155714Skris/* ssl/t1_lib.c */
255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
355714Skris * All rights reserved.
455714Skris *
555714Skris * This package is an SSL implementation written
655714Skris * by Eric Young (eay@cryptsoft.com).
755714Skris * The implementation was written so as to conform with Netscapes SSL.
855714Skris *
955714Skris * This library is free for commercial and non-commercial use as long as
1055714Skris * the following conditions are aheared to.  The following conditions
1155714Skris * apply to all code found in this distribution, be it the RC4, RSA,
1255714Skris * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
1355714Skris * included with this distribution is covered by the same copyright terms
1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1555714Skris *
1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in
1755714Skris * the code are not to be removed.
1855714Skris * If this package is used in a product, Eric Young should be given attribution
1955714Skris * as the author of the parts of the library used.
2055714Skris * This can be in the form of a textual message at program startup or
2155714Skris * in documentation (online or textual) provided with the package.
2255714Skris *
2355714Skris * Redistribution and use in source and binary forms, with or without
2455714Skris * modification, are permitted provided that the following conditions
2555714Skris * are met:
2655714Skris * 1. Redistributions of source code must retain the copyright
2755714Skris *    notice, this list of conditions and the following disclaimer.
2855714Skris * 2. Redistributions in binary form must reproduce the above copyright
2955714Skris *    notice, this list of conditions and the following disclaimer in the
3055714Skris *    documentation and/or other materials provided with the distribution.
3155714Skris * 3. All advertising materials mentioning features or use of this software
3255714Skris *    must display the following acknowledgement:
3355714Skris *    "This product includes cryptographic software written by
3455714Skris *     Eric Young (eay@cryptsoft.com)"
3555714Skris *    The word 'cryptographic' can be left out if the rouines from the library
3655714Skris *    being used are not cryptographic related :-).
3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from
3855714Skris *    the apps directory (application code) you must include an acknowledgement:
3955714Skris *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
4055714Skris *
4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4455714Skris * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
5155714Skris * SUCH DAMAGE.
5255714Skris *
5355714Skris * The licence and distribution terms for any publically available version or
5455714Skris * derivative of this code cannot be changed.  i.e. this code cannot simply be
5555714Skris * copied and put under another distribution licence
5655714Skris * [including the GNU Public Licence.]
5755714Skris */
58238405Sjkim/* ====================================================================
59238405Sjkim * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60238405Sjkim *
61238405Sjkim * Redistribution and use in source and binary forms, with or without
62238405Sjkim * modification, are permitted provided that the following conditions
63238405Sjkim * are met:
64238405Sjkim *
65238405Sjkim * 1. Redistributions of source code must retain the above copyright
66238405Sjkim *    notice, this list of conditions and the following disclaimer.
67238405Sjkim *
68238405Sjkim * 2. Redistributions in binary form must reproduce the above copyright
69238405Sjkim *    notice, this list of conditions and the following disclaimer in
70238405Sjkim *    the documentation and/or other materials provided with the
71238405Sjkim *    distribution.
72238405Sjkim *
73238405Sjkim * 3. All advertising materials mentioning features or use of this
74238405Sjkim *    software must display the following acknowledgment:
75238405Sjkim *    "This product includes software developed by the OpenSSL Project
76238405Sjkim *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77238405Sjkim *
78238405Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79238405Sjkim *    endorse or promote products derived from this software without
80238405Sjkim *    prior written permission. For written permission, please contact
81238405Sjkim *    openssl-core@openssl.org.
82238405Sjkim *
83238405Sjkim * 5. Products derived from this software may not be called "OpenSSL"
84238405Sjkim *    nor may "OpenSSL" appear in their names without prior written
85238405Sjkim *    permission of the OpenSSL Project.
86238405Sjkim *
87238405Sjkim * 6. Redistributions of any form whatsoever must retain the following
88238405Sjkim *    acknowledgment:
89238405Sjkim *    "This product includes software developed by the OpenSSL Project
90238405Sjkim *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91238405Sjkim *
92238405Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93238405Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94238405Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95238405Sjkim * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96238405Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97238405Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98238405Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99238405Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100238405Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101238405Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102238405Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103238405Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE.
104238405Sjkim * ====================================================================
105238405Sjkim *
106238405Sjkim * This product includes cryptographic software written by Eric Young
107238405Sjkim * (eay@cryptsoft.com).  This product includes software written by Tim
108238405Sjkim * Hudson (tjh@cryptsoft.com).
109238405Sjkim *
110238405Sjkim */
11155714Skris
11255714Skris#include <stdio.h>
11355714Skris#include <openssl/objects.h>
114194206Ssimon#include <openssl/evp.h>
115194206Ssimon#include <openssl/hmac.h>
116194206Ssimon#include <openssl/ocsp.h>
117238405Sjkim#include <openssl/rand.h>
11855714Skris#include "ssl_locl.h"
11955714Skris
120167612Ssimonconst char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
12155714Skris
122194206Ssimon#ifndef OPENSSL_NO_TLSEXT
123194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
124194206Ssimon				const unsigned char *sess_id, int sesslen,
125194206Ssimon				SSL_SESSION **psess);
126194206Ssimon#endif
127194206Ssimon
128160814SsimonSSL3_ENC_METHOD TLSv1_enc_data={
12955714Skris	tls1_enc,
13055714Skris	tls1_mac,
13155714Skris	tls1_setup_key_block,
13255714Skris	tls1_generate_master_secret,
13355714Skris	tls1_change_cipher_state,
13455714Skris	tls1_final_finish_mac,
13555714Skris	TLS1_FINISH_MAC_LENGTH,
13655714Skris	tls1_cert_verify_mac,
13755714Skris	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
13855714Skris	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
13955714Skris	tls1_alert_code,
140238405Sjkim	tls1_export_keying_material,
14155714Skris	};
14255714Skris
143160814Ssimonlong tls1_default_timeout(void)
14455714Skris	{
14555714Skris	/* 2 hours, the 24 hours mentioned in the TLSv1 spec
14655714Skris	 * is way too long for http, the cache would over fill */
14755714Skris	return(60*60*2);
14855714Skris	}
14955714Skris
15055714Skrisint tls1_new(SSL *s)
15155714Skris	{
15255714Skris	if (!ssl3_new(s)) return(0);
15355714Skris	s->method->ssl_clear(s);
15455714Skris	return(1);
15555714Skris	}
15655714Skris
15755714Skrisvoid tls1_free(SSL *s)
15855714Skris	{
159238405Sjkim#ifndef OPENSSL_NO_TLSEXT
160238405Sjkim	if (s->tlsext_session_ticket)
161238405Sjkim		{
162238405Sjkim		OPENSSL_free(s->tlsext_session_ticket);
163238405Sjkim		}
164238405Sjkim#endif /* OPENSSL_NO_TLSEXT */
16555714Skris	ssl3_free(s);
16655714Skris	}
16755714Skris
16855714Skrisvoid tls1_clear(SSL *s)
16955714Skris	{
17055714Skris	ssl3_clear(s);
171238405Sjkim	s->version = s->method->version;
17255714Skris	}
17355714Skris
174238405Sjkim#ifndef OPENSSL_NO_EC
175238405Sjkim
176238405Sjkimstatic int nid_list[] =
17755714Skris	{
178238405Sjkim		NID_sect163k1, /* sect163k1 (1) */
179238405Sjkim		NID_sect163r1, /* sect163r1 (2) */
180238405Sjkim		NID_sect163r2, /* sect163r2 (3) */
181238405Sjkim		NID_sect193r1, /* sect193r1 (4) */
182238405Sjkim		NID_sect193r2, /* sect193r2 (5) */
183238405Sjkim		NID_sect233k1, /* sect233k1 (6) */
184238405Sjkim		NID_sect233r1, /* sect233r1 (7) */
185238405Sjkim		NID_sect239k1, /* sect239k1 (8) */
186238405Sjkim		NID_sect283k1, /* sect283k1 (9) */
187238405Sjkim		NID_sect283r1, /* sect283r1 (10) */
188238405Sjkim		NID_sect409k1, /* sect409k1 (11) */
189238405Sjkim		NID_sect409r1, /* sect409r1 (12) */
190238405Sjkim		NID_sect571k1, /* sect571k1 (13) */
191238405Sjkim		NID_sect571r1, /* sect571r1 (14) */
192238405Sjkim		NID_secp160k1, /* secp160k1 (15) */
193238405Sjkim		NID_secp160r1, /* secp160r1 (16) */
194238405Sjkim		NID_secp160r2, /* secp160r2 (17) */
195238405Sjkim		NID_secp192k1, /* secp192k1 (18) */
196238405Sjkim		NID_X9_62_prime192v1, /* secp192r1 (19) */
197238405Sjkim		NID_secp224k1, /* secp224k1 (20) */
198238405Sjkim		NID_secp224r1, /* secp224r1 (21) */
199238405Sjkim		NID_secp256k1, /* secp256k1 (22) */
200238405Sjkim		NID_X9_62_prime256v1, /* secp256r1 (23) */
201238405Sjkim		NID_secp384r1, /* secp384r1 (24) */
202238405Sjkim		NID_secp521r1  /* secp521r1 (25) */
203238405Sjkim	};
204238405Sjkim
205238405Sjkimstatic int pref_list[] =
206238405Sjkim	{
207279264Sdelphij#ifndef OPENSSL_NO_EC2M
208238405Sjkim		NID_sect571r1, /* sect571r1 (14) */
209238405Sjkim		NID_sect571k1, /* sect571k1 (13) */
210279264Sdelphij#endif
211238405Sjkim		NID_secp521r1, /* secp521r1 (25) */
212279264Sdelphij#ifndef OPENSSL_NO_EC2M
213238405Sjkim		NID_sect409k1, /* sect409k1 (11) */
214238405Sjkim		NID_sect409r1, /* sect409r1 (12) */
215279264Sdelphij#endif
216238405Sjkim		NID_secp384r1, /* secp384r1 (24) */
217279264Sdelphij#ifndef OPENSSL_NO_EC2M
218238405Sjkim		NID_sect283k1, /* sect283k1 (9) */
219238405Sjkim		NID_sect283r1, /* sect283r1 (10) */
220279264Sdelphij#endif
221238405Sjkim		NID_secp256k1, /* secp256k1 (22) */
222238405Sjkim		NID_X9_62_prime256v1, /* secp256r1 (23) */
223279264Sdelphij#ifndef OPENSSL_NO_EC2M
224238405Sjkim		NID_sect239k1, /* sect239k1 (8) */
225238405Sjkim		NID_sect233k1, /* sect233k1 (6) */
226238405Sjkim		NID_sect233r1, /* sect233r1 (7) */
227279264Sdelphij#endif
228238405Sjkim		NID_secp224k1, /* secp224k1 (20) */
229238405Sjkim		NID_secp224r1, /* secp224r1 (21) */
230279264Sdelphij#ifndef OPENSSL_NO_EC2M
231238405Sjkim		NID_sect193r1, /* sect193r1 (4) */
232238405Sjkim		NID_sect193r2, /* sect193r2 (5) */
233279264Sdelphij#endif
234238405Sjkim		NID_secp192k1, /* secp192k1 (18) */
235238405Sjkim		NID_X9_62_prime192v1, /* secp192r1 (19) */
236279264Sdelphij#ifndef OPENSSL_NO_EC2M
237238405Sjkim		NID_sect163k1, /* sect163k1 (1) */
238238405Sjkim		NID_sect163r1, /* sect163r1 (2) */
239238405Sjkim		NID_sect163r2, /* sect163r2 (3) */
240279264Sdelphij#endif
241238405Sjkim		NID_secp160k1, /* secp160k1 (15) */
242238405Sjkim		NID_secp160r1, /* secp160r1 (16) */
243238405Sjkim		NID_secp160r2, /* secp160r2 (17) */
244238405Sjkim	};
245238405Sjkim
246238405Sjkimint tls1_ec_curve_id2nid(int curve_id)
247238405Sjkim	{
248279264Sdelphij	/* ECC curves from RFC 4492 */
249238405Sjkim	if ((curve_id < 1) || ((unsigned int)curve_id >
250238405Sjkim				sizeof(nid_list)/sizeof(nid_list[0])))
251238405Sjkim		return 0;
252238405Sjkim	return nid_list[curve_id-1];
25355714Skris	}
25459191Skris
255238405Sjkimint tls1_ec_nid2curve_id(int nid)
25659191Skris	{
257279264Sdelphij	/* ECC curves from RFC 4492 */
258238405Sjkim	switch (nid)
259238405Sjkim		{
260238405Sjkim	case NID_sect163k1: /* sect163k1 (1) */
261238405Sjkim		return 1;
262238405Sjkim	case NID_sect163r1: /* sect163r1 (2) */
263238405Sjkim		return 2;
264238405Sjkim	case NID_sect163r2: /* sect163r2 (3) */
265238405Sjkim		return 3;
266238405Sjkim	case NID_sect193r1: /* sect193r1 (4) */
267238405Sjkim		return 4;
268238405Sjkim	case NID_sect193r2: /* sect193r2 (5) */
269238405Sjkim		return 5;
270238405Sjkim	case NID_sect233k1: /* sect233k1 (6) */
271238405Sjkim		return 6;
272238405Sjkim	case NID_sect233r1: /* sect233r1 (7) */
273238405Sjkim		return 7;
274238405Sjkim	case NID_sect239k1: /* sect239k1 (8) */
275238405Sjkim		return 8;
276238405Sjkim	case NID_sect283k1: /* sect283k1 (9) */
277238405Sjkim		return 9;
278238405Sjkim	case NID_sect283r1: /* sect283r1 (10) */
279238405Sjkim		return 10;
280238405Sjkim	case NID_sect409k1: /* sect409k1 (11) */
281238405Sjkim		return 11;
282238405Sjkim	case NID_sect409r1: /* sect409r1 (12) */
283238405Sjkim		return 12;
284238405Sjkim	case NID_sect571k1: /* sect571k1 (13) */
285238405Sjkim		return 13;
286238405Sjkim	case NID_sect571r1: /* sect571r1 (14) */
287238405Sjkim		return 14;
288238405Sjkim	case NID_secp160k1: /* secp160k1 (15) */
289238405Sjkim		return 15;
290238405Sjkim	case NID_secp160r1: /* secp160r1 (16) */
291238405Sjkim		return 16;
292238405Sjkim	case NID_secp160r2: /* secp160r2 (17) */
293238405Sjkim		return 17;
294238405Sjkim	case NID_secp192k1: /* secp192k1 (18) */
295238405Sjkim		return 18;
296238405Sjkim	case NID_X9_62_prime192v1: /* secp192r1 (19) */
297238405Sjkim		return 19;
298238405Sjkim	case NID_secp224k1: /* secp224k1 (20) */
299238405Sjkim		return 20;
300238405Sjkim	case NID_secp224r1: /* secp224r1 (21) */
301238405Sjkim		return 21;
302238405Sjkim	case NID_secp256k1: /* secp256k1 (22) */
303238405Sjkim		return 22;
304238405Sjkim	case NID_X9_62_prime256v1: /* secp256r1 (23) */
305238405Sjkim		return 23;
306238405Sjkim	case NID_secp384r1: /* secp384r1 (24) */
307238405Sjkim		return 24;
308238405Sjkim	case NID_secp521r1:  /* secp521r1 (25) */
309238405Sjkim		return 25;
310238405Sjkim	default:
311238405Sjkim		return 0;
312238405Sjkim		}
31359191Skris	}
314238405Sjkim#endif /* OPENSSL_NO_EC */
315238405Sjkim
316238405Sjkim#ifndef OPENSSL_NO_TLSEXT
317238405Sjkim
318238405Sjkim/* List of supported signature algorithms and hashes. Should make this
319238405Sjkim * customisable at some point, for now include everything we support.
320238405Sjkim */
321238405Sjkim
322238405Sjkim#ifdef OPENSSL_NO_RSA
323238405Sjkim#define tlsext_sigalg_rsa(md) /* */
324238405Sjkim#else
325238405Sjkim#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
32655714Skris#endif
327194206Ssimon
328238405Sjkim#ifdef OPENSSL_NO_DSA
329238405Sjkim#define tlsext_sigalg_dsa(md) /* */
330238405Sjkim#else
331238405Sjkim#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
332238405Sjkim#endif
333238405Sjkim
334238405Sjkim#ifdef OPENSSL_NO_ECDSA
335238405Sjkim#define tlsext_sigalg_ecdsa(md) /* */
336238405Sjkim#else
337238405Sjkim#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
338238405Sjkim#endif
339238405Sjkim
340238405Sjkim#define tlsext_sigalg(md) \
341238405Sjkim		tlsext_sigalg_rsa(md) \
342238405Sjkim		tlsext_sigalg_dsa(md) \
343238405Sjkim		tlsext_sigalg_ecdsa(md)
344238405Sjkim
345238405Sjkimstatic unsigned char tls12_sigalgs[] = {
346238405Sjkim#ifndef OPENSSL_NO_SHA512
347238405Sjkim	tlsext_sigalg(TLSEXT_hash_sha512)
348238405Sjkim	tlsext_sigalg(TLSEXT_hash_sha384)
349238405Sjkim#endif
350238405Sjkim#ifndef OPENSSL_NO_SHA256
351238405Sjkim	tlsext_sigalg(TLSEXT_hash_sha256)
352238405Sjkim	tlsext_sigalg(TLSEXT_hash_sha224)
353238405Sjkim#endif
354238405Sjkim#ifndef OPENSSL_NO_SHA
355238405Sjkim	tlsext_sigalg(TLSEXT_hash_sha1)
356238405Sjkim#endif
357238405Sjkim};
358238405Sjkim
359238405Sjkimint tls12_get_req_sig_algs(SSL *s, unsigned char *p)
360238405Sjkim	{
361238405Sjkim	size_t slen = sizeof(tls12_sigalgs);
362238405Sjkim	if (p)
363238405Sjkim		memcpy(p, tls12_sigalgs, slen);
364238405Sjkim	return (int)slen;
365238405Sjkim	}
366238405Sjkim
367279264Sdelphijunsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
368194206Ssimon	{
369194206Ssimon	int extdatalen=0;
370279264Sdelphij	unsigned char *orig = buf;
371279264Sdelphij	unsigned char *ret = buf;
372194206Ssimon
373205128Ssimon	/* don't add extensions for SSLv3 unless doing secure renegotiation */
374205128Ssimon	if (s->client_version == SSL3_VERSION
375205128Ssimon					&& !s->s3->send_connection_binding)
376279264Sdelphij		return orig;
377205128Ssimon
378194206Ssimon	ret+=2;
379194206Ssimon
380194206Ssimon	if (ret>=limit) return NULL; /* this really never occurs, but ... */
381194206Ssimon
382194206Ssimon 	if (s->tlsext_hostname != NULL)
383194206Ssimon		{
384194206Ssimon		/* Add TLS extension servername to the Client Hello message */
385194206Ssimon		unsigned long size_str;
386194206Ssimon		long lenmax;
387194206Ssimon
388194206Ssimon		/* check for enough space.
389194206Ssimon		   4 for the servername type and entension length
390194206Ssimon		   2 for servernamelist length
391194206Ssimon		   1 for the hostname type
392194206Ssimon		   2 for hostname length
393194206Ssimon		   + hostname length
394194206Ssimon		*/
395194206Ssimon
396194206Ssimon		if ((lenmax = limit - ret - 9) < 0
397238405Sjkim		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
398194206Ssimon			return NULL;
399194206Ssimon
400194206Ssimon		/* extension type and length */
401194206Ssimon		s2n(TLSEXT_TYPE_server_name,ret);
402194206Ssimon		s2n(size_str+5,ret);
403194206Ssimon
404194206Ssimon		/* length of servername list */
405194206Ssimon		s2n(size_str+3,ret);
406194206Ssimon
407194206Ssimon		/* hostname type, length and hostname */
408194206Ssimon		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
409194206Ssimon		s2n(size_str,ret);
410194206Ssimon		memcpy(ret, s->tlsext_hostname, size_str);
411194206Ssimon		ret+=size_str;
412238405Sjkim		}
413194206Ssimon
414205128Ssimon        /* Add RI if renegotiating */
415238405Sjkim        if (s->renegotiate)
416205128Ssimon          {
417205128Ssimon          int el;
418205128Ssimon
419205128Ssimon          if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
420205128Ssimon              {
421205128Ssimon              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
422205128Ssimon              return NULL;
423205128Ssimon              }
424194206Ssimon
425279264Sdelphij          if((limit - ret - 4 - el) < 0) return NULL;
426205128Ssimon
427205128Ssimon          s2n(TLSEXT_TYPE_renegotiate,ret);
428205128Ssimon          s2n(el,ret);
429205128Ssimon
430205128Ssimon          if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
431205128Ssimon              {
432205128Ssimon              SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
433205128Ssimon              return NULL;
434205128Ssimon              }
435205128Ssimon
436205128Ssimon          ret += el;
437205128Ssimon        }
438205128Ssimon
439238405Sjkim#ifndef OPENSSL_NO_SRP
440238405Sjkim	/* Add SRP username if there is one */
441238405Sjkim	if (s->srp_ctx.login != NULL)
442238405Sjkim		{ /* Add TLS extension SRP username to the Client Hello message */
443238405Sjkim
444238405Sjkim		int login_len = strlen(s->srp_ctx.login);
445238405Sjkim		if (login_len > 255 || login_len == 0)
446238405Sjkim			{
447238405Sjkim			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
448238405Sjkim			return NULL;
449238405Sjkim			}
450238405Sjkim
451238405Sjkim		/* check for enough space.
452238405Sjkim		   4 for the srp type type and entension length
453238405Sjkim		   1 for the srp user identity
454238405Sjkim		   + srp user identity length
455238405Sjkim		*/
456238405Sjkim		if ((limit - ret - 5 - login_len) < 0) return NULL;
457238405Sjkim
458238405Sjkim		/* fill in the extension */
459238405Sjkim		s2n(TLSEXT_TYPE_srp,ret);
460238405Sjkim		s2n(login_len+1,ret);
461238405Sjkim		(*ret++) = (unsigned char) login_len;
462238405Sjkim		memcpy(ret, s->srp_ctx.login, login_len);
463238405Sjkim		ret+=login_len;
464238405Sjkim		}
465238405Sjkim#endif
466238405Sjkim
467238405Sjkim#ifndef OPENSSL_NO_EC
468279264Sdelphij	if (s->tlsext_ecpointformatlist != NULL)
469238405Sjkim		{
470238405Sjkim		/* Add TLS extension ECPointFormats to the ClientHello message */
471238405Sjkim		long lenmax;
472238405Sjkim
473238405Sjkim		if ((lenmax = limit - ret - 5) < 0) return NULL;
474238405Sjkim		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
475238405Sjkim		if (s->tlsext_ecpointformatlist_length > 255)
476238405Sjkim			{
477238405Sjkim			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
478238405Sjkim			return NULL;
479238405Sjkim			}
480238405Sjkim
481238405Sjkim		s2n(TLSEXT_TYPE_ec_point_formats,ret);
482238405Sjkim		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
483238405Sjkim		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
484238405Sjkim		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
485238405Sjkim		ret+=s->tlsext_ecpointformatlist_length;
486238405Sjkim		}
487279264Sdelphij	if (s->tlsext_ellipticcurvelist != NULL)
488238405Sjkim		{
489238405Sjkim		/* Add TLS extension EllipticCurves to the ClientHello message */
490238405Sjkim		long lenmax;
491238405Sjkim
492238405Sjkim		if ((lenmax = limit - ret - 6) < 0) return NULL;
493238405Sjkim		if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
494238405Sjkim		if (s->tlsext_ellipticcurvelist_length > 65532)
495238405Sjkim			{
496238405Sjkim			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
497238405Sjkim			return NULL;
498238405Sjkim			}
499238405Sjkim
500238405Sjkim		s2n(TLSEXT_TYPE_elliptic_curves,ret);
501238405Sjkim		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
502238405Sjkim
503238405Sjkim		s2n(s->tlsext_ellipticcurvelist_length, ret);
504238405Sjkim		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
505238405Sjkim		ret+=s->tlsext_ellipticcurvelist_length;
506238405Sjkim		}
507238405Sjkim#endif /* OPENSSL_NO_EC */
508238405Sjkim
509194206Ssimon	if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
510194206Ssimon		{
511194206Ssimon		int ticklen;
512205128Ssimon		if (!s->new_session && s->session && s->session->tlsext_tick)
513194206Ssimon			ticklen = s->session->tlsext_ticklen;
514238405Sjkim		else if (s->session && s->tlsext_session_ticket &&
515238405Sjkim			 s->tlsext_session_ticket->data)
516238405Sjkim			{
517238405Sjkim			ticklen = s->tlsext_session_ticket->length;
518238405Sjkim			s->session->tlsext_tick = OPENSSL_malloc(ticklen);
519238405Sjkim			if (!s->session->tlsext_tick)
520238405Sjkim				return NULL;
521238405Sjkim			memcpy(s->session->tlsext_tick,
522238405Sjkim			       s->tlsext_session_ticket->data,
523238405Sjkim			       ticklen);
524238405Sjkim			s->session->tlsext_ticklen = ticklen;
525238405Sjkim			}
526194206Ssimon		else
527194206Ssimon			ticklen = 0;
528238405Sjkim		if (ticklen == 0 && s->tlsext_session_ticket &&
529238405Sjkim		    s->tlsext_session_ticket->data == NULL)
530238405Sjkim			goto skip_ext;
531194206Ssimon		/* Check for enough room 2 for extension type, 2 for len
532194206Ssimon 		 * rest for ticket
533194206Ssimon  		 */
534238405Sjkim		if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
535194206Ssimon		s2n(TLSEXT_TYPE_session_ticket,ret);
536194206Ssimon		s2n(ticklen,ret);
537194206Ssimon		if (ticklen)
538194206Ssimon			{
539194206Ssimon			memcpy(ret, s->session->tlsext_tick, ticklen);
540194206Ssimon			ret += ticklen;
541194206Ssimon			}
542194206Ssimon		}
543238405Sjkim		skip_ext:
544194206Ssimon
545238405Sjkim	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
546238405Sjkim		{
547238405Sjkim		if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
548238405Sjkim			return NULL;
549238405Sjkim		s2n(TLSEXT_TYPE_signature_algorithms,ret);
550238405Sjkim		s2n(sizeof(tls12_sigalgs) + 2, ret);
551238405Sjkim		s2n(sizeof(tls12_sigalgs), ret);
552238405Sjkim		memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
553238405Sjkim		ret += sizeof(tls12_sigalgs);
554238405Sjkim		}
555238405Sjkim
556238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
557238405Sjkim	if (s->s3->client_opaque_prf_input != NULL &&
558238405Sjkim	    s->version != DTLS1_VERSION)
559238405Sjkim		{
560238405Sjkim		size_t col = s->s3->client_opaque_prf_input_len;
561238405Sjkim
562238405Sjkim		if ((long)(limit - ret - 6 - col < 0))
563238405Sjkim			return NULL;
564238405Sjkim		if (col > 0xFFFD) /* can't happen */
565238405Sjkim			return NULL;
566238405Sjkim
567238405Sjkim		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
568238405Sjkim		s2n(col + 2, ret);
569238405Sjkim		s2n(col, ret);
570238405Sjkim		memcpy(ret, s->s3->client_opaque_prf_input, col);
571238405Sjkim		ret += col;
572238405Sjkim		}
573238405Sjkim#endif
574238405Sjkim
575205128Ssimon	if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
576205128Ssimon	    s->version != DTLS1_VERSION)
577194206Ssimon		{
578194206Ssimon		int i;
579194206Ssimon		long extlen, idlen, itmp;
580194206Ssimon		OCSP_RESPID *id;
581194206Ssimon
582194206Ssimon		idlen = 0;
583194206Ssimon		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
584194206Ssimon			{
585194206Ssimon			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
586194206Ssimon			itmp = i2d_OCSP_RESPID(id, NULL);
587194206Ssimon			if (itmp <= 0)
588194206Ssimon				return NULL;
589194206Ssimon			idlen += itmp + 2;
590194206Ssimon			}
591194206Ssimon
592194206Ssimon		if (s->tlsext_ocsp_exts)
593194206Ssimon			{
594194206Ssimon			extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
595194206Ssimon			if (extlen < 0)
596194206Ssimon				return NULL;
597194206Ssimon			}
598194206Ssimon		else
599194206Ssimon			extlen = 0;
600194206Ssimon
601194206Ssimon		if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
602194206Ssimon		s2n(TLSEXT_TYPE_status_request, ret);
603194206Ssimon		if (extlen + idlen > 0xFFF0)
604194206Ssimon			return NULL;
605194206Ssimon		s2n(extlen + idlen + 5, ret);
606194206Ssimon		*(ret++) = TLSEXT_STATUSTYPE_ocsp;
607194206Ssimon		s2n(idlen, ret);
608194206Ssimon		for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
609194206Ssimon			{
610194206Ssimon			/* save position of id len */
611194206Ssimon			unsigned char *q = ret;
612194206Ssimon			id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
613194206Ssimon			/* skip over id len */
614194206Ssimon			ret += 2;
615194206Ssimon			itmp = i2d_OCSP_RESPID(id, &ret);
616194206Ssimon			/* write id len */
617194206Ssimon			s2n(itmp, q);
618194206Ssimon			}
619194206Ssimon		s2n(extlen, ret);
620194206Ssimon		if (extlen > 0)
621194206Ssimon			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
622194206Ssimon		}
623194206Ssimon
624238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
625238405Sjkim	/* Add Heartbeat extension */
626279264Sdelphij	if ((limit - ret - 4 - 1) < 0)
627279264Sdelphij		return NULL;
628238405Sjkim	s2n(TLSEXT_TYPE_heartbeat,ret);
629238405Sjkim	s2n(1,ret);
630238405Sjkim	/* Set mode:
631238405Sjkim	 * 1: peer may send requests
632238405Sjkim	 * 2: peer not allowed to send requests
633238405Sjkim	 */
634238405Sjkim	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635238405Sjkim		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636238405Sjkim	else
637238405Sjkim		*(ret++) = SSL_TLSEXT_HB_ENABLED;
638238405Sjkim#endif
639238405Sjkim
640238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
641238405Sjkim	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642238405Sjkim		{
643238405Sjkim		/* The client advertises an emtpy extension to indicate its
644238405Sjkim		 * support for Next Protocol Negotiation */
645238405Sjkim		if (limit - ret - 4 < 0)
646238405Sjkim			return NULL;
647238405Sjkim		s2n(TLSEXT_TYPE_next_proto_neg,ret);
648238405Sjkim		s2n(0,ret);
649238405Sjkim		}
650238405Sjkim#endif
651238405Sjkim
652246772Sjkim#ifndef OPENSSL_NO_SRTP
653273415Sdelphij	if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
654238405Sjkim                {
655238405Sjkim                int el;
656238405Sjkim
657238405Sjkim                ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
658238405Sjkim
659279264Sdelphij                if((limit - ret - 4 - el) < 0) return NULL;
660238405Sjkim
661238405Sjkim                s2n(TLSEXT_TYPE_use_srtp,ret);
662238405Sjkim                s2n(el,ret);
663238405Sjkim
664238405Sjkim                if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
665238405Sjkim			{
666238405Sjkim			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
667238405Sjkim			return NULL;
668238405Sjkim			}
669238405Sjkim                ret += el;
670238405Sjkim                }
671246772Sjkim#endif
672279264Sdelphij	/* Add padding to workaround bugs in F5 terminators.
673279264Sdelphij	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
674279264Sdelphij	 *
675279264Sdelphij	 * NB: because this code works out the length of all existing
676279264Sdelphij	 * extensions it MUST always appear last.
677279264Sdelphij	 */
678279264Sdelphij	if (s->options & SSL_OP_TLSEXT_PADDING)
679279264Sdelphij		{
680279264Sdelphij		int hlen = ret - (unsigned char *)s->init_buf->data;
681279264Sdelphij		/* The code in s23_clnt.c to build ClientHello messages
682279264Sdelphij		 * includes the 5-byte record header in the buffer, while
683279264Sdelphij		 * the code in s3_clnt.c does not.
684279264Sdelphij		 */
685279264Sdelphij		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
686279264Sdelphij			hlen -= 5;
687279264Sdelphij		if (hlen > 0xff && hlen < 0x200)
688279264Sdelphij			{
689279264Sdelphij			hlen = 0x200 - hlen;
690279264Sdelphij			if (hlen >= 4)
691279264Sdelphij				hlen -= 4;
692279264Sdelphij			else
693279264Sdelphij				hlen = 0;
694238405Sjkim
695279264Sdelphij			s2n(TLSEXT_TYPE_padding, ret);
696279264Sdelphij			s2n(hlen, ret);
697279264Sdelphij			memset(ret, 0, hlen);
698279264Sdelphij			ret += hlen;
699279264Sdelphij			}
700279264Sdelphij		}
701194206Ssimon
702279264Sdelphij	if ((extdatalen = ret-orig-2)== 0)
703279264Sdelphij		return orig;
704279264Sdelphij
705279264Sdelphij	s2n(extdatalen, orig);
706194206Ssimon	return ret;
707194206Ssimon	}
708194206Ssimon
709279264Sdelphijunsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
710194206Ssimon	{
711194206Ssimon	int extdatalen=0;
712279264Sdelphij	unsigned char *orig = buf;
713279264Sdelphij	unsigned char *ret = buf;
714238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
715238405Sjkim	int next_proto_neg_seen;
716238405Sjkim#endif
717194206Ssimon
718205128Ssimon	/* don't add extensions for SSLv3, unless doing secure renegotiation */
719205128Ssimon	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
720279264Sdelphij		return orig;
721205128Ssimon
722194206Ssimon	ret+=2;
723194206Ssimon	if (ret>=limit) return NULL; /* this really never occurs, but ... */
724194206Ssimon
725194206Ssimon	if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
726194206Ssimon		{
727238405Sjkim		if ((long)(limit - ret - 4) < 0) return NULL;
728194206Ssimon
729194206Ssimon		s2n(TLSEXT_TYPE_server_name,ret);
730194206Ssimon		s2n(0,ret);
731194206Ssimon		}
732205128Ssimon
733205128Ssimon	if(s->s3->send_connection_binding)
734205128Ssimon        {
735205128Ssimon          int el;
736205128Ssimon
737205128Ssimon          if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
738205128Ssimon              {
739205128Ssimon              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
740205128Ssimon              return NULL;
741205128Ssimon              }
742205128Ssimon
743279264Sdelphij          if((limit - ret - 4 - el) < 0) return NULL;
744205128Ssimon
745205128Ssimon          s2n(TLSEXT_TYPE_renegotiate,ret);
746205128Ssimon          s2n(el,ret);
747205128Ssimon
748205128Ssimon          if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
749205128Ssimon              {
750205128Ssimon              SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
751205128Ssimon              return NULL;
752205128Ssimon              }
753205128Ssimon
754205128Ssimon          ret += el;
755205128Ssimon        }
756238405Sjkim
757238405Sjkim#ifndef OPENSSL_NO_EC
758279264Sdelphij	if (s->tlsext_ecpointformatlist != NULL)
759238405Sjkim		{
760238405Sjkim		/* Add TLS extension ECPointFormats to the ServerHello message */
761238405Sjkim		long lenmax;
762238405Sjkim
763238405Sjkim		if ((lenmax = limit - ret - 5) < 0) return NULL;
764238405Sjkim		if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
765238405Sjkim		if (s->tlsext_ecpointformatlist_length > 255)
766238405Sjkim			{
767238405Sjkim			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
768238405Sjkim			return NULL;
769238405Sjkim			}
770238405Sjkim
771238405Sjkim		s2n(TLSEXT_TYPE_ec_point_formats,ret);
772238405Sjkim		s2n(s->tlsext_ecpointformatlist_length + 1,ret);
773238405Sjkim		*(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
774238405Sjkim		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
775238405Sjkim		ret+=s->tlsext_ecpointformatlist_length;
776238405Sjkim
777238405Sjkim		}
778238405Sjkim	/* Currently the server should not respond with a SupportedCurves extension */
779238405Sjkim#endif /* OPENSSL_NO_EC */
780238405Sjkim
781194206Ssimon	if (s->tlsext_ticket_expected
782194206Ssimon		&& !(SSL_get_options(s) & SSL_OP_NO_TICKET))
783194206Ssimon		{
784238405Sjkim		if ((long)(limit - ret - 4) < 0) return NULL;
785194206Ssimon		s2n(TLSEXT_TYPE_session_ticket,ret);
786194206Ssimon		s2n(0,ret);
787194206Ssimon		}
788194206Ssimon
789194206Ssimon	if (s->tlsext_status_expected)
790194206Ssimon		{
791194206Ssimon		if ((long)(limit - ret - 4) < 0) return NULL;
792194206Ssimon		s2n(TLSEXT_TYPE_status_request,ret);
793194206Ssimon		s2n(0,ret);
794194206Ssimon		}
795194206Ssimon
796238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
797238405Sjkim	if (s->s3->server_opaque_prf_input != NULL &&
798238405Sjkim	    s->version != DTLS1_VERSION)
799238405Sjkim		{
800238405Sjkim		size_t sol = s->s3->server_opaque_prf_input_len;
801238405Sjkim
802238405Sjkim		if ((long)(limit - ret - 6 - sol) < 0)
803238405Sjkim			return NULL;
804238405Sjkim		if (sol > 0xFFFD) /* can't happen */
805238405Sjkim			return NULL;
806238405Sjkim
807238405Sjkim		s2n(TLSEXT_TYPE_opaque_prf_input, ret);
808238405Sjkim		s2n(sol + 2, ret);
809238405Sjkim		s2n(sol, ret);
810238405Sjkim		memcpy(ret, s->s3->server_opaque_prf_input, sol);
811238405Sjkim		ret += sol;
812238405Sjkim		}
813238405Sjkim#endif
814238405Sjkim
815246772Sjkim#ifndef OPENSSL_NO_SRTP
816273415Sdelphij	if(SSL_IS_DTLS(s) && s->srtp_profile)
817238405Sjkim                {
818238405Sjkim                int el;
819238405Sjkim
820238405Sjkim                ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
821238405Sjkim
822279264Sdelphij                if((limit - ret - 4 - el) < 0) return NULL;
823238405Sjkim
824238405Sjkim                s2n(TLSEXT_TYPE_use_srtp,ret);
825238405Sjkim                s2n(el,ret);
826238405Sjkim
827238405Sjkim                if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
828238405Sjkim			{
829238405Sjkim			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
830238405Sjkim			return NULL;
831238405Sjkim			}
832238405Sjkim                ret+=el;
833238405Sjkim                }
834246772Sjkim#endif
835238405Sjkim
836238405Sjkim	if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
837238405Sjkim		&& (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
838238405Sjkim		{ const unsigned char cryptopro_ext[36] = {
839238405Sjkim			0xfd, 0xe8, /*65000*/
840238405Sjkim			0x00, 0x20, /*32 bytes length*/
841238405Sjkim			0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
842238405Sjkim			0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
843238405Sjkim			0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
844238405Sjkim			0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
845238405Sjkim			if (limit-ret<36) return NULL;
846238405Sjkim			memcpy(ret,cryptopro_ext,36);
847238405Sjkim			ret+=36;
848238405Sjkim
849238405Sjkim		}
850238405Sjkim
851238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
852238405Sjkim	/* Add Heartbeat extension if we've received one */
853238405Sjkim	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
854238405Sjkim		{
855279264Sdelphij		if ((limit - ret - 4 - 1) < 0)
856279264Sdelphij			return NULL;
857238405Sjkim		s2n(TLSEXT_TYPE_heartbeat,ret);
858238405Sjkim		s2n(1,ret);
859238405Sjkim		/* Set mode:
860238405Sjkim		 * 1: peer may send requests
861238405Sjkim		 * 2: peer not allowed to send requests
862238405Sjkim		 */
863238405Sjkim		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
864238405Sjkim			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
865238405Sjkim		else
866238405Sjkim			*(ret++) = SSL_TLSEXT_HB_ENABLED;
867238405Sjkim
868238405Sjkim		}
869238405Sjkim#endif
870238405Sjkim
871238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
872238405Sjkim	next_proto_neg_seen = s->s3->next_proto_neg_seen;
873238405Sjkim	s->s3->next_proto_neg_seen = 0;
874238405Sjkim	if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
875238405Sjkim		{
876238405Sjkim		const unsigned char *npa;
877238405Sjkim		unsigned int npalen;
878238405Sjkim		int r;
879238405Sjkim
880238405Sjkim		r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
881238405Sjkim		if (r == SSL_TLSEXT_ERR_OK)
882238405Sjkim			{
883238405Sjkim			if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
884238405Sjkim			s2n(TLSEXT_TYPE_next_proto_neg,ret);
885238405Sjkim			s2n(npalen,ret);
886238405Sjkim			memcpy(ret, npa, npalen);
887238405Sjkim			ret += npalen;
888238405Sjkim			s->s3->next_proto_neg_seen = 1;
889238405Sjkim			}
890238405Sjkim		}
891238405Sjkim#endif
892238405Sjkim
893279264Sdelphij	if ((extdatalen = ret-orig-2)== 0)
894279264Sdelphij		return orig;
895194206Ssimon
896279264Sdelphij	s2n(extdatalen, orig);
897194206Ssimon	return ret;
898194206Ssimon	}
899194206Ssimon
900279264Sdelphij#ifndef OPENSSL_NO_EC
901279264Sdelphij/* ssl_check_for_safari attempts to fingerprint Safari using OS X
902279264Sdelphij * SecureTransport using the TLS extension block in |d|, of length |n|.
903279264Sdelphij * Safari, since 10.6, sends exactly these extensions, in this order:
904279264Sdelphij *   SNI,
905279264Sdelphij *   elliptic_curves
906279264Sdelphij *   ec_point_formats
907279264Sdelphij *
908279264Sdelphij * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
909279264Sdelphij * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
910279264Sdelphij * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
911279264Sdelphij * 10.8..10.8.3 (which don't work).
912279264Sdelphij */
913279264Sdelphijstatic void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
914279264Sdelphij	unsigned short type, size;
915279264Sdelphij	static const unsigned char kSafariExtensionsBlock[] = {
916279264Sdelphij		0x00, 0x0a,  /* elliptic_curves extension */
917279264Sdelphij		0x00, 0x08,  /* 8 bytes */
918279264Sdelphij		0x00, 0x06,  /* 6 bytes of curve ids */
919279264Sdelphij		0x00, 0x17,  /* P-256 */
920279264Sdelphij		0x00, 0x18,  /* P-384 */
921279264Sdelphij		0x00, 0x19,  /* P-521 */
922279264Sdelphij
923279264Sdelphij		0x00, 0x0b,  /* ec_point_formats */
924279264Sdelphij		0x00, 0x02,  /* 2 bytes */
925279264Sdelphij		0x01,        /* 1 point format */
926279264Sdelphij		0x00,        /* uncompressed */
927279264Sdelphij	};
928279264Sdelphij
929279264Sdelphij	/* The following is only present in TLS 1.2 */
930279264Sdelphij	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
931279264Sdelphij		0x00, 0x0d,  /* signature_algorithms */
932279264Sdelphij		0x00, 0x0c,  /* 12 bytes */
933279264Sdelphij		0x00, 0x0a,  /* 10 bytes */
934279264Sdelphij		0x05, 0x01,  /* SHA-384/RSA */
935279264Sdelphij		0x04, 0x01,  /* SHA-256/RSA */
936279264Sdelphij		0x02, 0x01,  /* SHA-1/RSA */
937279264Sdelphij		0x04, 0x03,  /* SHA-256/ECDSA */
938279264Sdelphij		0x02, 0x03,  /* SHA-1/ECDSA */
939279264Sdelphij	};
940279264Sdelphij
941279264Sdelphij	if (data >= (d+n-2))
942279264Sdelphij		return;
943279264Sdelphij	data += 2;
944279264Sdelphij
945279264Sdelphij	if (data > (d+n-4))
946279264Sdelphij		return;
947279264Sdelphij	n2s(data,type);
948279264Sdelphij	n2s(data,size);
949279264Sdelphij
950279264Sdelphij	if (type != TLSEXT_TYPE_server_name)
951279264Sdelphij		return;
952279264Sdelphij
953279264Sdelphij	if (data+size > d+n)
954279264Sdelphij		return;
955279264Sdelphij	data += size;
956279264Sdelphij
957279264Sdelphij	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
958279264Sdelphij		{
959279264Sdelphij		const size_t len1 = sizeof(kSafariExtensionsBlock);
960279264Sdelphij		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
961279264Sdelphij
962279264Sdelphij		if (data + len1 + len2 != d+n)
963279264Sdelphij			return;
964279264Sdelphij		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
965279264Sdelphij			return;
966279264Sdelphij		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
967279264Sdelphij			return;
968279264Sdelphij		}
969279264Sdelphij	else
970279264Sdelphij		{
971279264Sdelphij		const size_t len = sizeof(kSafariExtensionsBlock);
972279264Sdelphij
973279264Sdelphij		if (data + len != d+n)
974279264Sdelphij			return;
975279264Sdelphij		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
976279264Sdelphij			return;
977279264Sdelphij		}
978279264Sdelphij
979279264Sdelphij	s->s3->is_probably_safari = 1;
980279264Sdelphij}
981279264Sdelphij#endif /* !OPENSSL_NO_EC */
982279264Sdelphij
983194206Ssimonint ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
984194206Ssimon	{
985194206Ssimon	unsigned short type;
986194206Ssimon	unsigned short size;
987194206Ssimon	unsigned short len;
988194206Ssimon	unsigned char *data = *p;
989205128Ssimon	int renegotiate_seen = 0;
990238405Sjkim	int sigalg_seen = 0;
991205128Ssimon
992194206Ssimon	s->servername_done = 0;
993194206Ssimon	s->tlsext_status_type = -1;
994238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
995238405Sjkim	s->s3->next_proto_neg_seen = 0;
996238405Sjkim#endif
997194206Ssimon
998238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
999238405Sjkim	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1000238405Sjkim	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1001238405Sjkim#endif
1002238405Sjkim
1003279264Sdelphij#ifndef OPENSSL_NO_EC
1004279264Sdelphij	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1005279264Sdelphij		ssl_check_for_safari(s, data, d, n);
1006279264Sdelphij#endif /* !OPENSSL_NO_EC */
1007279264Sdelphij
1008279264Sdelphij#ifndef OPENSSL_NO_SRP
1009279264Sdelphij	if (s->srp_ctx.login != NULL)
1010279264Sdelphij		{
1011279264Sdelphij		OPENSSL_free(s->srp_ctx.login);
1012279264Sdelphij		s->srp_ctx.login = NULL;
1013279264Sdelphij		}
1014279264Sdelphij#endif
1015279264Sdelphij
1016279264Sdelphij	s->srtp_profile = NULL;
1017279264Sdelphij
1018194206Ssimon	if (data >= (d+n-2))
1019205128Ssimon		goto ri_check;
1020194206Ssimon	n2s(data,len);
1021194206Ssimon
1022194206Ssimon	if (data > (d+n-len))
1023205128Ssimon		goto ri_check;
1024194206Ssimon
1025194206Ssimon	while (data <= (d+n-4))
1026194206Ssimon		{
1027194206Ssimon		n2s(data,type);
1028194206Ssimon		n2s(data,size);
1029194206Ssimon
1030194206Ssimon		if (data+size > (d+n))
1031205128Ssimon	   		goto ri_check;
1032238405Sjkim#if 0
1033238405Sjkim		fprintf(stderr,"Received extension type %d size %d\n",type,size);
1034238405Sjkim#endif
1035194206Ssimon		if (s->tlsext_debug_cb)
1036194206Ssimon			s->tlsext_debug_cb(s, 0, type, data, size,
1037194206Ssimon						s->tlsext_debug_arg);
1038194206Ssimon/* The servername extension is treated as follows:
1039194206Ssimon
1040194206Ssimon   - Only the hostname type is supported with a maximum length of 255.
1041194206Ssimon   - The servername is rejected if too long or if it contains zeros,
1042194206Ssimon     in which case an fatal alert is generated.
1043194206Ssimon   - The servername field is maintained together with the session cache.
1044194206Ssimon   - When a session is resumed, the servername call back invoked in order
1045194206Ssimon     to allow the application to position itself to the right context.
1046194206Ssimon   - The servername is acknowledged if it is new for a session or when
1047194206Ssimon     it is identical to a previously used for the same session.
1048194206Ssimon     Applications can control the behaviour.  They can at any time
1049194206Ssimon     set a 'desirable' servername for a new SSL object. This can be the
1050194206Ssimon     case for example with HTTPS when a Host: header field is received and
1051194206Ssimon     a renegotiation is requested. In this case, a possible servername
1052194206Ssimon     presented in the new client hello is only acknowledged if it matches
1053194206Ssimon     the value of the Host: field.
1054194206Ssimon   - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1055194206Ssimon     if they provide for changing an explicit servername context for the session,
1056194206Ssimon     i.e. when the session has been established with a servername extension.
1057194206Ssimon   - On session reconnect, the servername extension may be absent.
1058194206Ssimon
1059194206Ssimon*/
1060194206Ssimon
1061194206Ssimon		if (type == TLSEXT_TYPE_server_name)
1062194206Ssimon			{
1063194206Ssimon			unsigned char *sdata;
1064194206Ssimon			int servname_type;
1065194206Ssimon			int dsize;
1066194206Ssimon
1067194206Ssimon			if (size < 2)
1068194206Ssimon				{
1069194206Ssimon				*al = SSL_AD_DECODE_ERROR;
1070194206Ssimon				return 0;
1071194206Ssimon				}
1072194206Ssimon			n2s(data,dsize);
1073194206Ssimon			size -= 2;
1074194206Ssimon			if (dsize > size  )
1075194206Ssimon				{
1076194206Ssimon				*al = SSL_AD_DECODE_ERROR;
1077194206Ssimon				return 0;
1078194206Ssimon				}
1079194206Ssimon
1080194206Ssimon			sdata = data;
1081194206Ssimon			while (dsize > 3)
1082194206Ssimon				{
1083194206Ssimon	 			servname_type = *(sdata++);
1084194206Ssimon				n2s(sdata,len);
1085194206Ssimon				dsize -= 3;
1086194206Ssimon
1087194206Ssimon				if (len > dsize)
1088194206Ssimon					{
1089194206Ssimon					*al = SSL_AD_DECODE_ERROR;
1090194206Ssimon					return 0;
1091194206Ssimon					}
1092194206Ssimon				if (s->servername_done == 0)
1093194206Ssimon				switch (servname_type)
1094194206Ssimon					{
1095194206Ssimon				case TLSEXT_NAMETYPE_host_name:
1096215697Ssimon					if (!s->hit)
1097194206Ssimon						{
1098215697Ssimon						if(s->session->tlsext_hostname)
1099194206Ssimon							{
1100215697Ssimon							*al = SSL_AD_DECODE_ERROR;
1101215697Ssimon							return 0;
1102215697Ssimon							}
1103215697Ssimon						if (len > TLSEXT_MAXLEN_host_name)
1104215697Ssimon							{
1105194206Ssimon							*al = TLS1_AD_UNRECOGNIZED_NAME;
1106194206Ssimon							return 0;
1107194206Ssimon							}
1108215697Ssimon						if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1109215697Ssimon							{
1110215697Ssimon							*al = TLS1_AD_INTERNAL_ERROR;
1111215697Ssimon							return 0;
1112215697Ssimon							}
1113194206Ssimon						memcpy(s->session->tlsext_hostname, sdata, len);
1114194206Ssimon						s->session->tlsext_hostname[len]='\0';
1115194206Ssimon						if (strlen(s->session->tlsext_hostname) != len) {
1116194206Ssimon							OPENSSL_free(s->session->tlsext_hostname);
1117194206Ssimon							s->session->tlsext_hostname = NULL;
1118194206Ssimon							*al = TLS1_AD_UNRECOGNIZED_NAME;
1119194206Ssimon							return 0;
1120194206Ssimon						}
1121194206Ssimon						s->servername_done = 1;
1122194206Ssimon
1123194206Ssimon						}
1124194206Ssimon					else
1125215697Ssimon						s->servername_done = s->session->tlsext_hostname
1126215697Ssimon							&& strlen(s->session->tlsext_hostname) == len
1127194206Ssimon							&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1128194206Ssimon
1129194206Ssimon					break;
1130194206Ssimon
1131194206Ssimon				default:
1132194206Ssimon					break;
1133194206Ssimon					}
1134194206Ssimon
1135194206Ssimon				dsize -= len;
1136194206Ssimon				}
1137194206Ssimon			if (dsize != 0)
1138194206Ssimon				{
1139194206Ssimon				*al = SSL_AD_DECODE_ERROR;
1140194206Ssimon				return 0;
1141194206Ssimon				}
1142194206Ssimon
1143194206Ssimon			}
1144238405Sjkim#ifndef OPENSSL_NO_SRP
1145238405Sjkim		else if (type == TLSEXT_TYPE_srp)
1146238405Sjkim			{
1147238405Sjkim			if (size <= 0 || ((len = data[0])) != (size -1))
1148238405Sjkim				{
1149238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1150238405Sjkim				return 0;
1151238405Sjkim				}
1152238405Sjkim			if (s->srp_ctx.login != NULL)
1153238405Sjkim				{
1154238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1155238405Sjkim				return 0;
1156238405Sjkim				}
1157238405Sjkim			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1158238405Sjkim				return -1;
1159238405Sjkim			memcpy(s->srp_ctx.login, &data[1], len);
1160238405Sjkim			s->srp_ctx.login[len]='\0';
1161238405Sjkim
1162238405Sjkim			if (strlen(s->srp_ctx.login) != len)
1163238405Sjkim				{
1164238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1165238405Sjkim				return 0;
1166238405Sjkim				}
1167238405Sjkim			}
1168238405Sjkim#endif
1169238405Sjkim
1170238405Sjkim#ifndef OPENSSL_NO_EC
1171279264Sdelphij		else if (type == TLSEXT_TYPE_ec_point_formats)
1172238405Sjkim			{
1173238405Sjkim			unsigned char *sdata = data;
1174238405Sjkim			int ecpointformatlist_length = *(sdata++);
1175238405Sjkim
1176238405Sjkim			if (ecpointformatlist_length != size - 1)
1177238405Sjkim				{
1178238405Sjkim				*al = TLS1_AD_DECODE_ERROR;
1179238405Sjkim				return 0;
1180238405Sjkim				}
1181238405Sjkim			if (!s->hit)
1182238405Sjkim				{
1183238405Sjkim				if(s->session->tlsext_ecpointformatlist)
1184238405Sjkim					{
1185238405Sjkim					OPENSSL_free(s->session->tlsext_ecpointformatlist);
1186238405Sjkim					s->session->tlsext_ecpointformatlist = NULL;
1187238405Sjkim					}
1188238405Sjkim				s->session->tlsext_ecpointformatlist_length = 0;
1189238405Sjkim				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1190238405Sjkim					{
1191238405Sjkim					*al = TLS1_AD_INTERNAL_ERROR;
1192238405Sjkim					return 0;
1193238405Sjkim					}
1194238405Sjkim				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1195238405Sjkim				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1196238405Sjkim				}
1197238405Sjkim#if 0
1198238405Sjkim			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1199238405Sjkim			sdata = s->session->tlsext_ecpointformatlist;
1200238405Sjkim			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1201238405Sjkim				fprintf(stderr,"%i ",*(sdata++));
1202238405Sjkim			fprintf(stderr,"\n");
1203238405Sjkim#endif
1204238405Sjkim			}
1205279264Sdelphij		else if (type == TLSEXT_TYPE_elliptic_curves)
1206238405Sjkim			{
1207238405Sjkim			unsigned char *sdata = data;
1208238405Sjkim			int ellipticcurvelist_length = (*(sdata++) << 8);
1209238405Sjkim			ellipticcurvelist_length += (*(sdata++));
1210238405Sjkim
1211246772Sjkim			if (ellipticcurvelist_length != size - 2 ||
1212279264Sdelphij				ellipticcurvelist_length < 1 ||
1213279264Sdelphij				/* Each NamedCurve is 2 bytes. */
1214279264Sdelphij				ellipticcurvelist_length & 1)
1215238405Sjkim				{
1216238405Sjkim				*al = TLS1_AD_DECODE_ERROR;
1217238405Sjkim				return 0;
1218238405Sjkim				}
1219238405Sjkim			if (!s->hit)
1220238405Sjkim				{
1221238405Sjkim				if(s->session->tlsext_ellipticcurvelist)
1222238405Sjkim					{
1223238405Sjkim					*al = TLS1_AD_DECODE_ERROR;
1224238405Sjkim					return 0;
1225238405Sjkim					}
1226238405Sjkim				s->session->tlsext_ellipticcurvelist_length = 0;
1227238405Sjkim				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1228238405Sjkim					{
1229238405Sjkim					*al = TLS1_AD_INTERNAL_ERROR;
1230238405Sjkim					return 0;
1231238405Sjkim					}
1232238405Sjkim				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1233238405Sjkim				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1234238405Sjkim				}
1235238405Sjkim#if 0
1236238405Sjkim			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1237238405Sjkim			sdata = s->session->tlsext_ellipticcurvelist;
1238238405Sjkim			for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1239238405Sjkim				fprintf(stderr,"%i ",*(sdata++));
1240238405Sjkim			fprintf(stderr,"\n");
1241238405Sjkim#endif
1242238405Sjkim			}
1243238405Sjkim#endif /* OPENSSL_NO_EC */
1244238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
1245238405Sjkim		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1246238405Sjkim	             s->version != DTLS1_VERSION)
1247238405Sjkim			{
1248238405Sjkim			unsigned char *sdata = data;
1249238405Sjkim
1250238405Sjkim			if (size < 2)
1251238405Sjkim				{
1252238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1253238405Sjkim				return 0;
1254238405Sjkim				}
1255238405Sjkim			n2s(sdata, s->s3->client_opaque_prf_input_len);
1256238405Sjkim			if (s->s3->client_opaque_prf_input_len != size - 2)
1257238405Sjkim				{
1258238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1259238405Sjkim				return 0;
1260238405Sjkim				}
1261238405Sjkim
1262238405Sjkim			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1263238405Sjkim				OPENSSL_free(s->s3->client_opaque_prf_input);
1264238405Sjkim			if (s->s3->client_opaque_prf_input_len == 0)
1265238405Sjkim				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1266238405Sjkim			else
1267238405Sjkim				s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1268238405Sjkim			if (s->s3->client_opaque_prf_input == NULL)
1269238405Sjkim				{
1270238405Sjkim				*al = TLS1_AD_INTERNAL_ERROR;
1271238405Sjkim				return 0;
1272238405Sjkim				}
1273238405Sjkim			}
1274238405Sjkim#endif
1275238405Sjkim		else if (type == TLSEXT_TYPE_session_ticket)
1276238405Sjkim			{
1277238405Sjkim			if (s->tls_session_ticket_ext_cb &&
1278238405Sjkim			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1279238405Sjkim				{
1280238405Sjkim				*al = TLS1_AD_INTERNAL_ERROR;
1281238405Sjkim				return 0;
1282238405Sjkim				}
1283238405Sjkim			}
1284205128Ssimon		else if (type == TLSEXT_TYPE_renegotiate)
1285194206Ssimon			{
1286205128Ssimon			if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1287205128Ssimon				return 0;
1288205128Ssimon			renegotiate_seen = 1;
1289205128Ssimon			}
1290238405Sjkim		else if (type == TLSEXT_TYPE_signature_algorithms)
1291238405Sjkim			{
1292238405Sjkim			int dsize;
1293238405Sjkim			if (sigalg_seen || size < 2)
1294238405Sjkim				{
1295238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1296238405Sjkim				return 0;
1297238405Sjkim				}
1298238405Sjkim			sigalg_seen = 1;
1299238405Sjkim			n2s(data,dsize);
1300238405Sjkim			size -= 2;
1301238405Sjkim			if (dsize != size || dsize & 1)
1302238405Sjkim				{
1303238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1304238405Sjkim				return 0;
1305238405Sjkim				}
1306238405Sjkim			if (!tls1_process_sigalgs(s, data, dsize))
1307238405Sjkim				{
1308238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1309238405Sjkim				return 0;
1310238405Sjkim				}
1311238405Sjkim			}
1312205128Ssimon		else if (type == TLSEXT_TYPE_status_request &&
1313279264Sdelphij		         s->version != DTLS1_VERSION)
1314205128Ssimon			{
1315194206Ssimon
1316194206Ssimon			if (size < 5)
1317194206Ssimon				{
1318194206Ssimon				*al = SSL_AD_DECODE_ERROR;
1319194206Ssimon				return 0;
1320194206Ssimon				}
1321194206Ssimon
1322194206Ssimon			s->tlsext_status_type = *data++;
1323194206Ssimon			size--;
1324194206Ssimon			if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1325194206Ssimon				{
1326194206Ssimon				const unsigned char *sdata;
1327194206Ssimon				int dsize;
1328194206Ssimon				/* Read in responder_id_list */
1329194206Ssimon				n2s(data,dsize);
1330194206Ssimon				size -= 2;
1331194206Ssimon				if (dsize > size  )
1332194206Ssimon					{
1333194206Ssimon					*al = SSL_AD_DECODE_ERROR;
1334194206Ssimon					return 0;
1335194206Ssimon					}
1336194206Ssimon				while (dsize > 0)
1337194206Ssimon					{
1338194206Ssimon					OCSP_RESPID *id;
1339194206Ssimon					int idsize;
1340194206Ssimon					if (dsize < 4)
1341194206Ssimon						{
1342194206Ssimon						*al = SSL_AD_DECODE_ERROR;
1343194206Ssimon						return 0;
1344194206Ssimon						}
1345194206Ssimon					n2s(data, idsize);
1346194206Ssimon					dsize -= 2 + idsize;
1347218625Ssimon					size -= 2 + idsize;
1348194206Ssimon					if (dsize < 0)
1349194206Ssimon						{
1350194206Ssimon						*al = SSL_AD_DECODE_ERROR;
1351194206Ssimon						return 0;
1352194206Ssimon						}
1353194206Ssimon					sdata = data;
1354194206Ssimon					data += idsize;
1355194206Ssimon					id = d2i_OCSP_RESPID(NULL,
1356194206Ssimon								&sdata, idsize);
1357194206Ssimon					if (!id)
1358194206Ssimon						{
1359194206Ssimon						*al = SSL_AD_DECODE_ERROR;
1360194206Ssimon						return 0;
1361194206Ssimon						}
1362194206Ssimon					if (data != sdata)
1363194206Ssimon						{
1364194206Ssimon						OCSP_RESPID_free(id);
1365194206Ssimon						*al = SSL_AD_DECODE_ERROR;
1366194206Ssimon						return 0;
1367194206Ssimon						}
1368194206Ssimon					if (!s->tlsext_ocsp_ids
1369194206Ssimon						&& !(s->tlsext_ocsp_ids =
1370194206Ssimon						sk_OCSP_RESPID_new_null()))
1371194206Ssimon						{
1372194206Ssimon						OCSP_RESPID_free(id);
1373194206Ssimon						*al = SSL_AD_INTERNAL_ERROR;
1374194206Ssimon						return 0;
1375194206Ssimon						}
1376194206Ssimon					if (!sk_OCSP_RESPID_push(
1377194206Ssimon							s->tlsext_ocsp_ids, id))
1378194206Ssimon						{
1379194206Ssimon						OCSP_RESPID_free(id);
1380194206Ssimon						*al = SSL_AD_INTERNAL_ERROR;
1381194206Ssimon						return 0;
1382194206Ssimon						}
1383194206Ssimon					}
1384194206Ssimon
1385194206Ssimon				/* Read in request_extensions */
1386218625Ssimon				if (size < 2)
1387218625Ssimon					{
1388218625Ssimon					*al = SSL_AD_DECODE_ERROR;
1389218625Ssimon					return 0;
1390218625Ssimon					}
1391194206Ssimon				n2s(data,dsize);
1392194206Ssimon				size -= 2;
1393218625Ssimon				if (dsize != size)
1394194206Ssimon					{
1395194206Ssimon					*al = SSL_AD_DECODE_ERROR;
1396194206Ssimon					return 0;
1397194206Ssimon					}
1398194206Ssimon				sdata = data;
1399194206Ssimon				if (dsize > 0)
1400194206Ssimon					{
1401237657Sjkim					if (s->tlsext_ocsp_exts)
1402237657Sjkim						{
1403237657Sjkim						sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1404237657Sjkim									   X509_EXTENSION_free);
1405237657Sjkim						}
1406237657Sjkim
1407194206Ssimon					s->tlsext_ocsp_exts =
1408194206Ssimon						d2i_X509_EXTENSIONS(NULL,
1409194206Ssimon							&sdata, dsize);
1410194206Ssimon					if (!s->tlsext_ocsp_exts
1411194206Ssimon						|| (data + dsize != sdata))
1412194206Ssimon						{
1413194206Ssimon						*al = SSL_AD_DECODE_ERROR;
1414194206Ssimon						return 0;
1415194206Ssimon						}
1416194206Ssimon					}
1417194206Ssimon				}
1418194206Ssimon				/* We don't know what to do with any other type
1419194206Ssimon 			 	* so ignore it.
1420194206Ssimon 			 	*/
1421194206Ssimon				else
1422194206Ssimon					s->tlsext_status_type = -1;
1423194206Ssimon			}
1424238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
1425238405Sjkim		else if (type == TLSEXT_TYPE_heartbeat)
1426238405Sjkim			{
1427238405Sjkim			switch(data[0])
1428238405Sjkim				{
1429238405Sjkim				case 0x01:	/* Client allows us to send HB requests */
1430238405Sjkim							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1431238405Sjkim							break;
1432238405Sjkim				case 0x02:	/* Client doesn't accept HB requests */
1433238405Sjkim							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1434238405Sjkim							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1435238405Sjkim							break;
1436238405Sjkim				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1437238405Sjkim							return 0;
1438238405Sjkim				}
1439238405Sjkim			}
1440238405Sjkim#endif
1441238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
1442238405Sjkim		else if (type == TLSEXT_TYPE_next_proto_neg &&
1443238405Sjkim			 s->s3->tmp.finish_md_len == 0)
1444238405Sjkim			{
1445238405Sjkim			/* We shouldn't accept this extension on a
1446238405Sjkim			 * renegotiation.
1447238405Sjkim			 *
1448238405Sjkim			 * s->new_session will be set on renegotiation, but we
1449238405Sjkim			 * probably shouldn't rely that it couldn't be set on
1450238405Sjkim			 * the initial renegotation too in certain cases (when
1451238405Sjkim			 * there's some other reason to disallow resuming an
1452238405Sjkim			 * earlier session -- the current code won't be doing
1453238405Sjkim			 * anything like that, but this might change).
1454205128Ssimon
1455238405Sjkim			 * A valid sign that there's been a previous handshake
1456238405Sjkim			 * in this connection is if s->s3->tmp.finish_md_len >
1457238405Sjkim			 * 0.  (We are talking about a check that will happen
1458238405Sjkim			 * in the Hello protocol round, well before a new
1459238405Sjkim			 * Finished message could have been computed.) */
1460238405Sjkim			s->s3->next_proto_neg_seen = 1;
1461238405Sjkim			}
1462238405Sjkim#endif
1463238405Sjkim
1464194206Ssimon		/* session ticket processed earlier */
1465246772Sjkim#ifndef OPENSSL_NO_SRTP
1466273415Sdelphij		else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
1467273415Sdelphij			 && type == TLSEXT_TYPE_use_srtp)
1468246772Sjkim			{
1469238405Sjkim			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1470238405Sjkim							      al))
1471238405Sjkim				return 0;
1472246772Sjkim			}
1473246772Sjkim#endif
1474194206Ssimon
1475238405Sjkim		data+=size;
1476194206Ssimon		}
1477238405Sjkim
1478205128Ssimon	*p = data;
1479194206Ssimon
1480205128Ssimon	ri_check:
1481205128Ssimon
1482205128Ssimon	/* Need RI if renegotiating */
1483205128Ssimon
1484238405Sjkim	if (!renegotiate_seen && s->renegotiate &&
1485205128Ssimon		!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1486205128Ssimon		{
1487205128Ssimon		*al = SSL_AD_HANDSHAKE_FAILURE;
1488205128Ssimon	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1489205128Ssimon				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1490205128Ssimon		return 0;
1491205128Ssimon		}
1492205128Ssimon
1493194206Ssimon	return 1;
1494194206Ssimon	}
1495194206Ssimon
1496238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
1497238405Sjkim/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1498238405Sjkim * elements of zero length are allowed and the set of elements must exactly fill
1499238405Sjkim * the length of the block. */
1500238405Sjkimstatic char ssl_next_proto_validate(unsigned char *d, unsigned len)
1501238405Sjkim	{
1502238405Sjkim	unsigned int off = 0;
1503238405Sjkim
1504238405Sjkim	while (off < len)
1505238405Sjkim		{
1506238405Sjkim		if (d[off] == 0)
1507238405Sjkim			return 0;
1508238405Sjkim		off += d[off];
1509238405Sjkim		off++;
1510238405Sjkim		}
1511238405Sjkim
1512238405Sjkim	return off == len;
1513238405Sjkim	}
1514238405Sjkim#endif
1515238405Sjkim
1516194206Ssimonint ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1517194206Ssimon	{
1518215697Ssimon	unsigned short length;
1519194206Ssimon	unsigned short type;
1520194206Ssimon	unsigned short size;
1521194206Ssimon	unsigned char *data = *p;
1522194206Ssimon	int tlsext_servername = 0;
1523205128Ssimon	int renegotiate_seen = 0;
1524194206Ssimon
1525238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
1526238405Sjkim	s->s3->next_proto_neg_seen = 0;
1527238405Sjkim#endif
1528279264Sdelphij	s->tlsext_ticket_expected = 0;
1529238405Sjkim
1530238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
1531238405Sjkim	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1532238405Sjkim	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1533238405Sjkim#endif
1534238405Sjkim
1535194206Ssimon	if (data >= (d+n-2))
1536205128Ssimon		goto ri_check;
1537194206Ssimon
1538215697Ssimon	n2s(data,length);
1539215697Ssimon	if (data+length != d+n)
1540215697Ssimon		{
1541215697Ssimon		*al = SSL_AD_DECODE_ERROR;
1542215697Ssimon		return 0;
1543215697Ssimon		}
1544194206Ssimon
1545194206Ssimon	while(data <= (d+n-4))
1546194206Ssimon		{
1547194206Ssimon		n2s(data,type);
1548194206Ssimon		n2s(data,size);
1549194206Ssimon
1550194206Ssimon		if (data+size > (d+n))
1551205128Ssimon	   		goto ri_check;
1552194206Ssimon
1553194206Ssimon		if (s->tlsext_debug_cb)
1554194206Ssimon			s->tlsext_debug_cb(s, 1, type, data, size,
1555194206Ssimon						s->tlsext_debug_arg);
1556194206Ssimon
1557194206Ssimon		if (type == TLSEXT_TYPE_server_name)
1558194206Ssimon			{
1559194206Ssimon			if (s->tlsext_hostname == NULL || size > 0)
1560194206Ssimon				{
1561194206Ssimon				*al = TLS1_AD_UNRECOGNIZED_NAME;
1562194206Ssimon				return 0;
1563194206Ssimon				}
1564194206Ssimon			tlsext_servername = 1;
1565194206Ssimon			}
1566238405Sjkim
1567238405Sjkim#ifndef OPENSSL_NO_EC
1568279264Sdelphij		else if (type == TLSEXT_TYPE_ec_point_formats)
1569238405Sjkim			{
1570238405Sjkim			unsigned char *sdata = data;
1571238405Sjkim			int ecpointformatlist_length = *(sdata++);
1572238405Sjkim
1573246772Sjkim			if (ecpointformatlist_length != size - 1 ||
1574246772Sjkim				ecpointformatlist_length < 1)
1575238405Sjkim				{
1576238405Sjkim				*al = TLS1_AD_DECODE_ERROR;
1577238405Sjkim				return 0;
1578238405Sjkim				}
1579271304Sdelphij			if (!s->hit)
1580238405Sjkim				{
1581271304Sdelphij				s->session->tlsext_ecpointformatlist_length = 0;
1582271304Sdelphij				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1583271304Sdelphij				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1584271304Sdelphij					{
1585271304Sdelphij					*al = TLS1_AD_INTERNAL_ERROR;
1586271304Sdelphij					return 0;
1587271304Sdelphij					}
1588271304Sdelphij				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1589271304Sdelphij				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1590238405Sjkim				}
1591238405Sjkim#if 0
1592238405Sjkim			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1593238405Sjkim			sdata = s->session->tlsext_ecpointformatlist;
1594238405Sjkim			for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1595238405Sjkim				fprintf(stderr,"%i ",*(sdata++));
1596238405Sjkim			fprintf(stderr,"\n");
1597238405Sjkim#endif
1598238405Sjkim			}
1599238405Sjkim#endif /* OPENSSL_NO_EC */
1600238405Sjkim
1601194206Ssimon		else if (type == TLSEXT_TYPE_session_ticket)
1602194206Ssimon			{
1603238405Sjkim			if (s->tls_session_ticket_ext_cb &&
1604238405Sjkim			    !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1605238405Sjkim				{
1606238405Sjkim				*al = TLS1_AD_INTERNAL_ERROR;
1607238405Sjkim				return 0;
1608238405Sjkim				}
1609194206Ssimon			if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1610194206Ssimon				|| (size > 0))
1611194206Ssimon				{
1612194206Ssimon				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1613194206Ssimon				return 0;
1614194206Ssimon				}
1615194206Ssimon			s->tlsext_ticket_expected = 1;
1616194206Ssimon			}
1617238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
1618238405Sjkim		else if (type == TLSEXT_TYPE_opaque_prf_input &&
1619238405Sjkim	             s->version != DTLS1_VERSION)
1620238405Sjkim			{
1621238405Sjkim			unsigned char *sdata = data;
1622238405Sjkim
1623238405Sjkim			if (size < 2)
1624238405Sjkim				{
1625238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1626238405Sjkim				return 0;
1627238405Sjkim				}
1628238405Sjkim			n2s(sdata, s->s3->server_opaque_prf_input_len);
1629238405Sjkim			if (s->s3->server_opaque_prf_input_len != size - 2)
1630238405Sjkim				{
1631238405Sjkim				*al = SSL_AD_DECODE_ERROR;
1632238405Sjkim				return 0;
1633238405Sjkim				}
1634238405Sjkim
1635238405Sjkim			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1636238405Sjkim				OPENSSL_free(s->s3->server_opaque_prf_input);
1637238405Sjkim			if (s->s3->server_opaque_prf_input_len == 0)
1638238405Sjkim				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1639238405Sjkim			else
1640238405Sjkim				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1641238405Sjkim
1642238405Sjkim			if (s->s3->server_opaque_prf_input == NULL)
1643238405Sjkim				{
1644238405Sjkim				*al = TLS1_AD_INTERNAL_ERROR;
1645238405Sjkim				return 0;
1646238405Sjkim				}
1647238405Sjkim			}
1648238405Sjkim#endif
1649205128Ssimon		else if (type == TLSEXT_TYPE_status_request &&
1650205128Ssimon		         s->version != DTLS1_VERSION)
1651194206Ssimon			{
1652194206Ssimon			/* MUST be empty and only sent if we've requested
1653194206Ssimon			 * a status request message.
1654194206Ssimon			 */
1655194206Ssimon			if ((s->tlsext_status_type == -1) || (size > 0))
1656194206Ssimon				{
1657194206Ssimon				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1658194206Ssimon				return 0;
1659194206Ssimon				}
1660194206Ssimon			/* Set flag to expect CertificateStatus message */
1661194206Ssimon			s->tlsext_status_expected = 1;
1662194206Ssimon			}
1663238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG
1664238405Sjkim		else if (type == TLSEXT_TYPE_next_proto_neg &&
1665238405Sjkim			 s->s3->tmp.finish_md_len == 0)
1666238405Sjkim			{
1667238405Sjkim			unsigned char *selected;
1668238405Sjkim			unsigned char selected_len;
1669238405Sjkim
1670238405Sjkim			/* We must have requested it. */
1671246772Sjkim			if (s->ctx->next_proto_select_cb == NULL)
1672238405Sjkim				{
1673238405Sjkim				*al = TLS1_AD_UNSUPPORTED_EXTENSION;
1674238405Sjkim				return 0;
1675238405Sjkim				}
1676238405Sjkim			/* The data must be valid */
1677238405Sjkim			if (!ssl_next_proto_validate(data, size))
1678238405Sjkim				{
1679238405Sjkim				*al = TLS1_AD_DECODE_ERROR;
1680238405Sjkim				return 0;
1681238405Sjkim				}
1682238405Sjkim			if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1683238405Sjkim				{
1684238405Sjkim				*al = TLS1_AD_INTERNAL_ERROR;
1685238405Sjkim				return 0;
1686238405Sjkim				}
1687238405Sjkim			s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1688238405Sjkim			if (!s->next_proto_negotiated)
1689238405Sjkim				{
1690238405Sjkim				*al = TLS1_AD_INTERNAL_ERROR;
1691238405Sjkim				return 0;
1692238405Sjkim				}
1693238405Sjkim			memcpy(s->next_proto_negotiated, selected, selected_len);
1694238405Sjkim			s->next_proto_negotiated_len = selected_len;
1695238405Sjkim			s->s3->next_proto_neg_seen = 1;
1696238405Sjkim			}
1697238405Sjkim#endif
1698205128Ssimon		else if (type == TLSEXT_TYPE_renegotiate)
1699205128Ssimon			{
1700205128Ssimon			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1701205128Ssimon				return 0;
1702205128Ssimon			renegotiate_seen = 1;
1703205128Ssimon			}
1704238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
1705238405Sjkim		else if (type == TLSEXT_TYPE_heartbeat)
1706238405Sjkim			{
1707238405Sjkim			switch(data[0])
1708238405Sjkim				{
1709238405Sjkim				case 0x01:	/* Server allows us to send HB requests */
1710238405Sjkim							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1711238405Sjkim							break;
1712238405Sjkim				case 0x02:	/* Server doesn't accept HB requests */
1713238405Sjkim							s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1714238405Sjkim							s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1715238405Sjkim							break;
1716238405Sjkim				default:	*al = SSL_AD_ILLEGAL_PARAMETER;
1717238405Sjkim							return 0;
1718238405Sjkim				}
1719238405Sjkim			}
1720238405Sjkim#endif
1721246772Sjkim#ifndef OPENSSL_NO_SRTP
1722273415Sdelphij		else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
1723246772Sjkim			{
1724238405Sjkim                        if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1725238405Sjkim							      al))
1726238405Sjkim                                return 0;
1727246772Sjkim			}
1728246772Sjkim#endif
1729238405Sjkim
1730194206Ssimon		data+=size;
1731194206Ssimon		}
1732194206Ssimon
1733194206Ssimon	if (data != d+n)
1734194206Ssimon		{
1735194206Ssimon		*al = SSL_AD_DECODE_ERROR;
1736194206Ssimon		return 0;
1737194206Ssimon		}
1738194206Ssimon
1739194206Ssimon	if (!s->hit && tlsext_servername == 1)
1740194206Ssimon		{
1741194206Ssimon 		if (s->tlsext_hostname)
1742194206Ssimon			{
1743194206Ssimon			if (s->session->tlsext_hostname == NULL)
1744194206Ssimon				{
1745194206Ssimon				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1746194206Ssimon				if (!s->session->tlsext_hostname)
1747194206Ssimon					{
1748194206Ssimon					*al = SSL_AD_UNRECOGNIZED_NAME;
1749194206Ssimon					return 0;
1750194206Ssimon					}
1751194206Ssimon				}
1752194206Ssimon			else
1753194206Ssimon				{
1754194206Ssimon				*al = SSL_AD_DECODE_ERROR;
1755194206Ssimon				return 0;
1756194206Ssimon				}
1757194206Ssimon			}
1758194206Ssimon		}
1759194206Ssimon
1760194206Ssimon	*p = data;
1761205128Ssimon
1762205128Ssimon	ri_check:
1763205128Ssimon
1764205128Ssimon	/* Determine if we need to see RI. Strictly speaking if we want to
1765205128Ssimon	 * avoid an attack we should *always* see RI even on initial server
1766205128Ssimon	 * hello because the client doesn't see any renegotiation during an
1767205128Ssimon	 * attack. However this would mean we could not connect to any server
1768205128Ssimon	 * which doesn't support RI so for the immediate future tolerate RI
1769205128Ssimon	 * absence on initial connect only.
1770205128Ssimon	 */
1771205128Ssimon	if (!renegotiate_seen
1772205128Ssimon		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1773205128Ssimon		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1774205128Ssimon		{
1775205128Ssimon		*al = SSL_AD_HANDSHAKE_FAILURE;
1776205128Ssimon		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1777205128Ssimon				SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1778205128Ssimon		return 0;
1779205128Ssimon		}
1780205128Ssimon
1781194206Ssimon	return 1;
1782194206Ssimon	}
1783194206Ssimon
1784238405Sjkim
1785238405Sjkimint ssl_prepare_clienthello_tlsext(SSL *s)
1786238405Sjkim	{
1787238405Sjkim#ifndef OPENSSL_NO_EC
1788238405Sjkim	/* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1789238405Sjkim	 * and elliptic curves we support.
1790238405Sjkim	 */
1791238405Sjkim	int using_ecc = 0;
1792238405Sjkim	int i;
1793238405Sjkim	unsigned char *j;
1794238405Sjkim	unsigned long alg_k, alg_a;
1795238405Sjkim	STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1796238405Sjkim
1797238405Sjkim	for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1798238405Sjkim		{
1799238405Sjkim		SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1800238405Sjkim
1801238405Sjkim		alg_k = c->algorithm_mkey;
1802238405Sjkim		alg_a = c->algorithm_auth;
1803238405Sjkim		if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1804238405Sjkim			{
1805238405Sjkim			using_ecc = 1;
1806238405Sjkim			break;
1807238405Sjkim			}
1808238405Sjkim		}
1809238405Sjkim	using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1810238405Sjkim	if (using_ecc)
1811238405Sjkim		{
1812238405Sjkim		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1813238405Sjkim		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1814238405Sjkim			{
1815238405Sjkim			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1816238405Sjkim			return -1;
1817238405Sjkim			}
1818238405Sjkim		s->tlsext_ecpointformatlist_length = 3;
1819238405Sjkim		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1820238405Sjkim		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1821238405Sjkim		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1822238405Sjkim
1823279264Sdelphij		/* we support all named elliptic curves in RFC 4492 */
1824238405Sjkim		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1825238405Sjkim		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1826238405Sjkim		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1827238405Sjkim			{
1828238405Sjkim			s->tlsext_ellipticcurvelist_length = 0;
1829238405Sjkim			SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1830238405Sjkim			return -1;
1831238405Sjkim			}
1832238405Sjkim		for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1833238405Sjkim				sizeof(pref_list)/sizeof(pref_list[0]); i++)
1834238405Sjkim			{
1835238405Sjkim			int id = tls1_ec_nid2curve_id(pref_list[i]);
1836238405Sjkim			s2n(id,j);
1837238405Sjkim			}
1838238405Sjkim		}
1839238405Sjkim#endif /* OPENSSL_NO_EC */
1840238405Sjkim
1841238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
1842238405Sjkim 	{
1843238405Sjkim		int r = 1;
1844238405Sjkim
1845238405Sjkim		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1846238405Sjkim			{
1847238405Sjkim			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1848238405Sjkim			if (!r)
1849238405Sjkim				return -1;
1850238405Sjkim			}
1851238405Sjkim
1852238405Sjkim		if (s->tlsext_opaque_prf_input != NULL)
1853238405Sjkim			{
1854238405Sjkim			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1855238405Sjkim				OPENSSL_free(s->s3->client_opaque_prf_input);
1856238405Sjkim
1857238405Sjkim			if (s->tlsext_opaque_prf_input_len == 0)
1858238405Sjkim				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1859238405Sjkim			else
1860238405Sjkim				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1861238405Sjkim			if (s->s3->client_opaque_prf_input == NULL)
1862238405Sjkim				{
1863238405Sjkim				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1864238405Sjkim				return -1;
1865238405Sjkim				}
1866238405Sjkim			s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1867238405Sjkim			}
1868238405Sjkim
1869238405Sjkim		if (r == 2)
1870238405Sjkim			/* at callback's request, insist on receiving an appropriate server opaque PRF input */
1871238405Sjkim			s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1872238405Sjkim	}
1873238405Sjkim#endif
1874238405Sjkim
1875238405Sjkim	return 1;
1876238405Sjkim	}
1877238405Sjkim
1878238405Sjkimint ssl_prepare_serverhello_tlsext(SSL *s)
1879238405Sjkim	{
1880238405Sjkim#ifndef OPENSSL_NO_EC
1881238405Sjkim	/* If we are server and using an ECC cipher suite, send the point formats we support
1882238405Sjkim	 * if the client sent us an ECPointsFormat extension.  Note that the server is not
1883238405Sjkim	 * supposed to send an EllipticCurves extension.
1884238405Sjkim	 */
1885238405Sjkim
1886238405Sjkim	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1887238405Sjkim	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1888238405Sjkim	int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1889238405Sjkim	using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1890238405Sjkim
1891238405Sjkim	if (using_ecc)
1892238405Sjkim		{
1893238405Sjkim		if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1894238405Sjkim		if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1895238405Sjkim			{
1896238405Sjkim			SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1897238405Sjkim			return -1;
1898238405Sjkim			}
1899238405Sjkim		s->tlsext_ecpointformatlist_length = 3;
1900238405Sjkim		s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1901238405Sjkim		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1902238405Sjkim		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1903238405Sjkim		}
1904238405Sjkim#endif /* OPENSSL_NO_EC */
1905238405Sjkim
1906238405Sjkim	return 1;
1907238405Sjkim	}
1908238405Sjkim
1909246772Sjkimint ssl_check_clienthello_tlsext_early(SSL *s)
1910194206Ssimon	{
1911194206Ssimon	int ret=SSL_TLSEXT_ERR_NOACK;
1912194206Ssimon	int al = SSL_AD_UNRECOGNIZED_NAME;
1913194206Ssimon
1914238405Sjkim#ifndef OPENSSL_NO_EC
1915238405Sjkim	/* The handling of the ECPointFormats extension is done elsewhere, namely in
1916238405Sjkim	 * ssl3_choose_cipher in s3_lib.c.
1917238405Sjkim	 */
1918238405Sjkim	/* The handling of the EllipticCurves extension is done elsewhere, namely in
1919238405Sjkim	 * ssl3_choose_cipher in s3_lib.c.
1920238405Sjkim	 */
1921238405Sjkim#endif
1922238405Sjkim
1923194206Ssimon	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1924194206Ssimon		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1925194206Ssimon	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1926194206Ssimon		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1927194206Ssimon
1928238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
1929238405Sjkim 	{
1930238405Sjkim		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1931238405Sjkim		 * but we might be sending an alert in response to the client hello,
1932246772Sjkim		 * so this has to happen here in
1933246772Sjkim		 * ssl_check_clienthello_tlsext_early(). */
1934238405Sjkim
1935238405Sjkim		int r = 1;
1936238405Sjkim
1937238405Sjkim		if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1938238405Sjkim			{
1939238405Sjkim			r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1940238405Sjkim			if (!r)
1941238405Sjkim				{
1942238405Sjkim				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1943238405Sjkim				al = SSL_AD_INTERNAL_ERROR;
1944238405Sjkim				goto err;
1945238405Sjkim				}
1946238405Sjkim			}
1947238405Sjkim
1948238405Sjkim		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1949238405Sjkim			OPENSSL_free(s->s3->server_opaque_prf_input);
1950238405Sjkim		s->s3->server_opaque_prf_input = NULL;
1951238405Sjkim
1952238405Sjkim		if (s->tlsext_opaque_prf_input != NULL)
1953238405Sjkim			{
1954238405Sjkim			if (s->s3->client_opaque_prf_input != NULL &&
1955238405Sjkim				s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1956238405Sjkim				{
1957238405Sjkim				/* can only use this extension if we have a server opaque PRF input
1958238405Sjkim				 * of the same length as the client opaque PRF input! */
1959238405Sjkim
1960238405Sjkim				if (s->tlsext_opaque_prf_input_len == 0)
1961238405Sjkim					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1962238405Sjkim				else
1963238405Sjkim					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1964238405Sjkim				if (s->s3->server_opaque_prf_input == NULL)
1965238405Sjkim					{
1966238405Sjkim					ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1967238405Sjkim					al = SSL_AD_INTERNAL_ERROR;
1968238405Sjkim					goto err;
1969238405Sjkim					}
1970238405Sjkim				s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1971238405Sjkim				}
1972238405Sjkim			}
1973238405Sjkim
1974238405Sjkim		if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1975238405Sjkim			{
1976238405Sjkim			/* The callback wants to enforce use of the extension,
1977238405Sjkim			 * but we can't do that with the client opaque PRF input;
1978238405Sjkim			 * abort the handshake.
1979238405Sjkim			 */
1980238405Sjkim			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1981238405Sjkim			al = SSL_AD_HANDSHAKE_FAILURE;
1982238405Sjkim			}
1983238405Sjkim	}
1984238405Sjkim
1985246772Sjkim err:
1986238405Sjkim#endif
1987194206Ssimon	switch (ret)
1988194206Ssimon		{
1989194206Ssimon		case SSL_TLSEXT_ERR_ALERT_FATAL:
1990194206Ssimon			ssl3_send_alert(s,SSL3_AL_FATAL,al);
1991194206Ssimon			return -1;
1992194206Ssimon
1993194206Ssimon		case SSL_TLSEXT_ERR_ALERT_WARNING:
1994194206Ssimon			ssl3_send_alert(s,SSL3_AL_WARNING,al);
1995194206Ssimon			return 1;
1996194206Ssimon
1997194206Ssimon		case SSL_TLSEXT_ERR_NOACK:
1998194206Ssimon			s->servername_done=0;
1999194206Ssimon			default:
2000194206Ssimon		return 1;
2001194206Ssimon		}
2002194206Ssimon	}
2003194206Ssimon
2004246772Sjkimint ssl_check_clienthello_tlsext_late(SSL *s)
2005246772Sjkim	{
2006246772Sjkim	int ret = SSL_TLSEXT_ERR_OK;
2007246772Sjkim	int al;
2008246772Sjkim
2009246772Sjkim	/* If status request then ask callback what to do.
2010246772Sjkim 	 * Note: this must be called after servername callbacks in case
2011246772Sjkim 	 * the certificate has changed, and must be called after the cipher
2012246772Sjkim	 * has been chosen because this may influence which certificate is sent
2013246772Sjkim 	 */
2014246772Sjkim	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
2015246772Sjkim		{
2016246772Sjkim		int r;
2017246772Sjkim		CERT_PKEY *certpkey;
2018246772Sjkim		certpkey = ssl_get_server_send_pkey(s);
2019246772Sjkim		/* If no certificate can't return certificate status */
2020246772Sjkim		if (certpkey == NULL)
2021246772Sjkim			{
2022246772Sjkim			s->tlsext_status_expected = 0;
2023246772Sjkim			return 1;
2024246772Sjkim			}
2025246772Sjkim		/* Set current certificate to one we will use so
2026246772Sjkim		 * SSL_get_certificate et al can pick it up.
2027246772Sjkim		 */
2028246772Sjkim		s->cert->key = certpkey;
2029246772Sjkim		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2030246772Sjkim		switch (r)
2031246772Sjkim			{
2032246772Sjkim			/* We don't want to send a status request response */
2033246772Sjkim			case SSL_TLSEXT_ERR_NOACK:
2034246772Sjkim				s->tlsext_status_expected = 0;
2035246772Sjkim				break;
2036246772Sjkim			/* status request response should be sent */
2037246772Sjkim			case SSL_TLSEXT_ERR_OK:
2038246772Sjkim				if (s->tlsext_ocsp_resp)
2039246772Sjkim					s->tlsext_status_expected = 1;
2040246772Sjkim				else
2041246772Sjkim					s->tlsext_status_expected = 0;
2042246772Sjkim				break;
2043246772Sjkim			/* something bad happened */
2044246772Sjkim			case SSL_TLSEXT_ERR_ALERT_FATAL:
2045246772Sjkim				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2046246772Sjkim				al = SSL_AD_INTERNAL_ERROR;
2047246772Sjkim				goto err;
2048246772Sjkim			}
2049246772Sjkim		}
2050246772Sjkim	else
2051246772Sjkim		s->tlsext_status_expected = 0;
2052246772Sjkim
2053246772Sjkim err:
2054246772Sjkim	switch (ret)
2055246772Sjkim		{
2056246772Sjkim		case SSL_TLSEXT_ERR_ALERT_FATAL:
2057246772Sjkim			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2058246772Sjkim			return -1;
2059246772Sjkim
2060246772Sjkim		case SSL_TLSEXT_ERR_ALERT_WARNING:
2061246772Sjkim			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2062246772Sjkim			return 1;
2063246772Sjkim
2064246772Sjkim		default:
2065246772Sjkim			return 1;
2066246772Sjkim		}
2067246772Sjkim	}
2068246772Sjkim
2069194206Ssimonint ssl_check_serverhello_tlsext(SSL *s)
2070194206Ssimon	{
2071194206Ssimon	int ret=SSL_TLSEXT_ERR_NOACK;
2072194206Ssimon	int al = SSL_AD_UNRECOGNIZED_NAME;
2073194206Ssimon
2074238405Sjkim#ifndef OPENSSL_NO_EC
2075238405Sjkim	/* If we are client and using an elliptic curve cryptography cipher
2076238405Sjkim	 * suite, then if server returns an EC point formats lists extension
2077238405Sjkim	 * it must contain uncompressed.
2078238405Sjkim	 */
2079238405Sjkim	unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2080238405Sjkim	unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2081238405Sjkim	if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2082238405Sjkim	    (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2083238405Sjkim	    ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2084238405Sjkim		{
2085238405Sjkim		/* we are using an ECC cipher */
2086238405Sjkim		size_t i;
2087238405Sjkim		unsigned char *list;
2088238405Sjkim		int found_uncompressed = 0;
2089238405Sjkim		list = s->session->tlsext_ecpointformatlist;
2090238405Sjkim		for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2091238405Sjkim			{
2092238405Sjkim			if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2093238405Sjkim				{
2094238405Sjkim				found_uncompressed = 1;
2095238405Sjkim				break;
2096238405Sjkim				}
2097238405Sjkim			}
2098238405Sjkim		if (!found_uncompressed)
2099238405Sjkim			{
2100238405Sjkim			SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2101238405Sjkim			return -1;
2102238405Sjkim			}
2103238405Sjkim		}
2104238405Sjkim	ret = SSL_TLSEXT_ERR_OK;
2105238405Sjkim#endif /* OPENSSL_NO_EC */
2106238405Sjkim
2107194206Ssimon	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2108194206Ssimon		ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2109194206Ssimon	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2110194206Ssimon		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2111194206Ssimon
2112238405Sjkim#ifdef TLSEXT_TYPE_opaque_prf_input
2113238405Sjkim	if (s->s3->server_opaque_prf_input_len > 0)
2114238405Sjkim		{
2115238405Sjkim		/* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2116238405Sjkim		 * So first verify that we really have a value from the server too. */
2117238405Sjkim
2118238405Sjkim		if (s->s3->server_opaque_prf_input == NULL)
2119238405Sjkim			{
2120238405Sjkim			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2121238405Sjkim			al = SSL_AD_HANDSHAKE_FAILURE;
2122238405Sjkim			}
2123238405Sjkim
2124238405Sjkim		/* Anytime the server *has* sent an opaque PRF input, we need to check
2125238405Sjkim		 * that we have a client opaque PRF input of the same size. */
2126238405Sjkim		if (s->s3->client_opaque_prf_input == NULL ||
2127238405Sjkim		    s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2128238405Sjkim			{
2129238405Sjkim			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2130238405Sjkim			al = SSL_AD_ILLEGAL_PARAMETER;
2131238405Sjkim			}
2132238405Sjkim		}
2133238405Sjkim#endif
2134238405Sjkim
2135194206Ssimon	/* If we've requested certificate status and we wont get one
2136194206Ssimon 	 * tell the callback
2137194206Ssimon 	 */
2138194206Ssimon	if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2139238405Sjkim			&& s->ctx && s->ctx->tlsext_status_cb)
2140194206Ssimon		{
2141194206Ssimon		int r;
2142194206Ssimon		/* Set resp to NULL, resplen to -1 so callback knows
2143194206Ssimon 		 * there is no response.
2144194206Ssimon 		 */
2145194206Ssimon		if (s->tlsext_ocsp_resp)
2146194206Ssimon			{
2147194206Ssimon			OPENSSL_free(s->tlsext_ocsp_resp);
2148194206Ssimon			s->tlsext_ocsp_resp = NULL;
2149194206Ssimon			}
2150194206Ssimon		s->tlsext_ocsp_resplen = -1;
2151194206Ssimon		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2152194206Ssimon		if (r == 0)
2153194206Ssimon			{
2154194206Ssimon			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2155194206Ssimon			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2156194206Ssimon			}
2157194206Ssimon		if (r < 0)
2158194206Ssimon			{
2159194206Ssimon			al = SSL_AD_INTERNAL_ERROR;
2160194206Ssimon			ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2161194206Ssimon			}
2162194206Ssimon		}
2163194206Ssimon
2164194206Ssimon	switch (ret)
2165194206Ssimon		{
2166194206Ssimon		case SSL_TLSEXT_ERR_ALERT_FATAL:
2167194206Ssimon			ssl3_send_alert(s,SSL3_AL_FATAL,al);
2168194206Ssimon			return -1;
2169194206Ssimon
2170194206Ssimon		case SSL_TLSEXT_ERR_ALERT_WARNING:
2171194206Ssimon			ssl3_send_alert(s,SSL3_AL_WARNING,al);
2172194206Ssimon			return 1;
2173194206Ssimon
2174194206Ssimon		case SSL_TLSEXT_ERR_NOACK:
2175194206Ssimon			s->servername_done=0;
2176194206Ssimon			default:
2177194206Ssimon		return 1;
2178194206Ssimon		}
2179194206Ssimon	}
2180194206Ssimon
2181238405Sjkim/* Since the server cache lookup is done early on in the processing of the
2182238405Sjkim * ClientHello, and other operations depend on the result, we need to handle
2183238405Sjkim * any TLS session ticket extension at the same time.
2184238405Sjkim *
2185238405Sjkim *   session_id: points at the session ID in the ClientHello. This code will
2186238405Sjkim *       read past the end of this in order to parse out the session ticket
2187238405Sjkim *       extension, if any.
2188238405Sjkim *   len: the length of the session ID.
2189238405Sjkim *   limit: a pointer to the first byte after the ClientHello.
2190238405Sjkim *   ret: (output) on return, if a ticket was decrypted, then this is set to
2191238405Sjkim *       point to the resulting session.
2192238405Sjkim *
2193238405Sjkim * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2194238405Sjkim * ciphersuite, in which case we have no use for session tickets and one will
2195238405Sjkim * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2196238405Sjkim *
2197238405Sjkim * Returns:
2198238405Sjkim *   -1: fatal error, either from parsing or decrypting the ticket.
2199238405Sjkim *    0: no ticket was found (or was ignored, based on settings).
2200238405Sjkim *    1: a zero length extension was found, indicating that the client supports
2201238405Sjkim *       session tickets but doesn't currently have one to offer.
2202238405Sjkim *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2203238405Sjkim *       couldn't be decrypted because of a non-fatal error.
2204238405Sjkim *    3: a ticket was successfully decrypted and *ret was set.
2205238405Sjkim *
2206238405Sjkim * Side effects:
2207238405Sjkim *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2208238405Sjkim *   a new session ticket to the client because the client indicated support
2209238405Sjkim *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2210238405Sjkim *   a session ticket or we couldn't use the one it gave us, or if
2211238405Sjkim *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2212238405Sjkim *   Otherwise, s->tlsext_ticket_expected is set to 0.
2213194206Ssimon */
2214194206Ssimonint tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2215238405Sjkim			const unsigned char *limit, SSL_SESSION **ret)
2216194206Ssimon	{
2217194206Ssimon	/* Point after session ID in client hello */
2218194206Ssimon	const unsigned char *p = session_id + len;
2219194206Ssimon	unsigned short i;
2220194206Ssimon
2221238405Sjkim	*ret = NULL;
2222238405Sjkim	s->tlsext_ticket_expected = 0;
2223238405Sjkim
2224194206Ssimon	/* If tickets disabled behave as if no ticket present
2225238405Sjkim	 * to permit stateful resumption.
2226238405Sjkim	 */
2227194206Ssimon	if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2228238405Sjkim		return 0;
2229194206Ssimon	if ((s->version <= SSL3_VERSION) || !limit)
2230238405Sjkim		return 0;
2231194206Ssimon	if (p >= limit)
2232194206Ssimon		return -1;
2233205128Ssimon	/* Skip past DTLS cookie */
2234205128Ssimon	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2235205128Ssimon		{
2236205128Ssimon		i = *(p++);
2237205128Ssimon		p+= i;
2238205128Ssimon		if (p >= limit)
2239205128Ssimon			return -1;
2240205128Ssimon		}
2241194206Ssimon	/* Skip past cipher list */
2242194206Ssimon	n2s(p, i);
2243194206Ssimon	p+= i;
2244194206Ssimon	if (p >= limit)
2245194206Ssimon		return -1;
2246194206Ssimon	/* Skip past compression algorithm list */
2247194206Ssimon	i = *(p++);
2248194206Ssimon	p += i;
2249194206Ssimon	if (p > limit)
2250194206Ssimon		return -1;
2251194206Ssimon	/* Now at start of extensions */
2252194206Ssimon	if ((p + 2) >= limit)
2253238405Sjkim		return 0;
2254194206Ssimon	n2s(p, i);
2255194206Ssimon	while ((p + 4) <= limit)
2256194206Ssimon		{
2257194206Ssimon		unsigned short type, size;
2258194206Ssimon		n2s(p, type);
2259194206Ssimon		n2s(p, size);
2260194206Ssimon		if (p + size > limit)
2261238405Sjkim			return 0;
2262194206Ssimon		if (type == TLSEXT_TYPE_session_ticket)
2263194206Ssimon			{
2264238405Sjkim			int r;
2265194206Ssimon			if (size == 0)
2266194206Ssimon				{
2267238405Sjkim				/* The client will accept a ticket but doesn't
2268238405Sjkim				 * currently have one. */
2269194206Ssimon				s->tlsext_ticket_expected = 1;
2270238405Sjkim				return 1;
2271194206Ssimon				}
2272238405Sjkim			if (s->tls_session_secret_cb)
2273238405Sjkim				{
2274238405Sjkim				/* Indicate that the ticket couldn't be
2275238405Sjkim				 * decrypted rather than generating the session
2276238405Sjkim				 * from ticket now, trigger abbreviated
2277238405Sjkim				 * handshake based on external mechanism to
2278238405Sjkim				 * calculate the master secret later. */
2279238405Sjkim				return 2;
2280238405Sjkim				}
2281238405Sjkim			r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2282238405Sjkim			switch (r)
2283238405Sjkim				{
2284238405Sjkim				case 2: /* ticket couldn't be decrypted */
2285238405Sjkim					s->tlsext_ticket_expected = 1;
2286238405Sjkim					return 2;
2287238405Sjkim				case 3: /* ticket was decrypted */
2288238405Sjkim					return r;
2289238405Sjkim				case 4: /* ticket decrypted but need to renew */
2290238405Sjkim					s->tlsext_ticket_expected = 1;
2291238405Sjkim					return 3;
2292238405Sjkim				default: /* fatal error */
2293238405Sjkim					return -1;
2294238405Sjkim				}
2295194206Ssimon			}
2296194206Ssimon		p += size;
2297194206Ssimon		}
2298238405Sjkim	return 0;
2299194206Ssimon	}
2300194206Ssimon
2301238405Sjkim/* tls_decrypt_ticket attempts to decrypt a session ticket.
2302238405Sjkim *
2303238405Sjkim *   etick: points to the body of the session ticket extension.
2304238405Sjkim *   eticklen: the length of the session tickets extenion.
2305238405Sjkim *   sess_id: points at the session ID.
2306238405Sjkim *   sesslen: the length of the session ID.
2307238405Sjkim *   psess: (output) on return, if a ticket was decrypted, then this is set to
2308238405Sjkim *       point to the resulting session.
2309238405Sjkim *
2310238405Sjkim * Returns:
2311238405Sjkim *   -1: fatal error, either from parsing or decrypting the ticket.
2312238405Sjkim *    2: the ticket couldn't be decrypted.
2313238405Sjkim *    3: a ticket was successfully decrypted and *psess was set.
2314238405Sjkim *    4: same as 3, but the ticket needs to be renewed.
2315238405Sjkim */
2316194206Ssimonstatic int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2317194206Ssimon				const unsigned char *sess_id, int sesslen,
2318194206Ssimon				SSL_SESSION **psess)
2319194206Ssimon	{
2320194206Ssimon	SSL_SESSION *sess;
2321194206Ssimon	unsigned char *sdec;
2322194206Ssimon	const unsigned char *p;
2323194206Ssimon	int slen, mlen, renew_ticket = 0;
2324194206Ssimon	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2325194206Ssimon	HMAC_CTX hctx;
2326194206Ssimon	EVP_CIPHER_CTX ctx;
2327205128Ssimon	SSL_CTX *tctx = s->initial_ctx;
2328194206Ssimon	/* Need at least keyname + iv + some encrypted data */
2329194206Ssimon	if (eticklen < 48)
2330238405Sjkim		return 2;
2331194206Ssimon	/* Initialize session ticket encryption and HMAC contexts */
2332194206Ssimon	HMAC_CTX_init(&hctx);
2333194206Ssimon	EVP_CIPHER_CTX_init(&ctx);
2334205128Ssimon	if (tctx->tlsext_ticket_key_cb)
2335194206Ssimon		{
2336194206Ssimon		unsigned char *nctick = (unsigned char *)etick;
2337205128Ssimon		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2338194206Ssimon							&ctx, &hctx, 0);
2339194206Ssimon		if (rv < 0)
2340194206Ssimon			return -1;
2341194206Ssimon		if (rv == 0)
2342238405Sjkim			return 2;
2343194206Ssimon		if (rv == 2)
2344194206Ssimon			renew_ticket = 1;
2345194206Ssimon		}
2346194206Ssimon	else
2347194206Ssimon		{
2348194206Ssimon		/* Check key name matches */
2349205128Ssimon		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2350238405Sjkim			return 2;
2351205128Ssimon		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2352194206Ssimon					tlsext_tick_md(), NULL);
2353194206Ssimon		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2354205128Ssimon				tctx->tlsext_tick_aes_key, etick + 16);
2355194206Ssimon		}
2356194206Ssimon	/* Attempt to process session ticket, first conduct sanity and
2357238405Sjkim	 * integrity checks on ticket.
2358238405Sjkim	 */
2359194206Ssimon	mlen = HMAC_size(&hctx);
2360238405Sjkim	if (mlen < 0)
2361238405Sjkim		{
2362238405Sjkim		EVP_CIPHER_CTX_cleanup(&ctx);
2363238405Sjkim		return -1;
2364238405Sjkim		}
2365194206Ssimon	eticklen -= mlen;
2366194206Ssimon	/* Check HMAC of encrypted ticket */
2367194206Ssimon	HMAC_Update(&hctx, etick, eticklen);
2368194206Ssimon	HMAC_Final(&hctx, tick_hmac, NULL);
2369194206Ssimon	HMAC_CTX_cleanup(&hctx);
2370246772Sjkim	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2371273415Sdelphij		{
2372273415Sdelphij		EVP_CIPHER_CTX_cleanup(&ctx);
2373238405Sjkim		return 2;
2374273415Sdelphij		}
2375194206Ssimon	/* Attempt to decrypt session data */
2376194206Ssimon	/* Move p after IV to start of encrypted ticket, update length */
2377194206Ssimon	p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2378194206Ssimon	eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2379194206Ssimon	sdec = OPENSSL_malloc(eticklen);
2380194206Ssimon	if (!sdec)
2381194206Ssimon		{
2382194206Ssimon		EVP_CIPHER_CTX_cleanup(&ctx);
2383194206Ssimon		return -1;
2384194206Ssimon		}
2385194206Ssimon	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2386194206Ssimon	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2387279264Sdelphij		{
2388279264Sdelphij		EVP_CIPHER_CTX_cleanup(&ctx);
2389279264Sdelphij		OPENSSL_free(sdec);
2390238405Sjkim		return 2;
2391279264Sdelphij		}
2392194206Ssimon	slen += mlen;
2393194206Ssimon	EVP_CIPHER_CTX_cleanup(&ctx);
2394194206Ssimon	p = sdec;
2395238405Sjkim
2396194206Ssimon	sess = d2i_SSL_SESSION(NULL, &p, slen);
2397194206Ssimon	OPENSSL_free(sdec);
2398194206Ssimon	if (sess)
2399194206Ssimon		{
2400238405Sjkim		/* The session ID, if non-empty, is used by some clients to
2401238405Sjkim		 * detect that the ticket has been accepted. So we copy it to
2402238405Sjkim		 * the session structure. If it is empty set length to zero
2403238405Sjkim		 * as required by standard.
2404238405Sjkim		 */
2405194206Ssimon		if (sesslen)
2406194206Ssimon			memcpy(sess->session_id, sess_id, sesslen);
2407194206Ssimon		sess->session_id_length = sesslen;
2408194206Ssimon		*psess = sess;
2409238405Sjkim		if (renew_ticket)
2410238405Sjkim			return 4;
2411238405Sjkim		else
2412238405Sjkim			return 3;
2413238405Sjkim		}
2414238405Sjkim        ERR_clear_error();
2415238405Sjkim	/* For session parse failure, indicate that we need to send a new
2416238405Sjkim	 * ticket. */
2417238405Sjkim	return 2;
2418238405Sjkim	}
2419238405Sjkim
2420238405Sjkim/* Tables to translate from NIDs to TLS v1.2 ids */
2421238405Sjkim
2422238405Sjkimtypedef struct
2423238405Sjkim	{
2424238405Sjkim	int nid;
2425238405Sjkim	int id;
2426238405Sjkim	} tls12_lookup;
2427238405Sjkim
2428238405Sjkimstatic tls12_lookup tls12_md[] = {
2429238405Sjkim#ifndef OPENSSL_NO_MD5
2430238405Sjkim	{NID_md5, TLSEXT_hash_md5},
2431238405Sjkim#endif
2432238405Sjkim#ifndef OPENSSL_NO_SHA
2433238405Sjkim	{NID_sha1, TLSEXT_hash_sha1},
2434238405Sjkim#endif
2435238405Sjkim#ifndef OPENSSL_NO_SHA256
2436238405Sjkim	{NID_sha224, TLSEXT_hash_sha224},
2437238405Sjkim	{NID_sha256, TLSEXT_hash_sha256},
2438238405Sjkim#endif
2439238405Sjkim#ifndef OPENSSL_NO_SHA512
2440238405Sjkim	{NID_sha384, TLSEXT_hash_sha384},
2441238405Sjkim	{NID_sha512, TLSEXT_hash_sha512}
2442238405Sjkim#endif
2443238405Sjkim};
2444238405Sjkim
2445238405Sjkimstatic tls12_lookup tls12_sig[] = {
2446238405Sjkim#ifndef OPENSSL_NO_RSA
2447238405Sjkim	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
2448238405Sjkim#endif
2449238405Sjkim#ifndef OPENSSL_NO_DSA
2450238405Sjkim	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
2451238405Sjkim#endif
2452238405Sjkim#ifndef OPENSSL_NO_ECDSA
2453238405Sjkim	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2454238405Sjkim#endif
2455238405Sjkim};
2456238405Sjkim
2457238405Sjkimstatic int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2458238405Sjkim	{
2459238405Sjkim	size_t i;
2460238405Sjkim	for (i = 0; i < tlen; i++)
2461238405Sjkim		{
2462238405Sjkim		if (table[i].nid == nid)
2463238405Sjkim			return table[i].id;
2464238405Sjkim		}
2465238405Sjkim	return -1;
2466238405Sjkim	}
2467238405Sjkim#if 0
2468238405Sjkimstatic int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2469238405Sjkim	{
2470238405Sjkim	size_t i;
2471238405Sjkim	for (i = 0; i < tlen; i++)
2472238405Sjkim		{
2473238405Sjkim		if (table[i].id == id)
2474238405Sjkim			return table[i].nid;
2475238405Sjkim		}
2476238405Sjkim	return -1;
2477238405Sjkim	}
2478238405Sjkim#endif
2479238405Sjkim
2480238405Sjkimint tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2481238405Sjkim	{
2482238405Sjkim	int sig_id, md_id;
2483238405Sjkim	if (!md)
2484238405Sjkim		return 0;
2485238405Sjkim	md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2486238405Sjkim				sizeof(tls12_md)/sizeof(tls12_lookup));
2487238405Sjkim	if (md_id == -1)
2488238405Sjkim		return 0;
2489238405Sjkim	sig_id = tls12_get_sigid(pk);
2490238405Sjkim	if (sig_id == -1)
2491238405Sjkim		return 0;
2492238405Sjkim	p[0] = (unsigned char)md_id;
2493238405Sjkim	p[1] = (unsigned char)sig_id;
2494238405Sjkim	return 1;
2495238405Sjkim	}
2496238405Sjkim
2497238405Sjkimint tls12_get_sigid(const EVP_PKEY *pk)
2498238405Sjkim	{
2499238405Sjkim	return tls12_find_id(pk->type, tls12_sig,
2500238405Sjkim				sizeof(tls12_sig)/sizeof(tls12_lookup));
2501238405Sjkim	}
2502238405Sjkim
2503238405Sjkimconst EVP_MD *tls12_get_hash(unsigned char hash_alg)
2504238405Sjkim	{
2505238405Sjkim	switch(hash_alg)
2506238405Sjkim		{
2507238405Sjkim#ifndef OPENSSL_NO_SHA
2508238405Sjkim		case TLSEXT_hash_sha1:
2509238405Sjkim		return EVP_sha1();
2510238405Sjkim#endif
2511238405Sjkim#ifndef OPENSSL_NO_SHA256
2512238405Sjkim		case TLSEXT_hash_sha224:
2513238405Sjkim		return EVP_sha224();
2514238405Sjkim
2515238405Sjkim		case TLSEXT_hash_sha256:
2516238405Sjkim		return EVP_sha256();
2517238405Sjkim#endif
2518238405Sjkim#ifndef OPENSSL_NO_SHA512
2519238405Sjkim		case TLSEXT_hash_sha384:
2520238405Sjkim		return EVP_sha384();
2521238405Sjkim
2522238405Sjkim		case TLSEXT_hash_sha512:
2523238405Sjkim		return EVP_sha512();
2524238405Sjkim#endif
2525238405Sjkim		default:
2526238405Sjkim		return NULL;
2527238405Sjkim
2528238405Sjkim		}
2529238405Sjkim	}
2530238405Sjkim
2531238405Sjkim/* Set preferred digest for each key type */
2532238405Sjkim
2533238405Sjkimint tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2534238405Sjkim	{
2535238405Sjkim	int i, idx;
2536238405Sjkim	const EVP_MD *md;
2537238405Sjkim	CERT *c = s->cert;
2538238405Sjkim	/* Extension ignored for TLS versions below 1.2 */
2539238405Sjkim	if (TLS1_get_version(s) < TLS1_2_VERSION)
2540194206Ssimon		return 1;
2541238405Sjkim	/* Should never happen */
2542238405Sjkim	if (!c)
2543238405Sjkim		return 0;
2544238405Sjkim
2545238405Sjkim	c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2546238405Sjkim	c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2547238405Sjkim	c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2548238405Sjkim	c->pkeys[SSL_PKEY_ECC].digest = NULL;
2549238405Sjkim
2550238405Sjkim	for (i = 0; i < dsize; i += 2)
2551238405Sjkim		{
2552238405Sjkim		unsigned char hash_alg = data[i], sig_alg = data[i+1];
2553238405Sjkim
2554238405Sjkim		switch(sig_alg)
2555238405Sjkim			{
2556238405Sjkim#ifndef OPENSSL_NO_RSA
2557238405Sjkim			case TLSEXT_signature_rsa:
2558238405Sjkim			idx = SSL_PKEY_RSA_SIGN;
2559238405Sjkim			break;
2560238405Sjkim#endif
2561238405Sjkim#ifndef OPENSSL_NO_DSA
2562238405Sjkim			case TLSEXT_signature_dsa:
2563238405Sjkim			idx = SSL_PKEY_DSA_SIGN;
2564238405Sjkim			break;
2565238405Sjkim#endif
2566238405Sjkim#ifndef OPENSSL_NO_ECDSA
2567238405Sjkim			case TLSEXT_signature_ecdsa:
2568238405Sjkim			idx = SSL_PKEY_ECC;
2569238405Sjkim			break;
2570238405Sjkim#endif
2571238405Sjkim			default:
2572238405Sjkim			continue;
2573238405Sjkim			}
2574238405Sjkim
2575238405Sjkim		if (c->pkeys[idx].digest == NULL)
2576238405Sjkim			{
2577238405Sjkim			md = tls12_get_hash(hash_alg);
2578238405Sjkim			if (md)
2579238405Sjkim				{
2580238405Sjkim				c->pkeys[idx].digest = md;
2581238405Sjkim				if (idx == SSL_PKEY_RSA_SIGN)
2582238405Sjkim					c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2583238405Sjkim				}
2584238405Sjkim			}
2585238405Sjkim
2586194206Ssimon		}
2587238405Sjkim
2588238405Sjkim
2589238405Sjkim	/* Set any remaining keys to default values. NOTE: if alg is not
2590238405Sjkim	 * supported it stays as NULL.
2591238405Sjkim	 */
2592238405Sjkim#ifndef OPENSSL_NO_DSA
2593238405Sjkim	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2594246772Sjkim		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2595238405Sjkim#endif
2596238405Sjkim#ifndef OPENSSL_NO_RSA
2597238405Sjkim	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2598238405Sjkim		{
2599238405Sjkim		c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2600238405Sjkim		c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2601238405Sjkim		}
2602238405Sjkim#endif
2603238405Sjkim#ifndef OPENSSL_NO_ECDSA
2604238405Sjkim	if (!c->pkeys[SSL_PKEY_ECC].digest)
2605246772Sjkim		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2606238405Sjkim#endif
2607238405Sjkim	return 1;
2608238405Sjkim	}
2609238405Sjkim
2610238405Sjkim#endif
2611238405Sjkim
2612238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS
2613238405Sjkimint
2614238405Sjkimtls1_process_heartbeat(SSL *s)
2615238405Sjkim	{
2616238405Sjkim	unsigned char *p = &s->s3->rrec.data[0], *pl;
2617238405Sjkim	unsigned short hbtype;
2618238405Sjkim	unsigned int payload;
2619238405Sjkim	unsigned int padding = 16; /* Use minimum padding */
2620238405Sjkim
2621264267Sdelphij	if (s->msg_callback)
2622264267Sdelphij		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2623264267Sdelphij			&s->s3->rrec.data[0], s->s3->rrec.length,
2624264267Sdelphij			s, s->msg_callback_arg);
2625264267Sdelphij
2626238405Sjkim	/* Read type and payload length first */
2627264267Sdelphij	if (1 + 2 + 16 > s->s3->rrec.length)
2628264267Sdelphij		return 0; /* silently discard */
2629238405Sjkim	hbtype = *p++;
2630238405Sjkim	n2s(p, payload);
2631264267Sdelphij	if (1 + 2 + payload + 16 > s->s3->rrec.length)
2632264267Sdelphij		return 0; /* silently discard per RFC 6520 sec. 4 */
2633238405Sjkim	pl = p;
2634238405Sjkim
2635238405Sjkim	if (hbtype == TLS1_HB_REQUEST)
2636238405Sjkim		{
2637238405Sjkim		unsigned char *buffer, *bp;
2638238405Sjkim		int r;
2639238405Sjkim
2640238405Sjkim		/* Allocate memory for the response, size is 1 bytes
2641238405Sjkim		 * message type, plus 2 bytes payload length, plus
2642238405Sjkim		 * payload, plus padding
2643238405Sjkim		 */
2644238405Sjkim		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2645238405Sjkim		bp = buffer;
2646238405Sjkim
2647238405Sjkim		/* Enter response type, length and copy payload */
2648238405Sjkim		*bp++ = TLS1_HB_RESPONSE;
2649238405Sjkim		s2n(payload, bp);
2650238405Sjkim		memcpy(bp, pl, payload);
2651238405Sjkim		bp += payload;
2652238405Sjkim		/* Random padding */
2653238405Sjkim		RAND_pseudo_bytes(bp, padding);
2654238405Sjkim
2655238405Sjkim		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2656238405Sjkim
2657238405Sjkim		if (r >= 0 && s->msg_callback)
2658238405Sjkim			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2659238405Sjkim				buffer, 3 + payload + padding,
2660238405Sjkim				s, s->msg_callback_arg);
2661238405Sjkim
2662238405Sjkim		OPENSSL_free(buffer);
2663238405Sjkim
2664238405Sjkim		if (r < 0)
2665238405Sjkim			return r;
2666238405Sjkim		}
2667238405Sjkim	else if (hbtype == TLS1_HB_RESPONSE)
2668238405Sjkim		{
2669238405Sjkim		unsigned int seq;
2670238405Sjkim
2671238405Sjkim		/* We only send sequence numbers (2 bytes unsigned int),
2672238405Sjkim		 * and 16 random bytes, so we just try to read the
2673238405Sjkim		 * sequence number */
2674238405Sjkim		n2s(pl, seq);
2675238405Sjkim
2676238405Sjkim		if (payload == 18 && seq == s->tlsext_hb_seq)
2677238405Sjkim			{
2678238405Sjkim			s->tlsext_hb_seq++;
2679238405Sjkim			s->tlsext_hb_pending = 0;
2680238405Sjkim			}
2681238405Sjkim		}
2682238405Sjkim
2683194206Ssimon	return 0;
2684194206Ssimon	}
2685194206Ssimon
2686238405Sjkimint
2687238405Sjkimtls1_heartbeat(SSL *s)
2688238405Sjkim	{
2689238405Sjkim	unsigned char *buf, *p;
2690238405Sjkim	int ret;
2691238405Sjkim	unsigned int payload = 18; /* Sequence number + random bytes */
2692238405Sjkim	unsigned int padding = 16; /* Use minimum padding */
2693238405Sjkim
2694238405Sjkim	/* Only send if peer supports and accepts HB requests... */
2695238405Sjkim	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2696238405Sjkim	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2697238405Sjkim		{
2698238405Sjkim		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2699238405Sjkim		return -1;
2700238405Sjkim		}
2701238405Sjkim
2702238405Sjkim	/* ...and there is none in flight yet... */
2703238405Sjkim	if (s->tlsext_hb_pending)
2704238405Sjkim		{
2705238405Sjkim		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2706238405Sjkim		return -1;
2707238405Sjkim		}
2708238405Sjkim
2709238405Sjkim	/* ...and no handshake in progress. */
2710238405Sjkim	if (SSL_in_init(s) || s->in_handshake)
2711238405Sjkim		{
2712238405Sjkim		SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2713238405Sjkim		return -1;
2714238405Sjkim		}
2715238405Sjkim
2716238405Sjkim	/* Check if padding is too long, payload and padding
2717238405Sjkim	 * must not exceed 2^14 - 3 = 16381 bytes in total.
2718238405Sjkim	 */
2719238405Sjkim	OPENSSL_assert(payload + padding <= 16381);
2720238405Sjkim
2721238405Sjkim	/* Create HeartBeat message, we just use a sequence number
2722238405Sjkim	 * as payload to distuingish different messages and add
2723238405Sjkim	 * some random stuff.
2724238405Sjkim	 *  - Message Type, 1 byte
2725238405Sjkim	 *  - Payload Length, 2 bytes (unsigned int)
2726238405Sjkim	 *  - Payload, the sequence number (2 bytes uint)
2727238405Sjkim	 *  - Payload, random bytes (16 bytes uint)
2728238405Sjkim	 *  - Padding
2729238405Sjkim	 */
2730238405Sjkim	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2731238405Sjkim	p = buf;
2732238405Sjkim	/* Message Type */
2733238405Sjkim	*p++ = TLS1_HB_REQUEST;
2734238405Sjkim	/* Payload length (18 bytes here) */
2735238405Sjkim	s2n(payload, p);
2736238405Sjkim	/* Sequence number */
2737238405Sjkim	s2n(s->tlsext_hb_seq, p);
2738238405Sjkim	/* 16 random bytes */
2739238405Sjkim	RAND_pseudo_bytes(p, 16);
2740238405Sjkim	p += 16;
2741238405Sjkim	/* Random padding */
2742238405Sjkim	RAND_pseudo_bytes(p, padding);
2743238405Sjkim
2744238405Sjkim	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2745238405Sjkim	if (ret >= 0)
2746238405Sjkim		{
2747238405Sjkim		if (s->msg_callback)
2748238405Sjkim			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2749238405Sjkim				buf, 3 + payload + padding,
2750238405Sjkim				s, s->msg_callback_arg);
2751238405Sjkim
2752238405Sjkim		s->tlsext_hb_pending = 1;
2753238405Sjkim		}
2754238405Sjkim
2755238405Sjkim	OPENSSL_free(buf);
2756238405Sjkim
2757238405Sjkim	return ret;
2758238405Sjkim	}
2759194206Ssimon#endif
2760