 			int ecpointformatlist_length = *(sdata++);
   1067 
   1068 			if (ecpointformatlist_length != size - 1)
   1069 				{
   1070 				*al = TLS1_AD_DECODE_ERROR;
   1071 				return 0;
   1072 				}
   1073 			if (!s->hit)
   1074 				{
   1075 				if(s->session->tlsext_ecpointformatlist)
   1076 					{
   1077 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
   1078 					s->session->tlsext_ecpointformatlist = NULL;
   1079 					}
   1080 				s->session->tlsext_ecpointformatlist_length = 0;
   1081 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
   1082 					{
   1083 					*al = TLS1_AD_INTERNAL_ERROR;
   1084 					return 0;
   1085 					}
   1086 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
   1087 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
   1088 				}
   1089 #if 0
   1090 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
   1091 			sdata = s->session->tlsext_ecpointformatlist;
   1092 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1093 				fprintf(stderr,"%i ",*(sdata++));
   1094 			fprintf(stderr,"\n");
   1095 #endif
   1096 			}
   1097 		else if (type == TLSEXT_TYPE_elliptic_curves &&
   1098 	             s->version != DTLS1_VERSION)
   1099 			{
   1100 			unsigned char *sdata = data;
   1101 			int ellipticcurvelist_length = (*(sdata++) << 8);
   1102 			ellipticcurvelist_length += (*(sdata++));
   1103 
   1104 			if (ellipticcurvelist_length != size - 2 ||
   1105 				ellipticcurvelist_length < 1)
   1106 				{
   1107 				*al = TLS1_AD_DECODE_ERROR;
   1108 				return 0;
   1109 				}
   1110 			if (!s->hit)
   1111 				{
   1112 				if(s->session->tlsext_ellipticcurvelist)
   1113 					{
   1114 					*al = TLS1_AD_DECODE_ERROR;
   1115 					return 0;
   1116 					}
   1117 				s->session->tlsext_ellipticcurvelist_length = 0;
   1118 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
   1119 					{
   1120 					*al = TLS1_AD_INTERNAL_ERROR;
   1121 					return 0;
   1122 					}
   1123 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
   1124 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
   1125 				}
   1126 #if 0
   1127 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
   1128 			sdata = s->session->tlsext_ellipticcurvelist;
   1129 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
   1130 				fprintf(stderr,"%i ",*(sdata++));
   1131 			fprintf(stderr,"\n");
   1132 #endif
   1133 			}
   1134 #endif /* OPENSSL_NO_EC */
   1135 #ifdef TLSEXT_TYPE_opaque_prf_input
   1136 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
   1137 	             s->version != DTLS1_VERSION)
   1138 			{
   1139 			unsigned char *sdata = data;
   1140 
   1141 			if (size < 2)
   1142 				{
   1143 				*al = SSL_AD_DECODE_ERROR;
   1144 				return 0;
   1145 				}
   1146 			n2s(sdata, s->s3->client_opaque_prf_input_len);
   1147 			if (s->s3->client_opaque_prf_input_len != size - 2)
   1148 				{
   1149 				*al = SSL_AD_DECODE_ERROR;
   1150 				return 0;
   1151 				}
   1152 
   1153 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
   1154 				OPENSSL_free(s->s3->client_opaque_prf_input);
   1155 			if (s->s3->client_opaque_prf_input_len == 0)
   1156 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1157 			else
   1158 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
   1159 			if (s->s3->client_opaque_prf_input == NULL)
   1160 				{
   1161 				*al = TLS1_AD_INTERNAL_ERROR;
   1162 				return 0;
   1163 				}
   1164 			}
   1165 #endif
   1166 		else if (type == TLSEXT_TYPE_session_ticket)
   1167 			{
   1168 			if (s->tls_session_ticket_ext_cb &&
   1169 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
   1170 				{
   1171 				*al = TLS1_AD_INTERNAL_ERROR;
   1172 				return 0;
   1173 				}
   1174 			}
   1175 		else if (type == TLSEXT_TYPE_renegotiate)
   1176 			{
   1177 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
   1178 				return 0;
   1179 			renegotiate_seen = 1;
   1180 			}
   1181 		else if (type == TLSEXT_TYPE_signature_algorithms)
   1182 			{
   1183 			int dsize;
   1184 			if (sigalg_seen || size < 2)
   1185 				{
   1186 				*al = SSL_AD_DECODE_ERROR;
   1187 				return 0;
   1188 				}
   1189 			sigalg_seen = 1;
   1190 			n2s(data,dsize);
   1191 			size -= 2;
   1192 			if (dsize != size || dsize & 1)
   1193 				{
   1194 				*al = SSL_AD_DECODE_ERROR;
   1195 				return 0;
   1196 				}
   1197 			if (!tls1_process_sigalgs(s, data, dsize))
   1198 				{
   1199 				*al = SSL_AD_DECODE_ERROR;
   1200 				return 0;
   1201 				}
   1202 			}
   1203 		else if (type == TLSEXT_TYPE_status_request &&
   1204 		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
   1205 			{
   1206 
   1207 			if (size < 5)
   1208 				{
   1209 				*al = SSL_AD_DECODE_ERROR;
   1210 				return 0;
   1211 				}
   1212 
   1213 			s->tlsext_status_type = *data++;
   1214 			size--;
   1215 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
   1216 				{
   1217 				const unsigned char *sdata;
   1218 				int dsize;
   1219 				/* Read in responder_id_list */
   1220 				n2s(data,dsize);
   1221 				size -= 2;
   1222 				if (dsize > size  )
   1223 					{
   1224 					*al = SSL_AD_DECODE_ERROR;
   1225 					return 0;
   1226 					}
   1227 				while (dsize > 0)
   1228 					{
   1229 					OCSP_RESPID *id;
   1230 					int idsize;
   1231 					if (dsize < 4)
   1232 						{
   1233 						*al = SSL_AD_DECODE_ERROR;
   1234 						return 0;
   1235 						}
   1236 					n2s(data, idsize);
   1237 					dsize -= 2 + idsize;
   1238 					size -= 2 + idsize;
   1239 					if (dsize < 0)
   1240 						{
   1241 						*al = SSL_AD_DECODE_ERROR;
   1242 						return 0;
   1243 						}
   1244 					sdata = data;
   1245 					data += idsize;
   1246 					id = d2i_OCSP_RESPID(NULL,
   1247 								&sdata, idsize);
   1248 					if (!id)
   1249 						{
   1250 						*al = SSL_AD_DECODE_ERROR;
   1251 						return 0;
   1252 						}
   1253 					if (data != sdata)
   1254 						{
   1255 						OCSP_RESPID_free(id);
   1256 						*al = SSL_AD_DECODE_ERROR;
   1257 						return 0;
   1258 						}
   1259 					if (!s->tlsext_ocsp_ids
   1260 						&& !(s->tlsext_ocsp_ids =
   1261 						sk_OCSP_RESPID_new_null()))
   1262 						{
   1263 						OCSP_RESPID_free(id);
   1264 						*al = SSL_AD_INTERNAL_ERROR;
   1265 						return 0;
   1266 						}
   1267 					if (!sk_OCSP_RESPID_push(
   1268 							s->tlsext_ocsp_ids, id))
   1269 						{
   1270 						OCSP_RESPID_free(id);
   1271 						*al = SSL_AD_INTERNAL_ERROR;
   1272 						return 0;
   1273 						}
   1274 					}
   1275 
   1276 				/* Read in request_extensions */
   1277 				if (size < 2)
   1278 					{
   1279 					*al = SSL_AD_DECODE_ERROR;
   1280 					return 0;
   1281 					}
   1282 				n2s(data,dsize);
   1283 				size -= 2;
   1284 				if (dsize != size)
   1285 					{
   1286 					*al = SSL_AD_DECODE_ERROR;
   1287 					return 0;
   1288 					}
   1289 				sdata = data;
   1290 				if (dsize > 0)
   1291 					{
   1292 					if (s->tlsext_ocsp_exts)
   1293 						{
   1294 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
   1295 									   X509_EXTENSION_free);
   1296 						}
   1297 
   1298 					s->tlsext_ocsp_exts =
   1299 						d2i_X509_EXTENSIONS(NULL,
   1300 							&sdata, dsize);
   1301 					if (!s->tlsext_ocsp_exts
   1302 						|| (data + dsize != sdata))
   1303 						{
   1304 						*al = SSL_AD_DECODE_ERROR;
   1305 						return 0;
   1306 						}
   1307 					}
   1308 				}
   1309 				/* We don't know what to do with any other type
   1310  			 	* so ignore it.
   1311  			 	*/
   1312 				else
   1313 					s->tlsext_status_type = -1;
   1314 			}
   1315 #ifndef OPENSSL_NO_HEARTBEATS
   1316 		else if (type == TLSEXT_TYPE_heartbeat)
   1317 			{
   1318 			switch(data[0])
   1319 				{
   1320 				case 0x01:	/* Client allows us to send HB requests */
   1321 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1322 							break;
   1323 				case 0x02:	/* Client doesn't accept HB requests */
   1324 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1325 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
   1326 							break;
   1327 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
   1328 							return 0;
   1329 				}
   1330 			}
   1331 #endif
   1332 #ifndef OPENSSL_NO_NEXTPROTONEG
   1333 		else if (type == TLSEXT_TYPE_next_proto_neg &&
   1334 			 s->s3->tmp.finish_md_len == 0)
   1335 			{
   1336 			/* We shouldn't accept this extension on a
   1337 			 * renegotiation.
   1338 			 *
   1339 			 * s->new_session will be set on renegotiation, but we
   1340 			 * probably shouldn't rely that it couldn't be set on
   1341 			 * the initial renegotation too in certain cases (when
   1342 			 * there's some other reason to disallow resuming an
   1343 			 * earlier session -- the current code won't be doing
   1344 			 * anything like that, but this might change).
   1345 
   1346 			 * A valid sign that there's been a previous handshake
   1347 			 * in this connection is if s->s3->tmp.finish_md_len >
   1348 			 * 0.  (We are talking about a check that will happen
   1349 			 * in the Hello protocol round, well before a new
   1350 			 * Finished message could have been computed.) */
   1351 			s->s3->next_proto_neg_seen = 1;
   1352 			}
   1353 #endif
   1354 
   1355 		else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
   1356 			s->s3->tlsext_channel_id_valid = 1;
   1357 
   1358 		/* session ticket processed earlier */
   1359 #ifndef OPENSSL_NO_SRTP
   1360 		else if (type == TLSEXT_TYPE_use_srtp)
   1361 			{
   1362 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
   1363 							      al))
   1364 				return 0;
   1365 			}
   1366 #endif
   1367 
   1368 		data+=size;
   1369 		}
   1370 
   1371 	*p = data;
   1372 
   1373 	ri_check:
   1374 
   1375 	/* Need RI if renegotiating */
   1376 
   1377 	if (!renegotiate_seen && s->renegotiate &&
   1378 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1379 		{
   1380 		*al = SSL_AD_HANDSHAKE_FAILURE;
   1381 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
   1382 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
   1383 		return 0;
   1384 		}
   1385 
   1386 	return 1;
   1387 	}
   1388 
   1389 #ifndef OPENSSL_NO_NEXTPROTONEG
   1390 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
   1391  * elements of zero length are allowed and the set of elements must exactly fill
   1392  * the length of the block. */
   1393 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
   1394 	{
   1395 	unsigned int off = 0;
   1396 
   1397 	while (off < len)
   1398 		{
   1399 		if (d[off] == 0)
   1400 			return 0;
   1401 		off += d[off];
   1402 		off++;
   1403 		}
   1404 
   1405 	return off == len;
   1406 	}
   1407 #endif
   1408 
   1409 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
   1410 	{
   1411 	unsigned short length;
   1412 	unsigned short type;
   1413 	unsigned short size;
   1414 	unsigned char *data = *p;
   1415 	int tlsext_servername = 0;
   1416 	int renegotiate_seen = 0;
   1417 
   1418 #ifndef OPENSSL_NO_NEXTPROTONEG
   1419 	s->s3->next_proto_neg_seen = 0;
   1420 #endif
   1421 
   1422 #ifndef OPENSSL_NO_HEARTBEATS
   1423 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
   1424 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
   1425 #endif
   1426 
   1427 	if (data >= (d+n-2))
   1428 		goto ri_check;
   1429 
   1430 	n2s(data,length);
   1431 	if (data+length != d+n)
   1432 		{
   1433 		*al = SSL_AD_DECODE_ERROR;
   1434 		return 0;
   1435 		}
   1436 
   1437 	while(data <= (d+n-4))
   1438 		{
   1439 		n2s(data,type);
   1440 		n2s(data,size);
   1441 
   1442 		if (data+size > (d+n))
   1443 	   		goto ri_check;
   1444 
   1445 		if (s->tlsext_debug_cb)
   1446 			s->tlsext_debug_cb(s, 1, type, data, size,
   1447 						s->tlsext_debug_arg);
   1448 
   1449 		if (type == TLSEXT_TYPE_server_name)
   1450 			{
   1451 			if (s->tlsext_hostname == NULL || size > 0)
   1452 				{
   1453 				*al = TLS1_AD_UNRECOGNIZED_NAME;
   1454 				return 0;
   1455 				}
   1456 			tlsext_servername = 1;
   1457 			}
   1458 
   1459 #ifndef OPENSSL_NO_EC
   1460 		else if (type == TLSEXT_TYPE_ec_point_formats &&
   1461 	             s->version != DTLS1_VERSION)
   1462 			{
   1463 			unsigned char *sdata = data;
   1464 			int ecpointformatlist_length = *(sdata++);
   1465 
   1466 			if (ecpointformatlist_length != size - 1 ||
   1467 				ecpointformatlist_length < 1)
   1468 				{
   1469 				*al = TLS1_AD_DECODE_ERROR;
   1470 				return 0;
   1471 				}
   1472 			s->session->tlsext_ecpointformatlist_length = 0;
   1473 			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
   1474 			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
   1475 				{
   1476 				*al = TLS1_AD_INTERNAL_ERROR;
   1477 				return 0;
   1478 				}
   1479 			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
   1480 			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
   1481 #if 0
   1482 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
   1483 			sdata = s->session->tlsext_ecpointformatlist;
   1484 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1485 				fprintf(stderr,"%i ",*(sdata++));
   1486 			fprintf(stderr,"\n");
   1487 #endif
   1488 			}
   1489 #endif /* OPENSSL_NO_EC */
   1490 
   1491 		else if (type == TLSEXT_TYPE_session_ticket)
   1492 			{
   1493 			if (s->tls_session_ticket_ext_cb &&
   1494 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
   1495 				{
   1496 				*al = TLS1_AD_INTERNAL_ERROR;
   1497 				return 0;
   1498 				}
   1499 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
   1500 				|| (size > 0))
   1501 				{
   1502 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1503 				return 0;
   1504 				}
   1505 			s->tlsext_ticket_expected = 1;
   1506 			}
   1507 #ifdef TLSEXT_TYPE_opaque_prf_input
   1508 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
   1509 	             s->version != DTLS1_VERSION)
   1510 			{
   1511 			unsigned char *sdata = data;
   1512 
   1513 			if (size < 2)
   1514 				{
   1515 				*al = SSL_AD_DECODE_ERROR;
   1516 				return 0;
   1517 				}
   1518 			n2s(sdata, s->s3->server_opaque_prf_input_len);
   1519 			if (s->s3->server_opaque_prf_input_len != size - 2)
   1520 				{
   1521 				*al = SSL_AD_DECODE_ERROR;
   1522 				return 0;
   1523 				}
   1524 
   1525 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
   1526 				OPENSSL_free(s->s3->server_opaque_prf_input);
   1527 			if (s->s3->server_opaque_prf_input_len == 0)
   1528 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1529 			else
   1530 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
   1531 
   1532 			if (s->s3->server_opaque_prf_input == NULL)
   1533 				{
   1534 				*al = TLS1_AD_INTERNAL_ERROR;
   1535 				return 0;
   1536 				}
   1537 			}
   1538 #endif
   1539 		else if (type == TLSEXT_TYPE_status_request &&
   1540 		         s->version != DTLS1_VERSION)
   1541 			{
   1542 			/* MUST be empty and only sent if we've requested
   1543 			 * a status request message.
   1544 			 */
   1545 			if ((s->tlsext_status_type == -1) || (size > 0))
   1546 				{
   1547 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1548 				return 0;
   1549 				}
   1550 			/* Set flag to expect CertificateStatus message */
   1551 			s->tlsext_status_expected = 1;
   1552 			}
   1553 #ifndef OPENSSL_NO_NEXTPROTONEG
   1554 		else if (type == TLSEXT_TYPE_next_proto_neg &&
   1555 			 s->s3->tmp.finish_md_len == 0)
   1556 			{
   1557 			unsigned char *selected;
   1558 			unsigned char selected_len;
   1559 
   1560 			/* We must have requested it. */
   1561 			if (s->ctx->next_proto_select_cb == NULL)
   1562 				{
   1563 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1564 				return 0;
   1565 				}
   1566 			/* The data must be valid */
   1567 			if (!ssl_next_proto_validate(data, size))
   1568 				{
   1569 				*al = TLS1_AD_DECODE_ERROR;
   1570 				return 0;
   1571 				}
   1572 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
   1573 				{
   1574 				*al = TLS1_AD_INTERNAL_ERROR;
   1575 				return 0;
   1576 				}
   1577 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
   1578 			if (!s->next_proto_negotiated)
   1579 				{
   1580 				*al = TLS1_AD_INTERNAL_ERROR;
   1581 				return 0;
   1582 				}
   1583 			memcpy(s->next_proto_negotiated, selected, selected_len);
   1584 			s->next_proto_negotiated_len = selected_len;
   1585 			s->s3->next_proto_neg_seen = 1;
   1586 			}
   1587 #endif
   1588 		else if (type == TLSEXT_TYPE_channel_id)
   1589 			s->s3->tlsext_channel_id_valid = 1;
   1590 
   1591 		else if (type == TLSEXT_TYPE_renegotiate)
   1592 			{
   1593 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
   1594 				return 0;
   1595 			renegotiate_seen = 1;
   1596 			}
   1597 #ifndef OPENSSL_NO_HEARTBEATS
   1598 		else if (type == TLSEXT_TYPE_heartbeat)
   1599 			{
   1600 			switch(data[0])
   1601 				{
   1602 				case 0x01:	/* Server allows us to send HB requests */
   1603 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1604 							break;
   1605 				case 0x02:	/* Server doesn't accept HB requests */
   1606 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1607 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
   1608 							break;
   1609 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
   1610 							return 0;
   1611 				}
   1612 			}
   1613 #endif
   1614 #ifndef OPENSSL_NO_SRTP
   1615 		else if (type == TLSEXT_TYPE_use_srtp)
   1616 			{
   1617                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
   1618 							      al))
   1619                                 return 0;
   1620 			}
   1621 #endif
   1622 
   1623 		data+=size;
   1624 		}
   1625 
   1626 	if (data != d+n)
   1627 		{
   1628 		*al = SSL_AD_DECODE_ERROR;
   1629 		return 0;
   1630 		}
   1631 
   1632 	if (!s->hit && tlsext_servername == 1)
   1633 		{
   1634  		if (s->tlsext_hostname)
   1635 			{
   1636 			if (s->session->tlsext_hostname == NULL)
   1637 				{
   1638 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
   1639 				if (!s->session->tlsext_hostname)
   1640 					{
   1641 					*al = SSL_AD_UNRECOGNIZED_NAME;
   1642 					return 0;
   1643 					}
   1644 				}
   1645 			else
   1646 				{
   1647 				*al = SSL_AD_DECODE_ERROR;
   1648 				return 0;
   1649 				}
   1650 			}
   1651 		}
   1652 
   1653 	*p = data;
   1654 
   1655 	ri_check:
   1656 
   1657 	/* Determine if we need to see RI. Strictly speaking if we want to
   1658 	 * avoid an attack we should *always* see RI even on initial server
   1659 	 * hello because the client doesn't see any renegotiation during an
   1660 	 * attack. However this would mean we could not connect to any server
   1661 	 * which doesn't support RI so for the immediate future tolerate RI
   1662 	 * absence on initial connect only.
   1663 	 */
   1664 	if (!renegotiate_seen
   1665 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
   1666 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1667 		{
   1668 		*al = SSL_AD_HANDSHAKE_FAILURE;
   1669 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
   1670 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
   1671 		return 0;
   1672 		}
   1673 
   1674 	return 1;
   1675 	}
   1676 
   1677 
   1678 int ssl_prepare_clienthello_tlsext(SSL *s)
   1679 	{
   1680 #ifndef OPENSSL_NO_EC
   1681 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
   1682 	 * and elliptic curves we support.
   1683 	 */
   1684 	int using_ecc = 0;
   1685 	int i;
   1686 	unsigned char *j;
   1687 	unsigned long alg_k, alg_a;
   1688 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
   1689 
   1690 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
   1691 		{
   1692 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
   1693 
   1694 		alg_k = c->algorithm_mkey;
   1695 		alg_a = c->algorithm_auth;
   1696 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
   1697 			{
   1698 			using_ecc = 1;
   1699 			break;
   1700 			}
   1701 		}
   1702 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
   1703 	if (using_ecc)
   1704 		{
   1705 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
   1706 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
   1707 			{
   1708 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1709 			return -1;
   1710 			}
   1711 		s->tlsext_ecpointformatlist_length = 3;
   1712 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
   1713 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
   1714 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
   1715 
   1716 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
   1717 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
   1718 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
   1719 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
   1720 			{
   1721 			s->tlsext_ellipticcurvelist_length = 0;
   1722 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1723 			return -1;
   1724 			}
   1725 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
   1726 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
   1727 			{
   1728 			int id = tls1_ec_nid2curve_id(pref_list[i]);
   1729 			s2n(id,j);
   1730 			}
   1731 		}
   1732 #endif /* OPENSSL_NO_EC */
   1733 
   1734 #ifdef TLSEXT_TYPE_opaque_prf_input
   1735  	{
   1736 		int r = 1;
   1737 
   1738 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
   1739 			{
   1740 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
   1741 			if (!r)
   1742 				return -1;
   1743 			}
   1744 
   1745 		if (s->tlsext_opaque_prf_input != NULL)
   1746 			{
   1747 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
   1748 				OPENSSL_free(s->s3->client_opaque_prf_input);
   1749 
   1750 			if (s->tlsext_opaque_prf_input_len == 0)
   1751 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1752 			else
   1753 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
   1754 			if (s->s3->client_opaque_prf_input == NULL)
   1755 				{
   1756 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1757 				return -1;
   1758 				}
   1759 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   1760 			}
   1761 
   1762 		if (r == 2)
   1763 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
   1764 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   1765 	}
   1766 #endif
   1767 
   1768 	return 1;
   1769 	}
   1770 
   1771 int ssl_prepare_serverhello_tlsext(SSL *s)
   1772 	{
   1773 #ifndef OPENSSL_NO_EC
   1774 	/* If we are server and using an ECC cipher suite, send the point formats we support
   1775 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
   1776 	 * supposed to send an EllipticCurves extension.
   1777 	 */
   1778 
   1779 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
   1780 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
   1781 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
   1782 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
   1783 
   1784 	if (using_ecc)
   1785 		{
   1786 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
   1787 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
   1788 			{
   1789 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1790 			return -1;
   1791 			}
   1792 		s->tlsext_ecpointformatlist_length = 3;
   1793 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
   1794 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
   1795 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
   1796 		}
   1797 #endif /* OPENSSL_NO_EC */
   1798 
   1799 	return 1;
   1800 	}
   1801 
   1802 int ssl_check_clienthello_tlsext_early(SSL *s)
   1803 	{
   1804 	int ret=SSL_TLSEXT_ERR_NOACK;
   1805 	int al = SSL_AD_UNRECOGNIZED_NAME;
   1806 
   1807 #ifndef OPENSSL_NO_EC
   1808 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
   1809 	 * ssl3_choose_cipher in s3_lib.c.
   1810 	 */
   1811 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
   1812 	 * ssl3_choose_cipher in s3_lib.c.
   1813 	 */
   1814 #endif
   1815 
   1816 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
   1817 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
   1818 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
   1819 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
   1820 
   1821 #ifdef TLSEXT_TYPE_opaque_prf_input
   1822  	{
   1823 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
   1824 		 * but we might be sending an alert in response to the client hello,
   1825 		 * so this has to happen here in
   1826 		 * ssl_check_clienthello_tlsext_early(). */
   1827 
   1828 		int r = 1;
   1829 
   1830 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
   1831 			{
   1832 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
   1833 			if (!r)
   1834 				{
   1835 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   1836 				al = SSL_AD_INTERNAL_ERROR;
   1837 				goto err;
   1838 				}
   1839 			}
   1840 
   1841 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
   1842 			OPENSSL_free(s->s3->server_opaque_prf_input);
   1843 		s->s3->server_opaque_prf_input = NULL;
   1844 
   1845 		if (s->tlsext_opaque_prf_input != NULL)
   1846 			{
   1847 			if (s->s3->client_opaque_prf_input != NULL &&
   1848 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
   1849 				{
   1850 				/* can only use this extension if we have a server opaque PRF input
   1851 				 * of the same length as the client opaque PRF input! */
   1852 
   1853 				if (s->tlsext_opaque_prf_input_len == 0)
   1854 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1855 				else
   1856 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
   1857 				if (s->s3->server_opaque_prf_input == NULL)
   1858 					{
   1859 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   1860 					al = SSL_AD_INTERNAL_ERROR;
   1861 					goto err;
   1862 					}
   1863 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   1864 				}
   1865 			}
   1866 
   1867 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
   1868 			{
   1869 			/* The callback wants to enforce use of the extension,
   1870 			 * but we can't do that with the client opaque PRF input;
   1871 			 * abort the handshake.
   1872 			 */
   1873 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   1874 			al = SSL_AD_HANDSHAKE_FAILURE;
   1875 			}
   1876 	}
   1877 
   1878  err:
   1879 #endif
   1880 	switch (ret)
   1881 		{
   1882 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   1883 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   1884 			return -1;
   1885 
   1886 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   1887 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   1888 			return 1;
   1889 
   1890 		case SSL_TLSEXT_ERR_NOACK:
   1891 			s->servername_done=0;
   1892 			default:
   1893 		return 1;
   1894 		}
   1895 	}
   1896 
   1897 int ssl_check_clienthello_tlsext_late(SSL *s)
   1898 	{
   1899 	int ret = SSL_TLSEXT_ERR_OK;
   1900 	int al;
   1901 
   1902 	/* If status request then ask callback what to do.
   1903  	 * Note: this must be called after servername callbacks in case
   1904  	 * the certificate has changed, and must be called after the cipher
   1905 	 * has been chosen because this may influence which certificate is sent
   1906  	 */
   1907 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
   1908 		{
   1909 		int r;
   1910 		CERT_PKEY *certpkey;
   1911 		certpkey = ssl_get_server_send_pkey(s);
   1912 		/* If no certificate can't return certificate status */
   1913 		if (certpkey == NULL)
   1914 			{
   1915 			s->tlsext_status_expected = 0;
   1916 			return 1;
   1917 			}
   1918 		/* Set current certificate to one we will use so
   1919 		 * SSL_get_certificate et al can pick it up.
   1920 		 */
   1921 		s->cert->key = certpkey;
   1922 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
   1923 		switch (r)
   1924 			{
   1925 			/* We don't want to send a status request response */
   1926 			case SSL_TLSEXT_ERR_NOACK:
   1927 				s->tlsext_status_expected = 0;
   1928 				break;
   1929 			/* status request response should be sent */
   1930 			case SSL_TLSEXT_ERR_OK:
   1931 				if (s->tlsext_ocsp_resp)
   1932 					s->tlsext_status_expected = 1;
   1933 				else
   1934 					s->tlsext_status_expected = 0;
   1935 				break;
   1936 			/* something bad happened */
   1937 			case SSL_TLSEXT_ERR_ALERT_FATAL:
   1938 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   1939 				al = SSL_AD_INTERNAL_ERROR;
   1940 				goto err;
   1941 			}
   1942 		}
   1943 	else
   1944 		s->tlsext_status_expected = 0;
   1945 
   1946  err:
   1947 	switch (ret)
   1948 		{
   1949 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   1950 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   1951 			return -1;
   1952 
   1953 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   1954 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   1955 			return 1;
   1956 
   1957 		default:
   1958 			return 1;
   1959 		}
   1960 	}
   1961 
   1962 int ssl_check_serverhello_tlsext(SSL *s)
   1963 	{
   1964 	int ret=SSL_TLSEXT_ERR_NOACK;
   1965 	int al = SSL_AD_UNRECOGNIZED_NAME;
   1966 
   1967 #ifndef OPENSSL_NO_EC
   1968 	/* If we are client and using an elliptic curve cryptography cipher
   1969 	 * suite, then if server returns an EC point formats lists extension
   1970 	 * it must contain uncompressed.
   1971 	 */
   1972 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
   1973 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
   1974 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
   1975 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
   1976 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
   1977 		{
   1978 		/* we are using an ECC cipher */
   1979 		size_t i;
   1980 		unsigned char *list;
   1981 		int found_uncompressed = 0;
   1982 		list = s->session->tlsext_ecpointformatlist;
   1983 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1984 			{
   1985 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
   1986 				{
   1987 				found_uncompressed = 1;
   1988 				break;
   1989 				}
   1990 			}
   1991 		if (!found_uncompressed)
   1992 			{
   1993 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
   1994 			return -1;
   1995 			}
   1996 		}
   1997 	ret = SSL_TLSEXT_ERR_OK;
   1998 #endif /* OPENSSL_NO_EC */
   1999 
   2000 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
   2001 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
   2002 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
   2003 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
   2004 
   2005 #ifdef TLSEXT_TYPE_opaque_prf_input
   2006 	if (s->s3->server_opaque_prf_input_len > 0)
   2007 		{
   2008 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
   2009 		 * So first verify that we really have a value from the server too. */
   2010 
   2011 		if (s->s3->server_opaque_prf_input == NULL)
   2012 			{
   2013 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2014 			al = SSL_AD_HANDSHAKE_FAILURE;
   2015 			}
   2016 
   2017 		/* Anytime the server *has* sent an opaque PRF input, we need to check
   2018 		 * that we have a client opaque PRF input of the same size. */
   2019 		if (s->s3->client_opaque_prf_input == NULL ||
   2020 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
   2021 			{
   2022 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2023 			al = SSL_AD_ILLEGAL_PARAMETER;
   2024 			}
   2025 		}
   2026 #endif
   2027 
   2028 	/* If we've requested certificate status and we wont get one
   2029  	 * tell the callback
   2030  	 */
   2031 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
   2032 			&& s->ctx && s->ctx->tlsext_status_cb)
   2033 		{
   2034 		int r;
   2035 		/* Set resp to NULL, resplen to -1 so callback knows
   2036  		 * there is no response.
   2037  		 */
   2038 		if (s->tlsext_ocsp_resp)
   2039 			{
   2040 			OPENSSL_free(s->tlsext_ocsp_resp);
   2041 			s->tlsext_ocsp_resp = NULL;
   2042 			}
   2043 		s->tlsext_ocsp_resplen = -1;
   2044 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
   2045 		if (r == 0)
   2046 			{
   2047 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
   2048 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2049 			}
   2050 		if (r < 0)
   2051 			{
   2052 			al = SSL_AD_INTERNAL_ERROR;
   2053 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2054 			}
   2055 		}
   2056 
   2057 	switch (ret)
   2058 		{
   2059 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2060 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2061 			return -1;
   2062 
   2063 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2064 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2065 			return 1;
   2066 
   2067 		case SSL_TLSEXT_ERR_NOACK:
   2068 			s->servername_done=0;
   2069 			default:
   2070 		return 1;
   2071 		}
   2072 	}
   2073 
   2074 /* Since the server cache lookup is done early on in the processing of the
   2075  * ClientHello, and other operations depend on the result, we need to handle
   2076  * any TLS session ticket extension at the same time.
   2077  *
   2078  *   session_id: points at the session ID in the ClientHello. This code will
   2079  *       read past the end of this in order to parse out the session ticket
   2080  *       extension, if any.
   2081  *   len: the length of the session ID.
   2082  *   limit: a pointer to the first byte after the ClientHello.
   2083  *   ret: (output) on return, if a ticket was decrypted, then this is set to
   2084  *       point to the resulting session.
   2085  *
   2086  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
   2087  * ciphersuite, in which case we have no use for session tickets and one will
   2088  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
   2089  *
   2090  * Returns:
   2091  *   -1: fatal error, either from parsing or decrypting the ticket.
   2092  *    0: no ticket was found (or was ignored, based on settings).
   2093  *    1: a zero length extension was found, indicating that the client supports
   2094  *       session tickets but doesn't currently have one to offer.
   2095  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
   2096  *       couldn't be decrypted because of a non-fatal error.
   2097  *    3: a ticket was successfully decrypted and *ret was set.
   2098  *
   2099  * Side effects:
   2100  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
   2101  *   a new session ticket to the client because the client indicated support
   2102  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
   2103  *   a session ticket or we couldn't use the one it gave us, or if
   2104  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
   2105  *   Otherwise, s->tlsext_ticket_expected is set to 0.
   2106  */
   2107 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
   2108 			const unsigned char *limit, SSL_SESSION **ret)
   2109 	{
   2110 	/* Point after session ID in client hello */
   2111 	const unsigned char *p = session_id + len;
   2112 	unsigned short i;
   2113 
   2114 	*ret = NULL;
   2115 	s->tlsext_ticket_expected = 0;
   2116 
   2117 	/* If tickets disabled behave as if no ticket present
   2118 	 * to permit stateful resumption.
   2119 	 */
   2120 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
   2121 		return 0;
   2122 	if ((s->version <= SSL3_VERSION) || !limit)
   2123 		return 0;
   2124 	if (p >= limit)
   2125 		return -1;
   2126 	/* Skip past DTLS cookie */
   2127 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
   2128 		{
   2129 		i = *(p++);
   2130 		p+= i;
   2131 		if (p >= limit)
   2132 			return -1;
   2133 		}
   2134 	/* Skip past cipher list */
   2135 	n2s(p, i);
   2136 	p+= i;
   2137 	if (p >= limit)
   2138 		return -1;
   2139 	/* Skip past compression algorithm list */
   2140 	i = *(p++);
   2141 	p += i;
   2142 	if (p > limit)
   2143 		return -1;
   2144 	/* Now at start of extensions */
   2145 	if ((p + 2) >= limit)
   2146 		return 0;
   2147 	n2s(p, i);
   2148 	while ((p + 4) <= limit)
   2149 		{
   2150 		unsigned short type, size;
   2151 		n2s(p, type);
   2152 		n2s(p, size);
   2153 		if (p + size > limit)
   2154 			return 0;
   2155 		if (type == TLSEXT_TYPE_session_ticket)
   2156 			{
   2157 			int r;
   2158 			if (size == 0)
   2159 				{
   2160 				/* The client will accept a ticket but doesn't
   2161 				 * currently have one. */
   2162 				s->tlsext_ticket_expected = 1;
   2163 				return 1;
   2164 				}
   2165 			if (s->tls_session_secret_cb)
   2166 				{
   2167 				/* Indicate that the ticket couldn't be
   2168 				 * decrypted rather than generating the session
   2169 				 * from ticket now, trigger abbreviated
   2170 				 * handshake based on external mechanism to
   2171 				 * calculate the master secret later. */
   2172 				return 2;
   2173 				}
   2174 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
   2175 			switch (r)
   2176 				{
   2177 				case 2: /* ticket couldn't be decrypted */
   2178 					s->tlsext_ticket_expected = 1;
   2179 					return 2;
   2180 				case 3: /* ticket was decrypted */
   2181 					return r;
   2182 				case 4: /* ticket decrypted but need to renew */
   2183 					s->tlsext_ticket_expected = 1;
   2184 					return 3;
   2185 				default: /* fatal error */
   2186 					return -1;
   2187 				}
   2188 			}
   2189 		p += size;
   2190 		}
   2191 	return 0;
   2192 	}
   2193 
   2194 /* tls_decrypt_ticket attempts to decrypt a session ticket.
   2195  *
   2196  *   etick: points to the body of the session ticket extension.
   2197  *   eticklen: the length of the session tickets extenion.
   2198  *   sess_id: points at the session ID.
   2199  *   sesslen: the length of the session ID.
   2200  *   psess: (output) on return, if a ticket was decrypted, then this is set to
   2201  *       point to the resulting session.
   2202  *
   2203  * Returns:
   2204  *   -1: fatal error, either from parsing or decrypting the ticket.
   2205  *    2: the ticket couldn't be decrypted.
   2206  *    3: a ticket was successfully decrypted and *psess was set.
   2207  *    4: same as 3, but the ticket needs to be renewed.
   2208  */
   2209 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
   2210 				const unsigned char *sess_id, int sesslen,
   2211 				SSL_SESSION **psess)
   2212 	{
   2213 	SSL_SESSION *sess;
   2214 	unsigned char *sdec;
   2215 	const unsigned char *p;
   2216 	int slen, mlen, renew_ticket = 0;
   2217 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
   2218 	HMAC_CTX hctx;
   2219 	EVP_CIPHER_CTX ctx;
   2220 	SSL_CTX *tctx = s->initial_ctx;
   2221 	/* Need at least keyname + iv + some encrypted data */
   2222 	if (eticklen < 48)
   2223 		return 2;
   2224 	/* Initialize session ticket encryption and HMAC contexts */
   2225 	HMAC_CTX_init(&hctx);
   2226 	EVP_CIPHER_CTX_init(&ctx);
   2227 	if (tctx->tlsext_ticket_key_cb)
   2228 		{
   2229 		unsigned char *nctick = (unsigned char *)etick;
   2230 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
   2231 							&ctx, &hctx, 0);
   2232 		if (rv < 0)
   2233 			return -1;
   2234 		if (rv == 0)
   2235 			return 2;
   2236 		if (rv == 2)
   2237 			renew_ticket = 1;
   2238 		}
   2239 	else
   2240 		{
   2241 		/* Check key name matches */
   2242 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
   2243 			return 2;
   2244 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
   2245 					tlsext_tick_md(), NULL);
   2246 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
   2247 				tctx->tlsext_tick_aes_key, etick + 16);
   2248 		}
   2249 	/* Attempt to process session ticket, first conduct sanity and
   2250 	 * integrity checks on ticket.
   2251 	 */
   2252 	mlen = HMAC_size(&hctx);
   2253 	if (mlen < 0)
   2254 		{
   2255 		EVP_CIPHER_CTX_cleanup(&ctx);
   2256 		return -1;
   2257 		}
   2258 	eticklen -= mlen;
   2259 	/* Check HMAC of encrypted ticket */
   2260 	HMAC_Update(&hctx, etick, eticklen);
   2261 	HMAC_Final(&hctx, tick_hmac, NULL);
   2262 	HMAC_CTX_cleanup(&hctx);
   2263 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
   2264 		return 2;
   2265 	/* Attempt to decrypt session data */
   2266 	/* Move p after IV to start of encrypted ticket, update length */
   2267 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
   2268 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
   2269 	sdec = OPENSSL_malloc(eticklen);
   2270 	if (!sdec)
   2271 		{
   2272 		EVP_CIPHER_CTX_cleanup(&ctx);
   2273 		return -1;
   2274 		}
   2275 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
   2276 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
   2277 		return 2;
   2278 	slen += mlen;
   2279 	EVP_CIPHER_CTX_cleanup(&ctx);
   2280 	p = sdec;
   2281 
   2282 	sess = d2i_SSL_SESSION(NULL, &p, slen);
   2283 	OPENSSL_free(sdec);
   2284 	if (sess)
   2285 		{
   2286 		/* The session ID, if non-empty, is used by some clients to
   2287 		 * detect that the ticket has been accepted. So we copy it to
   2288 		 * the session structure. If it is empty set length to zero
   2289 		 * as required by standard.
   2290 		 */
   2291 		if (sesslen)
   2292 			memcpy(sess->session_id, sess_id, sesslen);
   2293 		sess->session_id_length = sesslen;
   2294 		*psess = sess;
   2295 		if (renew_ticket)
   2296 			return 4;
   2297 		else
   2298 			return 3;
   2299 		}
   2300         ERR_clear_error();
   2301 	/* For session parse failure, indicate that we need to send a new
   2302 	 * ticket. */
   2303 	return 2;
   2304 	}
   2305 
   2306 /* Tables to translate from NIDs to TLS v1.2 ids */
   2307 
   2308 typedef struct
   2309 	{
   2310 	int nid;
   2311 	int id;
   2312 	} tls12_lookup;
   2313 
   2314 static tls12_lookup tls12_md[] = {
   2315 #ifndef OPENSSL_NO_MD5
   2316 	{NID_md5, TLSEXT_hash_md5},
   2317 #endif
   2318 #ifndef OPENSSL_NO_SHA
   2319 	{NID_sha1, TLSEXT_hash_sha1},
   2320 #endif
   2321 #ifndef OPENSSL_NO_SHA256
   2322 	{NID_sha224, TLSEXT_hash_sha224},
   2323 	{NID_sha256, TLSEXT_hash_sha256},
   2324 #endif
   2325 #ifndef OPENSSL_NO_SHA512
   2326 	{NID_sha384, TLSEXT_hash_sha384},
   2327 	{NID_sha512, TLSEXT_hash_sha512}
   2328 #endif
   2329 };
   2330 
   2331 static tls12_lookup tls12_sig[] = {
   2332 #ifndef OPENSSL_NO_RSA
   2333 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
   2334 #endif
   2335 #ifndef OPENSSL_NO_DSA
   2336 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
   2337 #endif
   2338 #ifndef OPENSSL_NO_ECDSA
   2339 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
   2340 #endif
   2341 };
   2342 
   2343 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
   2344 	{
   2345 	size_t i;
   2346 	for (i = 0; i < tlen; i++)
   2347 		{
   2348 		if (table[i].nid == nid)
   2349 			return table[i].id;
   2350 		}
   2351 	return -1;
   2352 	}
   2353 #if 0
   2354 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
   2355 	{
   2356 	size_t i;
   2357 	for (i = 0; i < tlen; i++)
   2358 		{
   2359 		if (table[i].id == id)
   2360 			return table[i].nid;
   2361 		}
   2362 	return -1;
   2363 	}
   2364 #endif
   2365 
   2366 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
   2367 	{
   2368 	int sig_id, md_id;
   2369 	if (!md)
   2370 		return 0;
   2371 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
   2372 				sizeof(tls12_md)/sizeof(tls12_lookup));
   2373 	if (md_id == -1)
   2374 		return 0;
   2375 	sig_id = tls12_get_sigid(pk);
   2376 	if (sig_id == -1)
   2377 		return 0;
   2378 	p[0] = (unsigned char)md_id;
   2379 	p[1] = (unsigned char)sig_id;
   2380 	return 1;
   2381 	}
   2382 
   2383 int tls12_get_sigid(const EVP_PKEY *pk)
   2384 	{
   2385 	return tls12_find_id(pk->type, tls12_sig,
   2386 				sizeof(tls12_sig)/sizeof(tls12_lookup));
   2387 	}
   2388 
   2389 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
   2390 	{
   2391 	switch(hash_alg)
   2392 		{
   2393 #ifndef OPENSSL_NO_MD5
   2394 		case TLSEXT_hash_md5:
   2395 #ifdef OPENSSL_FIPS
   2396 		if (FIPS_mode())
   2397 			return NULL;
   2398 #endif
   2399 		return EVP_md5();
   2400 #endif
   2401 #ifndef OPENSSL_NO_SHA
   2402 		case TLSEXT_hash_sha1:
   2403 		return EVP_sha1();
   2404 #endif
   2405 #ifndef OPENSSL_NO_SHA256
   2406 		case TLSEXT_hash_sha224:
   2407 		return EVP_sha224();
   2408 
   2409 		case TLSEXT_hash_sha256:
   2410 		return EVP_sha256();
   2411 #endif
   2412 #ifndef OPENSSL_NO_SHA512
   2413 		case TLSEXT_hash_sha384:
   2414 		return EVP_sha384();
   2415 
   2416 		case TLSEXT_hash_sha512:
   2417 		return EVP_sha512();
   2418 #endif
   2419 		default:
   2420 		return NULL;
   2421 
   2422 		}
   2423 	}
   2424 
   2425 /* Set preferred digest for each key type */
   2426 
   2427 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
   2428 	{
   2429 	int i, idx;
   2430 	const EVP_MD *md;
   2431 	CERT *c = s->cert;
   2432 	/* Extension ignored for TLS versions below 1.2 */
   2433 	if (TLS1_get_version(s) < TLS1_2_VERSION)
   2434 		return 1;
   2435 	/* Should never happen */
   2436 	if (!c)
   2437 		return 0;
   2438 
   2439 	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
   2440 	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
   2441 	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
   2442 	c->pkeys[SSL_PKEY_ECC].digest = NULL;
   2443 
   2444 	for (i = 0; i < dsize; i += 2)
   2445 		{
   2446 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
   2447 
   2448 		switch(sig_alg)
   2449 			{
   2450 #ifndef OPENSSL_NO_RSA
   2451 			case TLSEXT_signature_rsa:
   2452 			idx = SSL_PKEY_RSA_SIGN;
   2453 			break;
   2454 #endif
   2455 #ifndef OPENSSL_NO_DSA
   2456 			case TLSEXT_signature_dsa:
   2457 			idx = SSL_PKEY_DSA_SIGN;
   2458 			break;
   2459 #endif
   2460 #ifndef OPENSSL_NO_ECDSA
   2461 			case TLSEXT_signature_ecdsa:
   2462 			idx = SSL_PKEY_ECC;
   2463 			break;
   2464 #endif
   2465 			default:
   2466 			continue;
   2467 			}
   2468 
   2469 		if (c->pkeys[idx].digest == NULL)
   2470 			{
   2471 			md = tls12_get_hash(hash_alg);
   2472 			if (md)
   2473 				{
   2474 				c->pkeys[idx].digest = md;
   2475 				if (idx == SSL_PKEY_RSA_SIGN)
   2476 					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
   2477 				}
   2478 			}
   2479 
   2480 		}
   2481 
   2482 
   2483 	/* Set any remaining keys to default values. NOTE: if alg is not
   2484 	 * supported it stays as NULL.
   2485 	 */
   2486 #ifndef OPENSSL_NO_DSA
   2487 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
   2488 		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
   2489 #endif
   2490 #ifndef OPENSSL_NO_RSA
   2491 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
   2492 		{
   2493 		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
   2494 		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
   2495 		}
   2496 #endif
   2497 #ifndef OPENSSL_NO_ECDSA
   2498 	if (!c->pkeys[SSL_PKEY_ECC].digest)
   2499 		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
   2500 #endif
   2501 	return 1;
   2502 	}
   2503 
   2504 #endif
   2505 
   2506 #ifndef OPENSSL_NO_HEARTBEATS
   2507 int
   2508 tls1_process_heartbeat(SSL *s)
   2509 	{
   2510 	unsigned char *p = &s->s3->rrec.data[0], *pl;
   2511 	unsigned short hbtype;
   2512 	unsigned int payload;
   2513 	unsigned int padding = 16; /* Use minimum padding */
   2514 
   2515 	/* Read type and payload length first */
   2516 	hbtype = *p++;
   2517 	n2s(p, payload);
   2518 	pl = p;
   2519 
   2520 	if (s->msg_callback)
   2521 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
   2522 			&s->s3->rrec.data[0], s->s3->rrec.length,
   2523 			s, s->msg_callback_arg);
   2524 
   2525 	if (hbtype == TLS1_HB_REQUEST)
   2526 		{
   2527 		unsigned char *buffer, *bp;
   2528 		int r;
   2529 
   2530 		/* Allocate memory for the response, size is 1 bytes
   2531 		 * message type, plus 2 bytes payload length, plus
   2532 		 * payload, plus padding
   2533 		 */
   2534 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
   2535 		bp = buffer;
   2536 
   2537 		/* Enter response type, length and copy payload */
   2538 		*bp++ = TLS1_HB_RESPONSE;
   2539 		s2n(payload, bp);
   2540 		memcpy(bp, pl, payload);
   2541 		bp += payload;
   2542 		/* Random padding */
   2543 		RAND_pseudo_bytes(bp, padding);
   2544 
   2545 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
   2546 
   2547 		if (r >= 0 && s->msg_callback)
   2548 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
   2549 				buffer, 3 + payload + padding,
   2550 				s, s->msg_callback_arg);
   2551 
   2552 		OPENSSL_free(buffer);
   2553 
   2554 		if (r < 0)
   2555 			return r;
   2556 		}
   2557 	else if (hbtype == TLS1_HB_RESPONSE)
   2558 		{
   2559 		unsigned int seq;
   2560 
   2561 		/* We only send sequence numbers (2 bytes unsigned int),
   2562 		 * and 16 random bytes, so we just try to read the
   2563 		 * sequence number */
   2564 		n2s(pl, seq);
   2565 
   2566 		if (payload == 18 && seq == s->tlsext_hb_seq)
   2567 			{
   2568 			s->tlsext_hb_seq++;
   2569 			s->tlsext_hb_pending = 0;
   2570 			}
   2571 		}
   2572 
   2573 	return 0;
   2574 	}
   2575 
   2576 int
   2577 tls1_heartbeat(SSL *s)
   2578 	{
   2579 	unsigned char *buf, *p;
   2580 	int ret;
   2581 	unsigned int payload = 18; /* Sequence number + random bytes */
   2582 	unsigned int padding = 16; /* Use minimum padding */
   2583 
   2584 	/* Only send if peer supports and accepts HB requests... */
   2585 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
   2586 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
   2587 		{
   2588 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
   2589 		return -1;
   2590 		}
   2591 
   2592 	/* ...and there is none in flight yet... */
   2593 	if (s->tlsext_hb_pending)
   2594 		{
   2595 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
   2596 		return -1;
   2597 		}
   2598 
   2599 	/* ...and no handshake in progress. */
   2600 	if (SSL_in_init(s) || s->in_handshake)
   2601 		{
   2602 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
   2603 		return -1;
   2604 		}
   2605 
   2606 	/* Check if padding is too long, payload and padding
   2607 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
   2608 	 */
   2609 	OPENSSL_assert(payload + padding <= 16381);
   2610 
   2611 	/* Create HeartBeat message, we just use a sequence number
   2612 	 * as payload to distuingish different messages and add
   2613 	 * some random stuff.
   2614 	 *  - Message Type, 1 byte
   2615 	 *  - Payload Length, 2 bytes (unsigned int)
   2616 	 *  - Payload, the sequence number (2 bytes uint)
   2617 	 *  - Payload, random bytes (16 bytes uint)
   2618 	 *  - Padding
   2619 	 */
   2620 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
   2621 	p = buf;
   2622 	/* Message Type */
   2623 	*p++ = TLS1_HB_REQUEST;
   2624 	/* Payload length (18 bytes here) */
   2625 	s2n(payload, p);
   2626 	/* Sequence number */
   2627 	s2n(s->tlsext_hb_seq, p);
   2628 	/* 16 random bytes */
   2629 	RAND_pseudo_bytes(p, 16);
   2630 	p += 16;
   2631 	/* Random padding */
   2632 	RAND_pseudo_bytes(p, padding);
   2633 
   2634 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
   2635 	if (ret >= 0)
   2636 		{
   2637 		if (s->msg_callback)
   2638 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
   2639 				buf, 3 + payload + padding,
   2640 				s, s->msg_callback_arg);
   2641 
   2642 		s->tlsext_hb_pending = 1;
   2643 		}
   2644 
   2645 	OPENSSL_free(buf);
   2646 
   2647 	return ret;
   2648 	}
   2649 #endif
   2650 
   2651 #if !defined(OPENSSL_NO_TLSEXT)
   2652 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
   2653  * SSL connection and writes it to |md|.
   2654  */
   2655 int
   2656 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
   2657 	{
   2658 	EVP_MD_CTX ctx;
   2659 	unsigned char temp_digest[EVP_MAX_MD_SIZE];
   2660 	unsigned temp_digest_len;
   2661 	int i;
   2662 	static const char kClientIDMagic[] = "TLS Channel ID signature";
   2663 
   2664 	if (s->s3->handshake_buffer)
   2665 		if (!ssl3_digest_cached_records(s))
   2666 			return 0;
   2667 
   2668 	EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
   2669 
   2670 	EVP_MD_CTX_init(&ctx);
   2671 	for (i = 0; i < SSL_MAX_DIGEST; i++)
   2672 		{
   2673 		if (s->s3->handshake_dgst[i] == NULL)
   2674 			continue;
   2675 		EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
   2676 		EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
   2677 		EVP_DigestUpdate(md, temp_digest, temp_digest_len);
   2678 		}
   2679 	EVP_MD_CTX_cleanup(&ctx);
   2680 
   2681 	return 1;
   2682 	}
   2683 #endif
   2684