Home | History | Annotate | Download | only in ssl
      1 /* ssl/t1_lib.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #include <stdio.h>
    113 #include <openssl/objects.h>
    114 #include <openssl/evp.h>
    115 #include <openssl/hmac.h>
    116 #include <openssl/ocsp.h>
    117 #include <openssl/rand.h>
    118 #include "ssl_locl.h"
    119 
    120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
    121 
    122 #ifndef OPENSSL_NO_TLSEXT
    123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
    124 				const unsigned char *sess_id, int sesslen,
    125 				SSL_SESSION **psess);
    126 #endif
    127 
    128 SSL3_ENC_METHOD TLSv1_enc_data={
    129 	tls1_enc,
    130 	tls1_mac,
    131 	tls1_setup_key_block,
    132 	tls1_generate_master_secret,
    133 	tls1_change_cipher_state,
    134 	tls1_final_finish_mac,
    135 	TLS1_FINISH_MAC_LENGTH,
    136 	tls1_cert_verify_mac,
    137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
    138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
    139 	tls1_alert_code,
    140 	tls1_export_keying_material,
    141 	};
    142 
    143 long tls1_default_timeout(void)
    144 	{
    145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
    146 	 * is way too long for http, the cache would over fill */
    147 	return(60*60*2);
    148 	}
    149 
    150 int tls1_new(SSL *s)
    151 	{
    152 	if (!ssl3_new(s)) return(0);
    153 	s->method->ssl_clear(s);
    154 	return(1);
    155 	}
    156 
    157 void tls1_free(SSL *s)
    158 	{
    159 #ifndef OPENSSL_NO_TLSEXT
    160 	if (s->tlsext_session_ticket)
    161 		{
    162 		OPENSSL_free(s->tlsext_session_ticket);
    163 		}
    164 #endif /* OPENSSL_NO_TLSEXT */
    165 	ssl3_free(s);
    166 	}
    167 
    168 void tls1_clear(SSL *s)
    169 	{
    170 	ssl3_clear(s);
    171 	s->version = s->method->version;
    172 	}
    173 
    174 #ifndef OPENSSL_NO_EC
    175 
    176 static int nid_list[] =
    177 	{
    178 		NID_sect163k1, /* sect163k1 (1) */
    179 		NID_sect163r1, /* sect163r1 (2) */
    180 		NID_sect163r2, /* sect163r2 (3) */
    181 		NID_sect193r1, /* sect193r1 (4) */
    182 		NID_sect193r2, /* sect193r2 (5) */
    183 		NID_sect233k1, /* sect233k1 (6) */
    184 		NID_sect233r1, /* sect233r1 (7) */
    185 		NID_sect239k1, /* sect239k1 (8) */
    186 		NID_sect283k1, /* sect283k1 (9) */
    187 		NID_sect283r1, /* sect283r1 (10) */
    188 		NID_sect409k1, /* sect409k1 (11) */
    189 		NID_sect409r1, /* sect409r1 (12) */
    190 		NID_sect571k1, /* sect571k1 (13) */
    191 		NID_sect571r1, /* sect571r1 (14) */
    192 		NID_secp160k1, /* secp160k1 (15) */
    193 		NID_secp160r1, /* secp160r1 (16) */
    194 		NID_secp160r2, /* secp160r2 (17) */
    195 		NID_secp192k1, /* secp192k1 (18) */
    196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
    197 		NID_secp224k1, /* secp224k1 (20) */
    198 		NID_secp224r1, /* secp224r1 (21) */
    199 		NID_secp256k1, /* secp256k1 (22) */
    200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
    201 		NID_secp384r1, /* secp384r1 (24) */
    202 		NID_secp521r1  /* secp521r1 (25) */
    203 	};
    204 
    205 static int pref_list[] =
    206 	{
    207 		NID_sect571r1, /* sect571r1 (14) */
    208 		NID_sect571k1, /* sect571k1 (13) */
    209 		NID_secp521r1, /* secp521r1 (25) */
    210 		NID_sect409k1, /* sect409k1 (11) */
    211 		NID_sect409r1, /* sect409r1 (12) */
    212 		NID_secp384r1, /* secp384r1 (24) */
    213 		NID_sect283k1, /* sect283k1 (9) */
    214 		NID_sect283r1, /* sect283r1 (10) */
    215 		NID_secp256k1, /* secp256k1 (22) */
    216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
    217 		NID_sect239k1, /* sect239k1 (8) */
    218 		NID_sect233k1, /* sect233k1 (6) */
    219 		NID_sect233r1, /* sect233r1 (7) */
    220 		NID_secp224k1, /* secp224k1 (20) */
    221 		NID_secp224r1, /* secp224r1 (21) */
    222 		NID_sect193r1, /* sect193r1 (4) */
    223 		NID_sect193r2, /* sect193r2 (5) */
    224 		NID_secp192k1, /* secp192k1 (18) */
    225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
    226 		NID_sect163k1, /* sect163k1 (1) */
    227 		NID_sect163r1, /* sect163r1 (2) */
    228 		NID_sect163r2, /* sect163r2 (3) */
    229 		NID_secp160k1, /* secp160k1 (15) */
    230 		NID_secp160r1, /* secp160r1 (16) */
    231 		NID_secp160r2, /* secp160r2 (17) */
    232 	};
    233 
    234 int tls1_ec_curve_id2nid(int curve_id)
    235 	{
    236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
    237 	if ((curve_id < 1) || ((unsigned int)curve_id >
    238 				sizeof(nid_list)/sizeof(nid_list[0])))
    239 		return 0;
    240 	return nid_list[curve_id-1];
    241 	}
    242 
    243 int tls1_ec_nid2curve_id(int nid)
    244 	{
    245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
    246 	switch (nid)
    247 		{
    248 	case NID_sect163k1: /* sect163k1 (1) */
    249 		return 1;
    250 	case NID_sect163r1: /* sect163r1 (2) */
    251 		return 2;
    252 	case NID_sect163r2: /* sect163r2 (3) */
    253 		return 3;
    254 	case NID_sect193r1: /* sect193r1 (4) */
    255 		return 4;
    256 	case NID_sect193r2: /* sect193r2 (5) */
    257 		return 5;
    258 	case NID_sect233k1: /* sect233k1 (6) */
    259 		return 6;
    260 	case NID_sect233r1: /* sect233r1 (7) */
    261 		return 7;
    262 	case NID_sect239k1: /* sect239k1 (8) */
    263 		return 8;
    264 	case NID_sect283k1: /* sect283k1 (9) */
    265 		return 9;
    266 	case NID_sect283r1: /* sect283r1 (10) */
    267 		return 10;
    268 	case NID_sect409k1: /* sect409k1 (11) */
    269 		return 11;
    270 	case NID_sect409r1: /* sect409r1 (12) */
    271 		return 12;
    272 	case NID_sect571k1: /* sect571k1 (13) */
    273 		return 13;
    274 	case NID_sect571r1: /* sect571r1 (14) */
    275 		return 14;
    276 	case NID_secp160k1: /* secp160k1 (15) */
    277 		return 15;
    278 	case NID_secp160r1: /* secp160r1 (16) */
    279 		return 16;
    280 	case NID_secp160r2: /* secp160r2 (17) */
    281 		return 17;
    282 	case NID_secp192k1: /* secp192k1 (18) */
    283 		return 18;
    284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
    285 		return 19;
    286 	case NID_secp224k1: /* secp224k1 (20) */
    287 		return 20;
    288 	case NID_secp224r1: /* secp224r1 (21) */
    289 		return 21;
    290 	case NID_secp256k1: /* secp256k1 (22) */
    291 		return 22;
    292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
    293 		return 23;
    294 	case NID_secp384r1: /* secp384r1 (24) */
    295 		return 24;
    296 	case NID_secp521r1:  /* secp521r1 (25) */
    297 		return 25;
    298 	default:
    299 		return 0;
    300 		}
    301 	}
    302 #endif /* OPENSSL_NO_EC */
    303 
    304 #ifndef OPENSSL_NO_TLSEXT
    305 
    306 /* List of supported signature algorithms and hashes. Should make this
    307  * customisable at some point, for now include everything we support.
    308  */
    309 
    310 #ifdef OPENSSL_NO_RSA
    311 #define tlsext_sigalg_rsa(md) /* */
    312 #else
    313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
    314 #endif
    315 
    316 #ifdef OPENSSL_NO_DSA
    317 #define tlsext_sigalg_dsa(md) /* */
    318 #else
    319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
    320 #endif
    321 
    322 #ifdef OPENSSL_NO_ECDSA
    323 #define tlsext_sigalg_ecdsa(md) /* */
    324 #else
    325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
    326 #endif
    327 
    328 #define tlsext_sigalg(md) \
    329 		tlsext_sigalg_rsa(md) \
    330 		tlsext_sigalg_dsa(md) \
    331 		tlsext_sigalg_ecdsa(md)
    332 
    333 static unsigned char tls12_sigalgs[] = {
    334 #ifndef OPENSSL_NO_SHA512
    335 	tlsext_sigalg(TLSEXT_hash_sha512)
    336 	tlsext_sigalg(TLSEXT_hash_sha384)
    337 #endif
    338 #ifndef OPENSSL_NO_SHA256
    339 	tlsext_sigalg(TLSEXT_hash_sha256)
    340 	tlsext_sigalg(TLSEXT_hash_sha224)
    341 #endif
    342 #ifndef OPENSSL_NO_SHA
    343 	tlsext_sigalg(TLSEXT_hash_sha1)
    344 #endif
    345 #ifndef OPENSSL_NO_MD5
    346 	tlsext_sigalg_rsa(TLSEXT_hash_md5)
    347 #endif
    348 };
    349 
    350 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
    351 	{
    352 	size_t slen = sizeof(tls12_sigalgs);
    353 #ifdef OPENSSL_FIPS
    354 	/* If FIPS mode don't include MD5 which is last */
    355 	if (FIPS_mode())
    356 		slen -= 2;
    357 #endif
    358 	if (p)
    359 		memcpy(p, tls12_sigalgs, slen);
    360 	return (int)slen;
    361 	}
    362 
    363 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
    364 	{
    365 	int extdatalen=0;
    366 	unsigned char *ret = p;
    367 
    368 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
    369 	if (s->client_version == SSL3_VERSION
    370 					&& !s->s3->send_connection_binding)
    371 		return p;
    372 
    373 	ret+=2;
    374 
    375 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
    376 
    377  	if (s->tlsext_hostname != NULL)
    378 		{
    379 		/* Add TLS extension servername to the Client Hello message */
    380 		unsigned long size_str;
    381 		long lenmax;
    382 
    383 		/* check for enough space.
    384 		   4 for the servername type and entension length
    385 		   2 for servernamelist length
    386 		   1 for the hostname type
    387 		   2 for hostname length
    388 		   + hostname length
    389 		*/
    390 
    391 		if ((lenmax = limit - ret - 9) < 0
    392 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
    393 			return NULL;
    394 
    395 		/* extension type and length */
    396 		s2n(TLSEXT_TYPE_server_name,ret);
    397 		s2n(size_str+5,ret);
    398 
    399 		/* length of servername list */
    400 		s2n(size_str+3,ret);
    401 
    402 		/* hostname type, length and hostname */
    403 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
    404 		s2n(size_str,ret);
    405 		memcpy(ret, s->tlsext_hostname, size_str);
    406 		ret+=size_str;
    407 		}
    408 
    409         /* Add RI if renegotiating */
    410         if (s->renegotiate)
    411           {
    412           int el;
    413 
    414           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
    415               {
    416               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    417               return NULL;
    418               }
    419 
    420           if((limit - p - 4 - el) < 0) return NULL;
    421 
    422           s2n(TLSEXT_TYPE_renegotiate,ret);
    423           s2n(el,ret);
    424 
    425           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
    426               {
    427               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    428               return NULL;
    429               }
    430 
    431           ret += el;
    432         }
    433 
    434 #ifndef OPENSSL_NO_SRP
    435 	/* Add SRP username if there is one */
    436 	if (s->srp_ctx.login != NULL)
    437 		{ /* Add TLS extension SRP username to the Client Hello message */
    438 
    439 		int login_len = strlen(s->srp_ctx.login);
    440 		if (login_len > 255 || login_len == 0)
    441 			{
    442 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    443 			return NULL;
    444 			}
    445 
    446 		/* check for enough space.
    447 		   4 for the srp type type and entension length
    448 		   1 for the srp user identity
    449 		   + srp user identity length
    450 		*/
    451 		if ((limit - ret - 5 - login_len) < 0) return NULL;
    452 
    453 		/* fill in the extension */
    454 		s2n(TLSEXT_TYPE_srp,ret);
    455 		s2n(login_len+1,ret);
    456 		(*ret++) = (unsigned char) login_len;
    457 		memcpy(ret, s->srp_ctx.login, login_len);
    458 		ret+=login_len;
    459 		}
    460 #endif
    461 
    462 #ifndef OPENSSL_NO_EC
    463 	if (s->tlsext_ecpointformatlist != NULL &&
    464 	    s->version != DTLS1_VERSION)
    465 		{
    466 		/* Add TLS extension ECPointFormats to the ClientHello message */
    467 		long lenmax;
    468 
    469 		if ((lenmax = limit - ret - 5) < 0) return NULL;
    470 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
    471 		if (s->tlsext_ecpointformatlist_length > 255)
    472 			{
    473 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    474 			return NULL;
    475 			}
    476 
    477 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
    478 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
    479 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
    480 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
    481 		ret+=s->tlsext_ecpointformatlist_length;
    482 		}
    483 	if (s->tlsext_ellipticcurvelist != NULL &&
    484 	    s->version != DTLS1_VERSION)
    485 		{
    486 		/* Add TLS extension EllipticCurves to the ClientHello message */
    487 		long lenmax;
    488 
    489 		if ((lenmax = limit - ret - 6) < 0) return NULL;
    490 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
    491 		if (s->tlsext_ellipticcurvelist_length > 65532)
    492 			{
    493 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    494 			return NULL;
    495 			}
    496 
    497 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
    498 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
    499 
    500 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
    501 		 * elliptic_curve_list, but the examples use two bytes.
    502 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
    503 		 * resolves this to two bytes.
    504 		 */
    505 		s2n(s->tlsext_ellipticcurvelist_length, ret);
    506 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
    507 		ret+=s->tlsext_ellipticcurvelist_length;
    508 		}
    509 #endif /* OPENSSL_NO_EC */
    510 
    511 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
    512 		{
    513 		int ticklen;
    514 		if (!s->new_session && s->session && s->session->tlsext_tick)
    515 			ticklen = s->session->tlsext_ticklen;
    516 		else if (s->session && s->tlsext_session_ticket &&
    517 			 s->tlsext_session_ticket->data)
    518 			{
    519 			ticklen = s->tlsext_session_ticket->length;
    520 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
    521 			if (!s->session->tlsext_tick)
    522 				return NULL;
    523 			memcpy(s->session->tlsext_tick,
    524 			       s->tlsext_session_ticket->data,
    525 			       ticklen);
    526 			s->session->tlsext_ticklen = ticklen;
    527 			}
    528 		else
    529 			ticklen = 0;
    530 		if (ticklen == 0 && s->tlsext_session_ticket &&
    531 		    s->tlsext_session_ticket->data == NULL)
    532 			goto skip_ext;
    533 		/* Check for enough room 2 for extension type, 2 for len
    534  		 * rest for ticket
    535   		 */
    536 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
    537 		s2n(TLSEXT_TYPE_session_ticket,ret);
    538 		s2n(ticklen,ret);
    539 		if (ticklen)
    540 			{
    541 			memcpy(ret, s->session->tlsext_tick, ticklen);
    542 			ret += ticklen;
    543 			}
    544 		}
    545 		skip_ext:
    546 
    547 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
    548 		{
    549 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
    550 			return NULL;
    551 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
    552 		s2n(sizeof(tls12_sigalgs) + 2, ret);
    553 		s2n(sizeof(tls12_sigalgs), ret);
    554 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
    555 		ret += sizeof(tls12_sigalgs);
    556 		}
    557 
    558 #ifdef TLSEXT_TYPE_opaque_prf_input
    559 	if (s->s3->client_opaque_prf_input != NULL &&
    560 	    s->version != DTLS1_VERSION)
    561 		{
    562 		size_t col = s->s3->client_opaque_prf_input_len;
    563 
    564 		if ((long)(limit - ret - 6 - col < 0))
    565 			return NULL;
    566 		if (col > 0xFFFD) /* can't happen */
    567 			return NULL;
    568 
    569 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
    570 		s2n(col + 2, ret);
    571 		s2n(col, ret);
    572 		memcpy(ret, s->s3->client_opaque_prf_input, col);
    573 		ret += col;
    574 		}
    575 #endif
    576 
    577 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
    578 	    s->version != DTLS1_VERSION)
    579 		{
    580 		int i;
    581 		long extlen, idlen, itmp;
    582 		OCSP_RESPID *id;
    583 
    584 		idlen = 0;
    585 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
    586 			{
    587 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    588 			itmp = i2d_OCSP_RESPID(id, NULL);
    589 			if (itmp <= 0)
    590 				return NULL;
    591 			idlen += itmp + 2;
    592 			}
    593 
    594 		if (s->tlsext_ocsp_exts)
    595 			{
    596 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
    597 			if (extlen < 0)
    598 				return NULL;
    599 			}
    600 		else
    601 			extlen = 0;
    602 
    603 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
    604 		s2n(TLSEXT_TYPE_status_request, ret);
    605 		if (extlen + idlen > 0xFFF0)
    606 			return NULL;
    607 		s2n(extlen + idlen + 5, ret);
    608 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
    609 		s2n(idlen, ret);
    610 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
    611 			{
    612 			/* save position of id len */
    613 			unsigned char *q = ret;
    614 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    615 			/* skip over id len */
    616 			ret += 2;
    617 			itmp = i2d_OCSP_RESPID(id, &ret);
    618 			/* write id len */
    619 			s2n(itmp, q);
    620 			}
    621 		s2n(extlen, ret);
    622 		if (extlen > 0)
    623 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
    624 		}
    625 
    626 #ifndef OPENSSL_NO_HEARTBEATS
    627 	/* Add Heartbeat extension */
    628 	s2n(TLSEXT_TYPE_heartbeat,ret);
    629 	s2n(1,ret);
    630 	/* Set mode:
    631 	 * 1: peer may send requests
    632 	 * 2: peer not allowed to send requests
    633 	 */
    634 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
    635 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
    636 	else
    637 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
    638 #endif
    639 
    640 #ifndef OPENSSL_NO_NEXTPROTONEG
    641 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
    642 		{
    643 		/* The client advertises an emtpy extension to indicate its
    644 		 * support for Next Protocol Negotiation */
    645 		if (limit - ret - 4 < 0)
    646 			return NULL;
    647 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
    648 		s2n(0,ret);
    649 		}
    650 #endif
    651 
    652 	if (s->tlsext_channel_id_enabled)
    653 		{
    654 		/* The client advertises an emtpy extension to indicate its
    655 		 * support for Channel ID. */
    656 		if (limit - ret - 4 < 0)
    657 			return NULL;
    658 		s2n(TLSEXT_TYPE_channel_id,ret);
    659 		s2n(0,ret);
    660 		}
    661 
    662 	if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
    663 		{
    664 		if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
    665 			return NULL;
    666 		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
    667 		s2n(2 + s->alpn_client_proto_list_len,ret);
    668 		s2n(s->alpn_client_proto_list_len,ret);
    669 		memcpy(ret, s->alpn_client_proto_list,
    670 		       s->alpn_client_proto_list_len);
    671 		ret += s->alpn_client_proto_list_len;
    672 		}
    673 
    674 #ifndef OPENSSL_NO_SRTP
    675         if(SSL_get_srtp_profiles(s))
    676                 {
    677                 int el;
    678 
    679                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
    680 
    681                 if((limit - p - 4 - el) < 0) return NULL;
    682 
    683                 s2n(TLSEXT_TYPE_use_srtp,ret);
    684                 s2n(el,ret);
    685 
    686                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
    687 			{
    688 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    689 			return NULL;
    690 			}
    691                 ret += el;
    692                 }
    693 #endif
    694 
    695 	if ((extdatalen = ret-p-2)== 0)
    696 		return p;
    697 
    698 	s2n(extdatalen,p);
    699 	return ret;
    700 	}
    701 
    702 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
    703 	{
    704 	int extdatalen=0;
    705 	unsigned char *ret = p;
    706 #ifndef OPENSSL_NO_NEXTPROTONEG
    707 	int next_proto_neg_seen;
    708 #endif
    709 
    710 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
    711 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
    712 		return p;
    713 
    714 	ret+=2;
    715 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
    716 
    717 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
    718 		{
    719 		if ((long)(limit - ret - 4) < 0) return NULL;
    720 
    721 		s2n(TLSEXT_TYPE_server_name,ret);
    722 		s2n(0,ret);
    723 		}
    724 
    725 	if(s->s3->send_connection_binding)
    726         {
    727           int el;
    728 
    729           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
    730               {
    731               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    732               return NULL;
    733               }
    734 
    735           if((limit - p - 4 - el) < 0) return NULL;
    736 
    737           s2n(TLSEXT_TYPE_renegotiate,ret);
    738           s2n(el,ret);
    739 
    740           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
    741               {
    742               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    743               return NULL;
    744               }
    745 
    746           ret += el;
    747         }
    748 
    749 #ifndef OPENSSL_NO_EC
    750 	if (s->tlsext_ecpointformatlist != NULL &&
    751 	    s->version != DTLS1_VERSION)
    752 		{
    753 		/* Add TLS extension ECPointFormats to the ServerHello message */
    754 		long lenmax;
    755 
    756 		if ((lenmax = limit - ret - 5) < 0) return NULL;
    757 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
    758 		if (s->tlsext_ecpointformatlist_length > 255)
    759 			{
    760 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    761 			return NULL;
    762 			}
    763 
    764 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
    765 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
    766 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
    767 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
    768 		ret+=s->tlsext_ecpointformatlist_length;
    769 
    770 		}
    771 	/* Currently the server should not respond with a SupportedCurves extension */
    772 #endif /* OPENSSL_NO_EC */
    773 
    774 	if (s->tlsext_ticket_expected
    775 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
    776 		{
    777 		if ((long)(limit - ret - 4) < 0) return NULL;
    778 		s2n(TLSEXT_TYPE_session_ticket,ret);
    779 		s2n(0,ret);
    780 		}
    781 
    782 	if (s->tlsext_status_expected)
    783 		{
    784 		if ((long)(limit - ret - 4) < 0) return NULL;
    785 		s2n(TLSEXT_TYPE_status_request,ret);
    786 		s2n(0,ret);
    787 		}
    788 
    789 #ifdef TLSEXT_TYPE_opaque_prf_input
    790 	if (s->s3->server_opaque_prf_input != NULL &&
    791 	    s->version != DTLS1_VERSION)
    792 		{
    793 		size_t sol = s->s3->server_opaque_prf_input_len;
    794 
    795 		if ((long)(limit - ret - 6 - sol) < 0)
    796 			return NULL;
    797 		if (sol > 0xFFFD) /* can't happen */
    798 			return NULL;
    799 
    800 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
    801 		s2n(sol + 2, ret);
    802 		s2n(sol, ret);
    803 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
    804 		ret += sol;
    805 		}
    806 #endif
    807 
    808 #ifndef OPENSSL_NO_SRTP
    809         if(s->srtp_profile)
    810                 {
    811                 int el;
    812 
    813                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
    814 
    815                 if((limit - p - 4 - el) < 0) return NULL;
    816 
    817                 s2n(TLSEXT_TYPE_use_srtp,ret);
    818                 s2n(el,ret);
    819 
    820                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
    821 			{
    822 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    823 			return NULL;
    824 			}
    825                 ret+=el;
    826                 }
    827 #endif
    828 
    829 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
    830 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
    831 		{ const unsigned char cryptopro_ext[36] = {
    832 			0xfd, 0xe8, /*65000*/
    833 			0x00, 0x20, /*32 bytes length*/
    834 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
    835 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
    836 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
    837 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
    838 			if (limit-ret<36) return NULL;
    839 			memcpy(ret,cryptopro_ext,36);
    840 			ret+=36;
    841 
    842 		}
    843 
    844 #ifndef OPENSSL_NO_HEARTBEATS
    845 	/* Add Heartbeat extension if we've received one */
    846 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
    847 		{
    848 		s2n(TLSEXT_TYPE_heartbeat,ret);
    849 		s2n(1,ret);
    850 		/* Set mode:
    851 		 * 1: peer may send requests
    852 		 * 2: peer not allowed to send requests
    853 		 */
    854 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
    855 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
    856 		else
    857 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
    858 
    859 		}
    860 #endif
    861 
    862 #ifndef OPENSSL_NO_NEXTPROTONEG
    863 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
    864 	s->s3->next_proto_neg_seen = 0;
    865 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
    866 		{
    867 		const unsigned char *npa;
    868 		unsigned int npalen;
    869 		int r;
    870 
    871 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
    872 		if (r == SSL_TLSEXT_ERR_OK)
    873 			{
    874 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
    875 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
    876 			s2n(npalen,ret);
    877 			memcpy(ret, npa, npalen);
    878 			ret += npalen;
    879 			s->s3->next_proto_neg_seen = 1;
    880 			}
    881 		}
    882 #endif
    883 
    884 	/* If the client advertised support for Channel ID, and we have it
    885 	 * enabled, then we want to echo it back. */
    886 	if (s->s3->tlsext_channel_id_valid)
    887 		{
    888 		if (limit - ret - 4 < 0)
    889 			return NULL;
    890 		s2n(TLSEXT_TYPE_channel_id,ret);
    891 		s2n(0,ret);
    892 		}
    893 
    894 	if (s->s3->alpn_selected)
    895 		{
    896 		const unsigned char *selected = s->s3->alpn_selected;
    897 		unsigned len = s->s3->alpn_selected_len;
    898 
    899 		if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
    900 			return NULL;
    901 		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
    902 		s2n(3 + len,ret);
    903 		s2n(1 + len,ret);
    904 		*ret++ = len;
    905 		memcpy(ret, selected, len);
    906 		ret += len;
    907 		}
    908 
    909 	if ((extdatalen = ret-p-2)== 0)
    910 		return p;
    911 
    912 	s2n(extdatalen,p);
    913 	return ret;
    914 	}
    915 
    916 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
    917  * ClientHello.
    918  *   data: the contents of the extension, not including the type and length.
    919  *   data_len: the number of bytes in |data|
    920  *   al: a pointer to the alert value to send in the event of a non-zero
    921  *       return.
    922  *
    923  *   returns: 0 on success. */
    924 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
    925 					 unsigned data_len, int *al)
    926 	{
    927 	unsigned i;
    928 	unsigned proto_len;
    929 	const unsigned char *selected;
    930 	unsigned char selected_len;
    931 	int r;
    932 
    933 	if (s->ctx->alpn_select_cb == NULL)
    934 		return 0;
    935 
    936 	if (data_len < 2)
    937 		goto parse_error;
    938 
    939 	/* data should contain a uint16 length followed by a series of 8-bit,
    940 	 * length-prefixed strings. */
    941 	i = ((unsigned) data[0]) << 8 |
    942 	    ((unsigned) data[1]);
    943 	data_len -= 2;
    944 	data += 2;
    945 	if (data_len != i)
    946 		goto parse_error;
    947 
    948 	if (data_len < 2)
    949 		goto parse_error;
    950 
    951 	for (i = 0; i < data_len;)
    952 		{
    953 		proto_len = data[i];
    954 		i++;
    955 
    956 		if (proto_len == 0)
    957 			goto parse_error;
    958 
    959 		if (i + proto_len < i || i + proto_len > data_len)
    960 			goto parse_error;
    961 
    962 		i += proto_len;
    963 		}
    964 
    965 	r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
    966 				   s->ctx->alpn_select_cb_arg);
    967 	if (r == SSL_TLSEXT_ERR_OK) {
    968 		if (s->s3->alpn_selected)
    969 			OPENSSL_free(s->s3->alpn_selected);
    970 		s->s3->alpn_selected = OPENSSL_malloc(selected_len);
    971 		if (!s->s3->alpn_selected)
    972 			{
    973 			*al = SSL_AD_INTERNAL_ERROR;
    974 			return -1;
    975 			}
    976 		memcpy(s->s3->alpn_selected, selected, selected_len);
    977 		s->s3->alpn_selected_len = selected_len;
    978 	}
    979 	return 0;
    980 
    981 parse_error:
    982 	*al = SSL_AD_DECODE_ERROR;
    983 	return -1;
    984 	}
    985 
    986 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
    987 	{
    988 	unsigned short type;
    989 	unsigned short size;
    990 	unsigned short len;
    991 	unsigned char *data = *p;
    992 	int renegotiate_seen = 0;
    993 	int sigalg_seen = 0;
    994 
    995 	s->servername_done = 0;
    996 	s->tlsext_status_type = -1;
    997 
    998 	/* Reset TLS 1.2 digest functions to defaults because they don't carry
    999 	 * over to a renegotiation. */
   1000 	s->s3->digest_rsa = NULL;
   1001 	s->s3->digest_dsa = NULL;
   1002 	s->s3->digest_ecdsa = NULL;
   1003 
   1004 #ifndef OPENSSL_NO_NEXTPROTONEG
   1005 	s->s3->next_proto_neg_seen = 0;
   1006 #endif
   1007 
   1008 	if (s->s3->alpn_selected)
   1009 		{
   1010 		OPENSSL_free(s->s3->alpn_selected);
   1011 		s->s3->alpn_selected = NULL;
   1012 		}
   1013 
   1014 #ifndef OPENSSL_NO_HEARTBEATS
   1015 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
   1016 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
   1017 #endif
   1018 
   1019 	if (data >= (d+n-2))
   1020 		goto ri_check;
   1021 	n2s(data,len);
   1022 
   1023 	if (data > (d+n-len))
   1024 		goto ri_check;
   1025 
   1026 	while (data <= (d+n-4))
   1027 		{
   1028 		n2s(data,type);
   1029 		n2s(data,size);
   1030 
   1031 		if (data+size > (d+n))
   1032 	   		goto ri_check;
   1033 #if 0
   1034 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
   1035 #endif
   1036 		if (s->tlsext_debug_cb)
   1037 			s->tlsext_debug_cb(s, 0, type, data, size,
   1038 						s->tlsext_debug_arg);
   1039 /* The servername extension is treated as follows:
   1040 
   1041    - Only the hostname type is supported with a maximum length of 255.
   1042    - The servername is rejected if too long or if it contains zeros,
   1043      in which case an fatal alert is generated.
   1044    - The servername field is maintained together with the session cache.
   1045    - When a session is resumed, the servername call back invoked in order
   1046      to allow the application to position itself to the right context.
   1047    - The servername is acknowledged if it is new for a session or when
   1048      it is identical to a previously used for the same session.
   1049      Applications can control the behaviour.  They can at any time
   1050      set a 'desirable' servername for a new SSL object. This can be the
   1051      case for example with HTTPS when a Host: header field is received and
   1052      a renegotiation is requested. In this case, a possible servername
   1053      presented in the new client hello is only acknowledged if it matches
   1054      the value of the Host: field.
   1055    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
   1056      if they provide for changing an explicit servername context for the session,
   1057      i.e. when the session has been established with a servername extension.
   1058    - On session reconnect, the servername extension may be absent.
   1059 
   1060 */
   1061 
   1062 		if (type == TLSEXT_TYPE_server_name)
   1063 			{
   1064 			unsigned char *sdata;
   1065 			int servname_type;
   1066 			int dsize;
   1067 
   1068 			if (size < 2)
   1069 				{
   1070 				*al = SSL_AD_DECODE_ERROR;
   1071 				return 0;
   1072 				}
   1073 			n2s(data,dsize);
   1074 			size -= 2;
   1075 			if (dsize > size  )
   1076 				{
   1077 				*al = SSL_AD_DECODE_ERROR;
   1078 				return 0;
   1079 				}
   1080 
   1081 			sdata = data;
   1082 			while (dsize > 3)
   1083 				{
   1084 	 			servname_type = *(sdata++);
   1085 				n2s(sdata,len);
   1086 				dsize -= 3;
   1087 
   1088 				if (len > dsize)
   1089 					{
   1090 					*al = SSL_AD_DECODE_ERROR;
   1091 					return 0;
   1092 					}
   1093 				if (s->servername_done == 0)
   1094 				switch (servname_type)
   1095 					{
   1096 				case TLSEXT_NAMETYPE_host_name:
   1097 					if (!s->hit)
   1098 						{
   1099 						if(s->session->tlsext_hostname)
   1100 							{
   1101 							*al = SSL_AD_DECODE_ERROR;
   1102 							return 0;
   1103 							}
   1104 						if (len > TLSEXT_MAXLEN_host_name)
   1105 							{
   1106 							*al = TLS1_AD_UNRECOGNIZED_NAME;
   1107 							return 0;
   1108 							}
   1109 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
   1110 							{
   1111 							*al = TLS1_AD_INTERNAL_ERROR;
   1112 							return 0;
   1113 							}
   1114 						memcpy(s->session->tlsext_hostname, sdata, len);
   1115 						s->session->tlsext_hostname[len]='\0';
   1116 						if (strlen(s->session->tlsext_hostname) != len) {
   1117 							OPENSSL_free(s->session->tlsext_hostname);
   1118 							s->session->tlsext_hostname = NULL;
   1119 							*al = TLS1_AD_UNRECOGNIZED_NAME;
   1120 							return 0;
   1121 						}
   1122 						s->servername_done = 1;
   1123 
   1124 						}
   1125 					else
   1126 						s->servername_done = s->session->tlsext_hostname
   1127 							&& strlen(s->session->tlsext_hostname) == len
   1128 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
   1129 
   1130 					break;
   1131 
   1132 				default:
   1133 					break;
   1134 					}
   1135 
   1136 				dsize -= len;
   1137 				}
   1138 			if (dsize != 0)
   1139 				{
   1140 				*al = SSL_AD_DECODE_ERROR;
   1141 				return 0;
   1142 				}
   1143 
   1144 			}
   1145 #ifndef OPENSSL_NO_SRP
   1146 		else if (type == TLSEXT_TYPE_srp)
   1147 			{
   1148 			if (size <= 0 || ((len = data[0])) != (size -1))
   1149 				{
   1150 				*al = SSL_AD_DECODE_ERROR;
   1151 				return 0;
   1152 				}
   1153 			if (s->srp_ctx.login != NULL)
   1154 				{
   1155 				*al = SSL_AD_DECODE_ERROR;
   1156 				return 0;
   1157 				}
   1158 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
   1159 				return -1;
   1160 			memcpy(s->srp_ctx.login, &data[1], len);
   1161 			s->srp_ctx.login[len]='\0';
   1162 
   1163 			if (strlen(s->srp_ctx.login) != len)
   1164 				{
   1165 				*al = SSL_AD_DECODE_ERROR;
   1166 				return 0;
   1167 				}
   1168 			}
   1169 #endif
   1170 
   1171 #ifndef OPENSSL_NO_EC
   1172 		else if (type == TLSEXT_TYPE_ec_point_formats &&
   1173 	             s->version != DTLS1_VERSION)
   1174 			{
   1175 			unsigned char *sdata = data;
   1176 			int ecpointformatlist_length = *(sdata++);
   1177 
   1178 			if (ecpointformatlist_length != size - 1)
   1179 				{
   1180 				*al = TLS1_AD_DECODE_ERROR;
   1181 				return 0;
   1182 				}
   1183 			if (!s->hit)
   1184 				{
   1185 				if(s->session->tlsext_ecpointformatlist)
   1186 					{
   1187 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
   1188 					s->session->tlsext_ecpointformatlist = NULL;
   1189 					}
   1190 				s->session->tlsext_ecpointformatlist_length = 0;
   1191 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
   1192 					{
   1193 					*al = TLS1_AD_INTERNAL_ERROR;
   1194 					return 0;
   1195 					}
   1196 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
   1197 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
   1198 				}
   1199 #if 0
   1200 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
   1201 			sdata = s->session->tlsext_ecpointformatlist;
   1202 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1203 				fprintf(stderr,"%i ",*(sdata++));
   1204 			fprintf(stderr,"\n");
   1205 #endif
   1206 			}
   1207 		else if (type == TLSEXT_TYPE_elliptic_curves &&
   1208 	             s->version != DTLS1_VERSION)
   1209 			{
   1210 			unsigned char *sdata = data;
   1211 			int ellipticcurvelist_length = (*(sdata++) << 8);
   1212 			ellipticcurvelist_length += (*(sdata++));
   1213 
   1214 			if (ellipticcurvelist_length != size - 2 ||
   1215 				ellipticcurvelist_length < 1)
   1216 				{
   1217 				*al = TLS1_AD_DECODE_ERROR;
   1218 				return 0;
   1219 				}
   1220 			if (!s->hit)
   1221 				{
   1222 				if(s->session->tlsext_ellipticcurvelist)
   1223 					{
   1224 					*al = TLS1_AD_DECODE_ERROR;
   1225 					return 0;
   1226 					}
   1227 				s->session->tlsext_ellipticcurvelist_length = 0;
   1228 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
   1229 					{
   1230 					*al = TLS1_AD_INTERNAL_ERROR;
   1231 					return 0;
   1232 					}
   1233 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
   1234 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
   1235 				}
   1236 #if 0
   1237 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
   1238 			sdata = s->session->tlsext_ellipticcurvelist;
   1239 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
   1240 				fprintf(stderr,"%i ",*(sdata++));
   1241 			fprintf(stderr,"\n");
   1242 #endif
   1243 			}
   1244 #endif /* OPENSSL_NO_EC */
   1245 #ifdef TLSEXT_TYPE_opaque_prf_input
   1246 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
   1247 	             s->version != DTLS1_VERSION)
   1248 			{
   1249 			unsigned char *sdata = data;
   1250 
   1251 			if (size < 2)
   1252 				{
   1253 				*al = SSL_AD_DECODE_ERROR;
   1254 				return 0;
   1255 				}
   1256 			n2s(sdata, s->s3->client_opaque_prf_input_len);
   1257 			if (s->s3->client_opaque_prf_input_len != size - 2)
   1258 				{
   1259 				*al = SSL_AD_DECODE_ERROR;
   1260 				return 0;
   1261 				}
   1262 
   1263 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
   1264 				OPENSSL_free(s->s3->client_opaque_prf_input);
   1265 			if (s->s3->client_opaque_prf_input_len == 0)
   1266 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1267 			else
   1268 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
   1269 			if (s->s3->client_opaque_prf_input == NULL)
   1270 				{
   1271 				*al = TLS1_AD_INTERNAL_ERROR;
   1272 				return 0;
   1273 				}
   1274 			}
   1275 #endif
   1276 		else if (type == TLSEXT_TYPE_session_ticket)
   1277 			{
   1278 			if (s->tls_session_ticket_ext_cb &&
   1279 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
   1280 				{
   1281 				*al = TLS1_AD_INTERNAL_ERROR;
   1282 				return 0;
   1283 				}
   1284 			}
   1285 		else if (type == TLSEXT_TYPE_renegotiate)
   1286 			{
   1287 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
   1288 				return 0;
   1289 			renegotiate_seen = 1;
   1290 			}
   1291 		else if (type == TLSEXT_TYPE_signature_algorithms)
   1292 			{
   1293 			int dsize;
   1294 			if (sigalg_seen || size < 2)
   1295 				{
   1296 				*al = SSL_AD_DECODE_ERROR;
   1297 				return 0;
   1298 				}
   1299 			sigalg_seen = 1;
   1300 			n2s(data,dsize);
   1301 			size -= 2;
   1302 			if (dsize != size || dsize & 1)
   1303 				{
   1304 				*al = SSL_AD_DECODE_ERROR;
   1305 				return 0;
   1306 				}
   1307 			tls1_process_sigalgs(s, data, dsize);
   1308 			}
   1309 		else if (type == TLSEXT_TYPE_status_request &&
   1310 		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
   1311 			{
   1312 
   1313 			if (size < 5)
   1314 				{
   1315 				*al = SSL_AD_DECODE_ERROR;
   1316 				return 0;
   1317 				}
   1318 
   1319 			s->tlsext_status_type = *data++;
   1320 			size--;
   1321 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
   1322 				{
   1323 				const unsigned char *sdata;
   1324 				int dsize;
   1325 				/* Read in responder_id_list */
   1326 				n2s(data,dsize);
   1327 				size -= 2;
   1328 				if (dsize > size  )
   1329 					{
   1330 					*al = SSL_AD_DECODE_ERROR;
   1331 					return 0;
   1332 					}
   1333 				while (dsize > 0)
   1334 					{
   1335 					OCSP_RESPID *id;
   1336 					int idsize;
   1337 					if (dsize < 4)
   1338 						{
   1339 						*al = SSL_AD_DECODE_ERROR;
   1340 						return 0;
   1341 						}
   1342 					n2s(data, idsize);
   1343 					dsize -= 2 + idsize;
   1344 					size -= 2 + idsize;
   1345 					if (dsize < 0)
   1346 						{
   1347 						*al = SSL_AD_DECODE_ERROR;
   1348 						return 0;
   1349 						}
   1350 					sdata = data;
   1351 					data += idsize;
   1352 					id = d2i_OCSP_RESPID(NULL,
   1353 								&sdata, idsize);
   1354 					if (!id)
   1355 						{
   1356 						*al = SSL_AD_DECODE_ERROR;
   1357 						return 0;
   1358 						}
   1359 					if (data != sdata)
   1360 						{
   1361 						OCSP_RESPID_free(id);
   1362 						*al = SSL_AD_DECODE_ERROR;
   1363 						return 0;
   1364 						}
   1365 					if (!s->tlsext_ocsp_ids
   1366 						&& !(s->tlsext_ocsp_ids =
   1367 						sk_OCSP_RESPID_new_null()))
   1368 						{
   1369 						OCSP_RESPID_free(id);
   1370 						*al = SSL_AD_INTERNAL_ERROR;
   1371 						return 0;
   1372 						}
   1373 					if (!sk_OCSP_RESPID_push(
   1374 							s->tlsext_ocsp_ids, id))
   1375 						{
   1376 						OCSP_RESPID_free(id);
   1377 						*al = SSL_AD_INTERNAL_ERROR;
   1378 						return 0;
   1379 						}
   1380 					}
   1381 
   1382 				/* Read in request_extensions */
   1383 				if (size < 2)
   1384 					{
   1385 					*al = SSL_AD_DECODE_ERROR;
   1386 					return 0;
   1387 					}
   1388 				n2s(data,dsize);
   1389 				size -= 2;
   1390 				if (dsize != size)
   1391 					{
   1392 					*al = SSL_AD_DECODE_ERROR;
   1393 					return 0;
   1394 					}
   1395 				sdata = data;
   1396 				if (dsize > 0)
   1397 					{
   1398 					if (s->tlsext_ocsp_exts)
   1399 						{
   1400 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
   1401 									   X509_EXTENSION_free);
   1402 						}
   1403 
   1404 					s->tlsext_ocsp_exts =
   1405 						d2i_X509_EXTENSIONS(NULL,
   1406 							&sdata, dsize);
   1407 					if (!s->tlsext_ocsp_exts
   1408 						|| (data + dsize != sdata))
   1409 						{
   1410 						*al = SSL_AD_DECODE_ERROR;
   1411 						return 0;
   1412 						}
   1413 					}
   1414 				}
   1415 				/* We don't know what to do with any other type
   1416  			 	* so ignore it.
   1417  			 	*/
   1418 				else
   1419 					s->tlsext_status_type = -1;
   1420 			}
   1421 #ifndef OPENSSL_NO_HEARTBEATS
   1422 		else if (type == TLSEXT_TYPE_heartbeat)
   1423 			{
   1424 			switch(data[0])
   1425 				{
   1426 				case 0x01:	/* Client allows us to send HB requests */
   1427 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1428 							break;
   1429 				case 0x02:	/* Client doesn't accept HB requests */
   1430 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1431 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
   1432 							break;
   1433 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
   1434 							return 0;
   1435 				}
   1436 			}
   1437 #endif
   1438 #ifndef OPENSSL_NO_NEXTPROTONEG
   1439 		else if (type == TLSEXT_TYPE_next_proto_neg &&
   1440 			 s->s3->tmp.finish_md_len == 0 &&
   1441 			 s->s3->alpn_selected == NULL)
   1442 			{
   1443 			/* We shouldn't accept this extension on a
   1444 			 * renegotiation.
   1445 			 *
   1446 			 * s->new_session will be set on renegotiation, but we
   1447 			 * probably shouldn't rely that it couldn't be set on
   1448 			 * the initial renegotation too in certain cases (when
   1449 			 * there's some other reason to disallow resuming an
   1450 			 * earlier session -- the current code won't be doing
   1451 			 * anything like that, but this might change).
   1452 
   1453 			 * A valid sign that there's been a previous handshake
   1454 			 * in this connection is if s->s3->tmp.finish_md_len >
   1455 			 * 0.  (We are talking about a check that will happen
   1456 			 * in the Hello protocol round, well before a new
   1457 			 * Finished message could have been computed.) */
   1458 			s->s3->next_proto_neg_seen = 1;
   1459 			}
   1460 #endif
   1461 
   1462 		else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
   1463 			s->s3->tlsext_channel_id_valid = 1;
   1464 
   1465 		else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
   1466 			 s->ctx->alpn_select_cb &&
   1467 			 s->s3->tmp.finish_md_len == 0)
   1468 			{
   1469 			if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
   1470 				return 0;
   1471 			/* ALPN takes precedence over NPN. */
   1472 			s->s3->next_proto_neg_seen = 0;
   1473 			}
   1474 
   1475 		/* session ticket processed earlier */
   1476 #ifndef OPENSSL_NO_SRTP
   1477 		else if (type == TLSEXT_TYPE_use_srtp)
   1478 			{
   1479 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
   1480 							      al))
   1481 				return 0;
   1482 			}
   1483 #endif
   1484 
   1485 		data+=size;
   1486 		}
   1487 
   1488 	*p = data;
   1489 
   1490 	ri_check:
   1491 
   1492 	/* Need RI if renegotiating */
   1493 
   1494 	if (!renegotiate_seen && s->renegotiate &&
   1495 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1496 		{
   1497 		*al = SSL_AD_HANDSHAKE_FAILURE;
   1498 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
   1499 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
   1500 		return 0;
   1501 		}
   1502 
   1503 	return 1;
   1504 	}
   1505 
   1506 #ifndef OPENSSL_NO_NEXTPROTONEG
   1507 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
   1508  * elements of zero length are allowed and the set of elements must exactly fill
   1509  * the length of the block. */
   1510 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
   1511 	{
   1512 	unsigned int off = 0;
   1513 
   1514 	while (off < len)
   1515 		{
   1516 		if (d[off] == 0)
   1517 			return 0;
   1518 		off += d[off];
   1519 		off++;
   1520 		}
   1521 
   1522 	return off == len;
   1523 	}
   1524 #endif
   1525 
   1526 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
   1527 	{
   1528 	unsigned short length;
   1529 	unsigned short type;
   1530 	unsigned short size;
   1531 	unsigned char *data = *p;
   1532 	int tlsext_servername = 0;
   1533 	int renegotiate_seen = 0;
   1534 
   1535 #ifndef OPENSSL_NO_NEXTPROTONEG
   1536 	s->s3->next_proto_neg_seen = 0;
   1537 #endif
   1538 
   1539 	if (s->s3->alpn_selected)
   1540 		{
   1541 		OPENSSL_free(s->s3->alpn_selected);
   1542 		s->s3->alpn_selected = NULL;
   1543 		}
   1544 
   1545 #ifndef OPENSSL_NO_HEARTBEATS
   1546 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
   1547 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
   1548 #endif
   1549 
   1550 	if (data >= (d+n-2))
   1551 		goto ri_check;
   1552 
   1553 	n2s(data,length);
   1554 	if (data+length != d+n)
   1555 		{
   1556 		*al = SSL_AD_DECODE_ERROR;
   1557 		return 0;
   1558 		}
   1559 
   1560 	while(data <= (d+n-4))
   1561 		{
   1562 		n2s(data,type);
   1563 		n2s(data,size);
   1564 
   1565 		if (data+size > (d+n))
   1566 	   		goto ri_check;
   1567 
   1568 		if (s->tlsext_debug_cb)
   1569 			s->tlsext_debug_cb(s, 1, type, data, size,
   1570 						s->tlsext_debug_arg);
   1571 
   1572 		if (type == TLSEXT_TYPE_server_name)
   1573 			{
   1574 			if (s->tlsext_hostname == NULL || size > 0)
   1575 				{
   1576 				*al = TLS1_AD_UNRECOGNIZED_NAME;
   1577 				return 0;
   1578 				}
   1579 			tlsext_servername = 1;
   1580 			}
   1581 
   1582 #ifndef OPENSSL_NO_EC
   1583 		else if (type == TLSEXT_TYPE_ec_point_formats &&
   1584 	             s->version != DTLS1_VERSION)
   1585 			{
   1586 			unsigned char *sdata = data;
   1587 			int ecpointformatlist_length = *(sdata++);
   1588 
   1589 			if (ecpointformatlist_length != size - 1 ||
   1590 				ecpointformatlist_length < 1)
   1591 				{
   1592 				*al = TLS1_AD_DECODE_ERROR;
   1593 				return 0;
   1594 				}
   1595 			s->session->tlsext_ecpointformatlist_length = 0;
   1596 			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
   1597 			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
   1598 				{
   1599 				*al = TLS1_AD_INTERNAL_ERROR;
   1600 				return 0;
   1601 				}
   1602 			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
   1603 			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
   1604 #if 0
   1605 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
   1606 			sdata = s->session->tlsext_ecpointformatlist;
   1607 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1608 				fprintf(stderr,"%i ",*(sdata++));
   1609 			fprintf(stderr,"\n");
   1610 #endif
   1611 			}
   1612 #endif /* OPENSSL_NO_EC */
   1613 
   1614 		else if (type == TLSEXT_TYPE_session_ticket)
   1615 			{
   1616 			if (s->tls_session_ticket_ext_cb &&
   1617 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
   1618 				{
   1619 				*al = TLS1_AD_INTERNAL_ERROR;
   1620 				return 0;
   1621 				}
   1622 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
   1623 				|| (size > 0))
   1624 				{
   1625 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1626 				return 0;
   1627 				}
   1628 			s->tlsext_ticket_expected = 1;
   1629 			}
   1630 #ifdef TLSEXT_TYPE_opaque_prf_input
   1631 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
   1632 	             s->version != DTLS1_VERSION)
   1633 			{
   1634 			unsigned char *sdata = data;
   1635 
   1636 			if (size < 2)
   1637 				{
   1638 				*al = SSL_AD_DECODE_ERROR;
   1639 				return 0;
   1640 				}
   1641 			n2s(sdata, s->s3->server_opaque_prf_input_len);
   1642 			if (s->s3->server_opaque_prf_input_len != size - 2)
   1643 				{
   1644 				*al = SSL_AD_DECODE_ERROR;
   1645 				return 0;
   1646 				}
   1647 
   1648 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
   1649 				OPENSSL_free(s->s3->server_opaque_prf_input);
   1650 			if (s->s3->server_opaque_prf_input_len == 0)
   1651 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1652 			else
   1653 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
   1654 
   1655 			if (s->s3->server_opaque_prf_input == NULL)
   1656 				{
   1657 				*al = TLS1_AD_INTERNAL_ERROR;
   1658 				return 0;
   1659 				}
   1660 			}
   1661 #endif
   1662 		else if (type == TLSEXT_TYPE_status_request &&
   1663 		         s->version != DTLS1_VERSION)
   1664 			{
   1665 			/* MUST be empty and only sent if we've requested
   1666 			 * a status request message.
   1667 			 */
   1668 			if ((s->tlsext_status_type == -1) || (size > 0))
   1669 				{
   1670 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1671 				return 0;
   1672 				}
   1673 			/* Set flag to expect CertificateStatus message */
   1674 			s->tlsext_status_expected = 1;
   1675 			}
   1676 #ifndef OPENSSL_NO_NEXTPROTONEG
   1677 		else if (type == TLSEXT_TYPE_next_proto_neg &&
   1678 			 s->s3->tmp.finish_md_len == 0)
   1679 			{
   1680 			unsigned char *selected;
   1681 			unsigned char selected_len;
   1682 
   1683 			/* We must have requested it. */
   1684 			if (s->ctx->next_proto_select_cb == NULL)
   1685 				{
   1686 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1687 				return 0;
   1688 				}
   1689 			/* The data must be valid */
   1690 			if (!ssl_next_proto_validate(data, size))
   1691 				{
   1692 				*al = TLS1_AD_DECODE_ERROR;
   1693 				return 0;
   1694 				}
   1695 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
   1696 				{
   1697 				*al = TLS1_AD_INTERNAL_ERROR;
   1698 				return 0;
   1699 				}
   1700 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
   1701 			if (!s->next_proto_negotiated)
   1702 				{
   1703 				*al = TLS1_AD_INTERNAL_ERROR;
   1704 				return 0;
   1705 				}
   1706 			memcpy(s->next_proto_negotiated, selected, selected_len);
   1707 			s->next_proto_negotiated_len = selected_len;
   1708 			s->s3->next_proto_neg_seen = 1;
   1709 			}
   1710 #endif
   1711 		else if (type == TLSEXT_TYPE_channel_id)
   1712 			s->s3->tlsext_channel_id_valid = 1;
   1713 
   1714 		else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
   1715 			{
   1716 			unsigned len;
   1717 
   1718 			/* We must have requested it. */
   1719 			if (s->alpn_client_proto_list == NULL)
   1720 				{
   1721 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1722 				return 0;
   1723 				}
   1724 			if (size < 4)
   1725 				{
   1726 				*al = TLS1_AD_DECODE_ERROR;
   1727 				return 0;
   1728 				}
   1729 			/* The extension data consists of:
   1730 			 *   uint16 list_length
   1731 			 *   uint8 proto_length;
   1732 			 *   uint8 proto[proto_length]; */
   1733 			len = data[0];
   1734 			len <<= 8;
   1735 			len |= data[1];
   1736 			if (len != (unsigned) size - 2)
   1737 				{
   1738 				*al = TLS1_AD_DECODE_ERROR;
   1739 				return 0;
   1740 				}
   1741 			len = data[2];
   1742 			if (len != (unsigned) size - 3)
   1743 				{
   1744 				*al = TLS1_AD_DECODE_ERROR;
   1745 				return 0;
   1746 				}
   1747 			if (s->s3->alpn_selected)
   1748 				OPENSSL_free(s->s3->alpn_selected);
   1749 			s->s3->alpn_selected = OPENSSL_malloc(len);
   1750 			if (!s->s3->alpn_selected)
   1751 				{
   1752 				*al = TLS1_AD_INTERNAL_ERROR;
   1753 				return 0;
   1754 				}
   1755 			memcpy(s->s3->alpn_selected, data + 3, len);
   1756 			s->s3->alpn_selected_len = len;
   1757 			}
   1758 
   1759 		else if (type == TLSEXT_TYPE_renegotiate)
   1760 			{
   1761 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
   1762 				return 0;
   1763 			renegotiate_seen = 1;
   1764 			}
   1765 #ifndef OPENSSL_NO_HEARTBEATS
   1766 		else if (type == TLSEXT_TYPE_heartbeat)
   1767 			{
   1768 			switch(data[0])
   1769 				{
   1770 				case 0x01:	/* Server allows us to send HB requests */
   1771 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1772 							break;
   1773 				case 0x02:	/* Server doesn't accept HB requests */
   1774 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1775 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
   1776 							break;
   1777 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
   1778 							return 0;
   1779 				}
   1780 			}
   1781 #endif
   1782 #ifndef OPENSSL_NO_SRTP
   1783 		else if (type == TLSEXT_TYPE_use_srtp)
   1784 			{
   1785                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
   1786 							      al))
   1787                                 return 0;
   1788 			}
   1789 #endif
   1790 
   1791 		data+=size;
   1792 		}
   1793 
   1794 	if (data != d+n)
   1795 		{
   1796 		*al = SSL_AD_DECODE_ERROR;
   1797 		return 0;
   1798 		}
   1799 
   1800 	if (!s->hit && tlsext_servername == 1)
   1801 		{
   1802  		if (s->tlsext_hostname)
   1803 			{
   1804 			if (s->session->tlsext_hostname == NULL)
   1805 				{
   1806 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
   1807 				if (!s->session->tlsext_hostname)
   1808 					{
   1809 					*al = SSL_AD_UNRECOGNIZED_NAME;
   1810 					return 0;
   1811 					}
   1812 				}
   1813 			else
   1814 				{
   1815 				*al = SSL_AD_DECODE_ERROR;
   1816 				return 0;
   1817 				}
   1818 			}
   1819 		}
   1820 
   1821 	*p = data;
   1822 
   1823 	ri_check:
   1824 
   1825 	/* Determine if we need to see RI. Strictly speaking if we want to
   1826 	 * avoid an attack we should *always* see RI even on initial server
   1827 	 * hello because the client doesn't see any renegotiation during an
   1828 	 * attack. However this would mean we could not connect to any server
   1829 	 * which doesn't support RI so for the immediate future tolerate RI
   1830 	 * absence on initial connect only.
   1831 	 */
   1832 	if (!renegotiate_seen
   1833 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
   1834 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1835 		{
   1836 		*al = SSL_AD_HANDSHAKE_FAILURE;
   1837 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
   1838 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
   1839 		return 0;
   1840 		}
   1841 
   1842 	return 1;
   1843 	}
   1844 
   1845 
   1846 int ssl_prepare_clienthello_tlsext(SSL *s)
   1847 	{
   1848 #ifndef OPENSSL_NO_EC
   1849 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
   1850 	 * and elliptic curves we support.
   1851 	 */
   1852 	int using_ecc = 0;
   1853 	int i;
   1854 	unsigned char *j;
   1855 	unsigned long alg_k, alg_a;
   1856 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
   1857 
   1858 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
   1859 		{
   1860 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
   1861 
   1862 		alg_k = c->algorithm_mkey;
   1863 		alg_a = c->algorithm_auth;
   1864 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
   1865 			{
   1866 			using_ecc = 1;
   1867 			break;
   1868 			}
   1869 		}
   1870 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
   1871 	if (using_ecc)
   1872 		{
   1873 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
   1874 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
   1875 			{
   1876 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1877 			return -1;
   1878 			}
   1879 		s->tlsext_ecpointformatlist_length = 3;
   1880 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
   1881 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
   1882 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
   1883 
   1884 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
   1885 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
   1886 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
   1887 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
   1888 			{
   1889 			s->tlsext_ellipticcurvelist_length = 0;
   1890 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1891 			return -1;
   1892 			}
   1893 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
   1894 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
   1895 			{
   1896 			int id = tls1_ec_nid2curve_id(pref_list[i]);
   1897 			s2n(id,j);
   1898 			}
   1899 		}
   1900 #endif /* OPENSSL_NO_EC */
   1901 
   1902 #ifdef TLSEXT_TYPE_opaque_prf_input
   1903  	{
   1904 		int r = 1;
   1905 
   1906 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
   1907 			{
   1908 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
   1909 			if (!r)
   1910 				return -1;
   1911 			}
   1912 
   1913 		if (s->tlsext_opaque_prf_input != NULL)
   1914 			{
   1915 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
   1916 				OPENSSL_free(s->s3->client_opaque_prf_input);
   1917 
   1918 			if (s->tlsext_opaque_prf_input_len == 0)
   1919 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1920 			else
   1921 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
   1922 			if (s->s3->client_opaque_prf_input == NULL)
   1923 				{
   1924 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1925 				return -1;
   1926 				}
   1927 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   1928 			}
   1929 
   1930 		if (r == 2)
   1931 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
   1932 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   1933 	}
   1934 #endif
   1935 
   1936 	return 1;
   1937 	}
   1938 
   1939 int ssl_prepare_serverhello_tlsext(SSL *s)
   1940 	{
   1941 #ifndef OPENSSL_NO_EC
   1942 	/* If we are server and using an ECC cipher suite, send the point formats we support
   1943 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
   1944 	 * supposed to send an EllipticCurves extension.
   1945 	 */
   1946 
   1947 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
   1948 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
   1949 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
   1950 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
   1951 
   1952 	if (using_ecc)
   1953 		{
   1954 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
   1955 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
   1956 			{
   1957 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   1958 			return -1;
   1959 			}
   1960 		s->tlsext_ecpointformatlist_length = 3;
   1961 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
   1962 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
   1963 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
   1964 		}
   1965 #endif /* OPENSSL_NO_EC */
   1966 
   1967 	return 1;
   1968 	}
   1969 
   1970 int ssl_check_clienthello_tlsext_early(SSL *s)
   1971 	{
   1972 	int ret=SSL_TLSEXT_ERR_NOACK;
   1973 	int al = SSL_AD_UNRECOGNIZED_NAME;
   1974 
   1975 #ifndef OPENSSL_NO_EC
   1976 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
   1977 	 * ssl3_choose_cipher in s3_lib.c.
   1978 	 */
   1979 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
   1980 	 * ssl3_choose_cipher in s3_lib.c.
   1981 	 */
   1982 #endif
   1983 
   1984 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
   1985 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
   1986 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
   1987 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
   1988 
   1989 #ifdef TLSEXT_TYPE_opaque_prf_input
   1990  	{
   1991 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
   1992 		 * but we might be sending an alert in response to the client hello,
   1993 		 * so this has to happen here in
   1994 		 * ssl_check_clienthello_tlsext_early(). */
   1995 
   1996 		int r = 1;
   1997 
   1998 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
   1999 			{
   2000 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
   2001 			if (!r)
   2002 				{
   2003 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2004 				al = SSL_AD_INTERNAL_ERROR;
   2005 				goto err;
   2006 				}
   2007 			}
   2008 
   2009 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
   2010 			OPENSSL_free(s->s3->server_opaque_prf_input);
   2011 		s->s3->server_opaque_prf_input = NULL;
   2012 
   2013 		if (s->tlsext_opaque_prf_input != NULL)
   2014 			{
   2015 			if (s->s3->client_opaque_prf_input != NULL &&
   2016 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
   2017 				{
   2018 				/* can only use this extension if we have a server opaque PRF input
   2019 				 * of the same length as the client opaque PRF input! */
   2020 
   2021 				if (s->tlsext_opaque_prf_input_len == 0)
   2022 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   2023 				else
   2024 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
   2025 				if (s->s3->server_opaque_prf_input == NULL)
   2026 					{
   2027 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2028 					al = SSL_AD_INTERNAL_ERROR;
   2029 					goto err;
   2030 					}
   2031 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   2032 				}
   2033 			}
   2034 
   2035 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
   2036 			{
   2037 			/* The callback wants to enforce use of the extension,
   2038 			 * but we can't do that with the client opaque PRF input;
   2039 			 * abort the handshake.
   2040 			 */
   2041 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2042 			al = SSL_AD_HANDSHAKE_FAILURE;
   2043 			}
   2044 	}
   2045 
   2046  err:
   2047 #endif
   2048 	switch (ret)
   2049 		{
   2050 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2051 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2052 			return -1;
   2053 
   2054 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2055 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2056 			return 1;
   2057 
   2058 		case SSL_TLSEXT_ERR_NOACK:
   2059 			s->servername_done=0;
   2060 			default:
   2061 		return 1;
   2062 		}
   2063 	}
   2064 
   2065 int ssl_check_clienthello_tlsext_late(SSL *s)
   2066 	{
   2067 	int ret = SSL_TLSEXT_ERR_OK;
   2068 	int al;
   2069 
   2070 	/* If status request then ask callback what to do.
   2071  	 * Note: this must be called after servername callbacks in case
   2072  	 * the certificate has changed, and must be called after the cipher
   2073 	 * has been chosen because this may influence which certificate is sent
   2074  	 */
   2075 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
   2076 		{
   2077 		int r;
   2078 		CERT_PKEY *certpkey;
   2079 		certpkey = ssl_get_server_send_pkey(s);
   2080 		/* If no certificate can't return certificate status */
   2081 		if (certpkey == NULL)
   2082 			{
   2083 			s->tlsext_status_expected = 0;
   2084 			return 1;
   2085 			}
   2086 		/* Set current certificate to one we will use so
   2087 		 * SSL_get_certificate et al can pick it up.
   2088 		 */
   2089 		s->cert->key = certpkey;
   2090 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
   2091 		switch (r)
   2092 			{
   2093 			/* We don't want to send a status request response */
   2094 			case SSL_TLSEXT_ERR_NOACK:
   2095 				s->tlsext_status_expected = 0;
   2096 				break;
   2097 			/* status request response should be sent */
   2098 			case SSL_TLSEXT_ERR_OK:
   2099 				if (s->tlsext_ocsp_resp)
   2100 					s->tlsext_status_expected = 1;
   2101 				else
   2102 					s->tlsext_status_expected = 0;
   2103 				break;
   2104 			/* something bad happened */
   2105 			case SSL_TLSEXT_ERR_ALERT_FATAL:
   2106 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2107 				al = SSL_AD_INTERNAL_ERROR;
   2108 				goto err;
   2109 			}
   2110 		}
   2111 	else
   2112 		s->tlsext_status_expected = 0;
   2113 
   2114  err:
   2115 	switch (ret)
   2116 		{
   2117 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2118 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2119 			return -1;
   2120 
   2121 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2122 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2123 			return 1;
   2124 
   2125 		default:
   2126 			return 1;
   2127 		}
   2128 	}
   2129 
   2130 int ssl_check_serverhello_tlsext(SSL *s)
   2131 	{
   2132 	int ret=SSL_TLSEXT_ERR_NOACK;
   2133 	int al = SSL_AD_UNRECOGNIZED_NAME;
   2134 
   2135 #ifndef OPENSSL_NO_EC
   2136 	/* If we are client and using an elliptic curve cryptography cipher
   2137 	 * suite, then if server returns an EC point formats lists extension
   2138 	 * it must contain uncompressed.
   2139 	 */
   2140 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
   2141 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
   2142 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
   2143 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
   2144 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
   2145 		{
   2146 		/* we are using an ECC cipher */
   2147 		size_t i;
   2148 		unsigned char *list;
   2149 		int found_uncompressed = 0;
   2150 		list = s->session->tlsext_ecpointformatlist;
   2151 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   2152 			{
   2153 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
   2154 				{
   2155 				found_uncompressed = 1;
   2156 				break;
   2157 				}
   2158 			}
   2159 		if (!found_uncompressed)
   2160 			{
   2161 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
   2162 			return -1;
   2163 			}
   2164 		}
   2165 	ret = SSL_TLSEXT_ERR_OK;
   2166 #endif /* OPENSSL_NO_EC */
   2167 
   2168 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
   2169 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
   2170 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
   2171 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
   2172 
   2173 #ifdef TLSEXT_TYPE_opaque_prf_input
   2174 	if (s->s3->server_opaque_prf_input_len > 0)
   2175 		{
   2176 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
   2177 		 * So first verify that we really have a value from the server too. */
   2178 
   2179 		if (s->s3->server_opaque_prf_input == NULL)
   2180 			{
   2181 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2182 			al = SSL_AD_HANDSHAKE_FAILURE;
   2183 			}
   2184 
   2185 		/* Anytime the server *has* sent an opaque PRF input, we need to check
   2186 		 * that we have a client opaque PRF input of the same size. */
   2187 		if (s->s3->client_opaque_prf_input == NULL ||
   2188 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
   2189 			{
   2190 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2191 			al = SSL_AD_ILLEGAL_PARAMETER;
   2192 			}
   2193 		}
   2194 #endif
   2195 
   2196 	/* If we've requested certificate status and we wont get one
   2197  	 * tell the callback
   2198  	 */
   2199 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
   2200 			&& s->ctx && s->ctx->tlsext_status_cb)
   2201 		{
   2202 		int r;
   2203 		/* Set resp to NULL, resplen to -1 so callback knows
   2204  		 * there is no response.
   2205  		 */
   2206 		if (s->tlsext_ocsp_resp)
   2207 			{
   2208 			OPENSSL_free(s->tlsext_ocsp_resp);
   2209 			s->tlsext_ocsp_resp = NULL;
   2210 			}
   2211 		s->tlsext_ocsp_resplen = -1;
   2212 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
   2213 		if (r == 0)
   2214 			{
   2215 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
   2216 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2217 			}
   2218 		if (r < 0)
   2219 			{
   2220 			al = SSL_AD_INTERNAL_ERROR;
   2221 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2222 			}
   2223 		}
   2224 
   2225 	switch (ret)
   2226 		{
   2227 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2228 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2229 			return -1;
   2230 
   2231 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2232 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2233 			return 1;
   2234 
   2235 		case SSL_TLSEXT_ERR_NOACK:
   2236 			s->servername_done=0;
   2237 			default:
   2238 		return 1;
   2239 		}
   2240 	}
   2241 
   2242 /* Since the server cache lookup is done early on in the processing of the
   2243  * ClientHello, and other operations depend on the result, we need to handle
   2244  * any TLS session ticket extension at the same time.
   2245  *
   2246  *   session_id: points at the session ID in the ClientHello. This code will
   2247  *       read past the end of this in order to parse out the session ticket
   2248  *       extension, if any.
   2249  *   len: the length of the session ID.
   2250  *   limit: a pointer to the first byte after the ClientHello.
   2251  *   ret: (output) on return, if a ticket was decrypted, then this is set to
   2252  *       point to the resulting session.
   2253  *
   2254  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
   2255  * ciphersuite, in which case we have no use for session tickets and one will
   2256  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
   2257  *
   2258  * Returns:
   2259  *   -1: fatal error, either from parsing or decrypting the ticket.
   2260  *    0: no ticket was found (or was ignored, based on settings).
   2261  *    1: a zero length extension was found, indicating that the client supports
   2262  *       session tickets but doesn't currently have one to offer.
   2263  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
   2264  *       couldn't be decrypted because of a non-fatal error.
   2265  *    3: a ticket was successfully decrypted and *ret was set.
   2266  *
   2267  * Side effects:
   2268  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
   2269  *   a new session ticket to the client because the client indicated support
   2270  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
   2271  *   a session ticket or we couldn't use the one it gave us, or if
   2272  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
   2273  *   Otherwise, s->tlsext_ticket_expected is set to 0.
   2274  */
   2275 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
   2276 			const unsigned char *limit, SSL_SESSION **ret)
   2277 	{
   2278 	/* Point after session ID in client hello */
   2279 	const unsigned char *p = session_id + len;
   2280 	unsigned short i;
   2281 
   2282 	*ret = NULL;
   2283 	s->tlsext_ticket_expected = 0;
   2284 
   2285 	/* If tickets disabled behave as if no ticket present
   2286 	 * to permit stateful resumption.
   2287 	 */
   2288 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
   2289 		return 0;
   2290 	if ((s->version <= SSL3_VERSION) || !limit)
   2291 		return 0;
   2292 	if (p >= limit)
   2293 		return -1;
   2294 	/* Skip past DTLS cookie */
   2295 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
   2296 		{
   2297 		i = *(p++);
   2298 		p+= i;
   2299 		if (p >= limit)
   2300 			return -1;
   2301 		}
   2302 	/* Skip past cipher list */
   2303 	n2s(p, i);
   2304 	p+= i;
   2305 	if (p >= limit)
   2306 		return -1;
   2307 	/* Skip past compression algorithm list */
   2308 	i = *(p++);
   2309 	p += i;
   2310 	if (p > limit)
   2311 		return -1;
   2312 	/* Now at start of extensions */
   2313 	if ((p + 2) >= limit)
   2314 		return 0;
   2315 	n2s(p, i);
   2316 	while ((p + 4) <= limit)
   2317 		{
   2318 		unsigned short type, size;
   2319 		n2s(p, type);
   2320 		n2s(p, size);
   2321 		if (p + size > limit)
   2322 			return 0;
   2323 		if (type == TLSEXT_TYPE_session_ticket)
   2324 			{
   2325 			int r;
   2326 			if (size == 0)
   2327 				{
   2328 				/* The client will accept a ticket but doesn't
   2329 				 * currently have one. */
   2330 				s->tlsext_ticket_expected = 1;
   2331 				return 1;
   2332 				}
   2333 			if (s->tls_session_secret_cb)
   2334 				{
   2335 				/* Indicate that the ticket couldn't be
   2336 				 * decrypted rather than generating the session
   2337 				 * from ticket now, trigger abbreviated
   2338 				 * handshake based on external mechanism to
   2339 				 * calculate the master secret later. */
   2340 				return 2;
   2341 				}
   2342 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
   2343 			switch (r)
   2344 				{
   2345 				case 2: /* ticket couldn't be decrypted */
   2346 					s->tlsext_ticket_expected = 1;
   2347 					return 2;
   2348 				case 3: /* ticket was decrypted */
   2349 					return r;
   2350 				case 4: /* ticket decrypted but need to renew */
   2351 					s->tlsext_ticket_expected = 1;
   2352 					return 3;
   2353 				default: /* fatal error */
   2354 					return -1;
   2355 				}
   2356 			}
   2357 		p += size;
   2358 		}
   2359 	return 0;
   2360 	}
   2361 
   2362 /* tls_decrypt_ticket attempts to decrypt a session ticket.
   2363  *
   2364  *   etick: points to the body of the session ticket extension.
   2365  *   eticklen: the length of the session tickets extenion.
   2366  *   sess_id: points at the session ID.
   2367  *   sesslen: the length of the session ID.
   2368  *   psess: (output) on return, if a ticket was decrypted, then this is set to
   2369  *       point to the resulting session.
   2370  *
   2371  * Returns:
   2372  *   -1: fatal error, either from parsing or decrypting the ticket.
   2373  *    2: the ticket couldn't be decrypted.
   2374  *    3: a ticket was successfully decrypted and *psess was set.
   2375  *    4: same as 3, but the ticket needs to be renewed.
   2376  */
   2377 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
   2378 				const unsigned char *sess_id, int sesslen,
   2379 				SSL_SESSION **psess)
   2380 	{
   2381 	SSL_SESSION *sess;
   2382 	unsigned char *sdec;
   2383 	const unsigned char *p;
   2384 	int slen, mlen, renew_ticket = 0;
   2385 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
   2386 	HMAC_CTX hctx;
   2387 	EVP_CIPHER_CTX ctx;
   2388 	SSL_CTX *tctx = s->initial_ctx;
   2389 	/* Need at least keyname + iv + some encrypted data */
   2390 	if (eticklen < 48)
   2391 		return 2;
   2392 	/* Initialize session ticket encryption and HMAC contexts */
   2393 	HMAC_CTX_init(&hctx);
   2394 	EVP_CIPHER_CTX_init(&ctx);
   2395 	if (tctx->tlsext_ticket_key_cb)
   2396 		{
   2397 		unsigned char *nctick = (unsigned char *)etick;
   2398 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
   2399 							&ctx, &hctx, 0);
   2400 		if (rv < 0)
   2401 			return -1;
   2402 		if (rv == 0)
   2403 			return 2;
   2404 		if (rv == 2)
   2405 			renew_ticket = 1;
   2406 		}
   2407 	else
   2408 		{
   2409 		/* Check key name matches */
   2410 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
   2411 			return 2;
   2412 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
   2413 					tlsext_tick_md(), NULL);
   2414 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
   2415 				tctx->tlsext_tick_aes_key, etick + 16);
   2416 		}
   2417 	/* Attempt to process session ticket, first conduct sanity and
   2418 	 * integrity checks on ticket.
   2419 	 */
   2420 	mlen = HMAC_size(&hctx);
   2421 	if (mlen < 0)
   2422 		{
   2423 		EVP_CIPHER_CTX_cleanup(&ctx);
   2424 		return -1;
   2425 		}
   2426 	eticklen -= mlen;
   2427 	/* Check HMAC of encrypted ticket */
   2428 	HMAC_Update(&hctx, etick, eticklen);
   2429 	HMAC_Final(&hctx, tick_hmac, NULL);
   2430 	HMAC_CTX_cleanup(&hctx);
   2431 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
   2432 		return 2;
   2433 	/* Attempt to decrypt session data */
   2434 	/* Move p after IV to start of encrypted ticket, update length */
   2435 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
   2436 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
   2437 	sdec = OPENSSL_malloc(eticklen);
   2438 	if (!sdec)
   2439 		{
   2440 		EVP_CIPHER_CTX_cleanup(&ctx);
   2441 		return -1;
   2442 		}
   2443 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
   2444 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
   2445 		return 2;
   2446 	slen += mlen;
   2447 	EVP_CIPHER_CTX_cleanup(&ctx);
   2448 	p = sdec;
   2449 
   2450 	sess = d2i_SSL_SESSION(NULL, &p, slen);
   2451 	OPENSSL_free(sdec);
   2452 	if (sess)
   2453 		{
   2454 		/* The session ID, if non-empty, is used by some clients to
   2455 		 * detect that the ticket has been accepted. So we copy it to
   2456 		 * the session structure. If it is empty set length to zero
   2457 		 * as required by standard.
   2458 		 */
   2459 		if (sesslen)
   2460 			memcpy(sess->session_id, sess_id, sesslen);
   2461 		sess->session_id_length = sesslen;
   2462 		*psess = sess;
   2463 		if (renew_ticket)
   2464 			return 4;
   2465 		else
   2466 			return 3;
   2467 		}
   2468         ERR_clear_error();
   2469 	/* For session parse failure, indicate that we need to send a new
   2470 	 * ticket. */
   2471 	return 2;
   2472 	}
   2473 
   2474 /* Tables to translate from NIDs to TLS v1.2 ids */
   2475 
   2476 typedef struct
   2477 	{
   2478 	int nid;
   2479 	int id;
   2480 	} tls12_lookup;
   2481 
   2482 static tls12_lookup tls12_md[] = {
   2483 #ifndef OPENSSL_NO_MD5
   2484 	{NID_md5, TLSEXT_hash_md5},
   2485 #endif
   2486 #ifndef OPENSSL_NO_SHA
   2487 	{NID_sha1, TLSEXT_hash_sha1},
   2488 #endif
   2489 #ifndef OPENSSL_NO_SHA256
   2490 	{NID_sha224, TLSEXT_hash_sha224},
   2491 	{NID_sha256, TLSEXT_hash_sha256},
   2492 #endif
   2493 #ifndef OPENSSL_NO_SHA512
   2494 	{NID_sha384, TLSEXT_hash_sha384},
   2495 	{NID_sha512, TLSEXT_hash_sha512}
   2496 #endif
   2497 };
   2498 
   2499 static tls12_lookup tls12_sig[] = {
   2500 #ifndef OPENSSL_NO_RSA
   2501 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
   2502 #endif
   2503 #ifndef OPENSSL_NO_DSA
   2504 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
   2505 #endif
   2506 #ifndef OPENSSL_NO_ECDSA
   2507 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
   2508 #endif
   2509 };
   2510 
   2511 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
   2512 	{
   2513 	size_t i;
   2514 	for (i = 0; i < tlen; i++)
   2515 		{
   2516 		if (table[i].nid == nid)
   2517 			return table[i].id;
   2518 		}
   2519 	return -1;
   2520 	}
   2521 
   2522 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
   2523 	{
   2524 	int sig_id, md_id;
   2525 	if (!md)
   2526 		return 0;
   2527 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
   2528 				sizeof(tls12_md)/sizeof(tls12_lookup));
   2529 	if (md_id == -1)
   2530 		return 0;
   2531 	sig_id = tls12_get_sigid(pk);
   2532 	if (sig_id == -1)
   2533 		return 0;
   2534 	p[0] = (unsigned char)md_id;
   2535 	p[1] = (unsigned char)sig_id;
   2536 	return 1;
   2537 	}
   2538 
   2539 /* tls12_get_sigid returns the TLS 1.2 SignatureAlgorithm value corresponding
   2540  * to the given public key, or -1 if not known. */
   2541 int tls12_get_sigid(const EVP_PKEY *pk)
   2542 	{
   2543 	return tls12_find_id(pk->type, tls12_sig,
   2544 				sizeof(tls12_sig)/sizeof(tls12_lookup));
   2545 	}
   2546 
   2547 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
   2548 	{
   2549 	switch(hash_alg)
   2550 		{
   2551 #ifndef OPENSSL_NO_MD5
   2552 		case TLSEXT_hash_md5:
   2553 #ifdef OPENSSL_FIPS
   2554 		if (FIPS_mode())
   2555 			return NULL;
   2556 #endif
   2557 		return EVP_md5();
   2558 #endif
   2559 #ifndef OPENSSL_NO_SHA
   2560 	case TLSEXT_hash_sha1:
   2561 		return EVP_sha1();
   2562 #endif
   2563 #ifndef OPENSSL_NO_SHA256
   2564 	case TLSEXT_hash_sha224:
   2565 		return EVP_sha224();
   2566 
   2567 	case TLSEXT_hash_sha256:
   2568 		return EVP_sha256();
   2569 #endif
   2570 #ifndef OPENSSL_NO_SHA512
   2571 	case TLSEXT_hash_sha384:
   2572 		return EVP_sha384();
   2573 
   2574 	case TLSEXT_hash_sha512:
   2575 		return EVP_sha512();
   2576 #endif
   2577 	default:
   2578 		return NULL;
   2579 
   2580 		}
   2581 	}
   2582 
   2583 /* tls1_process_sigalgs processes a signature_algorithms extension and sets the
   2584  * digest functions accordingly for each key type.
   2585  *
   2586  * See RFC 5246, section 7.4.1.4.1.
   2587  *
   2588  * data: points to the content of the extension, not including type and length
   2589  *     headers.
   2590  * dsize: the number of bytes of |data|. Must be even.
   2591  */
   2592 void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
   2593 	{
   2594 	int i;
   2595 	const EVP_MD *md, **digest_ptr;
   2596 	/* Extension ignored for TLS versions below 1.2 */
   2597 	if (TLS1_get_version(s) < TLS1_2_VERSION)
   2598 		return;
   2599 
   2600 	s->s3->digest_rsa = NULL;
   2601 	s->s3->digest_dsa = NULL;
   2602 	s->s3->digest_ecdsa = NULL;
   2603 
   2604 	for (i = 0; i < dsize; i += 2)
   2605 		{
   2606 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
   2607 
   2608 		switch(sig_alg)
   2609 			{
   2610 #ifndef OPENSSL_NO_RSA
   2611 			case TLSEXT_signature_rsa:
   2612 			digest_ptr = &s->s3->digest_rsa;
   2613 			break;
   2614 #endif
   2615 #ifndef OPENSSL_NO_DSA
   2616 			case TLSEXT_signature_dsa:
   2617 			digest_ptr = &s->s3->digest_dsa;
   2618 			break;
   2619 #endif
   2620 #ifndef OPENSSL_NO_ECDSA
   2621 			case TLSEXT_signature_ecdsa:
   2622 			digest_ptr = &s->s3->digest_ecdsa;
   2623 			break;
   2624 #endif
   2625 			default:
   2626 			continue;
   2627 			}
   2628 
   2629 		if (*digest_ptr == NULL)
   2630 			{
   2631 			md = tls12_get_hash(hash_alg);
   2632 			if (md)
   2633 				*digest_ptr = md;
   2634 			}
   2635 
   2636 		}
   2637 	}
   2638 
   2639 #endif
   2640 
   2641 #ifndef OPENSSL_NO_HEARTBEATS
   2642 int
   2643 tls1_process_heartbeat(SSL *s)
   2644 	{
   2645 	unsigned char *p = &s->s3->rrec.data[0], *pl;
   2646 	unsigned short hbtype;
   2647 	unsigned int payload;
   2648 	unsigned int padding = 16; /* Use minimum padding */
   2649 
   2650 	/* Read type and payload length first */
   2651 	hbtype = *p++;
   2652 	n2s(p, payload);
   2653 	pl = p;
   2654 
   2655 	if (s->msg_callback)
   2656 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
   2657 			&s->s3->rrec.data[0], s->s3->rrec.length,
   2658 			s, s->msg_callback_arg);
   2659 
   2660 	if (hbtype == TLS1_HB_REQUEST)
   2661 		{
   2662 		unsigned char *buffer, *bp;
   2663 		int r;
   2664 
   2665 		/* Allocate memory for the response, size is 1 bytes
   2666 		 * message type, plus 2 bytes payload length, plus
   2667 		 * payload, plus padding
   2668 		 */
   2669 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
   2670 		bp = buffer;
   2671 
   2672 		/* Enter response type, length and copy payload */
   2673 		*bp++ = TLS1_HB_RESPONSE;
   2674 		s2n(payload, bp);
   2675 		memcpy(bp, pl, payload);
   2676 		bp += payload;
   2677 		/* Random padding */
   2678 		RAND_pseudo_bytes(bp, padding);
   2679 
   2680 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
   2681 
   2682 		if (r >= 0 && s->msg_callback)
   2683 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
   2684 				buffer, 3 + payload + padding,
   2685 				s, s->msg_callback_arg);
   2686 
   2687 		OPENSSL_free(buffer);
   2688 
   2689 		if (r < 0)
   2690 			return r;
   2691 		}
   2692 	else if (hbtype == TLS1_HB_RESPONSE)
   2693 		{
   2694 		unsigned int seq;
   2695 
   2696 		/* We only send sequence numbers (2 bytes unsigned int),
   2697 		 * and 16 random bytes, so we just try to read the
   2698 		 * sequence number */
   2699 		n2s(pl, seq);
   2700 
   2701 		if (payload == 18 && seq == s->tlsext_hb_seq)
   2702 			{
   2703 			s->tlsext_hb_seq++;
   2704 			s->tlsext_hb_pending = 0;
   2705 			}
   2706 		}
   2707 
   2708 	return 0;
   2709 	}
   2710 
   2711 int
   2712 tls1_heartbeat(SSL *s)
   2713 	{
   2714 	unsigned char *buf, *p;
   2715 	int ret;
   2716 	unsigned int payload = 18; /* Sequence number + random bytes */
   2717 	unsigned int padding = 16; /* Use minimum padding */
   2718 
   2719 	/* Only send if peer supports and accepts HB requests... */
   2720 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
   2721 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
   2722 		{
   2723 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
   2724 		return -1;
   2725 		}
   2726 
   2727 	/* ...and there is none in flight yet... */
   2728 	if (s->tlsext_hb_pending)
   2729 		{
   2730 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
   2731 		return -1;
   2732 		}
   2733 
   2734 	/* ...and no handshake in progress. */
   2735 	if (SSL_in_init(s) || s->in_handshake)
   2736 		{
   2737 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
   2738 		return -1;
   2739 		}
   2740 
   2741 	/* Check if padding is too long, payload and padding
   2742 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
   2743 	 */
   2744 	OPENSSL_assert(payload + padding <= 16381);
   2745 
   2746 	/* Create HeartBeat message, we just use a sequence number
   2747 	 * as payload to distuingish different messages and add
   2748 	 * some random stuff.
   2749 	 *  - Message Type, 1 byte
   2750 	 *  - Payload Length, 2 bytes (unsigned int)
   2751 	 *  - Payload, the sequence number (2 bytes uint)
   2752 	 *  - Payload, random bytes (16 bytes uint)
   2753 	 *  - Padding
   2754 	 */
   2755 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
   2756 	p = buf;
   2757 	/* Message Type */
   2758 	*p++ = TLS1_HB_REQUEST;
   2759 	/* Payload length (18 bytes here) */
   2760 	s2n(payload, p);
   2761 	/* Sequence number */
   2762 	s2n(s->tlsext_hb_seq, p);
   2763 	/* 16 random bytes */
   2764 	RAND_pseudo_bytes(p, 16);
   2765 	p += 16;
   2766 	/* Random padding */
   2767 	RAND_pseudo_bytes(p, padding);
   2768 
   2769 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
   2770 	if (ret >= 0)
   2771 		{
   2772 		if (s->msg_callback)
   2773 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
   2774 				buf, 3 + payload + padding,
   2775 				s, s->msg_callback_arg);
   2776 
   2777 		s->tlsext_hb_pending = 1;
   2778 		}
   2779 
   2780 	OPENSSL_free(buf);
   2781 
   2782 	return ret;
   2783 	}
   2784 #endif
   2785 
   2786 #if !defined(OPENSSL_NO_TLSEXT)
   2787 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
   2788  * SSL connection and writes it to |md|.
   2789  */
   2790 int
   2791 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
   2792 	{
   2793 	EVP_MD_CTX ctx;
   2794 	unsigned char temp_digest[EVP_MAX_MD_SIZE];
   2795 	unsigned temp_digest_len;
   2796 	int i;
   2797 	static const char kClientIDMagic[] = "TLS Channel ID signature";
   2798 
   2799 	if (s->s3->handshake_buffer)
   2800 		if (!ssl3_digest_cached_records(s))
   2801 			return 0;
   2802 
   2803 	EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
   2804 
   2805 	EVP_MD_CTX_init(&ctx);
   2806 	for (i = 0; i < SSL_MAX_DIGEST; i++)
   2807 		{
   2808 		if (s->s3->handshake_dgst[i] == NULL)
   2809 			continue;
   2810 		EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
   2811 		EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
   2812 		EVP_DigestUpdate(md, temp_digest, temp_digest_len);
   2813 		}
   2814 	EVP_MD_CTX_cleanup(&ctx);
   2815 
   2816 	return 1;
   2817 	}
   2818 #endif
   2819