crypto/openssl/ssl/t1_lib.c

   1 /* ssl/t1_lib.c */
   2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   3  * All rights reserved.
   4  *
   5  * This package is an SSL implementation written
   6  * by Eric Young (eay@cryptsoft.com).
   7  * The implementation was written so as to conform with Netscapes SSL.
   8  *
   9  * This library is free for commercial and non-commercial use as long as
  10  * the following conditions are aheared to.  The following conditions
  11  * apply to all code found in this distribution, be it the RC4, RSA,
  12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  13  * included with this distribution is covered by the same copyright terms
  14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15  *
  16  * Copyright remains Eric Young's, and as such any Copyright notices in
  17  * the code are not to be removed.
  18  * If this package is used in a product, Eric Young should be given attribution
  19  * as the author of the parts of the library used.
  20  * This can be in the form of a textual message at program startup or
  21  * in documentation (online or textual) provided with the package.
  22  *
  23  * Redistribution and use in source and binary forms, with or without
  24  * modification, are permitted provided that the following conditions
  25  * are met:
  26  * 1. Redistributions of source code must retain the copyright
  27  *    notice, this list of conditions and the following disclaimer.
  28  * 2. Redistributions in binary form must reproduce the above copyright
  29  *    notice, this list of conditions and the following disclaimer in the
  30  *    documentation and/or other materials provided with the distribution.
  31  * 3. All advertising materials mentioning features or use of this software
  32  *    must display the following acknowledgement:
  33  *    "This product includes cryptographic software written by
  34  *     Eric Young (eay@cryptsoft.com)"
  35  *    The word 'cryptographic' can be left out if the rouines from the library
  36  *    being used are not cryptographic related :-).
  37  * 4. If you include any Windows specific code (or a derivative thereof) from
  38  *    the apps directory (application code) you must include an acknowledgement:
  39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40  *
  41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51  * SUCH DAMAGE.
  52  *
  53  * The licence and distribution terms for any publically available version or
  54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  55  * copied and put under another distribution licence
  56  * [including the GNU Public Licence.]
  57  */
  58 /* ====================================================================
  59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  60  *
  61  * Redistribution and use in source and binary forms, with or without
  62  * modification, are permitted provided that the following conditions
  63  * are met:
  64  *
  65  * 1. Redistributions of source code must retain the above copyright
  66  *    notice, this list of conditions and the following disclaimer.
  67  *
  68  * 2. Redistributions in binary form must reproduce the above copyright
  69  *    notice, this list of conditions and the following disclaimer in
  70  *    the documentation and/or other materials provided with the
  71  *    distribution.
  72  *
  73  * 3. All advertising materials mentioning features or use of this
  74  *    software must display the following acknowledgment:
  75  *    "This product includes software developed by the OpenSSL Project
  76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77  *
  78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79  *    endorse or promote products derived from this software without
  80  *    prior written permission. For written permission, please contact
  81  *    openssl-core@openssl.org.
  82  *
  83  * 5. Products derived from this software may not be called "OpenSSL"
  84  *    nor may "OpenSSL" appear in their names without prior written
  85  *    permission of the OpenSSL Project.
  86  *
  87  * 6. Redistributions of any form whatsoever must retain the following
  88  *    acknowledgment:
  89  *    "This product includes software developed by the OpenSSL Project
  90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91  *
  92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 103  * OF THE POSSIBILITY OF SUCH DAMAGE.
 104  * ====================================================================
 105  *
 106  * This product includes cryptographic software written by Eric Young
 107  * (eay@cryptsoft.com).  This product includes software written by Tim
 108  * Hudson (tjh@cryptsoft.com).
 109  *
 110  */
 111
 112 #include <stdio.h>
 113 #include <openssl/objects.h>
 114 #include <openssl/evp.h>
 115 #include <openssl/hmac.h>
 116 #include <openssl/ocsp.h>
 117 #include <openssl/rand.h>
 118 #include "ssl_locl.h"
 119
 120 const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
 121
 122 #ifndef OPENSSL_NO_TLSEXT
 123 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
 124                                 const unsigned char *sess_id, int sesslen,
 125                                 SSL_SESSION **psess);
 126 #endif
 127
 128 SSL3_ENC_METHOD TLSv1_enc_data={
 129         tls1_enc,
 130         tls1_mac,
 131         tls1_setup_key_block,
 132         tls1_generate_master_secret,
 133         tls1_change_cipher_state,
 134         tls1_final_finish_mac,
 135         TLS1_FINISH_MAC_LENGTH,
 136         tls1_cert_verify_mac,
 137         TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
 138         TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
 139         tls1_alert_code,
 140         tls1_export_keying_material,
 141         };
 142
 143 long tls1_default_timeout(void)
 144         {
 145         /* 2 hours, the 24 hours mentioned in the TLSv1 spec
 146          * is way too long for http, the cache would over fill */
 147         return(60*60*2);
 148         }
 149
 150 int tls1_new(SSL *s)
 151         {
 152         if (!ssl3_new(s)) return(0);
 153         s->method->ssl_clear(s);
 154         return(1);
 155         }
 156
 157 void tls1_free(SSL *s)
 158         {
 159 #ifndef OPENSSL_NO_TLSEXT
 160         if (s->tlsext_session_ticket)
 161                 {
 162                 OPENSSL_free(s->tlsext_session_ticket);
 163                 }
 164 #endif /* OPENSSL_NO_TLSEXT */
 165         ssl3_free(s);
 166         }
 167
 168 void tls1_clear(SSL *s)
 169         {
 170         ssl3_clear(s);
 171         s->version = s->method->version;
 172         }
 173
 174 #ifndef OPENSSL_NO_EC
 175
 176 static int nid_list[] =
 177         {
 178                 NID_sect163k1, /* sect163k1 (1) */
 179                 NID_sect163r1, /* sect163r1 (2) */
 180                 NID_sect163r2, /* sect163r2 (3) */
 181                 NID_sect193r1, /* sect193r1 (4) */
 182                 NID_sect193r2, /* sect193r2 (5) */
 183                 NID_sect233k1, /* sect233k1 (6) */
 184                 NID_sect233r1, /* sect233r1 (7) */
 185                 NID_sect239k1, /* sect239k1 (8) */
 186                 NID_sect283k1, /* sect283k1 (9) */
 187                 NID_sect283r1, /* sect283r1 (10) */
 188                 NID_sect409k1, /* sect409k1 (11) */
 189                 NID_sect409r1, /* sect409r1 (12) */
 190                 NID_sect571k1, /* sect571k1 (13) */
 191                 NID_sect571r1, /* sect571r1 (14) */
 192                 NID_secp160k1, /* secp160k1 (15) */
 193                 NID_secp160r1, /* secp160r1 (16) */
 194                 NID_secp160r2, /* secp160r2 (17) */
 195                 NID_secp192k1, /* secp192k1 (18) */
 196                 NID_X9_62_prime192v1, /* secp192r1 (19) */
 197                 NID_secp224k1, /* secp224k1 (20) */
 198                 NID_secp224r1, /* secp224r1 (21) */
 199                 NID_secp256k1, /* secp256k1 (22) */
 200                 NID_X9_62_prime256v1, /* secp256r1 (23) */
 201                 NID_secp384r1, /* secp384r1 (24) */
 202                 NID_secp521r1  /* secp521r1 (25) */
 203         };
 204
 205 static int pref_list[] =
 206         {
 207 #ifndef OPENSSL_NO_EC2M
 208                 NID_sect571r1, /* sect571r1 (14) */
 209                 NID_sect571k1, /* sect571k1 (13) */
 210 #endif
 211                 NID_secp521r1, /* secp521r1 (25) */
 212 #ifndef OPENSSL_NO_EC2M
 213                 NID_sect409k1, /* sect409k1 (11) */
 214                 NID_sect409r1, /* sect409r1 (12) */
 215 #endif
 216                 NID_secp384r1, /* secp384r1 (24) */
 217 #ifndef OPENSSL_NO_EC2M
 218                 NID_sect283k1, /* sect283k1 (9) */
 219                 NID_sect283r1, /* sect283r1 (10) */
 220 #endif
 221                 NID_secp256k1, /* secp256k1 (22) */
 222                 NID_X9_62_prime256v1, /* secp256r1 (23) */
 223 #ifndef OPENSSL_NO_EC2M
 224                 NID_sect239k1, /* sect239k1 (8) */
 225                 NID_sect233k1, /* sect233k1 (6) */
 226                 NID_sect233r1, /* sect233r1 (7) */
 227 #endif
 228                 NID_secp224k1, /* secp224k1 (20) */
 229                 NID_secp224r1, /* secp224r1 (21) */
 230 #ifndef OPENSSL_NO_EC2M
 231                 NID_sect193r1, /* sect193r1 (4) */
 232                 NID_sect193r2, /* sect193r2 (5) */
 233 #endif
 234                 NID_secp192k1, /* secp192k1 (18) */
 235                 NID_X9_62_prime192v1, /* secp192r1 (19) */
 236 #ifndef OPENSSL_NO_EC2M
 237                 NID_sect163k1, /* sect163k1 (1) */
 238                 NID_sect163r1, /* sect163r1 (2) */
 239                 NID_sect163r2, /* sect163r2 (3) */
 240 #endif
 241                 NID_secp160k1, /* secp160k1 (15) */
 242                 NID_secp160r1, /* secp160r1 (16) */
 243                 NID_secp160r2, /* secp160r2 (17) */
 244         };
 245
 246 int tls1_ec_curve_id2nid(int curve_id)
 247         {
 248         /* ECC curves from RFC 4492 */
 249         if ((curve_id < 1) || ((unsigned int)curve_id >
 250                                 sizeof(nid_list)/sizeof(nid_list[0])))
 251                 return 0;
 252         return nid_list[curve_id-1];
 253         }
 254
 255 int tls1_ec_nid2curve_id(int nid)
 256         {
 257         /* ECC curves from RFC 4492 */
 258         switch (nid)
 259                 {
 260         case NID_sect163k1: /* sect163k1 (1) */
 261                 return 1;
 262         case NID_sect163r1: /* sect163r1 (2) */
 263                 return 2;
 264         case NID_sect163r2: /* sect163r2 (3) */
 265                 return 3;
 266         case NID_sect193r1: /* sect193r1 (4) */
 267                 return 4;
 268         case NID_sect193r2: /* sect193r2 (5) */
 269                 return 5;
 270         case NID_sect233k1: /* sect233k1 (6) */
 271                 return 6;
 272         case NID_sect233r1: /* sect233r1 (7) */
 273                 return 7;
 274         case NID_sect239k1: /* sect239k1 (8) */
 275                 return 8;
 276         case NID_sect283k1: /* sect283k1 (9) */
 277                 return 9;
 278         case NID_sect283r1: /* sect283r1 (10) */
 279                 return 10;
 280         case NID_sect409k1: /* sect409k1 (11) */
 281                 return 11;
 282         case NID_sect409r1: /* sect409r1 (12) */
 283                 return 12;
 284         case NID_sect571k1: /* sect571k1 (13) */
 285                 return 13;
 286         case NID_sect571r1: /* sect571r1 (14) */
 287                 return 14;
 288         case NID_secp160k1: /* secp160k1 (15) */
 289                 return 15;
 290         case NID_secp160r1: /* secp160r1 (16) */
 291                 return 16;
 292         case NID_secp160r2: /* secp160r2 (17) */
 293                 return 17;
 294         case NID_secp192k1: /* secp192k1 (18) */
 295                 return 18;
 296         case NID_X9_62_prime192v1: /* secp192r1 (19) */
 297                 return 19;
 298         case NID_secp224k1: /* secp224k1 (20) */
 299                 return 20;
 300         case NID_secp224r1: /* secp224r1 (21) */
 301                 return 21;
 302         case NID_secp256k1: /* secp256k1 (22) */
 303                 return 22;
 304         case NID_X9_62_prime256v1: /* secp256r1 (23) */
 305                 return 23;
 306         case NID_secp384r1: /* secp384r1 (24) */
 307                 return 24;
 308         case NID_secp521r1:  /* secp521r1 (25) */
 309                 return 25;
 310         default:
 311                 return 0;
 312                 }
 313         }
 314 #endif /* OPENSSL_NO_EC */
 315
 316 #ifndef OPENSSL_NO_TLSEXT
 317
 318 /* List of supported signature algorithms and hashes. Should make this
 319  * customisable at some point, for now include everything we support.
 320  */
 321
 322 #ifdef OPENSSL_NO_RSA
 323 #define tlsext_sigalg_rsa(md) /* */
 324 #else
 325 #define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
 326 #endif
 327
 328 #ifdef OPENSSL_NO_DSA
 329 #define tlsext_sigalg_dsa(md) /* */
 330 #else
 331 #define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
 332 #endif
 333
 334 #ifdef OPENSSL_NO_ECDSA
 335 #define tlsext_sigalg_ecdsa(md) /* */
 336 #else
 337 #define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
 338 #endif
 339
 340 #define tlsext_sigalg(md) \
 341                 tlsext_sigalg_rsa(md) \
 342                 tlsext_sigalg_dsa(md) \
 343                 tlsext_sigalg_ecdsa(md)
 344
 345 static unsigned char tls12_sigalgs[] = {
 346 #ifndef OPENSSL_NO_SHA512
 347         tlsext_sigalg(TLSEXT_hash_sha512)
 348         tlsext_sigalg(TLSEXT_hash_sha384)
 349 #endif
 350 #ifndef OPENSSL_NO_SHA256
 351         tlsext_sigalg(TLSEXT_hash_sha256)
 352         tlsext_sigalg(TLSEXT_hash_sha224)
 353 #endif
 354 #ifndef OPENSSL_NO_SHA
 355         tlsext_sigalg(TLSEXT_hash_sha1)
 356 #endif
 357 };
 358
 359 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
 360         {
 361         size_t slen = sizeof(tls12_sigalgs);
 362         if (p)
 363                 memcpy(p, tls12_sigalgs, slen);
 364         return (int)slen;
 365         }
 366
 367 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
 368         {
 369         int extdatalen=0;
 370         unsigned char *orig = buf;
 371         unsigned char *ret = buf;
 372
 373         /* don't add extensions for SSLv3 unless doing secure renegotiation */
 374         if (s->client_version == SSL3_VERSION
 375                                         && !s->s3->send_connection_binding)
 376                 return orig;
 377
 378         ret+=2;
 379
 380         if (ret>=limit) return NULL; /* this really never occurs, but ... */
 381
 382         if (s->tlsext_hostname != NULL)
 383                 {
 384                 /* Add TLS extension servername to the Client Hello message */
 385                 unsigned long size_str;
 386                 long lenmax;
 387
 388                 /* check for enough space.
 389                    4 for the servername type and entension length
 390                    2 for servernamelist length
 391                    1 for the hostname type
 392                    2 for hostname length
 393                    + hostname length
 394                 */
 395
 396                 if ((lenmax = limit - ret - 9) < 0
 397                     || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
 398                         return NULL;
 399
 400                 /* extension type and length */
 401                 s2n(TLSEXT_TYPE_server_name,ret);
 402                 s2n(size_str+5,ret);
 403
 404                 /* length of servername list */
 405                 s2n(size_str+3,ret);
 406
 407                 /* hostname type, length and hostname */
 408                 *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
 409                 s2n(size_str,ret);
 410                 memcpy(ret, s->tlsext_hostname, size_str);
 411                 ret+=size_str;
 412                 }
 413
 414         /* Add RI if renegotiating */
 415         if (s->renegotiate)
 416           {
 417           int el;
 418
 419           if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
 420               {
 421               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 422               return NULL;
 423               }
 424
 425           if((limit - ret - 4 - el) < 0) return NULL;
 426
 427           s2n(TLSEXT_TYPE_renegotiate,ret);
 428           s2n(el,ret);
 429
 430           if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
 431               {
 432               SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 433               return NULL;
 434               }
 435
 436           ret += el;
 437         }
 438
 439 #ifndef OPENSSL_NO_SRP
 440         /* Add SRP username if there is one */
 441         if (s->srp_ctx.login != NULL)
 442                 { /* Add TLS extension SRP username to the Client Hello message */
 443
 444                 int login_len = strlen(s->srp_ctx.login);
 445                 if (login_len > 255 || login_len == 0)
 446                         {
 447                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 448                         return NULL;
 449                         }
 450
 451                 /* check for enough space.
 452                    4 for the srp type type and entension length
 453                    1 for the srp user identity
 454                    + srp user identity length
 455                 */
 456                 if ((limit - ret - 5 - login_len) < 0) return NULL;
 457
 458                 /* fill in the extension */
 459                 s2n(TLSEXT_TYPE_srp,ret);
 460                 s2n(login_len+1,ret);
 461                 (*ret++) = (unsigned char) login_len;
 462                 memcpy(ret, s->srp_ctx.login, login_len);
 463                 ret+=login_len;
 464                 }
 465 #endif
 466
 467 #ifndef OPENSSL_NO_EC
 468         if (s->tlsext_ecpointformatlist != NULL)
 469                 {
 470                 /* Add TLS extension ECPointFormats to the ClientHello message */
 471                 long lenmax;
 472
 473                 if ((lenmax = limit - ret - 5) < 0) return NULL;
 474                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
 475                 if (s->tlsext_ecpointformatlist_length > 255)
 476                         {
 477                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 478                         return NULL;
 479                         }
 480
 481                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
 482                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
 483                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
 484                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
 485                 ret+=s->tlsext_ecpointformatlist_length;
 486                 }
 487         if (s->tlsext_ellipticcurvelist != NULL)
 488                 {
 489                 /* Add TLS extension EllipticCurves to the ClientHello message */
 490                 long lenmax;
 491
 492                 if ((lenmax = limit - ret - 6) < 0) return NULL;
 493                 if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL;
 494                 if (s->tlsext_ellipticcurvelist_length > 65532)
 495                         {
 496                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 497                         return NULL;
 498                         }
 499
 500                 s2n(TLSEXT_TYPE_elliptic_curves,ret);
 501                 s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
 502
 503                 s2n(s->tlsext_ellipticcurvelist_length, ret);
 504                 memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
 505                 ret+=s->tlsext_ellipticcurvelist_length;
 506                 }
 507 #endif /* OPENSSL_NO_EC */
 508
 509         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET))
 510                 {
 511                 int ticklen;
 512                 if (!s->new_session && s->session && s->session->tlsext_tick)
 513                         ticklen = s->session->tlsext_ticklen;
 514                 else if (s->session && s->tlsext_session_ticket &&
 515                          s->tlsext_session_ticket->data)
 516                         {
 517                         ticklen = s->tlsext_session_ticket->length;
 518                         s->session->tlsext_tick = OPENSSL_malloc(ticklen);
 519                         if (!s->session->tlsext_tick)
 520                                 return NULL;
 521                         memcpy(s->session->tlsext_tick,
 522                                s->tlsext_session_ticket->data,
 523                                ticklen);
 524                         s->session->tlsext_ticklen = ticklen;
 525                         }
 526                 else
 527                         ticklen = 0;
 528                 if (ticklen == 0 && s->tlsext_session_ticket &&
 529                     s->tlsext_session_ticket->data == NULL)
 530                         goto skip_ext;
 531                 /* Check for enough room 2 for extension type, 2 for len
 532                  * rest for ticket
 533                  */
 534                 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL;
 535                 s2n(TLSEXT_TYPE_session_ticket,ret);
 536                 s2n(ticklen,ret);
 537                 if (ticklen)
 538                         {
 539                         memcpy(ret, s->session->tlsext_tick, ticklen);
 540                         ret += ticklen;
 541                         }
 542                 }
 543                 skip_ext:
 544
 545         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
 546                 {
 547                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
 548                         return NULL;
 549                 s2n(TLSEXT_TYPE_signature_algorithms,ret);
 550                 s2n(sizeof(tls12_sigalgs) + 2, ret);
 551                 s2n(sizeof(tls12_sigalgs), ret);
 552                 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
 553                 ret += sizeof(tls12_sigalgs);
 554                 }
 555
 556 #ifdef TLSEXT_TYPE_opaque_prf_input
 557         if (s->s3->client_opaque_prf_input != NULL &&
 558             s->version != DTLS1_VERSION)
 559                 {
 560                 size_t col = s->s3->client_opaque_prf_input_len;
 561
 562                 if ((long)(limit - ret - 6 - col < 0))
 563                         return NULL;
 564                 if (col > 0xFFFD) /* can't happen */
 565                         return NULL;
 566
 567                 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
 568                 s2n(col + 2, ret);
 569                 s2n(col, ret);
 570                 memcpy(ret, s->s3->client_opaque_prf_input, col);
 571                 ret += col;
 572                 }
 573 #endif
 574
 575         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
 576             s->version != DTLS1_VERSION)
 577                 {
 578                 int i;
 579                 long extlen, idlen, itmp;
 580                 OCSP_RESPID *id;
 581
 582                 idlen = 0;
 583                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
 584                         {
 585                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
 586                         itmp = i2d_OCSP_RESPID(id, NULL);
 587                         if (itmp <= 0)
 588                                 return NULL;
 589                         idlen += itmp + 2;
 590                         }
 591
 592                 if (s->tlsext_ocsp_exts)
 593                         {
 594                         extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
 595                         if (extlen < 0)
 596                                 return NULL;
 597                         }
 598                 else
 599                         extlen = 0;
 600
 601                 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL;
 602                 s2n(TLSEXT_TYPE_status_request, ret);
 603                 if (extlen + idlen > 0xFFF0)
 604                         return NULL;
 605                 s2n(extlen + idlen + 5, ret);
 606                 *(ret++) = TLSEXT_STATUSTYPE_ocsp;
 607                 s2n(idlen, ret);
 608                 for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++)
 609                         {
 610                         /* save position of id len */
 611                         unsigned char *q = ret;
 612                         id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
 613                         /* skip over id len */
 614                         ret += 2;
 615                         itmp = i2d_OCSP_RESPID(id, &ret);
 616                         /* write id len */
 617                         s2n(itmp, q);
 618                         }
 619                 s2n(extlen, ret);
 620                 if (extlen > 0)
 621                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
 622                 }
 623
 624 #ifndef OPENSSL_NO_HEARTBEATS
 625         /* Add Heartbeat extension */
 626         if ((limit - ret - 4 - 1) < 0)
 627                 return NULL;
 628         s2n(TLSEXT_TYPE_heartbeat,ret);
 629         s2n(1,ret);
 630         /* Set mode:
 631          * 1: peer may send requests
 632          * 2: peer not allowed to send requests
 633          */
 634         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
 635                 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
 636         else
 637                 *(ret++) = SSL_TLSEXT_HB_ENABLED;
 638 #endif
 639
 640 #ifndef OPENSSL_NO_NEXTPROTONEG
 641         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
 642                 {
 643                 /* The client advertises an emtpy extension to indicate its
 644                  * support for Next Protocol Negotiation */
 645                 if (limit - ret - 4 < 0)
 646                         return NULL;
 647                 s2n(TLSEXT_TYPE_next_proto_neg,ret);
 648                 s2n(0,ret);
 649                 }
 650 #endif
 651
 652 #ifndef OPENSSL_NO_SRTP
 653         if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
 654                 {
 655                 int el;
 656
 657                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
 658
 659                 if((limit - ret - 4 - el) < 0) return NULL;
 660
 661                 s2n(TLSEXT_TYPE_use_srtp,ret);
 662                 s2n(el,ret);
 663
 664                 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
 665                         {
 666                         SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 667                         return NULL;
 668                         }
 669                 ret += el;
 670                 }
 671 #endif
 672         /* Add padding to workaround bugs in F5 terminators.
 673          * See https://tools.ietf.org/html/draft-agl-tls-padding-03
 674          *
 675          * NB: because this code works out the length of all existing
 676          * extensions it MUST always appear last.
 677          */
 678         if (s->options & SSL_OP_TLSEXT_PADDING)
 679                 {
 680                 int hlen = ret - (unsigned char *)s->init_buf->data;
 681                 /* The code in s23_clnt.c to build ClientHello messages
 682                  * includes the 5-byte record header in the buffer, while
 683                  * the code in s3_clnt.c does not.
 684                  */
 685                 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
 686                         hlen -= 5;
 687                 if (hlen > 0xff && hlen < 0x200)
 688                         {
 689                         hlen = 0x200 - hlen;
 690                         if (hlen >= 4)
 691                                 hlen -= 4;
 692                         else
 693                                 hlen = 0;
 694
 695                         s2n(TLSEXT_TYPE_padding, ret);
 696                         s2n(hlen, ret);
 697                         memset(ret, 0, hlen);
 698                         ret += hlen;
 699                         }
 700                 }
 701
 702         if ((extdatalen = ret-orig-2)== 0)
 703                 return orig;
 704
 705         s2n(extdatalen, orig);
 706         return ret;
 707         }
 708
 709 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
 710         {
 711         int extdatalen=0;
 712         unsigned char *orig = buf;
 713         unsigned char *ret = buf;
 714 #ifndef OPENSSL_NO_NEXTPROTONEG
 715         int next_proto_neg_seen;
 716 #endif
 717
 718         /* don't add extensions for SSLv3, unless doing secure renegotiation */
 719         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
 720                 return orig;
 721
 722         ret+=2;
 723         if (ret>=limit) return NULL; /* this really never occurs, but ... */
 724
 725         if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL)
 726                 {
 727                 if ((long)(limit - ret - 4) < 0) return NULL;
 728
 729                 s2n(TLSEXT_TYPE_server_name,ret);
 730                 s2n(0,ret);
 731                 }
 732
 733         if(s->s3->send_connection_binding)
 734         {
 735           int el;
 736
 737           if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
 738               {
 739               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 740               return NULL;
 741               }
 742
 743           if((limit - ret - 4 - el) < 0) return NULL;
 744
 745           s2n(TLSEXT_TYPE_renegotiate,ret);
 746           s2n(el,ret);
 747
 748           if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
 749               {
 750               SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 751               return NULL;
 752               }
 753
 754           ret += el;
 755         }
 756
 757 #ifndef OPENSSL_NO_EC
 758         if (s->tlsext_ecpointformatlist != NULL)
 759                 {
 760                 /* Add TLS extension ECPointFormats to the ServerHello message */
 761                 long lenmax;
 762
 763                 if ((lenmax = limit - ret - 5) < 0) return NULL;
 764                 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
 765                 if (s->tlsext_ecpointformatlist_length > 255)
 766                         {
 767                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 768                         return NULL;
 769                         }
 770
 771                 s2n(TLSEXT_TYPE_ec_point_formats,ret);
 772                 s2n(s->tlsext_ecpointformatlist_length + 1,ret);
 773                 *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length;
 774                 memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
 775                 ret+=s->tlsext_ecpointformatlist_length;
 776
 777                 }
 778         /* Currently the server should not respond with a SupportedCurves extension */
 779 #endif /* OPENSSL_NO_EC */
 780
 781         if (s->tlsext_ticket_expected
 782                 && !(SSL_get_options(s) & SSL_OP_NO_TICKET))
 783                 {
 784                 if ((long)(limit - ret - 4) < 0) return NULL;
 785                 s2n(TLSEXT_TYPE_session_ticket,ret);
 786                 s2n(0,ret);
 787                 }
 788
 789         if (s->tlsext_status_expected)
 790                 {
 791                 if ((long)(limit - ret - 4) < 0) return NULL;
 792                 s2n(TLSEXT_TYPE_status_request,ret);
 793                 s2n(0,ret);
 794                 }
 795
 796 #ifdef TLSEXT_TYPE_opaque_prf_input
 797         if (s->s3->server_opaque_prf_input != NULL &&
 798             s->version != DTLS1_VERSION)
 799                 {
 800                 size_t sol = s->s3->server_opaque_prf_input_len;
 801
 802                 if ((long)(limit - ret - 6 - sol) < 0)
 803                         return NULL;
 804                 if (sol > 0xFFFD) /* can't happen */
 805                         return NULL;
 806
 807                 s2n(TLSEXT_TYPE_opaque_prf_input, ret);
 808                 s2n(sol + 2, ret);
 809                 s2n(sol, ret);
 810                 memcpy(ret, s->s3->server_opaque_prf_input, sol);
 811                 ret += sol;
 812                 }
 813 #endif
 814
 815 #ifndef OPENSSL_NO_SRTP
 816         if(SSL_IS_DTLS(s) && s->srtp_profile)
 817                 {
 818                 int el;
 819
 820                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
 821
 822                 if((limit - ret - 4 - el) < 0) return NULL;
 823
 824                 s2n(TLSEXT_TYPE_use_srtp,ret);
 825                 s2n(el,ret);
 826
 827                 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
 828                         {
 829                         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 830                         return NULL;
 831                         }
 832                 ret+=el;
 833                 }
 834 #endif
 835
 836         if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
 837                 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
 838                 { const unsigned char cryptopro_ext[36] = {
 839                         0xfd, 0xe8, /*65000*/
 840                         0x00, 0x20, /*32 bytes length*/
 841                         0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
 842                         0x03,   0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
 843                         0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
 844                         0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17};
 845                         if (limit-ret<36) return NULL;
 846                         memcpy(ret,cryptopro_ext,36);
 847                         ret+=36;
 848
 849                 }
 850
 851 #ifndef OPENSSL_NO_HEARTBEATS
 852         /* Add Heartbeat extension if we've received one */
 853         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
 854                 {
 855                 if ((limit - ret - 4 - 1) < 0)
 856                         return NULL;
 857                 s2n(TLSEXT_TYPE_heartbeat,ret);
 858                 s2n(1,ret);
 859                 /* Set mode:
 860                  * 1: peer may send requests
 861                  * 2: peer not allowed to send requests
 862                  */
 863                 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
 864                         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
 865                 else
 866                         *(ret++) = SSL_TLSEXT_HB_ENABLED;
 867
 868                 }
 869 #endif
 870
 871 #ifndef OPENSSL_NO_NEXTPROTONEG
 872         next_proto_neg_seen = s->s3->next_proto_neg_seen;
 873         s->s3->next_proto_neg_seen = 0;
 874         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
 875                 {
 876                 const unsigned char *npa;
 877                 unsigned int npalen;
 878                 int r;
 879
 880                 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
 881                 if (r == SSL_TLSEXT_ERR_OK)
 882                         {
 883                         if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
 884                         s2n(TLSEXT_TYPE_next_proto_neg,ret);
 885                         s2n(npalen,ret);
 886                         memcpy(ret, npa, npalen);
 887                         ret += npalen;
 888                         s->s3->next_proto_neg_seen = 1;
 889                         }
 890                 }
 891 #endif
 892
 893         if ((extdatalen = ret-orig-2)== 0)
 894                 return orig;
 895
 896         s2n(extdatalen, orig);
 897         return ret;
 898         }
 899
 900 #ifndef OPENSSL_NO_EC
 901 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
 902  * SecureTransport using the TLS extension block in |d|, of length |n|.
 903  * Safari, since 10.6, sends exactly these extensions, in this order:
 904  *   SNI,
 905  *   elliptic_curves
 906  *   ec_point_formats
 907  *
 908  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 909  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 910  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 911  * 10.8..10.8.3 (which don't work).
 912  */
 913 static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
 914         unsigned short type, size;
 915         static const unsigned char kSafariExtensionsBlock[] = {
 916                 0x00, 0x0a,  /* elliptic_curves extension */
 917                 0x00, 0x08,  /* 8 bytes */
 918                 0x00, 0x06,  /* 6 bytes of curve ids */
 919                 0x00, 0x17,  /* P-256 */
 920                 0x00, 0x18,  /* P-384 */
 921                 0x00, 0x19,  /* P-521 */
 922
 923                 0x00, 0x0b,  /* ec_point_formats */
 924                 0x00, 0x02,  /* 2 bytes */
 925                 0x01,        /* 1 point format */
 926                 0x00,        /* uncompressed */
 927         };
 928
 929         /* The following is only present in TLS 1.2 */
 930         static const unsigned char kSafariTLS12ExtensionsBlock[] = {
 931                 0x00, 0x0d,  /* signature_algorithms */
 932                 0x00, 0x0c,  /* 12 bytes */
 933                 0x00, 0x0a,  /* 10 bytes */
 934                 0x05, 0x01,  /* SHA-384/RSA */
 935                 0x04, 0x01,  /* SHA-256/RSA */
 936                 0x02, 0x01,  /* SHA-1/RSA */
 937                 0x04, 0x03,  /* SHA-256/ECDSA */
 938                 0x02, 0x03,  /* SHA-1/ECDSA */
 939         };
 940
 941         if (data >= (d+n-2))
 942                 return;
 943         data += 2;
 944
 945         if (data > (d+n-4))
 946                 return;
 947         n2s(data,type);
 948         n2s(data,size);
 949
 950         if (type != TLSEXT_TYPE_server_name)
 951                 return;
 952
 953         if (data+size > d+n)
 954                 return;
 955         data += size;
 956
 957         if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
 958                 {
 959                 const size_t len1 = sizeof(kSafariExtensionsBlock);
 960                 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
 961
 962                 if (data + len1 + len2 != d+n)
 963                         return;
 964                 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
 965                         return;
 966                 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
 967                         return;
 968                 }
 969         else
 970                 {
 971                 const size_t len = sizeof(kSafariExtensionsBlock);
 972
 973                 if (data + len != d+n)
 974                         return;
 975                 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
 976                         return;
 977                 }
 978
 979         s->s3->is_probably_safari = 1;
 980 }
 981 #endif /* !OPENSSL_NO_EC */
 982
 983 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
 984         {
 985         unsigned short type;
 986         unsigned short size;
 987         unsigned short len;
 988         unsigned char *data = *p;
 989         int renegotiate_seen = 0;
 990         int sigalg_seen = 0;
 991
 992         s->servername_done = 0;
 993         s->tlsext_status_type = -1;
 994 #ifndef OPENSSL_NO_NEXTPROTONEG
 995         s->s3->next_proto_neg_seen = 0;
 996 #endif
 997
 998 #ifndef OPENSSL_NO_HEARTBEATS
 999         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1000                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1001 #endif
1002
1003 #ifndef OPENSSL_NO_EC
1004         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1005                 ssl_check_for_safari(s, data, d, n);
1006 #endif /* !OPENSSL_NO_EC */
1007
1008 #ifndef OPENSSL_NO_SRP
1009         if (s->srp_ctx.login != NULL)
1010                 {
1011                 OPENSSL_free(s->srp_ctx.login);
1012                 s->srp_ctx.login = NULL;
1013                 }
1014 #endif
1015
1016         s->srtp_profile = NULL;
1017
1018         if (data >= (d + n - 2)) {
1019             if (data != d + n)
1020                 goto err;
1021             else
1022                 goto ri_check;
1023         }
1024         n2s(data,len);
1025
1026         if (data > (d+n-len))
1027                 goto err;
1028
1029         while (data <= (d+n-4))
1030                 {
1031                 n2s(data,type);
1032                 n2s(data,size);
1033
1034                 if (data+size > (d+n))
1035                         goto err;
1036 #if 0
1037                 fprintf(stderr,"Received extension type %d size %d\n",type,size);
1038 #endif
1039                 if (s->tlsext_debug_cb)
1040                         s->tlsext_debug_cb(s, 0, type, data, size,
1041                                                 s->tlsext_debug_arg);
1042 /* The servername extension is treated as follows:
1043
1044    - Only the hostname type is supported with a maximum length of 255.
1045    - The servername is rejected if too long or if it contains zeros,
1046      in which case an fatal alert is generated.
1047    - The servername field is maintained together with the session cache.
1048    - When a session is resumed, the servername call back invoked in order
1049      to allow the application to position itself to the right context.
1050    - The servername is acknowledged if it is new for a session or when
1051      it is identical to a previously used for the same session.
1052      Applications can control the behaviour.  They can at any time
1053      set a 'desirable' servername for a new SSL object. This can be the
1054      case for example with HTTPS when a Host: header field is received and
1055      a renegotiation is requested. In this case, a possible servername
1056      presented in the new client hello is only acknowledged if it matches
1057      the value of the Host: field.
1058    - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1059      if they provide for changing an explicit servername context for the session,
1060      i.e. when the session has been established with a servername extension.
1061    - On session reconnect, the servername extension may be absent.
1062
1063 */
1064
1065                 if (type == TLSEXT_TYPE_server_name)
1066                         {
1067                         unsigned char *sdata;
1068                         int servname_type;
1069                         int dsize;
1070
1071                         if (size < 2)
1072                                 goto err;
1073                         n2s(data,dsize);
1074                         size -= 2;
1075                         if (dsize > size  )
1076                                 goto err;
1077
1078                         sdata = data;
1079                         while (dsize > 3)
1080                                 {
1081                                 servname_type = *(sdata++);
1082                                 n2s(sdata,len);
1083                                 dsize -= 3;
1084
1085                                 if (len > dsize)
1086                                         goto err;
1087                                 if (s->servername_done == 0)
1088                                 switch (servname_type)
1089                                         {
1090                                 case TLSEXT_NAMETYPE_host_name:
1091                                         if (!s->hit)
1092                                                 {
1093                                                 if(s->session->tlsext_hostname)
1094                                                         goto err;
1095                                                 if (len > TLSEXT_MAXLEN_host_name)
1096                                                         {
1097                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1098                                                         return 0;
1099                                                         }
1100                                                 if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
1101                                                         {
1102                                                         *al = TLS1_AD_INTERNAL_ERROR;
1103                                                         return 0;
1104                                                         }
1105                                                 memcpy(s->session->tlsext_hostname, sdata, len);
1106                                                 s->session->tlsext_hostname[len]='\0';
1107                                                 if (strlen(s->session->tlsext_hostname) != len) {
1108                                                         OPENSSL_free(s->session->tlsext_hostname);
1109                                                         s->session->tlsext_hostname = NULL;
1110                                                         *al = TLS1_AD_UNRECOGNIZED_NAME;
1111                                                         return 0;
1112                                                 }
1113                                                 s->servername_done = 1;
1114
1115                                                 }
1116                                         else
1117                                                 s->servername_done = s->session->tlsext_hostname
1118                                                         && strlen(s->session->tlsext_hostname) == len
1119                                                         && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1120
1121                                         break;
1122
1123                                 default:
1124                                         break;
1125                                         }
1126
1127                                 dsize -= len;
1128                                 }
1129                         if (dsize != 0)
1130                                 goto err;
1131
1132                         }
1133 #ifndef OPENSSL_NO_SRP
1134                 else if (type == TLSEXT_TYPE_srp)
1135                         {
1136                         if (size <= 0 || ((len = data[0])) != (size -1))
1137                                 goto err;
1138                         if (s->srp_ctx.login != NULL)
1139                                 goto err;
1140                         if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1141                                 return -1;
1142                         memcpy(s->srp_ctx.login, &data[1], len);
1143                         s->srp_ctx.login[len]='\0';
1144
1145                         if (strlen(s->srp_ctx.login) != len)
1146                                 goto err;
1147                                 }
1148 #endif
1149
1150 #ifndef OPENSSL_NO_EC
1151                 else if (type == TLSEXT_TYPE_ec_point_formats)
1152                         {
1153                         unsigned char *sdata = data;
1154                         int ecpointformatlist_length = *(sdata++);
1155
1156                         if (ecpointformatlist_length != size - 1)
1157                                 goto err;
1158                         if (!s->hit)
1159                                 {
1160                                 if(s->session->tlsext_ecpointformatlist)
1161                                         {
1162                                         OPENSSL_free(s->session->tlsext_ecpointformatlist);
1163                                         s->session->tlsext_ecpointformatlist = NULL;
1164                                         }
1165                                 s->session->tlsext_ecpointformatlist_length = 0;
1166                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1167                                         {
1168                                         *al = TLS1_AD_INTERNAL_ERROR;
1169                                         return 0;
1170                                         }
1171                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1172                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1173                                 }
1174 #if 0
1175                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
1176                         sdata = s->session->tlsext_ecpointformatlist;
1177                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1178                                 fprintf(stderr,"%i ",*(sdata++));
1179                         fprintf(stderr,"\n");
1180 #endif
1181                         }
1182                 else if (type == TLSEXT_TYPE_elliptic_curves)
1183                         {
1184                         unsigned char *sdata = data;
1185                         int ellipticcurvelist_length = (*(sdata++) << 8);
1186                         ellipticcurvelist_length += (*(sdata++));
1187
1188                         if (ellipticcurvelist_length != size - 2 ||
1189                                 ellipticcurvelist_length < 1 ||
1190                                 /* Each NamedCurve is 2 bytes. */
1191                                 ellipticcurvelist_length & 1)
1192                                         goto err;
1193                         if (!s->hit)
1194                                 {
1195                                 if(s->session->tlsext_ellipticcurvelist)
1196                                         goto err;
1197
1198                                 s->session->tlsext_ellipticcurvelist_length = 0;
1199                                 if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
1200                                         {
1201                                         *al = TLS1_AD_INTERNAL_ERROR;
1202                                         return 0;
1203                                         }
1204                                 s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
1205                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
1206                                 }
1207 #if 0
1208                         fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
1209                         sdata = s->session->tlsext_ellipticcurvelist;
1210                         for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
1211                                 fprintf(stderr,"%i ",*(sdata++));
1212                         fprintf(stderr,"\n");
1213 #endif
1214                         }
1215 #endif /* OPENSSL_NO_EC */
1216 #ifdef TLSEXT_TYPE_opaque_prf_input
1217                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1218                      s->version != DTLS1_VERSION)
1219                         {
1220                         unsigned char *sdata = data;
1221
1222                         if (size < 2)
1223                                 {
1224                                 *al = SSL_AD_DECODE_ERROR;
1225                                 return 0;
1226                                 }
1227                         n2s(sdata, s->s3->client_opaque_prf_input_len);
1228                         if (s->s3->client_opaque_prf_input_len != size - 2)
1229                                 {
1230                                 *al = SSL_AD_DECODE_ERROR;
1231                                 return 0;
1232                                 }
1233
1234                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1235                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1236                         if (s->s3->client_opaque_prf_input_len == 0)
1237                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1238                         else
1239                                 s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
1240                         if (s->s3->client_opaque_prf_input == NULL)
1241                                 {
1242                                 *al = TLS1_AD_INTERNAL_ERROR;
1243                                 return 0;
1244                                 }
1245                         }
1246 #endif
1247                 else if (type == TLSEXT_TYPE_session_ticket)
1248                         {
1249                         if (s->tls_session_ticket_ext_cb &&
1250                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1251                                 {
1252                                 *al = TLS1_AD_INTERNAL_ERROR;
1253                                 return 0;
1254                                 }
1255                         }
1256                 else if (type == TLSEXT_TYPE_renegotiate)
1257                         {
1258                         if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
1259                                 return 0;
1260                         renegotiate_seen = 1;
1261                         }
1262                 else if (type == TLSEXT_TYPE_signature_algorithms)
1263                         {
1264                         int dsize;
1265                         if (sigalg_seen || size < 2)
1266                                 goto err;
1267                         sigalg_seen = 1;
1268                         n2s(data,dsize);
1269                         size -= 2;
1270                         if (dsize != size || dsize & 1)
1271                                 goto err;
1272                         if (!tls1_process_sigalgs(s, data, dsize))
1273                                 goto err;
1274                                 }
1275                 else if (type == TLSEXT_TYPE_status_request &&
1276                          s->version != DTLS1_VERSION)
1277                         {
1278
1279                         if (size < 5)
1280                                 goto err;
1281
1282                         s->tlsext_status_type = *data++;
1283                         size--;
1284                         if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
1285                                 {
1286                                 const unsigned char *sdata;
1287                                 int dsize;
1288                                 /* Read in responder_id_list */
1289                                 n2s(data,dsize);
1290                                 size -= 2;
1291                                 if (dsize > size  )
1292                                         goto err;
1293                                 while (dsize > 0)
1294                                         {
1295                                         OCSP_RESPID *id;
1296                                         int idsize;
1297                                         if (dsize < 4)
1298                                                 goto err;
1299                                         n2s(data, idsize);
1300                                         dsize -= 2 + idsize;
1301                                         size -= 2 + idsize;
1302                                         if (dsize < 0)
1303                                                 goto err;
1304                                         sdata = data;
1305                                         data += idsize;
1306                                         id = d2i_OCSP_RESPID(NULL,
1307                                                                 &sdata, idsize);
1308                                         if (!id)
1309                                                 goto err;
1310                                         if (data != sdata)
1311                                                 {
1312                                                 OCSP_RESPID_free(id);
1313                         goto err;
1314                                                 }
1315                                         if (!s->tlsext_ocsp_ids
1316                                                 && !(s->tlsext_ocsp_ids =
1317                                                 sk_OCSP_RESPID_new_null()))
1318                                                 {
1319                                                 OCSP_RESPID_free(id);
1320                                                 *al = SSL_AD_INTERNAL_ERROR;
1321                                                 return 0;
1322                                                 }
1323                                         if (!sk_OCSP_RESPID_push(
1324                                                         s->tlsext_ocsp_ids, id))
1325                                                 {
1326                                                 OCSP_RESPID_free(id);
1327                                                 *al = SSL_AD_INTERNAL_ERROR;
1328                                                 return 0;
1329                                                 }
1330                                         }
1331
1332                                 /* Read in request_extensions */
1333                                 if (size < 2)
1334                                         goto err;
1335                                 n2s(data,dsize);
1336                                 size -= 2;
1337                                 if (dsize != size)
1338                                         goto err;
1339                                 sdata = data;
1340                                 if (dsize > 0)
1341                                         {
1342                                         if (s->tlsext_ocsp_exts)
1343                                                 {
1344                                                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
1345                                                                            X509_EXTENSION_free);
1346                                                 }
1347
1348                                         s->tlsext_ocsp_exts =
1349                                                 d2i_X509_EXTENSIONS(NULL,
1350                                                         &sdata, dsize);
1351                                         if (!s->tlsext_ocsp_exts
1352                                                 || (data + dsize != sdata))
1353                                                         goto err;
1354                                                 }
1355                                         }
1356                                 /* We don't know what to do with any other type
1357                                 * so ignore it.
1358                                 */
1359                                 else
1360                                         s->tlsext_status_type = -1;
1361                         }
1362 #ifndef OPENSSL_NO_HEARTBEATS
1363                 else if (type == TLSEXT_TYPE_heartbeat)
1364                         {
1365                         switch(data[0])
1366                                 {
1367                                 case 0x01:      /* Client allows us to send HB requests */
1368                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1369                                                         break;
1370                                 case 0x02:      /* Client doesn't accept HB requests */
1371                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1372                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1373                                                         break;
1374                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1375                                                         return 0;
1376                                 }
1377                         }
1378 #endif
1379 #ifndef OPENSSL_NO_NEXTPROTONEG
1380                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1381                          s->s3->tmp.finish_md_len == 0)
1382                         {
1383                         /* We shouldn't accept this extension on a
1384                          * renegotiation.
1385                          *
1386                          * s->new_session will be set on renegotiation, but we
1387                          * probably shouldn't rely that it couldn't be set on
1388                          * the initial renegotation too in certain cases (when
1389                          * there's some other reason to disallow resuming an
1390                          * earlier session -- the current code won't be doing
1391                          * anything like that, but this might change).
1392
1393                          * A valid sign that there's been a previous handshake
1394                          * in this connection is if s->s3->tmp.finish_md_len >
1395                          * 0.  (We are talking about a check that will happen
1396                          * in the Hello protocol round, well before a new
1397                          * Finished message could have been computed.) */
1398                         s->s3->next_proto_neg_seen = 1;
1399                         }
1400 #endif
1401
1402                 /* session ticket processed earlier */
1403 #ifndef OPENSSL_NO_SRTP
1404                 else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
1405                          && type == TLSEXT_TYPE_use_srtp)
1406                         {
1407                         if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1408                                                               al))
1409                                 return 0;
1410                         }
1411 #endif
1412
1413                 data+=size;
1414                 }
1415
1416     /* Spurious data on the end */
1417     if (data != d + n)
1418         goto err;
1419
1420         *p = data;
1421
1422         ri_check:
1423
1424         /* Need RI if renegotiating */
1425
1426         if (!renegotiate_seen && s->renegotiate &&
1427                 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1428                 {
1429                 *al = SSL_AD_HANDSHAKE_FAILURE;
1430                 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
1431                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1432                 return 0;
1433                 }
1434
1435         return 1;
1436 err:
1437     *al = SSL_AD_DECODE_ERROR;
1438     return 0;
1439 }
1440
1441 #ifndef OPENSSL_NO_NEXTPROTONEG
1442 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1443  * elements of zero length are allowed and the set of elements must exactly fill
1444  * the length of the block. */
1445 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1446         {
1447         unsigned int off = 0;
1448
1449         while (off < len)
1450                 {
1451                 if (d[off] == 0)
1452                         return 0;
1453                 off += d[off];
1454                 off++;
1455                 }
1456
1457         return off == len;
1458         }
1459 #endif
1460
1461 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1462         {
1463         unsigned short length;
1464         unsigned short type;
1465         unsigned short size;
1466         unsigned char *data = *p;
1467         int tlsext_servername = 0;
1468         int renegotiate_seen = 0;
1469
1470 #ifndef OPENSSL_NO_NEXTPROTONEG
1471         s->s3->next_proto_neg_seen = 0;
1472 #endif
1473         s->tlsext_ticket_expected = 0;
1474
1475 #ifndef OPENSSL_NO_HEARTBEATS
1476         s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1477                                SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1478 #endif
1479
1480         if (data >= (d+n-2))
1481                 goto ri_check;
1482
1483         n2s(data,length);
1484         if (data+length != d+n)
1485                 {
1486                 *al = SSL_AD_DECODE_ERROR;
1487                 return 0;
1488                 }
1489
1490         while(data <= (d+n-4))
1491                 {
1492                 n2s(data,type);
1493                 n2s(data,size);
1494
1495                 if (data+size > (d+n))
1496                         goto ri_check;
1497
1498                 if (s->tlsext_debug_cb)
1499                         s->tlsext_debug_cb(s, 1, type, data, size,
1500                                                 s->tlsext_debug_arg);
1501
1502                 if (type == TLSEXT_TYPE_server_name)
1503                         {
1504                         if (s->tlsext_hostname == NULL || size > 0)
1505                                 {
1506                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
1507                                 return 0;
1508                                 }
1509                         tlsext_servername = 1;
1510                         }
1511
1512 #ifndef OPENSSL_NO_EC
1513                 else if (type == TLSEXT_TYPE_ec_point_formats)
1514                         {
1515                         unsigned char *sdata = data;
1516                         int ecpointformatlist_length = *(sdata++);
1517
1518                         if (ecpointformatlist_length != size - 1 ||
1519                                 ecpointformatlist_length < 1)
1520                                 {
1521                                 *al = TLS1_AD_DECODE_ERROR;
1522                                 return 0;
1523                                 }
1524                         if (!s->hit)
1525                                 {
1526                                 s->session->tlsext_ecpointformatlist_length = 0;
1527                                 if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
1528                                 if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
1529                                         {
1530                                         *al = TLS1_AD_INTERNAL_ERROR;
1531                                         return 0;
1532                                         }
1533                                 s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
1534                                 memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
1535                                 }
1536 #if 0
1537                         fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
1538                         sdata = s->session->tlsext_ecpointformatlist;
1539                         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
1540                                 fprintf(stderr,"%i ",*(sdata++));
1541                         fprintf(stderr,"\n");
1542 #endif
1543                         }
1544 #endif /* OPENSSL_NO_EC */
1545
1546                 else if (type == TLSEXT_TYPE_session_ticket)
1547                         {
1548                         if (s->tls_session_ticket_ext_cb &&
1549                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
1550                                 {
1551                                 *al = TLS1_AD_INTERNAL_ERROR;
1552                                 return 0;
1553                                 }
1554                         if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
1555                                 || (size > 0))
1556                                 {
1557                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1558                                 return 0;
1559                                 }
1560                         s->tlsext_ticket_expected = 1;
1561                         }
1562 #ifdef TLSEXT_TYPE_opaque_prf_input
1563                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1564                      s->version != DTLS1_VERSION)
1565                         {
1566                         unsigned char *sdata = data;
1567
1568                         if (size < 2)
1569                                 {
1570                                 *al = SSL_AD_DECODE_ERROR;
1571                                 return 0;
1572                                 }
1573                         n2s(sdata, s->s3->server_opaque_prf_input_len);
1574                         if (s->s3->server_opaque_prf_input_len != size - 2)
1575                                 {
1576                                 *al = SSL_AD_DECODE_ERROR;
1577                                 return 0;
1578                                 }
1579
1580                         if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1581                                 OPENSSL_free(s->s3->server_opaque_prf_input);
1582                         if (s->s3->server_opaque_prf_input_len == 0)
1583                                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1584                         else
1585                                 s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
1586
1587                         if (s->s3->server_opaque_prf_input == NULL)
1588                                 {
1589                                 *al = TLS1_AD_INTERNAL_ERROR;
1590                                 return 0;
1591                                 }
1592                         }
1593 #endif
1594                 else if (type == TLSEXT_TYPE_status_request &&
1595                          s->version != DTLS1_VERSION)
1596                         {
1597                         /* MUST be empty and only sent if we've requested
1598                          * a status request message.
1599                          */
1600                         if ((s->tlsext_status_type == -1) || (size > 0))
1601                                 {
1602                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1603                                 return 0;
1604                                 }
1605                         /* Set flag to expect CertificateStatus message */
1606                         s->tlsext_status_expected = 1;
1607                         }
1608 #ifndef OPENSSL_NO_NEXTPROTONEG
1609                 else if (type == TLSEXT_TYPE_next_proto_neg &&
1610                          s->s3->tmp.finish_md_len == 0)
1611                         {
1612                         unsigned char *selected;
1613                         unsigned char selected_len;
1614
1615                         /* We must have requested it. */
1616                         if (s->ctx->next_proto_select_cb == NULL)
1617                                 {
1618                                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1619                                 return 0;
1620                                 }
1621                         /* The data must be valid */
1622                         if (!ssl_next_proto_validate(data, size))
1623                                 {
1624                                 *al = TLS1_AD_DECODE_ERROR;
1625                                 return 0;
1626                                 }
1627                         if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1628                                 {
1629                                 *al = TLS1_AD_INTERNAL_ERROR;
1630                                 return 0;
1631                                 }
1632                         s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1633                         if (!s->next_proto_negotiated)
1634                                 {
1635                                 *al = TLS1_AD_INTERNAL_ERROR;
1636                                 return 0;
1637                                 }
1638                         memcpy(s->next_proto_negotiated, selected, selected_len);
1639                         s->next_proto_negotiated_len = selected_len;
1640                         s->s3->next_proto_neg_seen = 1;
1641                         }
1642 #endif
1643                 else if (type == TLSEXT_TYPE_renegotiate)
1644                         {
1645                         if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1646                                 return 0;
1647                         renegotiate_seen = 1;
1648                         }
1649 #ifndef OPENSSL_NO_HEARTBEATS
1650                 else if (type == TLSEXT_TYPE_heartbeat)
1651                         {
1652                         switch(data[0])
1653                                 {
1654                                 case 0x01:      /* Server allows us to send HB requests */
1655                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1656                                                         break;
1657                                 case 0x02:      /* Server doesn't accept HB requests */
1658                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1659                                                         s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1660                                                         break;
1661                                 default:        *al = SSL_AD_ILLEGAL_PARAMETER;
1662                                                         return 0;
1663                                 }
1664                         }
1665 #endif
1666 #ifndef OPENSSL_NO_SRTP
1667                 else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
1668                         {
1669                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1670                                                               al))
1671                                 return 0;
1672                         }
1673 #endif
1674
1675                 data+=size;
1676                 }
1677
1678         if (data != d+n)
1679                 {
1680                 *al = SSL_AD_DECODE_ERROR;
1681                 return 0;
1682                 }
1683
1684         if (!s->hit && tlsext_servername == 1)
1685                 {
1686                 if (s->tlsext_hostname)
1687                         {
1688                         if (s->session->tlsext_hostname == NULL)
1689                                 {
1690                                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
1691                                 if (!s->session->tlsext_hostname)
1692                                         {
1693                                         *al = SSL_AD_UNRECOGNIZED_NAME;
1694                                         return 0;
1695                                         }
1696                                 }
1697                         else
1698                                 {
1699                                 *al = SSL_AD_DECODE_ERROR;
1700                                 return 0;
1701                                 }
1702                         }
1703                 }
1704
1705         *p = data;
1706
1707         ri_check:
1708
1709         /* Determine if we need to see RI. Strictly speaking if we want to
1710          * avoid an attack we should *always* see RI even on initial server
1711          * hello because the client doesn't see any renegotiation during an
1712          * attack. However this would mean we could not connect to any server
1713          * which doesn't support RI so for the immediate future tolerate RI
1714          * absence on initial connect only.
1715          */
1716         if (!renegotiate_seen
1717                 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
1718                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1719                 {
1720                 *al = SSL_AD_HANDSHAKE_FAILURE;
1721                 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1722                                 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1723                 return 0;
1724                 }
1725
1726         return 1;
1727         }
1728
1729
1730 int ssl_prepare_clienthello_tlsext(SSL *s)
1731         {
1732 #ifndef OPENSSL_NO_EC
1733         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
1734          * and elliptic curves we support.
1735          */
1736         int using_ecc = 0;
1737         int i;
1738         unsigned char *j;
1739         unsigned long alg_k, alg_a;
1740         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1741
1742         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
1743                 {
1744                 SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1745
1746                 alg_k = c->algorithm_mkey;
1747                 alg_a = c->algorithm_auth;
1748                 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
1749                         {
1750                         using_ecc = 1;
1751                         break;
1752                         }
1753                 }
1754         using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1755         if (using_ecc)
1756                 {
1757                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1758                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1759                         {
1760                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1761                         return -1;
1762                         }
1763                 s->tlsext_ecpointformatlist_length = 3;
1764                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1765                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1766                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1767
1768                 /* we support all named elliptic curves in RFC 4492 */
1769                 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1770                 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1771                 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1772                         {
1773                         s->tlsext_ellipticcurvelist_length = 0;
1774                         SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1775                         return -1;
1776                         }
1777                 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1778                                 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1779                         {
1780                         int id = tls1_ec_nid2curve_id(pref_list[i]);
1781                         s2n(id,j);
1782                         }
1783                 }
1784 #endif /* OPENSSL_NO_EC */
1785
1786 #ifdef TLSEXT_TYPE_opaque_prf_input
1787         {
1788                 int r = 1;
1789
1790                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1791                         {
1792                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1793                         if (!r)
1794                                 return -1;
1795                         }
1796
1797                 if (s->tlsext_opaque_prf_input != NULL)
1798                         {
1799                         if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
1800                                 OPENSSL_free(s->s3->client_opaque_prf_input);
1801
1802                         if (s->tlsext_opaque_prf_input_len == 0)
1803                                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1804                         else
1805                                 s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1806                         if (s->s3->client_opaque_prf_input == NULL)
1807                                 {
1808                                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1809                                 return -1;
1810                                 }
1811                         s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1812                         }
1813
1814                 if (r == 2)
1815                         /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1816                         s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1817         }
1818 #endif
1819
1820         return 1;
1821         }
1822
1823 int ssl_prepare_serverhello_tlsext(SSL *s)
1824         {
1825 #ifndef OPENSSL_NO_EC
1826         /* If we are server and using an ECC cipher suite, send the point formats we support
1827          * if the client sent us an ECPointsFormat extension.  Note that the server is not
1828          * supposed to send an EllipticCurves extension.
1829          */
1830
1831         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1832         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1833         int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
1834         using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1835
1836         if (using_ecc)
1837                 {
1838                 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
1839                 if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL)
1840                         {
1841                         SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1842                         return -1;
1843                         }
1844                 s->tlsext_ecpointformatlist_length = 3;
1845                 s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed;
1846                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1847                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1848                 }
1849 #endif /* OPENSSL_NO_EC */
1850
1851         return 1;
1852         }
1853
1854 int ssl_check_clienthello_tlsext_early(SSL *s)
1855         {
1856         int ret=SSL_TLSEXT_ERR_NOACK;
1857         int al = SSL_AD_UNRECOGNIZED_NAME;
1858
1859 #ifndef OPENSSL_NO_EC
1860         /* The handling of the ECPointFormats extension is done elsewhere, namely in
1861          * ssl3_choose_cipher in s3_lib.c.
1862          */
1863         /* The handling of the EllipticCurves extension is done elsewhere, namely in
1864          * ssl3_choose_cipher in s3_lib.c.
1865          */
1866 #endif
1867
1868         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
1869                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
1870         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1871                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1872
1873 #ifdef TLSEXT_TYPE_opaque_prf_input
1874         {
1875                 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1876                  * but we might be sending an alert in response to the client hello,
1877                  * so this has to happen here in
1878                  * ssl_check_clienthello_tlsext_early(). */
1879
1880                 int r = 1;
1881
1882                 if (s->ctx->tlsext_opaque_prf_input_callback != 0)
1883                         {
1884                         r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg);
1885                         if (!r)
1886                                 {
1887                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1888                                 al = SSL_AD_INTERNAL_ERROR;
1889                                 goto err;
1890                                 }
1891                         }
1892
1893                 if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
1894                         OPENSSL_free(s->s3->server_opaque_prf_input);
1895                 s->s3->server_opaque_prf_input = NULL;
1896
1897                 if (s->tlsext_opaque_prf_input != NULL)
1898                         {
1899                         if (s->s3->client_opaque_prf_input != NULL &&
1900                                 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len)
1901                                 {
1902                                 /* can only use this extension if we have a server opaque PRF input
1903                                  * of the same length as the client opaque PRF input! */
1904
1905                                 if (s->tlsext_opaque_prf_input_len == 0)
1906                                         s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
1907                                 else
1908                                         s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
1909                                 if (s->s3->server_opaque_prf_input == NULL)
1910                                         {
1911                                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1912                                         al = SSL_AD_INTERNAL_ERROR;
1913                                         goto err;
1914                                         }
1915                                 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1916                                 }
1917                         }
1918
1919                 if (r == 2 && s->s3->server_opaque_prf_input == NULL)
1920                         {
1921                         /* The callback wants to enforce use of the extension,
1922                          * but we can't do that with the client opaque PRF input;
1923                          * abort the handshake.
1924                          */
1925                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1926                         al = SSL_AD_HANDSHAKE_FAILURE;
1927                         }
1928         }
1929
1930  err:
1931 #endif
1932         switch (ret)
1933                 {
1934                 case SSL_TLSEXT_ERR_ALERT_FATAL:
1935                         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1936                         return -1;
1937
1938                 case SSL_TLSEXT_ERR_ALERT_WARNING:
1939                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
1940                         return 1;
1941
1942                 case SSL_TLSEXT_ERR_NOACK:
1943                         s->servername_done=0;
1944                         default:
1945                 return 1;
1946                 }
1947         }
1948
1949 int ssl_check_clienthello_tlsext_late(SSL *s)
1950         {
1951         int ret = SSL_TLSEXT_ERR_OK;
1952         int al;
1953
1954         /* If status request then ask callback what to do.
1955          * Note: this must be called after servername callbacks in case
1956          * the certificate has changed, and must be called after the cipher
1957          * has been chosen because this may influence which certificate is sent
1958          */
1959         if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1960                 {
1961                 int r;
1962                 CERT_PKEY *certpkey;
1963                 certpkey = ssl_get_server_send_pkey(s);
1964                 /* If no certificate can't return certificate status */
1965                 if (certpkey == NULL)
1966                         {
1967                         s->tlsext_status_expected = 0;
1968                         return 1;
1969                         }
1970                 /* Set current certificate to one we will use so
1971                  * SSL_get_certificate et al can pick it up.
1972                  */
1973                 s->cert->key = certpkey;
1974                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1975                 switch (r)
1976                         {
1977                         /* We don't want to send a status request response */
1978                         case SSL_TLSEXT_ERR_NOACK:
1979                                 s->tlsext_status_expected = 0;
1980                                 break;
1981                         /* status request response should be sent */
1982                         case SSL_TLSEXT_ERR_OK:
1983                                 if (s->tlsext_ocsp_resp)
1984                                         s->tlsext_status_expected = 1;
1985                                 else
1986                                         s->tlsext_status_expected = 0;
1987                                 break;
1988                         /* something bad happened */
1989                         case SSL_TLSEXT_ERR_ALERT_FATAL:
1990                                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1991                                 al = SSL_AD_INTERNAL_ERROR;
1992                                 goto err;
1993                         }
1994                 }
1995         else
1996                 s->tlsext_status_expected = 0;
1997
1998  err:
1999         switch (ret)
2000                 {
2001                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2002                         ssl3_send_alert(s,SSL3_AL_FATAL,al);
2003                         return -1;
2004
2005                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2006                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2007                         return 1;
2008
2009                 default:
2010                         return 1;
2011                 }
2012         }
2013
2014 int ssl_check_serverhello_tlsext(SSL *s)
2015         {
2016         int ret=SSL_TLSEXT_ERR_NOACK;
2017         int al = SSL_AD_UNRECOGNIZED_NAME;
2018
2019 #ifndef OPENSSL_NO_EC
2020         /* If we are client and using an elliptic curve cryptography cipher
2021          * suite, then if server returns an EC point formats lists extension
2022          * it must contain uncompressed.
2023          */
2024         unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2025         unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2026         if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) &&
2027             (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) &&
2028             ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
2029                 {
2030                 /* we are using an ECC cipher */
2031                 size_t i;
2032                 unsigned char *list;
2033                 int found_uncompressed = 0;
2034                 list = s->session->tlsext_ecpointformatlist;
2035                 for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2036                         {
2037                         if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed)
2038                                 {
2039                                 found_uncompressed = 1;
2040                                 break;
2041                                 }
2042                         }
2043                 if (!found_uncompressed)
2044                         {
2045                         SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
2046                         return -1;
2047                         }
2048                 }
2049         ret = SSL_TLSEXT_ERR_OK;
2050 #endif /* OPENSSL_NO_EC */
2051
2052         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2053                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
2054         else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
2055                 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
2056
2057 #ifdef TLSEXT_TYPE_opaque_prf_input
2058         if (s->s3->server_opaque_prf_input_len > 0)
2059                 {
2060                 /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs.
2061                  * So first verify that we really have a value from the server too. */
2062
2063                 if (s->s3->server_opaque_prf_input == NULL)
2064                         {
2065                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2066                         al = SSL_AD_HANDSHAKE_FAILURE;
2067                         }
2068
2069                 /* Anytime the server *has* sent an opaque PRF input, we need to check
2070                  * that we have a client opaque PRF input of the same size. */
2071                 if (s->s3->client_opaque_prf_input == NULL ||
2072                     s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len)
2073                         {
2074                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2075                         al = SSL_AD_ILLEGAL_PARAMETER;
2076                         }
2077                 }
2078 #endif
2079
2080         /* If we've requested certificate status and we wont get one
2081          * tell the callback
2082          */
2083         if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
2084                         && s->ctx && s->ctx->tlsext_status_cb)
2085                 {
2086                 int r;
2087                 /* Set resp to NULL, resplen to -1 so callback knows
2088                  * there is no response.
2089                  */
2090                 if (s->tlsext_ocsp_resp)
2091                         {
2092                         OPENSSL_free(s->tlsext_ocsp_resp);
2093                         s->tlsext_ocsp_resp = NULL;
2094                         }
2095                 s->tlsext_ocsp_resplen = -1;
2096                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2097                 if (r == 0)
2098                         {
2099                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2100                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2101                         }
2102                 if (r < 0)
2103                         {
2104                         al = SSL_AD_INTERNAL_ERROR;
2105                         ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2106                         }
2107                 }
2108
2109         switch (ret)
2110                 {
2111                 case SSL_TLSEXT_ERR_ALERT_FATAL:
2112                         ssl3_send_alert(s,SSL3_AL_FATAL,al);
2113                         return -1;
2114
2115                 case SSL_TLSEXT_ERR_ALERT_WARNING:
2116                         ssl3_send_alert(s,SSL3_AL_WARNING,al);
2117                         return 1;
2118
2119                 case SSL_TLSEXT_ERR_NOACK:
2120                         s->servername_done=0;
2121                         default:
2122                 return 1;
2123                 }
2124         }
2125
2126 /* Since the server cache lookup is done early on in the processing of the
2127  * ClientHello, and other operations depend on the result, we need to handle
2128  * any TLS session ticket extension at the same time.
2129  *
2130  *   session_id: points at the session ID in the ClientHello. This code will
2131  *       read past the end of this in order to parse out the session ticket
2132  *       extension, if any.
2133  *   len: the length of the session ID.
2134  *   limit: a pointer to the first byte after the ClientHello.
2135  *   ret: (output) on return, if a ticket was decrypted, then this is set to
2136  *       point to the resulting session.
2137  *
2138  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2139  * ciphersuite, in which case we have no use for session tickets and one will
2140  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2141  *
2142  * Returns:
2143  *   -1: fatal error, either from parsing or decrypting the ticket.
2144  *    0: no ticket was found (or was ignored, based on settings).
2145  *    1: a zero length extension was found, indicating that the client supports
2146  *       session tickets but doesn't currently have one to offer.
2147  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
2148  *       couldn't be decrypted because of a non-fatal error.
2149  *    3: a ticket was successfully decrypted and *ret was set.
2150  *
2151  * Side effects:
2152  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2153  *   a new session ticket to the client because the client indicated support
2154  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2155  *   a session ticket or we couldn't use the one it gave us, or if
2156  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2157  *   Otherwise, s->tlsext_ticket_expected is set to 0.
2158  */
2159 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
2160                         const unsigned char *limit, SSL_SESSION **ret)
2161         {
2162         /* Point after session ID in client hello */
2163         const unsigned char *p = session_id + len;
2164         unsigned short i;
2165
2166         *ret = NULL;
2167         s->tlsext_ticket_expected = 0;
2168
2169         /* If tickets disabled behave as if no ticket present
2170          * to permit stateful resumption.
2171          */
2172         if (SSL_get_options(s) & SSL_OP_NO_TICKET)
2173                 return 0;
2174         if ((s->version <= SSL3_VERSION) || !limit)
2175                 return 0;
2176         if (p >= limit)
2177                 return -1;
2178         /* Skip past DTLS cookie */
2179         if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
2180                 {
2181                 i = *(p++);
2182                 p+= i;
2183                 if (p >= limit)
2184                         return -1;
2185                 }
2186         /* Skip past cipher list */
2187         n2s(p, i);
2188         p+= i;
2189         if (p >= limit)
2190                 return -1;
2191         /* Skip past compression algorithm list */
2192         i = *(p++);
2193         p += i;
2194         if (p > limit)
2195                 return -1;
2196         /* Now at start of extensions */
2197         if ((p + 2) >= limit)
2198                 return 0;
2199         n2s(p, i);
2200         while ((p + 4) <= limit)
2201                 {
2202                 unsigned short type, size;
2203                 n2s(p, type);
2204                 n2s(p, size);
2205                 if (p + size > limit)
2206                         return 0;
2207                 if (type == TLSEXT_TYPE_session_ticket)
2208                         {
2209                         int r;
2210                         if (size == 0)
2211                                 {
2212                                 /* The client will accept a ticket but doesn't
2213                                  * currently have one. */
2214                                 s->tlsext_ticket_expected = 1;
2215                                 return 1;
2216                                 }
2217                         if (s->tls_session_secret_cb)
2218                                 {
2219                                 /* Indicate that the ticket couldn't be
2220                                  * decrypted rather than generating the session
2221                                  * from ticket now, trigger abbreviated
2222                                  * handshake based on external mechanism to
2223                                  * calculate the master secret later. */
2224                                 return 2;
2225                                 }
2226                         r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2227                         switch (r)
2228                                 {
2229                                 case 2: /* ticket couldn't be decrypted */
2230                                         s->tlsext_ticket_expected = 1;
2231                                         return 2;
2232                                 case 3: /* ticket was decrypted */
2233                                         return r;
2234                                 case 4: /* ticket decrypted but need to renew */
2235                                         s->tlsext_ticket_expected = 1;
2236                                         return 3;
2237                                 default: /* fatal error */
2238                                         return -1;
2239                                 }
2240                         }
2241                 p += size;
2242                 }
2243         return 0;
2244         }
2245
2246 /* tls_decrypt_ticket attempts to decrypt a session ticket.
2247  *
2248  *   etick: points to the body of the session ticket extension.
2249  *   eticklen: the length of the session tickets extenion.
2250  *   sess_id: points at the session ID.
2251  *   sesslen: the length of the session ID.
2252  *   psess: (output) on return, if a ticket was decrypted, then this is set to
2253  *       point to the resulting session.
2254  *
2255  * Returns:
2256  *   -1: fatal error, either from parsing or decrypting the ticket.
2257  *    2: the ticket couldn't be decrypted.
2258  *    3: a ticket was successfully decrypted and *psess was set.
2259  *    4: same as 3, but the ticket needs to be renewed.
2260  */
2261 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2262                                 const unsigned char *sess_id, int sesslen,
2263                                 SSL_SESSION **psess)
2264         {
2265         SSL_SESSION *sess;
2266         unsigned char *sdec;
2267         const unsigned char *p;
2268         int slen, mlen, renew_ticket = 0;
2269         unsigned char tick_hmac[EVP_MAX_MD_SIZE];
2270         HMAC_CTX hctx;
2271         EVP_CIPHER_CTX ctx;
2272         SSL_CTX *tctx = s->initial_ctx;
2273         /* Need at least keyname + iv + some encrypted data */
2274         if (eticklen < 48)
2275                 return 2;
2276         /* Initialize session ticket encryption and HMAC contexts */
2277         HMAC_CTX_init(&hctx);
2278         EVP_CIPHER_CTX_init(&ctx);
2279         if (tctx->tlsext_ticket_key_cb)
2280                 {
2281                 unsigned char *nctick = (unsigned char *)etick;
2282                 int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
2283                                                         &ctx, &hctx, 0);
2284                 if (rv < 0)
2285                         return -1;
2286                 if (rv == 0)
2287                         return 2;
2288                 if (rv == 2)
2289                         renew_ticket = 1;
2290                 }
2291         else
2292                 {
2293                 /* Check key name matches */
2294                 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
2295                         return 2;
2296                 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2297                                         tlsext_tick_md(), NULL);
2298                 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2299                                 tctx->tlsext_tick_aes_key, etick + 16);
2300                 }
2301         /* Attempt to process session ticket, first conduct sanity and
2302          * integrity checks on ticket.
2303          */
2304         mlen = HMAC_size(&hctx);
2305         if (mlen < 0)
2306                 {
2307                 EVP_CIPHER_CTX_cleanup(&ctx);
2308                 return -1;
2309                 }
2310         eticklen -= mlen;
2311         /* Check HMAC of encrypted ticket */
2312         HMAC_Update(&hctx, etick, eticklen);
2313         HMAC_Final(&hctx, tick_hmac, NULL);
2314         HMAC_CTX_cleanup(&hctx);
2315         if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2316                 {
2317                 EVP_CIPHER_CTX_cleanup(&ctx);
2318                 return 2;
2319                 }
2320         /* Attempt to decrypt session data */
2321         /* Move p after IV to start of encrypted ticket, update length */
2322         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2323         eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
2324         sdec = OPENSSL_malloc(eticklen);
2325         if (!sdec)
2326                 {
2327                 EVP_CIPHER_CTX_cleanup(&ctx);
2328                 return -1;
2329                 }
2330         EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
2331         if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
2332                 {
2333                 EVP_CIPHER_CTX_cleanup(&ctx);
2334                 OPENSSL_free(sdec);
2335                 return 2;
2336                 }
2337         slen += mlen;
2338         EVP_CIPHER_CTX_cleanup(&ctx);
2339         p = sdec;
2340
2341         sess = d2i_SSL_SESSION(NULL, &p, slen);
2342         OPENSSL_free(sdec);
2343         if (sess)
2344                 {
2345                 /* The session ID, if non-empty, is used by some clients to
2346                  * detect that the ticket has been accepted. So we copy it to
2347                  * the session structure. If it is empty set length to zero
2348                  * as required by standard.
2349                  */
2350                 if (sesslen)
2351                         memcpy(sess->session_id, sess_id, sesslen);
2352                 sess->session_id_length = sesslen;
2353                 *psess = sess;
2354                 if (renew_ticket)
2355                         return 4;
2356                 else
2357                         return 3;
2358                 }
2359         ERR_clear_error();
2360         /* For session parse failure, indicate that we need to send a new
2361          * ticket. */
2362         return 2;
2363         }
2364
2365 /* Tables to translate from NIDs to TLS v1.2 ids */
2366
2367 typedef struct
2368         {
2369         int nid;
2370         int id;
2371         } tls12_lookup;
2372
2373 static tls12_lookup tls12_md[] = {
2374 #ifndef OPENSSL_NO_MD5
2375         {NID_md5, TLSEXT_hash_md5},
2376 #endif
2377 #ifndef OPENSSL_NO_SHA
2378         {NID_sha1, TLSEXT_hash_sha1},
2379 #endif
2380 #ifndef OPENSSL_NO_SHA256
2381         {NID_sha224, TLSEXT_hash_sha224},
2382         {NID_sha256, TLSEXT_hash_sha256},
2383 #endif
2384 #ifndef OPENSSL_NO_SHA512
2385         {NID_sha384, TLSEXT_hash_sha384},
2386         {NID_sha512, TLSEXT_hash_sha512}
2387 #endif
2388 };
2389
2390 static tls12_lookup tls12_sig[] = {
2391 #ifndef OPENSSL_NO_RSA
2392         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2393 #endif
2394 #ifndef OPENSSL_NO_DSA
2395         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2396 #endif
2397 #ifndef OPENSSL_NO_ECDSA
2398         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2399 #endif
2400 };
2401
2402 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2403         {
2404         size_t i;
2405         for (i = 0; i < tlen; i++)
2406                 {
2407                 if (table[i].nid == nid)
2408                         return table[i].id;
2409                 }
2410         return -1;
2411         }
2412 #if 0
2413 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2414         {
2415         size_t i;
2416         for (i = 0; i < tlen; i++)
2417                 {
2418                 if (table[i].id == id)
2419                         return table[i].nid;
2420                 }
2421         return -1;
2422         }
2423 #endif
2424
2425 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2426         {
2427         int sig_id, md_id;
2428         if (!md)
2429                 return 0;
2430         md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2431                                 sizeof(tls12_md)/sizeof(tls12_lookup));
2432         if (md_id == -1)
2433                 return 0;
2434         sig_id = tls12_get_sigid(pk);
2435         if (sig_id == -1)
2436                 return 0;
2437         p[0] = (unsigned char)md_id;
2438         p[1] = (unsigned char)sig_id;
2439         return 1;
2440         }
2441
2442 int tls12_get_sigid(const EVP_PKEY *pk)
2443         {
2444         return tls12_find_id(pk->type, tls12_sig,
2445                                 sizeof(tls12_sig)/sizeof(tls12_lookup));
2446         }
2447
2448 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2449         {
2450         switch(hash_alg)
2451                 {
2452 #ifndef OPENSSL_NO_SHA
2453                 case TLSEXT_hash_sha1:
2454                 return EVP_sha1();
2455 #endif
2456 #ifndef OPENSSL_NO_SHA256
2457                 case TLSEXT_hash_sha224:
2458                 return EVP_sha224();
2459
2460                 case TLSEXT_hash_sha256:
2461                 return EVP_sha256();
2462 #endif
2463 #ifndef OPENSSL_NO_SHA512
2464                 case TLSEXT_hash_sha384:
2465                 return EVP_sha384();
2466
2467                 case TLSEXT_hash_sha512:
2468                 return EVP_sha512();
2469 #endif
2470                 default:
2471                 return NULL;
2472
2473                 }
2474         }
2475
2476 /* Set preferred digest for each key type */
2477
2478 int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2479         {
2480         int i, idx;
2481         const EVP_MD *md;
2482         CERT *c = s->cert;
2483         /* Extension ignored for TLS versions below 1.2 */
2484         if (TLS1_get_version(s) < TLS1_2_VERSION)
2485                 return 1;
2486         /* Should never happen */
2487         if (!c)
2488                 return 0;
2489
2490         c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2491         c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2492         c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2493         c->pkeys[SSL_PKEY_ECC].digest = NULL;
2494
2495         for (i = 0; i < dsize; i += 2)
2496                 {
2497                 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2498
2499                 switch(sig_alg)
2500                         {
2501 #ifndef OPENSSL_NO_RSA
2502                         case TLSEXT_signature_rsa:
2503                         idx = SSL_PKEY_RSA_SIGN;
2504                         break;
2505 #endif
2506 #ifndef OPENSSL_NO_DSA
2507                         case TLSEXT_signature_dsa:
2508                         idx = SSL_PKEY_DSA_SIGN;
2509                         break;
2510 #endif
2511 #ifndef OPENSSL_NO_ECDSA
2512                         case TLSEXT_signature_ecdsa:
2513                         idx = SSL_PKEY_ECC;
2514                         break;
2515 #endif
2516                         default:
2517                         continue;
2518                         }
2519
2520                 if (c->pkeys[idx].digest == NULL)
2521                         {
2522                         md = tls12_get_hash(hash_alg);
2523                         if (md)
2524                                 {
2525                                 c->pkeys[idx].digest = md;
2526                                 if (idx == SSL_PKEY_RSA_SIGN)
2527                                         c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2528                                 }
2529                         }
2530
2531                 }
2532
2533
2534         /* Set any remaining keys to default values. NOTE: if alg is not
2535          * supported it stays as NULL.
2536          */
2537 #ifndef OPENSSL_NO_DSA
2538         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2539                 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2540 #endif
2541 #ifndef OPENSSL_NO_RSA
2542         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2543                 {
2544                 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2545                 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2546                 }
2547 #endif
2548 #ifndef OPENSSL_NO_ECDSA
2549         if (!c->pkeys[SSL_PKEY_ECC].digest)
2550                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2551 #endif
2552         return 1;
2553         }
2554
2555 #endif
2556
2557 #ifndef OPENSSL_NO_HEARTBEATS
2558 int
2559 tls1_process_heartbeat(SSL *s)
2560         {
2561         unsigned char *p = &s->s3->rrec.data[0], *pl;
2562         unsigned short hbtype;
2563         unsigned int payload;
2564         unsigned int padding = 16; /* Use minimum padding */
2565
2566         if (s->msg_callback)
2567                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2568                         &s->s3->rrec.data[0], s->s3->rrec.length,
2569                         s, s->msg_callback_arg);
2570
2571         /* Read type and payload length first */
2572         if (1 + 2 + 16 > s->s3->rrec.length)
2573                 return 0; /* silently discard */
2574         hbtype = *p++;
2575         n2s(p, payload);
2576         if (1 + 2 + payload + 16 > s->s3->rrec.length)
2577                 return 0; /* silently discard per RFC 6520 sec. 4 */
2578         pl = p;
2579
2580         if (hbtype == TLS1_HB_REQUEST)
2581                 {
2582                 unsigned char *buffer, *bp;
2583                 int r;
2584
2585                 /* Allocate memory for the response, size is 1 bytes
2586                  * message type, plus 2 bytes payload length, plus
2587                  * payload, plus padding
2588                  */
2589                 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2590                 bp = buffer;
2591
2592                 /* Enter response type, length and copy payload */
2593                 *bp++ = TLS1_HB_RESPONSE;
2594                 s2n(payload, bp);
2595                 memcpy(bp, pl, payload);
2596                 bp += payload;
2597                 /* Random padding */
2598                 RAND_pseudo_bytes(bp, padding);
2599
2600                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2601
2602                 if (r >= 0 && s->msg_callback)
2603                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2604                                 buffer, 3 + payload + padding,
2605                                 s, s->msg_callback_arg);
2606
2607                 OPENSSL_free(buffer);
2608
2609                 if (r < 0)
2610                         return r;
2611                 }
2612         else if (hbtype == TLS1_HB_RESPONSE)
2613                 {
2614                 unsigned int seq;
2615
2616                 /* We only send sequence numbers (2 bytes unsigned int),
2617                  * and 16 random bytes, so we just try to read the
2618                  * sequence number */
2619                 n2s(pl, seq);
2620
2621                 if (payload == 18 && seq == s->tlsext_hb_seq)
2622                         {
2623                         s->tlsext_hb_seq++;
2624                         s->tlsext_hb_pending = 0;
2625                         }
2626                 }
2627
2628         return 0;
2629         }
2630
2631 int
2632 tls1_heartbeat(SSL *s)
2633         {
2634         unsigned char *buf, *p;
2635         int ret;
2636         unsigned int payload = 18; /* Sequence number + random bytes */
2637         unsigned int padding = 16; /* Use minimum padding */
2638
2639         /* Only send if peer supports and accepts HB requests... */
2640         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2641             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2642                 {
2643                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2644                 return -1;
2645                 }
2646
2647         /* ...and there is none in flight yet... */
2648         if (s->tlsext_hb_pending)
2649                 {
2650                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2651                 return -1;
2652                 }
2653
2654         /* ...and no handshake in progress. */
2655         if (SSL_in_init(s) || s->in_handshake)
2656                 {
2657                 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2658                 return -1;
2659                 }
2660
2661         /* Check if padding is too long, payload and padding
2662          * must not exceed 2^14 - 3 = 16381 bytes in total.
2663          */
2664         OPENSSL_assert(payload + padding <= 16381);
2665
2666         /* Create HeartBeat message, we just use a sequence number
2667          * as payload to distuingish different messages and add
2668          * some random stuff.
2669          *  - Message Type, 1 byte
2670          *  - Payload Length, 2 bytes (unsigned int)
2671          *  - Payload, the sequence number (2 bytes uint)
2672          *  - Payload, random bytes (16 bytes uint)
2673          *  - Padding
2674          */
2675         buf = OPENSSL_malloc(1 + 2 + payload + padding);
2676         p = buf;
2677         /* Message Type */
2678         *p++ = TLS1_HB_REQUEST;
2679         /* Payload length (18 bytes here) */
2680         s2n(payload, p);
2681         /* Sequence number */
2682         s2n(s->tlsext_hb_seq, p);
2683         /* 16 random bytes */
2684         RAND_pseudo_bytes(p, 16);
2685         p += 16;
2686         /* Random padding */
2687         RAND_pseudo_bytes(p, padding);
2688
2689         ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2690         if (ret >= 0)
2691                 {
2692                 if (s->msg_callback)
2693                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2694                                 buf, 3 + payload + padding,
2695                                 s, s->msg_callback_arg);
2696
2697                 s->tlsext_hb_pending = 1;
2698                 }
2699
2700         OPENSSL_free(buf);
2701
2702         return ret;
2703         }
2704 #endif