Home | History | Annotate | Download | only in ssl
      1 /* ssl/t1_lib.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #include <stdio.h>
    113 #include <openssl/objects.h>
    114 #include <openssl/evp.h>
    115 #include <openssl/hmac.h>
    116 #include <openssl/ocsp.h>
    117 #include <openssl/rand.h>
    118 #include "ssl_locl.h"
    119 
    120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
    121 
    122 #ifndef OPENSSL_NO_TLSEXT
    123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
    124 				const unsigned char *sess_id, int sesslen,
    125 				SSL_SESSION **psess);
    126 #endif
    127 
    128 SSL3_ENC_METHOD TLSv1_enc_data={
    129 	tls1_enc,
    130 	tls1_mac,
    131 	tls1_setup_key_block,
    132 	tls1_generate_master_secret,
    133 	tls1_change_cipher_state,
    134 	tls1_final_finish_mac,
    135 	TLS1_FINISH_MAC_LENGTH,
    136 	tls1_cert_verify_mac,
    137 	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
    138 	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
    139 	tls1_alert_code,
    140 	tls1_export_keying_material,
    141 	};
    142 
    143 long tls1_default_timeout(void)
    144 	{
    145 	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
    146 	 * is way too long for http, the cache would over fill */
    147 	return(60*60*2);
    148 	}
    149 
    150 int tls1_new(SSL *s)
    151 	{
    152 	if (!ssl3_new(s)) return(0);
    153 	s->method->ssl_clear(s);
    154 	return(1);
    155 	}
    156 
    157 void tls1_free(SSL *s)
    158 	{
    159 #ifndef OPENSSL_NO_TLSEXT
    160 	if (s->tlsext_session_ticket)
    161 		{
    162 		OPENSSL_free(s->tlsext_session_ticket);
    163 		}
    164 #endif /* OPENSSL_NO_TLSEXT */
    165 	ssl3_free(s);
    166 	}
    167 
    168 void tls1_clear(SSL *s)
    169 	{
    170 	ssl3_clear(s);
    171 	s->version = s->method->version;
    172 	}
    173 
    174 #ifndef OPENSSL_NO_EC
    175 
    176 static int nid_list[] =
    177 	{
    178 		NID_sect163k1, /* sect163k1 (1) */
    179 		NID_sect163r1, /* sect163r1 (2) */
    180 		NID_sect163r2, /* sect163r2 (3) */
    181 		NID_sect193r1, /* sect193r1 (4) */
    182 		NID_sect193r2, /* sect193r2 (5) */
    183 		NID_sect233k1, /* sect233k1 (6) */
    184 		NID_sect233r1, /* sect233r1 (7) */
    185 		NID_sect239k1, /* sect239k1 (8) */
    186 		NID_sect283k1, /* sect283k1 (9) */
    187 		NID_sect283r1, /* sect283r1 (10) */
    188 		NID_sect409k1, /* sect409k1 (11) */
    189 		NID_sect409r1, /* sect409r1 (12) */
    190 		NID_sect571k1, /* sect571k1 (13) */
    191 		NID_sect571r1, /* sect571r1 (14) */
    192 		NID_secp160k1, /* secp160k1 (15) */
    193 		NID_secp160r1, /* secp160r1 (16) */
    194 		NID_secp160r2, /* secp160r2 (17) */
    195 		NID_secp192k1, /* secp192k1 (18) */
    196 		NID_X9_62_prime192v1, /* secp192r1 (19) */
    197 		NID_secp224k1, /* secp224k1 (20) */
    198 		NID_secp224r1, /* secp224r1 (21) */
    199 		NID_secp256k1, /* secp256k1 (22) */
    200 		NID_X9_62_prime256v1, /* secp256r1 (23) */
    201 		NID_secp384r1, /* secp384r1 (24) */
    202 		NID_secp521r1  /* secp521r1 (25) */
    203 	};
    204 
    205 static int pref_list[] =
    206 	{
    207 		NID_sect571r1, /* sect571r1 (14) */
    208 		NID_sect571k1, /* sect571k1 (13) */
    209 		NID_secp521r1, /* secp521r1 (25) */
    210 		NID_sect409k1, /* sect409k1 (11) */
    211 		NID_sect409r1, /* sect409r1 (12) */
    212 		NID_secp384r1, /* secp384r1 (24) */
    213 		NID_sect283k1, /* sect283k1 (9) */
    214 		NID_sect283r1, /* sect283r1 (10) */
    215 		NID_secp256k1, /* secp256k1 (22) */
    216 		NID_X9_62_prime256v1, /* secp256r1 (23) */
    217 		NID_sect239k1, /* sect239k1 (8) */
    218 		NID_sect233k1, /* sect233k1 (6) */
    219 		NID_sect233r1, /* sect233r1 (7) */
    220 		NID_secp224k1, /* secp224k1 (20) */
    221 		NID_secp224r1, /* secp224r1 (21) */
    222 		NID_sect193r1, /* sect193r1 (4) */
    223 		NID_sect193r2, /* sect193r2 (5) */
    224 		NID_secp192k1, /* secp192k1 (18) */
    225 		NID_X9_62_prime192v1, /* secp192r1 (19) */
    226 		NID_sect163k1, /* sect163k1 (1) */
    227 		NID_sect163r1, /* sect163r1 (2) */
    228 		NID_sect163r2, /* sect163r2 (3) */
    229 		NID_secp160k1, /* secp160k1 (15) */
    230 		NID_secp160r1, /* secp160r1 (16) */
    231 		NID_secp160r2, /* secp160r2 (17) */
    232 	};
    233 
    234 int tls1_ec_curve_id2nid(int curve_id)
    235 	{
    236 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
    237 	if ((curve_id < 1) || ((unsigned int)curve_id >
    238 				sizeof(nid_list)/sizeof(nid_list[0])))
    239 		return 0;
    240 	return nid_list[curve_id-1];
    241 	}
    242 
    243 int tls1_ec_nid2curve_id(int nid)
    244 	{
    245 	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
    246 	switch (nid)
    247 		{
    248 	case NID_sect163k1: /* sect163k1 (1) */
    249 		return 1;
    250 	case NID_sect163r1: /* sect163r1 (2) */
    251 		return 2;
    252 	case NID_sect163r2: /* sect163r2 (3) */
    253 		return 3;
    254 	case NID_sect193r1: /* sect193r1 (4) */
    255 		return 4;
    256 	case NID_sect193r2: /* sect193r2 (5) */
    257 		return 5;
    258 	case NID_sect233k1: /* sect233k1 (6) */
    259 		return 6;
    260 	case NID_sect233r1: /* sect233r1 (7) */
    261 		return 7;
    262 	case NID_sect239k1: /* sect239k1 (8) */
    263 		return 8;
    264 	case NID_sect283k1: /* sect283k1 (9) */
    265 		return 9;
    266 	case NID_sect283r1: /* sect283r1 (10) */
    267 		return 10;
    268 	case NID_sect409k1: /* sect409k1 (11) */
    269 		return 11;
    270 	case NID_sect409r1: /* sect409r1 (12) */
    271 		return 12;
    272 	case NID_sect571k1: /* sect571k1 (13) */
    273 		return 13;
    274 	case NID_sect571r1: /* sect571r1 (14) */
    275 		return 14;
    276 	case NID_secp160k1: /* secp160k1 (15) */
    277 		return 15;
    278 	case NID_secp160r1: /* secp160r1 (16) */
    279 		return 16;
    280 	case NID_secp160r2: /* secp160r2 (17) */
    281 		return 17;
    282 	case NID_secp192k1: /* secp192k1 (18) */
    283 		return 18;
    284 	case NID_X9_62_prime192v1: /* secp192r1 (19) */
    285 		return 19;
    286 	case NID_secp224k1: /* secp224k1 (20) */
    287 		return 20;
    288 	case NID_secp224r1: /* secp224r1 (21) */
    289 		return 21;
    290 	case NID_secp256k1: /* secp256k1 (22) */
    291 		return 22;
    292 	case NID_X9_62_prime256v1: /* secp256r1 (23) */
    293 		return 23;
    294 	case NID_secp384r1: /* secp384r1 (24) */
    295 		return 24;
    296 	case NID_secp521r1:  /* secp521r1 (25) */
    297 		return 25;
    298 	default:
    299 		return 0;
    300 		}
    301 	}
    302 #endif /* OPENSSL_NO_EC */
    303 
    304 #ifndef OPENSSL_NO_TLSEXT
    305 
    306 /* List of supported signature algorithms and hashes. Should make this
    307  * customisable at some point, for now include everything we support.
    308  */
    309 
    310 #ifdef OPENSSL_NO_RSA
    311 #define tlsext_sigalg_rsa(md) /* */
    312 #else
    313 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
    314 #endif
    315 
    316 #ifdef OPENSSL_NO_DSA
    317 #define tlsext_sigalg_dsa(md) /* */
    318 #else
    319 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
    320 #endif
    321 
    322 #ifdef OPENSSL_NO_ECDSA
    323 #define tlsext_sigalg_ecdsa(md) /* */
    324 #else
    325 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
    326 #endif
    327 
    328 #define tlsext_sigalg(md) \
    329 		tlsext_sigalg_rsa(md) \
    330 		tlsext_sigalg_dsa(md) \
    331 		tlsext_sigalg_ecdsa(md)
    332 
    333 static unsigned char tls12_sigalgs[] = {
    334 #ifndef OPENSSL_NO_SHA512
    335 	tlsext_sigalg(TLSEXT_hash_sha512)
    336 	tlsext_sigalg(TLSEXT_hash_sha384)
    337 #endif
    338 #ifndef OPENSSL_NO_SHA256
    339 	tlsext_sigalg(TLSEXT_hash_sha256)
    340 	tlsext_sigalg(TLSEXT_hash_sha224)
    341 #endif
    342 #ifndef OPENSSL_NO_SHA
    343 	tlsext_sigalg(TLSEXT_hash_sha1)
    344 #endif
    345 };
    346 
    347 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
    348 	{
    349 	size_t slen = sizeof(tls12_sigalgs);
    350 	if (p)
    351 		memcpy(p, tls12_sigalgs, slen);
    352 	return (int)slen;
    353 	}
    354 
    355 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
    356 	{
    357 	int extdatalen=0;
    358 	unsigned char *orig = buf;
    359 	unsigned char *ret = buf;
    360 
    361 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
    362 	if (s->client_version == SSL3_VERSION
    363 					&& !s->s3->send_connection_binding)
    364 		return orig;
    365 
    366 	ret+=2;
    367 
    368 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
    369 
    370  	if (s->tlsext_hostname != NULL)
    371 		{
    372 		/* Add TLS extension servername to the Client Hello message */
    373 		unsigned long size_str;
    374 		long lenmax;
    375 
    376 		/* check for enough space.
    377 		   4 for the servername type and entension length
    378 		   2 for servernamelist length
    379 		   1 for the hostname type
    380 		   2 for hostname length
    381 		   + hostname length
    382 		*/
    383 
    384 		if ((lenmax = limit - ret - 9) < 0
    385 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
    386 			return NULL;
    387 
    388 		/* extension type and length */
    389 		s2n(TLSEXT_TYPE_server_name,ret);
    390 		s2n(size_str+5,ret);
    391 
    392 		/* length of servername list */
    393 		s2n(size_str+3,ret);
    394 
    395 		/* hostname type, length and hostname */
    396 		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
    397 		s2n(size_str,ret);
    398 		memcpy(ret, s->tlsext_hostname, size_str);
    399 		ret+=size_str;
    400 		}
    401 
    402         /* Add RI if renegotiating */
    403         if (s->renegotiate)
    404           {
    405           int el;
    406 
    407           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
    408               {
    409               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    410               return NULL;
    411               }
    412 
    413           if((limit - ret - 4 - el) < 0) return NULL;
    414 
    415           s2n(TLSEXT_TYPE_renegotiate,ret);
    416           s2n(el,ret);
    417 
    418           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
    419               {
    420               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    421               return NULL;
    422               }
    423 
    424           ret += el;
    425         }
    426 
    427 #ifndef OPENSSL_NO_SRP
    428 	/* Add SRP username if there is one */
    429 	if (s->srp_ctx.login != NULL)
    430 		{ /* Add TLS extension SRP username to the Client Hello message */
    431 
    432 		int login_len = strlen(s->srp_ctx.login);
    433 		if (login_len > 255 || login_len == 0)
    434 			{
    435 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    436 			return NULL;
    437 			}
    438 
    439 		/* check for enough space.
    440 		   4 for the srp type type and entension length
    441 		   1 for the srp user identity
    442 		   + srp user identity length
    443 		*/
    444 		if ((limit - ret - 5 - login_len) < 0) return NULL;
    445 
    446 		/* fill in the extension */
    447 		s2n(TLSEXT_TYPE_srp,ret);
    448 		s2n(login_len+1,ret);
    449 		(*ret++) = (unsigned char) login_len;
    450 		memcpy(ret, s->srp_ctx.login, login_len);
    451 		ret+=login_len;
    452 		}
    453 #endif
    454 
    455 #ifndef OPENSSL_NO_EC
    456 	if (s->tlsext_ecpointformatlist != NULL)
    457 		{
    458 		/* Add TLS extension ECPointFormats to the ClientHello message */
    459 		long lenmax;
    460 
    461 		if ((lenmax = limit - ret - 5) < 0) return NULL;
    462 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
    463 		if (s->tlsext_ecpointformatlist_length > 255)
    464 			{
    465 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    466 			return NULL;
    467 			}
    468 
    469 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
    470 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
    471 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
    472 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
    473 		ret+=s->tlsext_ecpointformatlist_length;
    474 		}
    475 	if (s->tlsext_ellipticcurvelist != NULL)
    476 		{
    477 		/* Add TLS extension EllipticCurves to the ClientHello message */
    478 		long lenmax;
    479 
    480 		if ((lenmax = limit - ret - 6) < 0) return NULL;
    481 		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
    482 		if (s->tlsext_ellipticcurvelist_length > 65532)
    483 			{
    484 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    485 			return NULL;
    486 			}
    487 
    488 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
    489 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
    490 
    491 		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
    492 		 * elliptic_curve_list, but the examples use two bytes.
    493 		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
    494 		 * resolves this to two bytes.
    495 		 */
    496 		s2n(s->tlsext_ellipticcurvelist_length, ret);
    497 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
    498 		ret+=s->tlsext_ellipticcurvelist_length;
    499 		}
    500 #endif /* OPENSSL_NO_EC */
    501 
    502 	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
    503 		{
    504 		int ticklen;
    505 		if (!s->new_session && s->session && s->session->tlsext_tick)
    506 			ticklen = s->session->tlsext_ticklen;
    507 		else if (s->session && s->tlsext_session_ticket &&
    508 			 s->tlsext_session_ticket->data)
    509 			{
    510 			ticklen = s->tlsext_session_ticket->length;
    511 			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
    512 			if (!s->session->tlsext_tick)
    513 				return NULL;
    514 			memcpy(s->session->tlsext_tick,
    515 			       s->tlsext_session_ticket->data,
    516 			       ticklen);
    517 			s->session->tlsext_ticklen = ticklen;
    518 			}
    519 		else
    520 			ticklen = 0;
    521 		if (ticklen == 0 && s->tlsext_session_ticket &&
    522 		    s->tlsext_session_ticket->data == NULL)
    523 			goto skip_ext;
    524 		/* Check for enough room 2 for extension type, 2 for len
    525  		 * rest for ticket
    526   		 */
    527 		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
    528 		s2n(TLSEXT_TYPE_session_ticket,ret);
    529 		s2n(ticklen,ret);
    530 		if (ticklen)
    531 			{
    532 			memcpy(ret, s->session->tlsext_tick, ticklen);
    533 			ret += ticklen;
    534 			}
    535 		}
    536 		skip_ext:
    537 
    538 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
    539 		{
    540 		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
    541 			return NULL;
    542 		s2n(TLSEXT_TYPE_signature_algorithms,ret);
    543 		s2n(sizeof(tls12_sigalgs) + 2, ret);
    544 		s2n(sizeof(tls12_sigalgs), ret);
    545 		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
    546 		ret += sizeof(tls12_sigalgs);
    547 		}
    548 
    549 #ifdef TLSEXT_TYPE_opaque_prf_input
    550 	if (s->s3->client_opaque_prf_input != NULL &&
    551 	    s->version != DTLS1_VERSION)
    552 		{
    553 		size_t col = s->s3->client_opaque_prf_input_len;
    554 
    555 		if ((long)(limit - ret - 6 - col < 0))
    556 			return NULL;
    557 		if (col > 0xFFFD) /* can't happen */
    558 			return NULL;
    559 
    560 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
    561 		s2n(col + 2, ret);
    562 		s2n(col, ret);
    563 		memcpy(ret, s->s3->client_opaque_prf_input, col);
    564 		ret += col;
    565 		}
    566 #endif
    567 
    568 	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
    569 	    s->version != DTLS1_VERSION)
    570 		{
    571 		int i;
    572 		long extlen, idlen, itmp;
    573 		OCSP_RESPID *id;
    574 
    575 		idlen = 0;
    576 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
    577 			{
    578 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    579 			itmp = i2d_OCSP_RESPID(id, NULL);
    580 			if (itmp <= 0)
    581 				return NULL;
    582 			idlen += itmp + 2;
    583 			}
    584 
    585 		if (s->tlsext_ocsp_exts)
    586 			{
    587 			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
    588 			if (extlen < 0)
    589 				return NULL;
    590 			}
    591 		else
    592 			extlen = 0;
    593 
    594 		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
    595 		s2n(TLSEXT_TYPE_status_request, ret);
    596 		if (extlen + idlen > 0xFFF0)
    597 			return NULL;
    598 		s2n(extlen + idlen + 5, ret);
    599 		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
    600 		s2n(idlen, ret);
    601 		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
    602 			{
    603 			/* save position of id len */
    604 			unsigned char *q = ret;
    605 			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    606 			/* skip over id len */
    607 			ret += 2;
    608 			itmp = i2d_OCSP_RESPID(id, &ret);
    609 			/* write id len */
    610 			s2n(itmp, q);
    611 			}
    612 		s2n(extlen, ret);
    613 		if (extlen > 0)
    614 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
    615 		}
    616 
    617 #ifndef OPENSSL_NO_HEARTBEATS
    618 	/* Add Heartbeat extension */
    619 	if ((limit - ret - 4 - 1) < 0)
    620 		return NULL;
    621 	s2n(TLSEXT_TYPE_heartbeat,ret);
    622 	s2n(1,ret);
    623 	/* Set mode:
    624 	 * 1: peer may send requests
    625 	 * 2: peer not allowed to send requests
    626 	 */
    627 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
    628 		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
    629 	else
    630 		*(ret++) = SSL_TLSEXT_HB_ENABLED;
    631 #endif
    632 
    633 #ifndef OPENSSL_NO_NEXTPROTONEG
    634 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
    635 		{
    636 		/* The client advertises an emtpy extension to indicate its
    637 		 * support for Next Protocol Negotiation */
    638 		if (limit - ret - 4 < 0)
    639 			return NULL;
    640 		s2n(TLSEXT_TYPE_next_proto_neg,ret);
    641 		s2n(0,ret);
    642 		}
    643 #endif
    644 
    645 	if (s->tlsext_channel_id_enabled)
    646 		{
    647 		/* The client advertises an emtpy extension to indicate its
    648 		 * support for Channel ID. */
    649 		if (limit - ret - 4 < 0)
    650 			return NULL;
    651 		if (s->ctx->tlsext_channel_id_enabled_new)
    652 			s2n(TLSEXT_TYPE_channel_id_new,ret);
    653 		else
    654 			s2n(TLSEXT_TYPE_channel_id,ret);
    655 		s2n(0,ret);
    656 		}
    657 
    658 	if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len)
    659 		{
    660 		if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
    661 			return NULL;
    662 		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
    663 		s2n(2 + s->alpn_client_proto_list_len,ret);
    664 		s2n(s->alpn_client_proto_list_len,ret);
    665 		memcpy(ret, s->alpn_client_proto_list,
    666 		       s->alpn_client_proto_list_len);
    667 		ret += s->alpn_client_proto_list_len;
    668 		}
    669 
    670 #ifndef OPENSSL_NO_SRTP
    671 	if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
    672                 {
    673                 int el;
    674 
    675                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
    676 
    677                 if((limit - ret - 4 - el) < 0) return NULL;
    678 
    679                 s2n(TLSEXT_TYPE_use_srtp,ret);
    680                 s2n(el,ret);
    681 
    682                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
    683 			{
    684 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    685 			return NULL;
    686 			}
    687                 ret += el;
    688                 }
    689 #endif
    690 	/* Add padding to workaround bugs in F5 terminators.
    691 	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
    692 	 *
    693 	 * NB: because this code works out the length of all existing
    694 	 * extensions it MUST always appear last.
    695 	 */
    696 	if (s->options & SSL_OP_TLSEXT_PADDING)
    697 		{
    698 		int hlen = ret - (unsigned char *)s->init_buf->data;
    699 		/* The code in s23_clnt.c to build ClientHello messages
    700 		 * includes the 5-byte record header in the buffer, while
    701 		 * the code in s3_clnt.c does not.
    702 		 */
    703 		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
    704 			hlen -= 5;
    705 		if (hlen > 0xff && hlen < 0x200)
    706 			{
    707 			hlen = 0x200 - hlen;
    708 			if (hlen >= 4)
    709 				hlen -= 4;
    710 			else
    711 				hlen = 0;
    712 
    713 			s2n(TLSEXT_TYPE_padding, ret);
    714 			s2n(hlen, ret);
    715 			memset(ret, 0, hlen);
    716 			ret += hlen;
    717 			}
    718 		}
    719 
    720 	if ((extdatalen = ret-orig-2)== 0)
    721 		return orig;
    722 
    723 	s2n(extdatalen, orig);
    724 	return ret;
    725 	}
    726 
    727 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
    728 	{
    729 	int extdatalen=0;
    730 	unsigned char *orig = buf;
    731 	unsigned char *ret = buf;
    732 #ifndef OPENSSL_NO_NEXTPROTONEG
    733 	int next_proto_neg_seen;
    734 #endif
    735 
    736 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
    737 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
    738 		return orig;
    739 
    740 	ret+=2;
    741 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
    742 
    743 	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
    744 		{
    745 		if ((long)(limit - ret - 4) < 0) return NULL;
    746 
    747 		s2n(TLSEXT_TYPE_server_name,ret);
    748 		s2n(0,ret);
    749 		}
    750 
    751 	if(s->s3->send_connection_binding)
    752         {
    753           int el;
    754 
    755           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
    756               {
    757               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    758               return NULL;
    759               }
    760 
    761           if((limit - ret - 4 - el) < 0) return NULL;
    762 
    763           s2n(TLSEXT_TYPE_renegotiate,ret);
    764           s2n(el,ret);
    765 
    766           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
    767               {
    768               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    769               return NULL;
    770               }
    771 
    772           ret += el;
    773         }
    774 
    775 #ifndef OPENSSL_NO_EC
    776 	if (s->tlsext_ecpointformatlist != NULL)
    777 		{
    778 		/* Add TLS extension ECPointFormats to the ServerHello message */
    779 		long lenmax;
    780 
    781 		if ((lenmax = limit - ret - 5) < 0) return NULL;
    782 		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
    783 		if (s->tlsext_ecpointformatlist_length > 255)
    784 			{
    785 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    786 			return NULL;
    787 			}
    788 
    789 		s2n(TLSEXT_TYPE_ec_point_formats,ret);
    790 		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
    791 		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
    792 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
    793 		ret+=s->tlsext_ecpointformatlist_length;
    794 
    795 		}
    796 	/* Currently the server should not respond with a SupportedCurves extension */
    797 #endif /* OPENSSL_NO_EC */
    798 
    799 	if (s->tlsext_ticket_expected
    800 		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
    801 		{
    802 		if ((long)(limit - ret - 4) < 0) return NULL;
    803 		s2n(TLSEXT_TYPE_session_ticket,ret);
    804 		s2n(0,ret);
    805 		}
    806 
    807 	if (s->tlsext_status_expected)
    808 		{
    809 		if ((long)(limit - ret - 4) < 0) return NULL;
    810 		s2n(TLSEXT_TYPE_status_request,ret);
    811 		s2n(0,ret);
    812 		}
    813 
    814 #ifdef TLSEXT_TYPE_opaque_prf_input
    815 	if (s->s3->server_opaque_prf_input != NULL &&
    816 	    s->version != DTLS1_VERSION)
    817 		{
    818 		size_t sol = s->s3->server_opaque_prf_input_len;
    819 
    820 		if ((long)(limit - ret - 6 - sol) < 0)
    821 			return NULL;
    822 		if (sol > 0xFFFD) /* can't happen */
    823 			return NULL;
    824 
    825 		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
    826 		s2n(sol + 2, ret);
    827 		s2n(sol, ret);
    828 		memcpy(ret, s->s3->server_opaque_prf_input, sol);
    829 		ret += sol;
    830 		}
    831 #endif
    832 
    833 #ifndef OPENSSL_NO_SRTP
    834 	if(SSL_IS_DTLS(s) && s->srtp_profile)
    835                 {
    836                 int el;
    837 
    838                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
    839 
    840                 if((limit - ret - 4 - el) < 0) return NULL;
    841 
    842                 s2n(TLSEXT_TYPE_use_srtp,ret);
    843                 s2n(el,ret);
    844 
    845                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
    846 			{
    847 			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    848 			return NULL;
    849 			}
    850                 ret+=el;
    851                 }
    852 #endif
    853 
    854 	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
    855 		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
    856 		{ const unsigned char cryptopro_ext[36] = {
    857 			0xfd, 0xe8, /*65000*/
    858 			0x00, 0x20, /*32 bytes length*/
    859 			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
    860 			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
    861 			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
    862 			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
    863 			if (limit-ret<36) return NULL;
    864 			memcpy(ret,cryptopro_ext,36);
    865 			ret+=36;
    866 
    867 		}
    868 
    869 #ifndef OPENSSL_NO_HEARTBEATS
    870 	/* Add Heartbeat extension if we've received one */
    871 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
    872 		{
    873 		if ((limit - ret - 4 - 1) < 0)
    874 			return NULL;
    875 		s2n(TLSEXT_TYPE_heartbeat,ret);
    876 		s2n(1,ret);
    877 		/* Set mode:
    878 		 * 1: peer may send requests
    879 		 * 2: peer not allowed to send requests
    880 		 */
    881 		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
    882 			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
    883 		else
    884 			*(ret++) = SSL_TLSEXT_HB_ENABLED;
    885 
    886 		}
    887 #endif
    888 
    889 #ifndef OPENSSL_NO_NEXTPROTONEG
    890 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
    891 	s->s3->next_proto_neg_seen = 0;
    892 	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
    893 		{
    894 		const unsigned char *npa;
    895 		unsigned int npalen;
    896 		int r;
    897 
    898 		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
    899 		if (r == SSL_TLSEXT_ERR_OK)
    900 			{
    901 			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
    902 			s2n(TLSEXT_TYPE_next_proto_neg,ret);
    903 			s2n(npalen,ret);
    904 			memcpy(ret, npa, npalen);
    905 			ret += npalen;
    906 			s->s3->next_proto_neg_seen = 1;
    907 			}
    908 		}
    909 #endif
    910 
    911 	/* If the client advertised support for Channel ID, and we have it
    912 	 * enabled, then we want to echo it back. */
    913 	if (s->s3->tlsext_channel_id_valid)
    914 		{
    915 		if (limit - ret - 4 < 0)
    916 			return NULL;
    917 		if (s->s3->tlsext_channel_id_new)
    918 			s2n(TLSEXT_TYPE_channel_id_new,ret);
    919 		else
    920 			s2n(TLSEXT_TYPE_channel_id,ret);
    921 		s2n(0,ret);
    922 		}
    923 
    924 	if (s->s3->alpn_selected)
    925 		{
    926 		const unsigned char *selected = s->s3->alpn_selected;
    927 		unsigned len = s->s3->alpn_selected_len;
    928 
    929 		if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
    930 			return NULL;
    931 		s2n(TLSEXT_TYPE_application_layer_protocol_negotiation,ret);
    932 		s2n(3 + len,ret);
    933 		s2n(1 + len,ret);
    934 		*ret++ = len;
    935 		memcpy(ret, selected, len);
    936 		ret += len;
    937 		}
    938 
    939 	if ((extdatalen = ret-orig-2)== 0)
    940 		return orig;
    941 
    942 	s2n(extdatalen, orig);
    943 	return ret;
    944 	}
    945 
    946 #ifndef OPENSSL_NO_EC
    947 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
    948  * SecureTransport using the TLS extension block in |d|, of length |n|.
    949  * Safari, since 10.6, sends exactly these extensions, in this order:
    950  *   SNI,
    951  *   elliptic_curves
    952  *   ec_point_formats
    953  *
    954  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
    955  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
    956  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
    957  * 10.8..10.8.3 (which don't work).
    958  */
    959 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
    960 	unsigned short type, size;
    961 	static const unsigned char kSafariExtensionsBlock[] = {
    962 		0x00, 0x0a,  /* elliptic_curves extension */
    963 		0x00, 0x08,  /* 8 bytes */
    964 		0x00, 0x06,  /* 6 bytes of curve ids */
    965 		0x00, 0x17,  /* P-256 */
    966 		0x00, 0x18,  /* P-384 */
    967 		0x00, 0x19,  /* P-521 */
    968 
    969 		0x00, 0x0b,  /* ec_point_formats */
    970 		0x00, 0x02,  /* 2 bytes */
    971 		0x01,        /* 1 point format */
    972 		0x00,        /* uncompressed */
    973 	};
    974 
    975 	/* The following is only present in TLS 1.2 */
    976 	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
    977 		0x00, 0x0d,  /* signature_algorithms */
    978 		0x00, 0x0c,  /* 12 bytes */
    979 		0x00, 0x0a,  /* 10 bytes */
    980 		0x05, 0x01,  /* SHA-384/RSA */
    981 		0x04, 0x01,  /* SHA-256/RSA */
    982 		0x02, 0x01,  /* SHA-1/RSA */
    983 		0x04, 0x03,  /* SHA-256/ECDSA */
    984 		0x02, 0x03,  /* SHA-1/ECDSA */
    985 	};
    986 
    987 	if (data >= (d+n-2))
    988 		return;
    989 	data += 2;
    990 
    991 	if (data > (d+n-4))
    992 		return;
    993 	n2s(data,type);
    994 	n2s(data,size);
    995 
    996 	if (type != TLSEXT_TYPE_server_name)
    997 		return;
    998 
    999 	if (data+size > d+n)
   1000 		return;
   1001 	data += size;
   1002 
   1003 	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
   1004 		{
   1005 		const size_t len1 = sizeof(kSafariExtensionsBlock);
   1006 		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
   1007 
   1008 		if (data + len1 + len2 != d+n)
   1009 			return;
   1010 		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
   1011 			return;
   1012 		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
   1013 			return;
   1014 		}
   1015 	else
   1016 		{
   1017 		const size_t len = sizeof(kSafariExtensionsBlock);
   1018 
   1019 		if (data + len != d+n)
   1020 			return;
   1021 		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
   1022 			return;
   1023 		}
   1024 
   1025 	s->s3->is_probably_safari = 1;
   1026 }
   1027 #endif /* !OPENSSL_NO_EC */
   1028 
   1029 /* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
   1030  * ClientHello.
   1031  *   data: the contents of the extension, not including the type and length.
   1032  *   data_len: the number of bytes in |data|
   1033  *   al: a pointer to the alert value to send in the event of a non-zero
   1034  *       return.
   1035  *
   1036  *   returns: 0 on success. */
   1037 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
   1038 					 unsigned data_len, int *al)
   1039 	{
   1040 	unsigned i;
   1041 	unsigned proto_len;
   1042 	const unsigned char *selected;
   1043 	unsigned char selected_len;
   1044 	int r;
   1045 
   1046 	if (s->ctx->alpn_select_cb == NULL)
   1047 		return 0;
   1048 
   1049 	if (data_len < 2)
   1050 		goto parse_error;
   1051 
   1052 	/* data should contain a uint16 length followed by a series of 8-bit,
   1053 	 * length-prefixed strings. */
   1054 	i = ((unsigned) data[0]) << 8 |
   1055 	    ((unsigned) data[1]);
   1056 	data_len -= 2;
   1057 	data += 2;
   1058 	if (data_len != i)
   1059 		goto parse_error;
   1060 
   1061 	if (data_len < 2)
   1062 		goto parse_error;
   1063 
   1064 	for (i = 0; i < data_len;)
   1065 		{
   1066 		proto_len = data[i];
   1067 		i++;
   1068 
   1069 		if (proto_len == 0)
   1070 			goto parse_error;
   1071 
   1072 		if (i + proto_len < i || i + proto_len > data_len)
   1073 			goto parse_error;
   1074 
   1075 		i += proto_len;
   1076 		}
   1077 
   1078 	r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
   1079 				   s->ctx->alpn_select_cb_arg);
   1080 	if (r == SSL_TLSEXT_ERR_OK) {
   1081 		if (s->s3->alpn_selected)
   1082 			OPENSSL_free(s->s3->alpn_selected);
   1083 		s->s3->alpn_selected = OPENSSL_malloc(selected_len);
   1084 		if (!s->s3->alpn_selected)
   1085 			{
   1086 			*al = SSL_AD_INTERNAL_ERROR;
   1087 			return -1;
   1088 			}
   1089 		memcpy(s->s3->alpn_selected, selected, selected_len);
   1090 		s->s3->alpn_selected_len = selected_len;
   1091 	}
   1092 	return 0;
   1093 
   1094 parse_error:
   1095 	*al = SSL_AD_DECODE_ERROR;
   1096 	return -1;
   1097 	}
   1098 
   1099 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
   1100 	{
   1101 	unsigned short type;
   1102 	unsigned short size;
   1103 	unsigned short len;
   1104 	unsigned char *data = *p;
   1105 	int renegotiate_seen = 0;
   1106 	int sigalg_seen = 0;
   1107 
   1108 	s->servername_done = 0;
   1109 	s->tlsext_status_type = -1;
   1110 
   1111 	/* Reset TLS 1.2 digest functions to defaults because they don't carry
   1112 	 * over to a renegotiation. */
   1113 	s->s3->digest_rsa = NULL;
   1114 	s->s3->digest_dsa = NULL;
   1115 	s->s3->digest_ecdsa = NULL;
   1116 
   1117 #ifndef OPENSSL_NO_NEXTPROTONEG
   1118 	s->s3->next_proto_neg_seen = 0;
   1119 #endif
   1120 
   1121 	if (s->s3->alpn_selected)
   1122 		{
   1123 		OPENSSL_free(s->s3->alpn_selected);
   1124 		s->s3->alpn_selected = NULL;
   1125 		}
   1126 
   1127 #ifndef OPENSSL_NO_HEARTBEATS
   1128 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
   1129 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
   1130 #endif
   1131 
   1132 #ifndef OPENSSL_NO_EC
   1133 	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
   1134 		ssl_check_for_safari(s, data, d, n);
   1135 #endif /* !OPENSSL_NO_EC */
   1136 
   1137 	if (data >= (d+n-2))
   1138 		goto ri_check;
   1139 	n2s(data,len);
   1140 
   1141 	if (data > (d+n-len))
   1142 		goto ri_check;
   1143 
   1144 	while (data <= (d+n-4))
   1145 		{
   1146 		n2s(data,type);
   1147 		n2s(data,size);
   1148 
   1149 		if (data+size > (d+n))
   1150 	   		goto ri_check;
   1151 #if 0
   1152 		fprintf(stderr,"Received extension type %d size %d\n",type,size);
   1153 #endif
   1154 		if (s->tlsext_debug_cb)
   1155 			s->tlsext_debug_cb(s, 0, type, data, size,
   1156 						s->tlsext_debug_arg);
   1157 /* The servername extension is treated as follows:
   1158 
   1159    - Only the hostname type is supported with a maximum length of 255.
   1160    - The servername is rejected if too long or if it contains zeros,
   1161      in which case an fatal alert is generated.
   1162    - The servername field is maintained together with the session cache.
   1163    - When a session is resumed, the servername call back invoked in order
   1164      to allow the application to position itself to the right context.
   1165    - The servername is acknowledged if it is new for a session or when
   1166      it is identical to a previously used for the same session.
   1167      Applications can control the behaviour.  They can at any time
   1168      set a 'desirable' servername for a new SSL object. This can be the
   1169      case for example with HTTPS when a Host: header field is received and
   1170      a renegotiation is requested. In this case, a possible servername
   1171      presented in the new client hello is only acknowledged if it matches
   1172      the value of the Host: field.
   1173    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
   1174      if they provide for changing an explicit servername context for the session,
   1175      i.e. when the session has been established with a servername extension.
   1176    - On session reconnect, the servername extension may be absent.
   1177 
   1178 */
   1179 
   1180 		if (type == TLSEXT_TYPE_server_name)
   1181 			{
   1182 			unsigned char *sdata;
   1183 			int servname_type;
   1184 			int dsize;
   1185 
   1186 			if (size < 2)
   1187 				{
   1188 				*al = SSL_AD_DECODE_ERROR;
   1189 				return 0;
   1190 				}
   1191 			n2s(data,dsize);
   1192 			size -= 2;
   1193 			if (dsize > size  )
   1194 				{
   1195 				*al = SSL_AD_DECODE_ERROR;
   1196 				return 0;
   1197 				}
   1198 
   1199 			sdata = data;
   1200 			while (dsize > 3)
   1201 				{
   1202 	 			servname_type = *(sdata++);
   1203 				n2s(sdata,len);
   1204 				dsize -= 3;
   1205 
   1206 				if (len > dsize)
   1207 					{
   1208 					*al = SSL_AD_DECODE_ERROR;
   1209 					return 0;
   1210 					}
   1211 				if (s->servername_done == 0)
   1212 				switch (servname_type)
   1213 					{
   1214 				case TLSEXT_NAMETYPE_host_name:
   1215 					if (!s->hit)
   1216 						{
   1217 						if(s->session->tlsext_hostname)
   1218 							{
   1219 							*al = SSL_AD_DECODE_ERROR;
   1220 							return 0;
   1221 							}
   1222 						if (len > TLSEXT_MAXLEN_host_name)
   1223 							{
   1224 							*al = TLS1_AD_UNRECOGNIZED_NAME;
   1225 							return 0;
   1226 							}
   1227 						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
   1228 							{
   1229 							*al = TLS1_AD_INTERNAL_ERROR;
   1230 							return 0;
   1231 							}
   1232 						memcpy(s->session->tlsext_hostname, sdata, len);
   1233 						s->session->tlsext_hostname[len]='\0';
   1234 						if (strlen(s->session->tlsext_hostname) != len) {
   1235 							OPENSSL_free(s->session->tlsext_hostname);
   1236 							s->session->tlsext_hostname = NULL;
   1237 							*al = TLS1_AD_UNRECOGNIZED_NAME;
   1238 							return 0;
   1239 						}
   1240 						s->servername_done = 1;
   1241 
   1242 						}
   1243 					else
   1244 						s->servername_done = s->session->tlsext_hostname
   1245 							&& strlen(s->session->tlsext_hostname) == len
   1246 							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
   1247 
   1248 					break;
   1249 
   1250 				default:
   1251 					break;
   1252 					}
   1253 
   1254 				dsize -= len;
   1255 				}
   1256 			if (dsize != 0)
   1257 				{
   1258 				*al = SSL_AD_DECODE_ERROR;
   1259 				return 0;
   1260 				}
   1261 
   1262 			}
   1263 #ifndef OPENSSL_NO_SRP
   1264 		else if (type == TLSEXT_TYPE_srp)
   1265 			{
   1266 			if (size <= 0 || ((len = data[0])) != (size -1))
   1267 				{
   1268 				*al = SSL_AD_DECODE_ERROR;
   1269 				return 0;
   1270 				}
   1271 			if (s->srp_ctx.login != NULL)
   1272 				{
   1273 				*al = SSL_AD_DECODE_ERROR;
   1274 				return 0;
   1275 				}
   1276 			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
   1277 				return -1;
   1278 			memcpy(s->srp_ctx.login, &data[1], len);
   1279 			s->srp_ctx.login[len]='\0';
   1280 
   1281 			if (strlen(s->srp_ctx.login) != len)
   1282 				{
   1283 				*al = SSL_AD_DECODE_ERROR;
   1284 				return 0;
   1285 				}
   1286 			}
   1287 #endif
   1288 
   1289 #ifndef OPENSSL_NO_EC
   1290 		else if (type == TLSEXT_TYPE_ec_point_formats)
   1291 			{
   1292 			unsigned char *sdata = data;
   1293 			int ecpointformatlist_length = *(sdata++);
   1294 
   1295 			if (ecpointformatlist_length != size - 1)
   1296 				{
   1297 				*al = TLS1_AD_DECODE_ERROR;
   1298 				return 0;
   1299 				}
   1300 			if (!s->hit)
   1301 				{
   1302 				if(s->session->tlsext_ecpointformatlist)
   1303 					{
   1304 					OPENSSL_free(s->session->tlsext_ecpointformatlist);
   1305 					s->session->tlsext_ecpointformatlist = NULL;
   1306 					}
   1307 				s->session->tlsext_ecpointformatlist_length = 0;
   1308 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
   1309 					{
   1310 					*al = TLS1_AD_INTERNAL_ERROR;
   1311 					return 0;
   1312 					}
   1313 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
   1314 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
   1315 				}
   1316 #if 0
   1317 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
   1318 			sdata = s->session->tlsext_ecpointformatlist;
   1319 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1320 				fprintf(stderr,"%i ",*(sdata++));
   1321 			fprintf(stderr,"\n");
   1322 #endif
   1323 			}
   1324 		else if (type == TLSEXT_TYPE_elliptic_curves)
   1325 			{
   1326 			unsigned char *sdata = data;
   1327 			int ellipticcurvelist_length = (*(sdata++) << 8);
   1328 			ellipticcurvelist_length += (*(sdata++));
   1329 
   1330 			if (ellipticcurvelist_length != size - 2 ||
   1331 				ellipticcurvelist_length < 1)
   1332 				{
   1333 				*al = TLS1_AD_DECODE_ERROR;
   1334 				return 0;
   1335 				}
   1336 			if (!s->hit)
   1337 				{
   1338 				if(s->session->tlsext_ellipticcurvelist)
   1339 					{
   1340 					*al = TLS1_AD_DECODE_ERROR;
   1341 					return 0;
   1342 					}
   1343 				s->session->tlsext_ellipticcurvelist_length = 0;
   1344 				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
   1345 					{
   1346 					*al = TLS1_AD_INTERNAL_ERROR;
   1347 					return 0;
   1348 					}
   1349 				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
   1350 				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
   1351 				}
   1352 #if 0
   1353 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
   1354 			sdata = s->session->tlsext_ellipticcurvelist;
   1355 			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
   1356 				fprintf(stderr,"%i ",*(sdata++));
   1357 			fprintf(stderr,"\n");
   1358 #endif
   1359 			}
   1360 #endif /* OPENSSL_NO_EC */
   1361 #ifdef TLSEXT_TYPE_opaque_prf_input
   1362 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
   1363 	             s->version != DTLS1_VERSION)
   1364 			{
   1365 			unsigned char *sdata = data;
   1366 
   1367 			if (size < 2)
   1368 				{
   1369 				*al = SSL_AD_DECODE_ERROR;
   1370 				return 0;
   1371 				}
   1372 			n2s(sdata, s->s3->client_opaque_prf_input_len);
   1373 			if (s->s3->client_opaque_prf_input_len != size - 2)
   1374 				{
   1375 				*al = SSL_AD_DECODE_ERROR;
   1376 				return 0;
   1377 				}
   1378 
   1379 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
   1380 				OPENSSL_free(s->s3->client_opaque_prf_input);
   1381 			if (s->s3->client_opaque_prf_input_len == 0)
   1382 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1383 			else
   1384 				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
   1385 			if (s->s3->client_opaque_prf_input == NULL)
   1386 				{
   1387 				*al = TLS1_AD_INTERNAL_ERROR;
   1388 				return 0;
   1389 				}
   1390 			}
   1391 #endif
   1392 		else if (type == TLSEXT_TYPE_session_ticket)
   1393 			{
   1394 			if (s->tls_session_ticket_ext_cb &&
   1395 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
   1396 				{
   1397 				*al = TLS1_AD_INTERNAL_ERROR;
   1398 				return 0;
   1399 				}
   1400 			}
   1401 		else if (type == TLSEXT_TYPE_renegotiate)
   1402 			{
   1403 			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
   1404 				return 0;
   1405 			renegotiate_seen = 1;
   1406 			}
   1407 		else if (type == TLSEXT_TYPE_signature_algorithms)
   1408 			{
   1409 			int dsize;
   1410 			if (sigalg_seen || size < 2)
   1411 				{
   1412 				*al = SSL_AD_DECODE_ERROR;
   1413 				return 0;
   1414 				}
   1415 			sigalg_seen = 1;
   1416 			n2s(data,dsize);
   1417 			size -= 2;
   1418 			if (dsize != size || dsize & 1)
   1419 				{
   1420 				*al = SSL_AD_DECODE_ERROR;
   1421 				return 0;
   1422 				}
   1423 			tls1_process_sigalgs(s, data, dsize);
   1424 			}
   1425 		else if (type == TLSEXT_TYPE_status_request &&
   1426 		         s->version != DTLS1_VERSION)
   1427 			{
   1428 
   1429 			if (size < 5)
   1430 				{
   1431 				*al = SSL_AD_DECODE_ERROR;
   1432 				return 0;
   1433 				}
   1434 
   1435 			s->tlsext_status_type = *data++;
   1436 			size--;
   1437 			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
   1438 				{
   1439 				const unsigned char *sdata;
   1440 				int dsize;
   1441 				/* Read in responder_id_list */
   1442 				n2s(data,dsize);
   1443 				size -= 2;
   1444 				if (dsize > size  )
   1445 					{
   1446 					*al = SSL_AD_DECODE_ERROR;
   1447 					return 0;
   1448 					}
   1449 				while (dsize > 0)
   1450 					{
   1451 					OCSP_RESPID *id;
   1452 					int idsize;
   1453 					if (dsize < 4)
   1454 						{
   1455 						*al = SSL_AD_DECODE_ERROR;
   1456 						return 0;
   1457 						}
   1458 					n2s(data, idsize);
   1459 					dsize -= 2 + idsize;
   1460 					size -= 2 + idsize;
   1461 					if (dsize < 0)
   1462 						{
   1463 						*al = SSL_AD_DECODE_ERROR;
   1464 						return 0;
   1465 						}
   1466 					sdata = data;
   1467 					data += idsize;
   1468 					id = d2i_OCSP_RESPID(NULL,
   1469 								&sdata, idsize);
   1470 					if (!id)
   1471 						{
   1472 						*al = SSL_AD_DECODE_ERROR;
   1473 						return 0;
   1474 						}
   1475 					if (data != sdata)
   1476 						{
   1477 						OCSP_RESPID_free(id);
   1478 						*al = SSL_AD_DECODE_ERROR;
   1479 						return 0;
   1480 						}
   1481 					if (!s->tlsext_ocsp_ids
   1482 						&& !(s->tlsext_ocsp_ids =
   1483 						sk_OCSP_RESPID_new_null()))
   1484 						{
   1485 						OCSP_RESPID_free(id);
   1486 						*al = SSL_AD_INTERNAL_ERROR;
   1487 						return 0;
   1488 						}
   1489 					if (!sk_OCSP_RESPID_push(
   1490 							s->tlsext_ocsp_ids, id))
   1491 						{
   1492 						OCSP_RESPID_free(id);
   1493 						*al = SSL_AD_INTERNAL_ERROR;
   1494 						return 0;
   1495 						}
   1496 					}
   1497 
   1498 				/* Read in request_extensions */
   1499 				if (size < 2)
   1500 					{
   1501 					*al = SSL_AD_DECODE_ERROR;
   1502 					return 0;
   1503 					}
   1504 				n2s(data,dsize);
   1505 				size -= 2;
   1506 				if (dsize != size)
   1507 					{
   1508 					*al = SSL_AD_DECODE_ERROR;
   1509 					return 0;
   1510 					}
   1511 				sdata = data;
   1512 				if (dsize > 0)
   1513 					{
   1514 					if (s->tlsext_ocsp_exts)
   1515 						{
   1516 						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
   1517 									   X509_EXTENSION_free);
   1518 						}
   1519 
   1520 					s->tlsext_ocsp_exts =
   1521 						d2i_X509_EXTENSIONS(NULL,
   1522 							&sdata, dsize);
   1523 					if (!s->tlsext_ocsp_exts
   1524 						|| (data + dsize != sdata))
   1525 						{
   1526 						*al = SSL_AD_DECODE_ERROR;
   1527 						return 0;
   1528 						}
   1529 					}
   1530 				}
   1531 				/* We don't know what to do with any other type
   1532  			 	* so ignore it.
   1533  			 	*/
   1534 				else
   1535 					s->tlsext_status_type = -1;
   1536 			}
   1537 #ifndef OPENSSL_NO_HEARTBEATS
   1538 		else if (type == TLSEXT_TYPE_heartbeat)
   1539 			{
   1540 			switch(data[0])
   1541 				{
   1542 				case 0x01:	/* Client allows us to send HB requests */
   1543 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1544 							break;
   1545 				case 0x02:	/* Client doesn't accept HB requests */
   1546 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1547 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
   1548 							break;
   1549 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
   1550 							return 0;
   1551 				}
   1552 			}
   1553 #endif
   1554 #ifndef OPENSSL_NO_NEXTPROTONEG
   1555 		else if (type == TLSEXT_TYPE_next_proto_neg &&
   1556 			 s->s3->tmp.finish_md_len == 0 &&
   1557 			 s->s3->alpn_selected == NULL)
   1558 			{
   1559 			/* We shouldn't accept this extension on a
   1560 			 * renegotiation.
   1561 			 *
   1562 			 * s->new_session will be set on renegotiation, but we
   1563 			 * probably shouldn't rely that it couldn't be set on
   1564 			 * the initial renegotation too in certain cases (when
   1565 			 * there's some other reason to disallow resuming an
   1566 			 * earlier session -- the current code won't be doing
   1567 			 * anything like that, but this might change).
   1568 
   1569 			 * A valid sign that there's been a previous handshake
   1570 			 * in this connection is if s->s3->tmp.finish_md_len >
   1571 			 * 0.  (We are talking about a check that will happen
   1572 			 * in the Hello protocol round, well before a new
   1573 			 * Finished message could have been computed.) */
   1574 			s->s3->next_proto_neg_seen = 1;
   1575 			}
   1576 #endif
   1577 
   1578 		else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
   1579 			s->s3->tlsext_channel_id_valid = 1;
   1580 
   1581 		else if (type == TLSEXT_TYPE_channel_id_new &&
   1582 			 s->tlsext_channel_id_enabled)
   1583 			{
   1584 			s->s3->tlsext_channel_id_valid = 1;
   1585 			s->s3->tlsext_channel_id_new = 1;
   1586 			}
   1587 
   1588 		else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
   1589 			 s->ctx->alpn_select_cb &&
   1590 			 s->s3->tmp.finish_md_len == 0)
   1591 			{
   1592 			if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
   1593 				return 0;
   1594 			/* ALPN takes precedence over NPN. */
   1595 			s->s3->next_proto_neg_seen = 0;
   1596 			}
   1597 
   1598 		/* session ticket processed earlier */
   1599 #ifndef OPENSSL_NO_SRTP
   1600 		else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
   1601 			 && type == TLSEXT_TYPE_use_srtp)
   1602 			{
   1603 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
   1604 							      al))
   1605 				return 0;
   1606 			}
   1607 #endif
   1608 
   1609 		data+=size;
   1610 		}
   1611 
   1612 	*p = data;
   1613 
   1614 	ri_check:
   1615 
   1616 	/* Need RI if renegotiating */
   1617 
   1618 	if (!renegotiate_seen && s->renegotiate &&
   1619 		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1620 		{
   1621 		*al = SSL_AD_HANDSHAKE_FAILURE;
   1622 	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
   1623 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
   1624 		return 0;
   1625 		}
   1626 
   1627 	return 1;
   1628 	}
   1629 
   1630 #ifndef OPENSSL_NO_NEXTPROTONEG
   1631 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
   1632  * elements of zero length are allowed and the set of elements must exactly fill
   1633  * the length of the block. */
   1634 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
   1635 	{
   1636 	unsigned int off = 0;
   1637 
   1638 	while (off < len)
   1639 		{
   1640 		if (d[off] == 0)
   1641 			return 0;
   1642 		off += d[off];
   1643 		off++;
   1644 		}
   1645 
   1646 	return off == len;
   1647 	}
   1648 #endif
   1649 
   1650 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
   1651 	{
   1652 	unsigned short length;
   1653 	unsigned short type;
   1654 	unsigned short size;
   1655 	unsigned char *data = *p;
   1656 	int tlsext_servername = 0;
   1657 	int renegotiate_seen = 0;
   1658 
   1659 #ifndef OPENSSL_NO_NEXTPROTONEG
   1660 	s->s3->next_proto_neg_seen = 0;
   1661 #endif
   1662 
   1663 	if (s->s3->alpn_selected)
   1664 		{
   1665 		OPENSSL_free(s->s3->alpn_selected);
   1666 		s->s3->alpn_selected = NULL;
   1667 		}
   1668 
   1669 #ifndef OPENSSL_NO_HEARTBEATS
   1670 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
   1671 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
   1672 #endif
   1673 
   1674 	if (data >= (d+n-2))
   1675 		goto ri_check;
   1676 
   1677 	n2s(data,length);
   1678 	if (data+length != d+n)
   1679 		{
   1680 		*al = SSL_AD_DECODE_ERROR;
   1681 		return 0;
   1682 		}
   1683 
   1684 	while(data <= (d+n-4))
   1685 		{
   1686 		n2s(data,type);
   1687 		n2s(data,size);
   1688 
   1689 		if (data+size > (d+n))
   1690 	   		goto ri_check;
   1691 
   1692 		if (s->tlsext_debug_cb)
   1693 			s->tlsext_debug_cb(s, 1, type, data, size,
   1694 						s->tlsext_debug_arg);
   1695 
   1696 		if (type == TLSEXT_TYPE_server_name)
   1697 			{
   1698 			if (s->tlsext_hostname == NULL || size > 0)
   1699 				{
   1700 				*al = TLS1_AD_UNRECOGNIZED_NAME;
   1701 				return 0;
   1702 				}
   1703 			tlsext_servername = 1;
   1704 			}
   1705 
   1706 #ifndef OPENSSL_NO_EC
   1707 		else if (type == TLSEXT_TYPE_ec_point_formats)
   1708 			{
   1709 			unsigned char *sdata = data;
   1710 			int ecpointformatlist_length = *(sdata++);
   1711 
   1712 			if (ecpointformatlist_length != size - 1 ||
   1713 				ecpointformatlist_length < 1)
   1714 				{
   1715 				*al = TLS1_AD_DECODE_ERROR;
   1716 				return 0;
   1717 				}
   1718 			if (!s->hit)
   1719 				{
   1720 				s->session->tlsext_ecpointformatlist_length = 0;
   1721 				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
   1722 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
   1723 					{
   1724 					*al = TLS1_AD_INTERNAL_ERROR;
   1725 					return 0;
   1726 					}
   1727 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
   1728 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
   1729 				}
   1730 #if 0
   1731 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
   1732 			sdata = s->session->tlsext_ecpointformatlist;
   1733 			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   1734 				fprintf(stderr,"%i ",*(sdata++));
   1735 			fprintf(stderr,"\n");
   1736 #endif
   1737 			}
   1738 #endif /* OPENSSL_NO_EC */
   1739 
   1740 		else if (type == TLSEXT_TYPE_session_ticket)
   1741 			{
   1742 			if (s->tls_session_ticket_ext_cb &&
   1743 			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
   1744 				{
   1745 				*al = TLS1_AD_INTERNAL_ERROR;
   1746 				return 0;
   1747 				}
   1748 			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
   1749 				|| (size > 0))
   1750 				{
   1751 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1752 				return 0;
   1753 				}
   1754 			s->tlsext_ticket_expected = 1;
   1755 			}
   1756 #ifdef TLSEXT_TYPE_opaque_prf_input
   1757 		else if (type == TLSEXT_TYPE_opaque_prf_input &&
   1758 	             s->version != DTLS1_VERSION)
   1759 			{
   1760 			unsigned char *sdata = data;
   1761 
   1762 			if (size < 2)
   1763 				{
   1764 				*al = SSL_AD_DECODE_ERROR;
   1765 				return 0;
   1766 				}
   1767 			n2s(sdata, s->s3->server_opaque_prf_input_len);
   1768 			if (s->s3->server_opaque_prf_input_len != size - 2)
   1769 				{
   1770 				*al = SSL_AD_DECODE_ERROR;
   1771 				return 0;
   1772 				}
   1773 
   1774 			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
   1775 				OPENSSL_free(s->s3->server_opaque_prf_input);
   1776 			if (s->s3->server_opaque_prf_input_len == 0)
   1777 				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   1778 			else
   1779 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
   1780 
   1781 			if (s->s3->server_opaque_prf_input == NULL)
   1782 				{
   1783 				*al = TLS1_AD_INTERNAL_ERROR;
   1784 				return 0;
   1785 				}
   1786 			}
   1787 #endif
   1788 		else if (type == TLSEXT_TYPE_status_request &&
   1789 		         s->version != DTLS1_VERSION)
   1790 			{
   1791 			/* MUST be empty and only sent if we've requested
   1792 			 * a status request message.
   1793 			 */
   1794 			if ((s->tlsext_status_type == -1) || (size > 0))
   1795 				{
   1796 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1797 				return 0;
   1798 				}
   1799 			/* Set flag to expect CertificateStatus message */
   1800 			s->tlsext_status_expected = 1;
   1801 			}
   1802 #ifndef OPENSSL_NO_NEXTPROTONEG
   1803 		else if (type == TLSEXT_TYPE_next_proto_neg &&
   1804 			 s->s3->tmp.finish_md_len == 0)
   1805 			{
   1806 			unsigned char *selected;
   1807 			unsigned char selected_len;
   1808 
   1809 			/* We must have requested it. */
   1810 			if (s->ctx->next_proto_select_cb == NULL)
   1811 				{
   1812 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1813 				return 0;
   1814 				}
   1815 			/* The data must be valid */
   1816 			if (!ssl_next_proto_validate(data, size))
   1817 				{
   1818 				*al = TLS1_AD_DECODE_ERROR;
   1819 				return 0;
   1820 				}
   1821 			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
   1822 				{
   1823 				*al = TLS1_AD_INTERNAL_ERROR;
   1824 				return 0;
   1825 				}
   1826 			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
   1827 			if (!s->next_proto_negotiated)
   1828 				{
   1829 				*al = TLS1_AD_INTERNAL_ERROR;
   1830 				return 0;
   1831 				}
   1832 			memcpy(s->next_proto_negotiated, selected, selected_len);
   1833 			s->next_proto_negotiated_len = selected_len;
   1834 			s->s3->next_proto_neg_seen = 1;
   1835 			}
   1836 #endif
   1837 		else if (type == TLSEXT_TYPE_channel_id)
   1838 			s->s3->tlsext_channel_id_valid = 1;
   1839 
   1840 		else if (type == TLSEXT_TYPE_channel_id_new)
   1841 			{
   1842 			s->s3->tlsext_channel_id_valid = 1;
   1843 			s->s3->tlsext_channel_id_new = 1;
   1844 			}
   1845 
   1846 		else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation)
   1847 			{
   1848 			unsigned len;
   1849 
   1850 			/* We must have requested it. */
   1851 			if (s->alpn_client_proto_list == NULL)
   1852 				{
   1853 				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
   1854 				return 0;
   1855 				}
   1856 			if (size < 4)
   1857 				{
   1858 				*al = TLS1_AD_DECODE_ERROR;
   1859 				return 0;
   1860 				}
   1861 			/* The extension data consists of:
   1862 			 *   uint16 list_length
   1863 			 *   uint8 proto_length;
   1864 			 *   uint8 proto[proto_length]; */
   1865 			len = data[0];
   1866 			len <<= 8;
   1867 			len |= data[1];
   1868 			if (len != (unsigned) size - 2)
   1869 				{
   1870 				*al = TLS1_AD_DECODE_ERROR;
   1871 				return 0;
   1872 				}
   1873 			len = data[2];
   1874 			if (len != (unsigned) size - 3)
   1875 				{
   1876 				*al = TLS1_AD_DECODE_ERROR;
   1877 				return 0;
   1878 				}
   1879 			if (s->s3->alpn_selected)
   1880 				OPENSSL_free(s->s3->alpn_selected);
   1881 			s->s3->alpn_selected = OPENSSL_malloc(len);
   1882 			if (!s->s3->alpn_selected)
   1883 				{
   1884 				*al = TLS1_AD_INTERNAL_ERROR;
   1885 				return 0;
   1886 				}
   1887 			memcpy(s->s3->alpn_selected, data + 3, len);
   1888 			s->s3->alpn_selected_len = len;
   1889 			}
   1890 
   1891 		else if (type == TLSEXT_TYPE_renegotiate)
   1892 			{
   1893 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
   1894 				return 0;
   1895 			renegotiate_seen = 1;
   1896 			}
   1897 #ifndef OPENSSL_NO_HEARTBEATS
   1898 		else if (type == TLSEXT_TYPE_heartbeat)
   1899 			{
   1900 			switch(data[0])
   1901 				{
   1902 				case 0x01:	/* Server allows us to send HB requests */
   1903 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1904 							break;
   1905 				case 0x02:	/* Server doesn't accept HB requests */
   1906 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
   1907 							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
   1908 							break;
   1909 				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
   1910 							return 0;
   1911 				}
   1912 			}
   1913 #endif
   1914 #ifndef OPENSSL_NO_SRTP
   1915 		else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
   1916 			{
   1917                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
   1918 							      al))
   1919                                 return 0;
   1920 			}
   1921 #endif
   1922 
   1923 		data+=size;
   1924 		}
   1925 
   1926 	if (data != d+n)
   1927 		{
   1928 		*al = SSL_AD_DECODE_ERROR;
   1929 		return 0;
   1930 		}
   1931 
   1932 	if (!s->hit && tlsext_servername == 1)
   1933 		{
   1934  		if (s->tlsext_hostname)
   1935 			{
   1936 			if (s->session->tlsext_hostname == NULL)
   1937 				{
   1938 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
   1939 				if (!s->session->tlsext_hostname)
   1940 					{
   1941 					*al = SSL_AD_UNRECOGNIZED_NAME;
   1942 					return 0;
   1943 					}
   1944 				}
   1945 			else
   1946 				{
   1947 				*al = SSL_AD_DECODE_ERROR;
   1948 				return 0;
   1949 				}
   1950 			}
   1951 		}
   1952 
   1953 	*p = data;
   1954 
   1955 	ri_check:
   1956 
   1957 	/* Determine if we need to see RI. Strictly speaking if we want to
   1958 	 * avoid an attack we should *always* see RI even on initial server
   1959 	 * hello because the client doesn't see any renegotiation during an
   1960 	 * attack. However this would mean we could not connect to any server
   1961 	 * which doesn't support RI so for the immediate future tolerate RI
   1962 	 * absence on initial connect only.
   1963 	 */
   1964 	if (!renegotiate_seen
   1965 		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
   1966 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
   1967 		{
   1968 		*al = SSL_AD_HANDSHAKE_FAILURE;
   1969 		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
   1970 				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
   1971 		return 0;
   1972 		}
   1973 
   1974 	return 1;
   1975 	}
   1976 
   1977 
   1978 int ssl_prepare_clienthello_tlsext(SSL *s)
   1979 	{
   1980 #ifndef OPENSSL_NO_EC
   1981 	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
   1982 	 * and elliptic curves we support.
   1983 	 */
   1984 	int using_ecc = 0;
   1985 	int i;
   1986 	unsigned char *j;
   1987 	unsigned long alg_k, alg_a;
   1988 	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
   1989 
   1990 	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
   1991 		{
   1992 		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
   1993 
   1994 		alg_k = c->algorithm_mkey;
   1995 		alg_a = c->algorithm_auth;
   1996 		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
   1997 			{
   1998 			using_ecc = 1;
   1999 			break;
   2000 			}
   2001 		}
   2002 	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
   2003 	if (using_ecc)
   2004 		{
   2005 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
   2006 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
   2007 			{
   2008 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   2009 			return -1;
   2010 			}
   2011 		s->tlsext_ecpointformatlist_length = 3;
   2012 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
   2013 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
   2014 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
   2015 
   2016 		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
   2017 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
   2018 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
   2019 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
   2020 			{
   2021 			s->tlsext_ellipticcurvelist_length = 0;
   2022 			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   2023 			return -1;
   2024 			}
   2025 		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
   2026 				sizeof(pref_list)/sizeof(pref_list[0]); i++)
   2027 			{
   2028 			int id = tls1_ec_nid2curve_id(pref_list[i]);
   2029 			s2n(id,j);
   2030 			}
   2031 		}
   2032 #endif /* OPENSSL_NO_EC */
   2033 
   2034 #ifdef TLSEXT_TYPE_opaque_prf_input
   2035  	{
   2036 		int r = 1;
   2037 
   2038 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
   2039 			{
   2040 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
   2041 			if (!r)
   2042 				return -1;
   2043 			}
   2044 
   2045 		if (s->tlsext_opaque_prf_input != NULL)
   2046 			{
   2047 			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
   2048 				OPENSSL_free(s->s3->client_opaque_prf_input);
   2049 
   2050 			if (s->tlsext_opaque_prf_input_len == 0)
   2051 				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   2052 			else
   2053 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
   2054 			if (s->s3->client_opaque_prf_input == NULL)
   2055 				{
   2056 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   2057 				return -1;
   2058 				}
   2059 			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   2060 			}
   2061 
   2062 		if (r == 2)
   2063 			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
   2064 			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   2065 	}
   2066 #endif
   2067 
   2068 	return 1;
   2069 	}
   2070 
   2071 int ssl_prepare_serverhello_tlsext(SSL *s)
   2072 	{
   2073 #ifndef OPENSSL_NO_EC
   2074 	/* If we are server and using an ECC cipher suite, send the point formats we support
   2075 	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
   2076 	 * supposed to send an EllipticCurves extension.
   2077 	 */
   2078 
   2079 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
   2080 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
   2081 	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
   2082 	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
   2083 
   2084 	if (using_ecc)
   2085 		{
   2086 		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
   2087 		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
   2088 			{
   2089 			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
   2090 			return -1;
   2091 			}
   2092 		s->tlsext_ecpointformatlist_length = 3;
   2093 		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
   2094 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
   2095 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
   2096 		}
   2097 #endif /* OPENSSL_NO_EC */
   2098 
   2099 	return 1;
   2100 	}
   2101 
   2102 int ssl_check_clienthello_tlsext_early(SSL *s)
   2103 	{
   2104 	int ret=SSL_TLSEXT_ERR_NOACK;
   2105 	int al = SSL_AD_UNRECOGNIZED_NAME;
   2106 
   2107 #ifndef OPENSSL_NO_EC
   2108 	/* The handling of the ECPointFormats extension is done elsewhere, namely in
   2109 	 * ssl3_choose_cipher in s3_lib.c.
   2110 	 */
   2111 	/* The handling of the EllipticCurves extension is done elsewhere, namely in
   2112 	 * ssl3_choose_cipher in s3_lib.c.
   2113 	 */
   2114 #endif
   2115 
   2116 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
   2117 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
   2118 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
   2119 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
   2120 
   2121 #ifdef TLSEXT_TYPE_opaque_prf_input
   2122  	{
   2123 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
   2124 		 * but we might be sending an alert in response to the client hello,
   2125 		 * so this has to happen here in
   2126 		 * ssl_check_clienthello_tlsext_early(). */
   2127 
   2128 		int r = 1;
   2129 
   2130 		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
   2131 			{
   2132 			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
   2133 			if (!r)
   2134 				{
   2135 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2136 				al = SSL_AD_INTERNAL_ERROR;
   2137 				goto err;
   2138 				}
   2139 			}
   2140 
   2141 		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
   2142 			OPENSSL_free(s->s3->server_opaque_prf_input);
   2143 		s->s3->server_opaque_prf_input = NULL;
   2144 
   2145 		if (s->tlsext_opaque_prf_input != NULL)
   2146 			{
   2147 			if (s->s3->client_opaque_prf_input != NULL &&
   2148 				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
   2149 				{
   2150 				/* can only use this extension if we have a server opaque PRF input
   2151 				 * of the same length as the client opaque PRF input! */
   2152 
   2153 				if (s->tlsext_opaque_prf_input_len == 0)
   2154 					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
   2155 				else
   2156 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
   2157 				if (s->s3->server_opaque_prf_input == NULL)
   2158 					{
   2159 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2160 					al = SSL_AD_INTERNAL_ERROR;
   2161 					goto err;
   2162 					}
   2163 				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
   2164 				}
   2165 			}
   2166 
   2167 		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
   2168 			{
   2169 			/* The callback wants to enforce use of the extension,
   2170 			 * but we can't do that with the client opaque PRF input;
   2171 			 * abort the handshake.
   2172 			 */
   2173 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2174 			al = SSL_AD_HANDSHAKE_FAILURE;
   2175 			}
   2176 	}
   2177 
   2178  err:
   2179 #endif
   2180 	switch (ret)
   2181 		{
   2182 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2183 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2184 			return -1;
   2185 
   2186 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2187 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2188 			return 1;
   2189 
   2190 		case SSL_TLSEXT_ERR_NOACK:
   2191 			s->servername_done=0;
   2192 			default:
   2193 		return 1;
   2194 		}
   2195 	}
   2196 
   2197 int ssl_check_clienthello_tlsext_late(SSL *s)
   2198 	{
   2199 	int ret = SSL_TLSEXT_ERR_OK;
   2200 	int al;
   2201 
   2202 	/* If status request then ask callback what to do.
   2203  	 * Note: this must be called after servername callbacks in case
   2204  	 * the certificate has changed, and must be called after the cipher
   2205 	 * has been chosen because this may influence which certificate is sent
   2206  	 */
   2207 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
   2208 		{
   2209 		int r;
   2210 		CERT_PKEY *certpkey;
   2211 		certpkey = ssl_get_server_send_pkey(s);
   2212 		/* If no certificate can't return certificate status */
   2213 		if (certpkey == NULL)
   2214 			{
   2215 			s->tlsext_status_expected = 0;
   2216 			return 1;
   2217 			}
   2218 		/* Set current certificate to one we will use so
   2219 		 * SSL_get_certificate et al can pick it up.
   2220 		 */
   2221 		s->cert->key = certpkey;
   2222 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
   2223 		switch (r)
   2224 			{
   2225 			/* We don't want to send a status request response */
   2226 			case SSL_TLSEXT_ERR_NOACK:
   2227 				s->tlsext_status_expected = 0;
   2228 				break;
   2229 			/* status request response should be sent */
   2230 			case SSL_TLSEXT_ERR_OK:
   2231 				if (s->tlsext_ocsp_resp)
   2232 					s->tlsext_status_expected = 1;
   2233 				else
   2234 					s->tlsext_status_expected = 0;
   2235 				break;
   2236 			/* something bad happened */
   2237 			case SSL_TLSEXT_ERR_ALERT_FATAL:
   2238 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2239 				al = SSL_AD_INTERNAL_ERROR;
   2240 				goto err;
   2241 			}
   2242 		}
   2243 	else
   2244 		s->tlsext_status_expected = 0;
   2245 
   2246  err:
   2247 	switch (ret)
   2248 		{
   2249 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2250 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2251 			return -1;
   2252 
   2253 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2254 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2255 			return 1;
   2256 
   2257 		default:
   2258 			return 1;
   2259 		}
   2260 	}
   2261 
   2262 int ssl_check_serverhello_tlsext(SSL *s)
   2263 	{
   2264 	int ret=SSL_TLSEXT_ERR_NOACK;
   2265 	int al = SSL_AD_UNRECOGNIZED_NAME;
   2266 
   2267 #ifndef OPENSSL_NO_EC
   2268 	/* If we are client and using an elliptic curve cryptography cipher
   2269 	 * suite, then if server returns an EC point formats lists extension
   2270 	 * it must contain uncompressed.
   2271 	 */
   2272 	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
   2273 	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
   2274 	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
   2275 	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
   2276 	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
   2277 		{
   2278 		/* we are using an ECC cipher */
   2279 		size_t i;
   2280 		unsigned char *list;
   2281 		int found_uncompressed = 0;
   2282 		list = s->session->tlsext_ecpointformatlist;
   2283 		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
   2284 			{
   2285 			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
   2286 				{
   2287 				found_uncompressed = 1;
   2288 				break;
   2289 				}
   2290 			}
   2291 		if (!found_uncompressed)
   2292 			{
   2293 			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
   2294 			return -1;
   2295 			}
   2296 		}
   2297 	ret = SSL_TLSEXT_ERR_OK;
   2298 #endif /* OPENSSL_NO_EC */
   2299 
   2300 	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
   2301 		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
   2302 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
   2303 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
   2304 
   2305 #ifdef TLSEXT_TYPE_opaque_prf_input
   2306 	if (s->s3->server_opaque_prf_input_len > 0)
   2307 		{
   2308 		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
   2309 		 * So first verify that we really have a value from the server too. */
   2310 
   2311 		if (s->s3->server_opaque_prf_input == NULL)
   2312 			{
   2313 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2314 			al = SSL_AD_HANDSHAKE_FAILURE;
   2315 			}
   2316 
   2317 		/* Anytime the server *has* sent an opaque PRF input, we need to check
   2318 		 * that we have a client opaque PRF input of the same size. */
   2319 		if (s->s3->client_opaque_prf_input == NULL ||
   2320 		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
   2321 			{
   2322 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2323 			al = SSL_AD_ILLEGAL_PARAMETER;
   2324 			}
   2325 		}
   2326 #endif
   2327 
   2328 	/* If we've requested certificate status and we wont get one
   2329  	 * tell the callback
   2330  	 */
   2331 	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
   2332 			&& s->ctx && s->ctx->tlsext_status_cb)
   2333 		{
   2334 		int r;
   2335 		/* Set resp to NULL, resplen to -1 so callback knows
   2336  		 * there is no response.
   2337  		 */
   2338 		if (s->tlsext_ocsp_resp)
   2339 			{
   2340 			OPENSSL_free(s->tlsext_ocsp_resp);
   2341 			s->tlsext_ocsp_resp = NULL;
   2342 			}
   2343 		s->tlsext_ocsp_resplen = -1;
   2344 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
   2345 		if (r == 0)
   2346 			{
   2347 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
   2348 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2349 			}
   2350 		if (r < 0)
   2351 			{
   2352 			al = SSL_AD_INTERNAL_ERROR;
   2353 			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
   2354 			}
   2355 		}
   2356 
   2357 	switch (ret)
   2358 		{
   2359 		case SSL_TLSEXT_ERR_ALERT_FATAL:
   2360 			ssl3_send_alert(s,SSL3_AL_FATAL,al);
   2361 			return -1;
   2362 
   2363 		case SSL_TLSEXT_ERR_ALERT_WARNING:
   2364 			ssl3_send_alert(s,SSL3_AL_WARNING,al);
   2365 			return 1;
   2366 
   2367 		case SSL_TLSEXT_ERR_NOACK:
   2368 			s->servername_done=0;
   2369 			default:
   2370 		return 1;
   2371 		}
   2372 	}
   2373 
   2374 /* Since the server cache lookup is done early on in the processing of the
   2375  * ClientHello, and other operations depend on the result, we need to handle
   2376  * any TLS session ticket extension at the same time.
   2377  *
   2378  *   session_id: points at the session ID in the ClientHello. This code will
   2379  *       read past the end of this in order to parse out the session ticket
   2380  *       extension, if any.
   2381  *   len: the length of the session ID.
   2382  *   limit: a pointer to the first byte after the ClientHello.
   2383  *   ret: (output) on return, if a ticket was decrypted, then this is set to
   2384  *       point to the resulting session.
   2385  *
   2386  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
   2387  * ciphersuite, in which case we have no use for session tickets and one will
   2388  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
   2389  *
   2390  * Returns:
   2391  *   -1: fatal error, either from parsing or decrypting the ticket.
   2392  *    0: no ticket was found (or was ignored, based on settings).
   2393  *    1: a zero length extension was found, indicating that the client supports
   2394  *       session tickets but doesn't currently have one to offer.
   2395  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
   2396  *       couldn't be decrypted because of a non-fatal error.
   2397  *    3: a ticket was successfully decrypted and *ret was set.
   2398  *
   2399  * Side effects:
   2400  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
   2401  *   a new session ticket to the client because the client indicated support
   2402  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
   2403  *   a session ticket or we couldn't use the one it gave us, or if
   2404  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
   2405  *   Otherwise, s->tlsext_ticket_expected is set to 0.
   2406  */
   2407 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
   2408 			const unsigned char *limit, SSL_SESSION **ret)
   2409 	{
   2410 	/* Point after session ID in client hello */
   2411 	const unsigned char *p = session_id + len;
   2412 	unsigned short i;
   2413 
   2414 	*ret = NULL;
   2415 	s->tlsext_ticket_expected = 0;
   2416 
   2417 	/* If tickets disabled behave as if no ticket present
   2418 	 * to permit stateful resumption.
   2419 	 */
   2420 	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
   2421 		return 0;
   2422 	if ((s->version <= SSL3_VERSION) || !limit)
   2423 		return 0;
   2424 	if (p >= limit)
   2425 		return -1;
   2426 	/* Skip past DTLS cookie */
   2427 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
   2428 		{
   2429 		i = *(p++);
   2430 		p+= i;
   2431 		if (p >= limit)
   2432 			return -1;
   2433 		}
   2434 	/* Skip past cipher list */
   2435 	n2s(p, i);
   2436 	p+= i;
   2437 	if (p >= limit)
   2438 		return -1;
   2439 	/* Skip past compression algorithm list */
   2440 	i = *(p++);
   2441 	p += i;
   2442 	if (p > limit)
   2443 		return -1;
   2444 	/* Now at start of extensions */
   2445 	if ((p + 2) >= limit)
   2446 		return 0;
   2447 	n2s(p, i);
   2448 	while ((p + 4) <= limit)
   2449 		{
   2450 		unsigned short type, size;
   2451 		n2s(p, type);
   2452 		n2s(p, size);
   2453 		if (p + size > limit)
   2454 			return 0;
   2455 		if (type == TLSEXT_TYPE_session_ticket)
   2456 			{
   2457 			int r;
   2458 			if (size == 0)
   2459 				{
   2460 				/* The client will accept a ticket but doesn't
   2461 				 * currently have one. */
   2462 				s->tlsext_ticket_expected = 1;
   2463 				return 1;
   2464 				}
   2465 			if (s->tls_session_secret_cb)
   2466 				{
   2467 				/* Indicate that the ticket couldn't be
   2468 				 * decrypted rather than generating the session
   2469 				 * from ticket now, trigger abbreviated
   2470 				 * handshake based on external mechanism to
   2471 				 * calculate the master secret later. */
   2472 				return 2;
   2473 				}
   2474 			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
   2475 			switch (r)
   2476 				{
   2477 				case 2: /* ticket couldn't be decrypted */
   2478 					s->tlsext_ticket_expected = 1;
   2479 					return 2;
   2480 				case 3: /* ticket was decrypted */
   2481 					return r;
   2482 				case 4: /* ticket decrypted but need to renew */
   2483 					s->tlsext_ticket_expected = 1;
   2484 					return 3;
   2485 				default: /* fatal error */
   2486 					return -1;
   2487 				}
   2488 			}
   2489 		p += size;
   2490 		}
   2491 	return 0;
   2492 	}
   2493 
   2494 /* tls_decrypt_ticket attempts to decrypt a session ticket.
   2495  *
   2496  *   etick: points to the body of the session ticket extension.
   2497  *   eticklen: the length of the session tickets extenion.
   2498  *   sess_id: points at the session ID.
   2499  *   sesslen: the length of the session ID.
   2500  *   psess: (output) on return, if a ticket was decrypted, then this is set to
   2501  *       point to the resulting session.
   2502  *
   2503  * Returns:
   2504  *   -1: fatal error, either from parsing or decrypting the ticket.
   2505  *    2: the ticket couldn't be decrypted.
   2506  *    3: a ticket was successfully decrypted and *psess was set.
   2507  *    4: same as 3, but the ticket needs to be renewed.
   2508  */
   2509 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
   2510 				const unsigned char *sess_id, int sesslen,
   2511 				SSL_SESSION **psess)
   2512 	{
   2513 	SSL_SESSION *sess;
   2514 	unsigned char *sdec;
   2515 	const unsigned char *p;
   2516 	int slen, mlen, renew_ticket = 0;
   2517 	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
   2518 	HMAC_CTX hctx;
   2519 	EVP_CIPHER_CTX ctx;
   2520 	SSL_CTX *tctx = s->initial_ctx;
   2521 	/* Need at least keyname + iv + some encrypted data */
   2522 	if (eticklen < 48)
   2523 		return 2;
   2524 	/* Initialize session ticket encryption and HMAC contexts */
   2525 	HMAC_CTX_init(&hctx);
   2526 	EVP_CIPHER_CTX_init(&ctx);
   2527 	if (tctx->tlsext_ticket_key_cb)
   2528 		{
   2529 		unsigned char *nctick = (unsigned char *)etick;
   2530 		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
   2531 							&ctx, &hctx, 0);
   2532 		if (rv < 0)
   2533 			return -1;
   2534 		if (rv == 0)
   2535 			return 2;
   2536 		if (rv == 2)
   2537 			renew_ticket = 1;
   2538 		}
   2539 	else
   2540 		{
   2541 		/* Check key name matches */
   2542 		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
   2543 			return 2;
   2544 		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
   2545 					tlsext_tick_md(), NULL);
   2546 		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
   2547 				tctx->tlsext_tick_aes_key, etick + 16);
   2548 		}
   2549 	/* Attempt to process session ticket, first conduct sanity and
   2550 	 * integrity checks on ticket.
   2551 	 */
   2552 	mlen = HMAC_size(&hctx);
   2553 	if (mlen < 0)
   2554 		{
   2555 		EVP_CIPHER_CTX_cleanup(&ctx);
   2556 		return -1;
   2557 		}
   2558 	eticklen -= mlen;
   2559 	/* Check HMAC of encrypted ticket */
   2560 	HMAC_Update(&hctx, etick, eticklen);
   2561 	HMAC_Final(&hctx, tick_hmac, NULL);
   2562 	HMAC_CTX_cleanup(&hctx);
   2563 	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
   2564 		{
   2565 		EVP_CIPHER_CTX_cleanup(&ctx);
   2566 		return 2;
   2567 		}
   2568 	/* Attempt to decrypt session data */
   2569 	/* Move p after IV to start of encrypted ticket, update length */
   2570 	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
   2571 	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
   2572 	sdec = OPENSSL_malloc(eticklen);
   2573 	if (!sdec)
   2574 		{
   2575 		EVP_CIPHER_CTX_cleanup(&ctx);
   2576 		return -1;
   2577 		}
   2578 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
   2579 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
   2580 		{
   2581 		EVP_CIPHER_CTX_cleanup(&ctx);
   2582 		OPENSSL_free(sdec);
   2583 		return 2;
   2584 		}
   2585 	slen += mlen;
   2586 	EVP_CIPHER_CTX_cleanup(&ctx);
   2587 	p = sdec;
   2588 
   2589 	sess = d2i_SSL_SESSION(NULL, &p, slen);
   2590 	OPENSSL_free(sdec);
   2591 	if (sess)
   2592 		{
   2593 		/* The session ID, if non-empty, is used by some clients to
   2594 		 * detect that the ticket has been accepted. So we copy it to
   2595 		 * the session structure. If it is empty set length to zero
   2596 		 * as required by standard.
   2597 		 */
   2598 		if (sesslen)
   2599 			memcpy(sess->session_id, sess_id, sesslen);
   2600 		sess->session_id_length = sesslen;
   2601 		*psess = sess;
   2602 		if (renew_ticket)
   2603 			return 4;
   2604 		else
   2605 			return 3;
   2606 		}
   2607         ERR_clear_error();
   2608 	/* For session parse failure, indicate that we need to send a new
   2609 	 * ticket. */
   2610 	return 2;
   2611 	}
   2612 
   2613 /* Tables to translate from NIDs to TLS v1.2 ids */
   2614 
   2615 typedef struct
   2616 	{
   2617 	int nid;
   2618 	int id;
   2619 	} tls12_lookup;
   2620 
   2621 static tls12_lookup tls12_md[] = {
   2622 #ifndef OPENSSL_NO_MD5
   2623 	{NID_md5, TLSEXT_hash_md5},
   2624 #endif
   2625 #ifndef OPENSSL_NO_SHA
   2626 	{NID_sha1, TLSEXT_hash_sha1},
   2627 #endif
   2628 #ifndef OPENSSL_NO_SHA256
   2629 	{NID_sha224, TLSEXT_hash_sha224},
   2630 	{NID_sha256, TLSEXT_hash_sha256},
   2631 #endif
   2632 #ifndef OPENSSL_NO_SHA512
   2633 	{NID_sha384, TLSEXT_hash_sha384},
   2634 	{NID_sha512, TLSEXT_hash_sha512}
   2635 #endif
   2636 };
   2637 
   2638 static tls12_lookup tls12_sig[] = {
   2639 #ifndef OPENSSL_NO_RSA
   2640 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
   2641 #endif
   2642 #ifndef OPENSSL_NO_DSA
   2643 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
   2644 #endif
   2645 #ifndef OPENSSL_NO_ECDSA
   2646 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
   2647 #endif
   2648 };
   2649 
   2650 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
   2651 	{
   2652 	size_t i;
   2653 	for (i = 0; i < tlen; i++)
   2654 		{
   2655 		if (table[i].nid == nid)
   2656 			return table[i].id;
   2657 		}
   2658 	return -1;
   2659 	}
   2660 
   2661 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
   2662 	{
   2663 	int sig_id, md_id;
   2664 	if (!md)
   2665 		return 0;
   2666 	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
   2667 				sizeof(tls12_md)/sizeof(tls12_lookup));
   2668 	if (md_id == -1)
   2669 		return 0;
   2670 	sig_id = tls12_get_sigid(pk);
   2671 	if (sig_id == -1)
   2672 		return 0;
   2673 	p[0] = (unsigned char)md_id;
   2674 	p[1] = (unsigned char)sig_id;
   2675 	return 1;
   2676 	}
   2677 
   2678 /* tls12_get_sigid returns the TLS 1.2 SignatureAlgorithm value corresponding
   2679  * to the given public key, or -1 if not known. */
   2680 int tls12_get_sigid(const EVP_PKEY *pk)
   2681 	{
   2682 	return tls12_find_id(pk->type, tls12_sig,
   2683 				sizeof(tls12_sig)/sizeof(tls12_lookup));
   2684 	}
   2685 
   2686 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
   2687 	{
   2688 	switch(hash_alg)
   2689 		{
   2690 #ifndef OPENSSL_NO_SHA
   2691 	case TLSEXT_hash_sha1:
   2692 		return EVP_sha1();
   2693 #endif
   2694 #ifndef OPENSSL_NO_SHA256
   2695 	case TLSEXT_hash_sha224:
   2696 		return EVP_sha224();
   2697 
   2698 	case TLSEXT_hash_sha256:
   2699 		return EVP_sha256();
   2700 #endif
   2701 #ifndef OPENSSL_NO_SHA512
   2702 	case TLSEXT_hash_sha384:
   2703 		return EVP_sha384();
   2704 
   2705 	case TLSEXT_hash_sha512:
   2706 		return EVP_sha512();
   2707 #endif
   2708 	default:
   2709 		return NULL;
   2710 
   2711 		}
   2712 	}
   2713 
   2714 /* tls1_process_sigalgs processes a signature_algorithms extension and sets the
   2715  * digest functions accordingly for each key type.
   2716  *
   2717  * See RFC 5246, section 7.4.1.4.1.
   2718  *
   2719  * data: points to the content of the extension, not including type and length
   2720  *     headers.
   2721  * dsize: the number of bytes of |data|. Must be even.
   2722  */
   2723 void tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
   2724 	{
   2725 	int i;
   2726 	const EVP_MD *md, **digest_ptr;
   2727 	/* Extension ignored for TLS versions below 1.2 */
   2728 	if (TLS1_get_version(s) < TLS1_2_VERSION)
   2729 		return;
   2730 
   2731 	s->s3->digest_rsa = NULL;
   2732 	s->s3->digest_dsa = NULL;
   2733 	s->s3->digest_ecdsa = NULL;
   2734 
   2735 	for (i = 0; i < dsize; i += 2)
   2736 		{
   2737 		unsigned char hash_alg = data[i], sig_alg = data[i+1];
   2738 
   2739 		switch(sig_alg)
   2740 			{
   2741 #ifndef OPENSSL_NO_RSA
   2742 			case TLSEXT_signature_rsa:
   2743 			digest_ptr = &s->s3->digest_rsa;
   2744 			break;
   2745 #endif
   2746 #ifndef OPENSSL_NO_DSA
   2747 			case TLSEXT_signature_dsa:
   2748 			digest_ptr = &s->s3->digest_dsa;
   2749 			break;
   2750 #endif
   2751 #ifndef OPENSSL_NO_ECDSA
   2752 			case TLSEXT_signature_ecdsa:
   2753 			digest_ptr = &s->s3->digest_ecdsa;
   2754 			break;
   2755 #endif
   2756 			default:
   2757 			continue;
   2758 			}
   2759 
   2760 		if (*digest_ptr == NULL)
   2761 			{
   2762 			md = tls12_get_hash(hash_alg);
   2763 			if (md)
   2764 				*digest_ptr = md;
   2765 			}
   2766 
   2767 		}
   2768 	}
   2769 
   2770 #endif
   2771 
   2772 #ifndef OPENSSL_NO_HEARTBEATS
   2773 int
   2774 tls1_process_heartbeat(SSL *s)
   2775 	{
   2776 	unsigned char *p = &s->s3->rrec.data[0], *pl;
   2777 	unsigned short hbtype;
   2778 	unsigned int payload;
   2779 	unsigned int padding = 16; /* Use minimum padding */
   2780 
   2781 	if (s->msg_callback)
   2782 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
   2783 			&s->s3->rrec.data[0], s->s3->rrec.length,
   2784 			s, s->msg_callback_arg);
   2785 
   2786 	/* Read type and payload length first */
   2787 	if (1 + 2 + 16 > s->s3->rrec.length)
   2788 		return 0; /* silently discard */
   2789 	hbtype = *p++;
   2790 	n2s(p, payload);
   2791 	if (1 + 2 + payload + 16 > s->s3->rrec.length)
   2792 		return 0; /* silently discard per RFC 6520 sec. 4 */
   2793 	pl = p;
   2794 
   2795 	if (hbtype == TLS1_HB_REQUEST)
   2796 		{
   2797 		unsigned char *buffer, *bp;
   2798 		int r;
   2799 
   2800 		/* Allocate memory for the response, size is 1 bytes
   2801 		 * message type, plus 2 bytes payload length, plus
   2802 		 * payload, plus padding
   2803 		 */
   2804 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
   2805 		bp = buffer;
   2806 
   2807 		/* Enter response type, length and copy payload */
   2808 		*bp++ = TLS1_HB_RESPONSE;
   2809 		s2n(payload, bp);
   2810 		memcpy(bp, pl, payload);
   2811 		bp += payload;
   2812 		/* Random padding */
   2813 		RAND_pseudo_bytes(bp, padding);
   2814 
   2815 		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
   2816 
   2817 		if (r >= 0 && s->msg_callback)
   2818 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
   2819 				buffer, 3 + payload + padding,
   2820 				s, s->msg_callback_arg);
   2821 
   2822 		OPENSSL_free(buffer);
   2823 
   2824 		if (r < 0)
   2825 			return r;
   2826 		}
   2827 	else if (hbtype == TLS1_HB_RESPONSE)
   2828 		{
   2829 		unsigned int seq;
   2830 
   2831 		/* We only send sequence numbers (2 bytes unsigned int),
   2832 		 * and 16 random bytes, so we just try to read the
   2833 		 * sequence number */
   2834 		n2s(pl, seq);
   2835 
   2836 		if (payload == 18 && seq == s->tlsext_hb_seq)
   2837 			{
   2838 			s->tlsext_hb_seq++;
   2839 			s->tlsext_hb_pending = 0;
   2840 			}
   2841 		}
   2842 
   2843 	return 0;
   2844 	}
   2845 
   2846 int
   2847 tls1_heartbeat(SSL *s)
   2848 	{
   2849 	unsigned char *buf, *p;
   2850 	int ret;
   2851 	unsigned int payload = 18; /* Sequence number + random bytes */
   2852 	unsigned int padding = 16; /* Use minimum padding */
   2853 
   2854 	/* Only send if peer supports and accepts HB requests... */
   2855 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
   2856 	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
   2857 		{
   2858 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
   2859 		return -1;
   2860 		}
   2861 
   2862 	/* ...and there is none in flight yet... */
   2863 	if (s->tlsext_hb_pending)
   2864 		{
   2865 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
   2866 		return -1;
   2867 		}
   2868 
   2869 	/* ...and no handshake in progress. */
   2870 	if (SSL_in_init(s) || s->in_handshake)
   2871 		{
   2872 		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
   2873 		return -1;
   2874 		}
   2875 
   2876 	/* Check if padding is too long, payload and padding
   2877 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
   2878 	 */
   2879 	OPENSSL_assert(payload + padding <= 16381);
   2880 
   2881 	/* Create HeartBeat message, we just use a sequence number
   2882 	 * as payload to distuingish different messages and add
   2883 	 * some random stuff.
   2884 	 *  - Message Type, 1 byte
   2885 	 *  - Payload Length, 2 bytes (unsigned int)
   2886 	 *  - Payload, the sequence number (2 bytes uint)
   2887 	 *  - Payload, random bytes (16 bytes uint)
   2888 	 *  - Padding
   2889 	 */
   2890 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
   2891 	p = buf;
   2892 	/* Message Type */
   2893 	*p++ = TLS1_HB_REQUEST;
   2894 	/* Payload length (18 bytes here) */
   2895 	s2n(payload, p);
   2896 	/* Sequence number */
   2897 	s2n(s->tlsext_hb_seq, p);
   2898 	/* 16 random bytes */
   2899 	RAND_pseudo_bytes(p, 16);
   2900 	p += 16;
   2901 	/* Random padding */
   2902 	RAND_pseudo_bytes(p, padding);
   2903 
   2904 	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
   2905 	if (ret >= 0)
   2906 		{
   2907 		if (s->msg_callback)
   2908 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
   2909 				buf, 3 + payload + padding,
   2910 				s, s->msg_callback_arg);
   2911 
   2912 		s->tlsext_hb_pending = 1;
   2913 		}
   2914 
   2915 	OPENSSL_free(buf);
   2916 
   2917 	return ret;
   2918 	}
   2919 #endif
   2920 
   2921 #if !defined(OPENSSL_NO_TLSEXT)
   2922 /* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
   2923  * SSL connection and writes it to |md|.
   2924  */
   2925 int
   2926 tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
   2927 	{
   2928 	EVP_MD_CTX ctx;
   2929 	unsigned char temp_digest[EVP_MAX_MD_SIZE];
   2930 	unsigned temp_digest_len;
   2931 	int i;
   2932 	static const char kClientIDMagic[] = "TLS Channel ID signature";
   2933 
   2934 	if (s->s3->handshake_buffer)
   2935 		if (!ssl3_digest_cached_records(s))
   2936 			return 0;
   2937 
   2938 	EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
   2939 
   2940 	if (s->hit && s->s3->tlsext_channel_id_new)
   2941 		{
   2942 		static const char kResumptionMagic[] = "Resumption";
   2943 		EVP_DigestUpdate(md, kResumptionMagic,
   2944 				 sizeof(kResumptionMagic));
   2945 		if (s->session->original_handshake_hash_len == 0)
   2946 			return 0;
   2947 		EVP_DigestUpdate(md, s->session->original_handshake_hash,
   2948 				 s->session->original_handshake_hash_len);
   2949 		}
   2950 
   2951 	EVP_MD_CTX_init(&ctx);
   2952 	for (i = 0; i < SSL_MAX_DIGEST; i++)
   2953 		{
   2954 		if (s->s3->handshake_dgst[i] == NULL)
   2955 			continue;
   2956 		EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
   2957 		EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
   2958 		EVP_DigestUpdate(md, temp_digest, temp_digest_len);
   2959 		}
   2960 	EVP_MD_CTX_cleanup(&ctx);
   2961 
   2962 	return 1;
   2963 	}
   2964 #endif
   2965 
   2966 /* tls1_record_handshake_hashes_for_channel_id records the current handshake
   2967  * hashes in |s->session| so that Channel ID resumptions can sign that data. */
   2968 int tls1_record_handshake_hashes_for_channel_id(SSL *s)
   2969 	{
   2970 	int digest_len;
   2971 	/* This function should never be called for a resumed session because
   2972 	 * the handshake hashes that we wish to record are for the original,
   2973 	 * full handshake. */
   2974 	if (s->hit)
   2975 		return -1;
   2976 	/* It only makes sense to call this function if Channel IDs have been
   2977 	 * negotiated. */
   2978 	if (!s->s3->tlsext_channel_id_new)
   2979 		return -1;
   2980 
   2981 	digest_len = tls1_handshake_digest(
   2982 		s, s->session->original_handshake_hash,
   2983 		sizeof(s->session->original_handshake_hash));
   2984 	if (digest_len < 0)
   2985 		return -1;
   2986 
   2987 	s->session->original_handshake_hash_len = digest_len;
   2988 
   2989 	return 1;
   2990 	}
   2991