Various changes in the new TLS extension code, including the following:
authorBodo Möller <bodo@openssl.org>
Tue, 3 Jan 2006 03:27:19 +0000 (03:27 +0000)
committerBodo Möller <bodo@openssl.org>
Tue, 3 Jan 2006 03:27:19 +0000 (03:27 +0000)
 - fix indentation
 - rename some functions and macros
 - fix up confusion between SSL_ERROR_... and SSL_AD_... values

15 files changed:
CHANGES
Configure
apps/s_client.c
apps/s_server.c
ssl/s23_clnt.c
ssl/s23_srvr.c
ssl/s3_clnt.c
ssl/s3_lib.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_sess.c
ssl/t1_lib.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 8023667d7527650f827a3dd8faaed5bf22f487a3..33d90e8fcf52e8ff7bdb8b89b656ee7663e407bc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,16 +4,33 @@
 
  Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]
 
-  *) Add support for TLS extensions, specifically for the HostName extension.
-     The SSL_SESSION, SSL_CTX, and SSL data structures now have new members
-     for HostName support.
+  *) Add support for TLS extensions, specifically for the HostName extension
+     so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now have new
+     members for HostName support.
+
+     New functions (subject to change):
+
+         SSL_get_servername()
+         SSL_get_servername_type()
+         SSL_set_SSL_CTX()
+
+     New CTRL codes and macros (subject to change):
+
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+                                 - SSL_CTX_set_tlsext_servername_callback()
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
+                                      - SSL_CTX_set_tlsext_servername_arg()
+         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_hostname()
+         SSL_CTRL_GET_TLSEXT_HOSTNAME     [similar to SSL_get_servername()]
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
+                                         - SSL_set_tlsext_servername_done()
 
      openssl s_client has a new '-servername' option.
 
-     openssl s_server has new options '-servername', '-cert2', and '-key2';
-     this allows testing the HostName extension for a specific single
-     host name ('-cert' and '-key' remain fallbacks for handshakes without
-     HostName negotiation).
+     openssl s_server has new options '-servername', '-cert2', and '-key2'
+     (subject to change); this allows testing the HostName extension for a
+     specific single host name ('-cert' and '-key' remain fallbacks for
+     handshakes without HostName negotiation).
 
      [Peter Sylvester]
 
index c9a30751aa61e9ed63dd12bf64ecf769e1620b89..a8e9bda150cb7519fe3fac1af2283db46975acca 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -836,6 +836,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
        $disabled{"tls1"} = "forced";
        }
 
+if (defined($disabled{"tls1"}))
+       {
+       $disabled{"tlsext"} = "forced";
+       }
 
 if ($target eq "TABLE") {
        foreach $target (sort keys %table) {
index b5c044bfa710b982304f8069a3b0c10ca13db0f8..181cb3f15b19868392917cf5600fe3ef86fcd1c3 100644 (file)
@@ -239,11 +239,11 @@ typedef struct tlsextctx_st {
 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
        {
        tlsextctx * p = (tlsextctx *) arg;
-       const unsigned char * hn= SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
+       const unsigned char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
        if (SSL_get_servername_type(s) != -1) 
                p->ack = !SSL_session_reused(s) && hn != NULL;
        else 
-               BIO_printf(bio_err,"SSL_get_tlsext_hostname does not work\n");
+               BIO_printf(bio_err,"Can't use SSL_get_servername\n");
        
        return SSL_ERROR_NONE;
        }
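Review bot: `hn` is declared `const unsigned char *` but SSL_get_servername() returns `const char *` (its definition in ssl/ssl_lib.c is part of this same commit), so the changed assignment is an incompatible-pointer-type conversion that compilers warn about; the s_server.c callback already uses `const char * servername`, so `const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);` makes the two callbacks agree. The callback also never writes through `ad` and returns SSL_ERROR_NONE, which is a connection-level result code rather than an alert; if the library reads `*ad` when a callback reports failure (not visible here), the expected return/`*ad` contract deserves a one-line comment above the function.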
index 068e0c54b100e9df76e0c53329396bbe820347c3..6c106f7f0250e699bbea040c85a83a7e4df618c0 100644 (file)
@@ -539,7 +539,7 @@ typedef struct tlsextctx_st {
 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
        {
        tlsextctx * p = (tlsextctx *) arg;
-       const char * servername = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
+       const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
         if (servername) 
                BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
         
@@ -1257,12 +1257,14 @@ bad:
 #endif
 #endif
 
-       if (cipher != NULL) {
-               if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+       if (cipher != NULL)
+               {
+               if(!SSL_CTX_set_cipher_list(ctx,cipher))
+                       {
                        BIO_printf(bio_err,"error setting cipher list\n");
                        ERR_print_errors(bio_err);
                        goto end;
-               }
+                       }
 #ifndef OPENSSL_NO_TLSEXT
                if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
                        {
@@ -1271,7 +1273,7 @@ bad:
                        goto end;
                        }
 #endif
-       }
+               }
        SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                sizeof s_server_session_id_context);
@@ -1283,13 +1285,14 @@ bad:
                SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
                        sizeof s_server_session_id_context);
 
+               tlsextcbp.biodebug = bio_s_out;
+               SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
+               SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
+               SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+               SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
                }
-       tlsextcbp.biodebug = bio_s_out;
-       SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
-       SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
-       SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
-       SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
 #endif
+
        if (CAfile != NULL)
                {
                SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
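Review bot: The servername callback and its argument are now installed on `ctx` only inside the block that opens above this hunk (the moved lines sit under the `ctx2` session-id-context setup, and the enclosing block's opening is outside the hunk), so a run with only `-cert`/`-key` no longer registers the callback on `ctx` and the `Hostname in TLS extension:` debug output is silently lost. If that is intended, a comment such as `/* servername callback only when a second certificate is configured */` above the moved lines would make it deliberate; otherwise keep `tlsextcbp.biodebug = bio_s_out;` and the two `ctx` registrations outside the block as they were.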
index 5a07db158f5db3d40400bdfbbe532ff278a33bf1..3bb5adfa480dba6bfd8da2abdcd8ce8b5c364ce8 100644 (file)
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include "ssl_locl.h"
@@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s)
 #ifdef OPENSSL_NO_COMP
                        *(p++)=1;
 #else
-
                        if ((s->options & SSL_OP_NO_COMPRESSION)
                                                || !s->ctx->comp_methods)
                                j=0;
@@ -366,16 +418,16 @@ static int ssl23_client_hello(SSL *s)
                                }
 #endif
                        *(p++)=0; /* Add the NULL method */
+
 #ifndef OPENSSL_NO_TLSEXT
-                       if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
-                       {
+                       if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+                               {
                                SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
                                return -1;
-                       }
+                               }
 #endif
                        
                        l = p-d;
-                       *p = 42;
 
                        /* fill in 4-byte handshake header */
                        d=&(buf[5]);
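Review bot: The SSLerr kept as context inside the TLSEXT block reports `SSL_F_SSL3_CLIENT_HELLO` although this hunk is in ssl23_client_hello (per the hunk header), so a failure to add extensions is attributed to the wrong function in the error queue; `SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);` is the matching function code. Removing the stray `*p = 42;` is a real fix on its own, since it wrote a byte past the end of the assembled message, and would deserve a mention in the commit message. ssl23_client_hello continues outside the hunk.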
index 8bf044e15fd4f6c3e3cbb362d13d52c8715240aa..4da169eb31a97b7bf5348636e96becf5340f7b43 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
 int ssl23_accept(SSL *s)
        {
        BUF_MEM *buf;
-       unsigned long Time=time(NULL);
+       unsigned long Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
        int new_state,state;
@@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s)
                n2s(p,sil);
                n2s(p,cl);
                d=(unsigned char *)s->init_buf->data;
-               if ((csl+sil+cl+11) > s->packet_length)
+               if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format
+                                                         * Client Hello, can we? Error condition should be
+                                                         * '>' otherweise */
                        {
                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
                        goto err;
@@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s)
                *(d++)=1;
                *(d++)=0;
                
+#if 0
                 /* copy any remaining data with may be extensions */
-               p = p+csl+sil+cl ;
-               while (p <  s->packet+s->packet_length) {
+               p = p+csl+sil+cl;
+               while (p <  s->packet+s->packet_length)
+                       {
                        *(d++)=*(p++);
-               }
+                       }
+#endif
 
                i = (d-(unsigned char *)s->init_buf->data) - 4;
                l2n3((long)i, d_len);
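Review bot: The `#if 0` around the copy loop leaves dead code rather than removing it: with the `!=` length check added earlier in this section, `p+csl+sil+cl` lands exactly on `s->packet+s->packet_length` if `p` was advanced past the 11-byte v2 header as the n2s calls suggest, so the loop can never run and should be deleted with its comment. The comment on the `!=` check also reads as an open question (`can we?`) and has a typo (`otherweise`); a definite statement such as `/* SSL 2.0 format Client Hello carries no TLS extensions, so any surplus bytes are a length mismatch */` would document the stricter check, which is the right behaviour because the old `>` test let surplus client-supplied bytes be copied verbatim into the rebuilt hello. ssl23_get_client_hello continues outside the hunk.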
index 7a4f2566420708527c617b7f659f788bd6b93249..578285230d30e8ebb4f5fe078e560e2ef840b2f6 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -257,12 +257,14 @@ int ssl3_connect(SSL *s)
                        if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
                        {
-                               int extension_error = 0,al;
-                               if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
-                                       ret = -1;
+                               int al;
+                               if (ssl_check_tlsext(s,&al) <= 0)
+                                       {
+                                       ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
                                        SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
+                                       ret = -1;
                                        goto end;
-                               }
+                                       }
                        }
 #endif
                        if (s->hit)
@@ -613,11 +615,11 @@ int ssl3_client_hello(SSL *s)
 #endif
                *(p++)=0; /* Add the NULL method */
 #ifndef OPENSSL_NO_TLSEXT
-               if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
-               {
+               if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+                       {
                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
                        goto err;
-               }
+                       }
 #endif
                
                l=(p-d);
@@ -806,12 +808,14 @@ int ssl3_get_server_hello(SSL *s)
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
        if (s->version > SSL3_VERSION)
-       {
-               if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
+               {
+               if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
+                       {
+                       /* 'al' set by ssl_parse_serverhello_tlsext */
                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
                        goto f_err; 
+                       }
                }
-       }
 #endif
 
        if (p != (d+n))
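Review bot: `al` is declared without an initializer and then passed straight to `ssl3_send_alert(s,SSL3_AL_FATAL,al)` when ssl_check_tlsext() returns `<= 0`; unless every failure path in ssl_check_tlsext() assigns `*al` (its body is in t1_lib.c, beyond this chunk), the alert description byte sent to the peer is indeterminate. Initialising at the declaration, `int al = SSL_AD_INTERNAL_ERROR;`, makes the caller safe regardless of the callee; the same pattern appears in the ssl3_accept hunk of ssl/s3_srvr.c. The `al` consumed via `goto f_err` after `ssl_parse_serverhello_tlsext` in the ssl3_get_server_hello hunk is declared outside that hunk and has the same dependency on the callee. Both enclosing functions start and end outside their hunks.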
index 845e5a16c589f6637b04407dd43b2f0965ad026c..c3bedf20ff184019af6b7d242ae1e3588a463b40 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 #endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_TLSEXT
        case SSL_CTRL_GET_TLSEXT_HOSTNAME:      
-               if (larg != TLSEXT_TYPE_SERVER_host)
+               if (larg != TLSEXT_NAMETYPE_host_name)
                        {
                        SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
                        return(0);
                        }
-               *((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname;
+               /* XXX cf. SSL_get_servername() (ssl_lib.c) */
+               if (s->session && s->session->tlsext_hostname)
+                       *((char **) parg) = s->session->tlsext_hostname;
+               else
+                       *((char **) parg) = s->tlsext_hostname;
                ret = 1;
-                break;
+               break;
        case SSL_CTRL_SET_TLSEXT_HOSTNAME:
-               if (larg == TLSEXT_TYPE_SERVER_host) {
+               if (larg == TLSEXT_NAMETYPE_host_name)
+                       {
                        if (s->tlsext_hostname != NULL) 
                                OPENSSL_free(s->tlsext_hostname);
                        s->tlsext_hostname = NULL;
@@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        ret = 1;
                        if (parg == NULL) 
                                break;
-                       if (strlen((char *)parg) > 255) {
+                       if (strlen((char *)parg) > 255)
+                               {
                                SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
                                return 0;
-                       }
-                       if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) {
+                               }
+                       if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL)
+                               {
                                SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
                                return 0;
+                               }
                        }
-               } else {
+               else
+                       {
                        SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
                        return 0;
-               }
-               s->options |= SSL_OP_NO_SSLv2;
+                       }
+               s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
                break;
        case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE:
                s->servername_done = larg;
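Review bot: In the SSL_CTRL_SET_TLSEXT_HOSTNAME case the `BUF_strdup` failure is reported as `ERR_R_INTERNAL_ERROR`, but that branch is an allocation failure, so `SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);` is the conventional reason code and keeps the error queue meaningful. The 255-byte limit on `parg` is a local policy rather than the 16-bit length of the RFC 3546 HostName field; a comment on the check such as `/* local limit: well within the extension's 16-bit length and a sane DNS name size */` would stop the next reader from "fixing" it. ssl3_ctrl continues outside the hunk.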
index 25b56fa6fac1007245f897c83cfa670a71e7e799..954959404a6bc8cd0be112127f8da799f73237aa 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -283,13 +283,14 @@ int ssl3_accept(SSL *s)
                        if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
                        {
-                               int extension_error = 0,al;
-                               if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
-                                       ret = -1;
+                               int al;
+                               if (ssl_check_tlsext(s,&al) <= 0)
+                                       {
+                                       ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
                                        SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
-                                       ssl3_send_alert(s,al,extension_error);
+                                       ret = -1;
                                        goto end;
-                               }
+                                       }
                        }
 #endif
                        s->new_session = 2;
@@ -937,32 +938,17 @@ int ssl3_get_client_hello(SSL *s)
                }
 #endif
 
-       /* TLS does not mind if there is extra stuff */
-#if 0   /* SSL 3.0 does not mind either, so we should disable this test
-         * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
-         * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
-       if (s->version == SSL3_VERSION)
-               {
-               if (p < (d+n))
-                       {
-                       /* wrong number of bytes,
-                        * there could be more to follow */
-                       al=SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
-                       goto f_err;
-                       }
-               }
-#endif
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
        if (s->version > SSL3_VERSION)
-       {
-               if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
+               {
+               if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+                       {
+                       /* 'al' set by ssl_parse_clienthello_tlsext */
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
-                       ssl3_send_alert(s,SSL3_AL_WARNING,al);
-                       return (ret = al);
+                       goto f_err;
+                       }
                }
-       }
 #endif
 
        /* Given s->session->ciphers and SSL_get_ciphers, we must
@@ -1109,11 +1095,11 @@ int ssl3_send_server_hello(SSL *s)
                        *(p++)=s->s3->tmp.new_compression->id;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
-               if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
-               {
+               if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+                       {
                        SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
                        return -1;
-               }
+                       }
 #endif
 
                /* do the header */
index 29f1e0beec48d5e8224015ab06d4870b873e7793..17d2103aac2f2645641f927a105fb37584fffefa 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
  *
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 
 #include <openssl/e_os2.h>
 
-#ifdef OPENSSL_NO_TLS1
-#      ifndef OPENSSL_NO_TLSEXT 
-#              define OPENSSL_NO_TLSEXT
-#      endif
-#endif
 #ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
 #endif
@@ -765,11 +760,10 @@ struct ssl_ctx_st
        unsigned int max_send_fragment;
 
 #ifndef OPENSSL_NO_TLSEXT
-    /* TLS extensions servername callback */
+       /* TLS extensions servername callback */
        int (*tlsext_servername_callback)(SSL*, int *, void *);
        void *tlsext_servername_arg;
 #endif
-
        };
 
 #define SSL_SESS_CACHE_OFF                     0x0000
@@ -994,11 +988,11 @@ struct ssl_st
        unsigned int max_send_fragment;
 #ifndef OPENSSL_NO_TLSEXT
        char *tlsext_hostname;
-        int servername_done;   /* no further mod of servername 
-                                  0 : call the servername extension callback.
-                                  1 : prepare 2, allow last ack just after in server callback.
-                                  2 : don't call servername callback, no ack in server hello
-                               */
+       int servername_done;   /* no further mod of servername 
+                                 0 : call the servername extension callback.
+                                 1 : prepare 2, allow last ack just after in server callback.
+                                 2 : don't call servername callback, no ack in server hello
+                              */
 #endif
        };
 
@@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_AD_INTERNAL_ERROR          TLS1_AD_INTERNAL_ERROR  /* fatal */
 #define SSL_AD_USER_CANCELLED          TLS1_AD_USER_CANCELLED
 #define SSL_AD_NO_RENEGOTIATION                TLS1_AD_NO_RENEGOTIATION
-#ifndef OPENSSL_NO_TLSEXT
 #define SSL_AD_UNRECOGNIZED_NAME       TLS1_AD_UNRECOGNIZED_NAME
-#endif
 
 #define SSL_ERROR_NONE                 0
 #define SSL_ERROR_SSL                  1
@@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 
 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT         52
 
+/* see tls.h for macros based on these */
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB      53
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG     54
+#define SSL_CTRL_SET_TLSEXT_HOSTNAME           55
+#define SSL_CTRL_GET_TLSEXT_HOSTNAME           56
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE    57
+
 #define SSL_session_reused(ssl) \
        SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
 #define SSL_num_renegotiations(ssl) \
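Review bot: The comment above the new CTRL codes says `see tls.h for macros based on these`, but the header that carries those macros in this commit is ssl/tls1.h (it is in the file list); `/* see tls1.h for macros based on these */` avoids sending readers to a header that does not exist. Dropping the `#ifdef OPENSSL_NO_TLS1` block that forced `OPENSSL_NO_TLSEXT` also leaves Configure as the only place that ties the two options together, so a build that defines OPENSSL_NO_TLS1 on the compiler command line without rerunning Configure would now compile the TLSEXT code paths; if that is acceptable it is worth a sentence in CHANGES. Making SSL_AD_UNRECOGNIZED_NAME unconditional is right, since alert descriptions are protocol values independent of the extension build option.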
index afe7162ab71e2cd13c5b7603e60c2f1245792dac..841d75d5855e83d61d2458ef44d9a91255f54d6a 100644 (file)
@@ -58,7 +58,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1315,27 +1315,30 @@ err:
        return(NULL);
        }
 
+
 #ifndef OPENSSL_TLSEXT
-/** return a servername extension value if provided in CLIENT HELLO
- * or NULL. 
- * For the moment, only hostname types are supported. 
+/** return a servername extension value if provided in Client Hello, or NULL. 
+ * So far, only host_name types are defined (RFC 3546).
  */
 
-const char *SSL_get_servername(const SSL *s, const int type) {
-
-       if (type != TLSEXT_TYPE_SERVER_host) 
+const char *SSL_get_servername(const SSL *s, const int type)
+       {
+       if (type != TLSEXT_NAMETYPE_host_name)
                return NULL;
-       return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname;
-}
-
-int SSL_get_servername_type(const SSL *s) {
+       /* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */
+       return s->session /*&&s->session->tlsext_hostname*/ ?
+               s->session->tlsext_hostname :
+               s->tlsext_hostname;
+       }
 
-       if (s->session &&s->session->tlsext_hostname ?s->session->tlsext_hostname:s->tlsext_hostname) 
-               return TLSEXT_TYPE_SERVER_host;
+int SSL_get_servername_type(const SSL *s)
+       {
+       if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname) 
+               return TLSEXT_NAMETYPE_host_name;
        return -1;
-}
-
+       }
 #endif
+
 unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
        {
        unsigned long l;
@@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
 #ifndef OPENSSL_NO_TLSEXT
-       ret->tlsext_servername_callback = NULL;
+       ret->tlsext_servername_callback = 0;
        ret->tlsext_servername_arg = NULL;
 #endif
        return(ret);
@@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
        {
-
        if (ssl->cert != NULL)
                ssl_cert_free(ssl->cert);
        ssl->cert = ssl_cert_dup(ctx->cert);
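Review bot: The guard around SSL_get_servername()/SSL_get_servername_type() reads `#ifndef OPENSSL_TLSEXT`, a macro nothing defines, so both functions are compiled unconditionally even in a no-tlsext build, where `s->tlsext_hostname` and `s->session->tlsext_hostname` do not exist (both members are under `#ifndef OPENSSL_NO_TLSEXT` in ssl.h); it should be `#ifndef OPENSSL_NO_TLSEXT`, matching ssl_locl.h. Separately, SSL_get_servername() returns `s->session->tlsext_hostname` whenever a session exists, while SSL_get_servername_type() and the SSL_CTRL_GET_TLSEXT_HOSTNAME case in s3_lib.c fall back to `s->tlsext_hostname` when the session has no name, so the two can disagree for the same SSL; rather than keeping the commented-out `&&`, use `return (s->session && s->session->tlsext_hostname) ? s->session->tlsext_hostname : s->tlsext_hostname;` in both so the XXX cross-references can go.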
index 26a062fdcdb9a4c680514d9c53dbcc045b4e57b3..ccc490aaf1c8be5801dbfc392c796e3e98c36e29 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); 
-unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); 
-int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
-int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
-int ssl_check_Hello_TLS_extensions(SSL *s,int *ad);
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_check_tlsext(SSL *s,int *al);
 #endif
 #endif
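Review bot: The new `int *al` out-parameter on ssl_parse_clienthello_tlsext(), ssl_parse_serverhello_tlsext() and ssl_check_tlsext() carries the alert description the caller sends on failure, but nothing in the header says when it is written; the callers in s3_clnt.c and s3_srvr.c pass an uninitialised `al` and hand it straight to ssl3_send_alert. A comment above the prototypes would pin the contract, e.g. `/* Return 1 on success. On failure return 0 (<= 0 for ssl_check_tlsext) and set *al to the SSL_AD_... alert description the caller must send. */`, and the implementations in t1_lib.c would then need to honour it on every failure path.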
index 6c2c04bf0fe612759d3f630d8fb445487bf40319..16162fa951de91e2562bfbafdb51deb0cbba30ef 100644 (file)
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <openssl/lhash.h>
@@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
        if (ss->peer != NULL) X509_free(ss->peer);
        if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
 #ifndef OPENSSL_NO_TLSEXT
-       if (ss->tlsext_hostname != NULL)
-               OPENSSL_free(ss->tlsext_hostname);
+       if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
 #endif
        OPENSSL_cleanse(ss,sizeof(*ss));
        OPENSSL_free(ss);
index ff5bc58ce705b84dacf3125405e1e6c934a052f4..b248dab36171d8e01303149d8dfe5541720fbf6b 100644 (file)
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <openssl/objects.h>
@@ -101,41 +154,43 @@ void tls1_clear(SSL *s)
        s->version=TLS1_VERSION;
        }
 
+
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+       {
        int extdatalen=0;
        unsigned char *ret = p;
 
        ret+=2;
 
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
-       if (s->servername_done == 0 && s->tlsext_hostname != NULL) { 
+       if (s->servername_done == 0 && s->tlsext_hostname != NULL)
+               { 
                /* Add TLS extension servername to the Client Hello message */
                unsigned long size_str;
                long lenmax; 
 
                if ((lenmax = limit - p - 7) < 0) return NULL; 
                if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL;
-
+               
                s2n(TLSEXT_TYPE_server_name,ret);
                s2n(size_str+3,ret);
-               *(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host;
+               *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
                s2n(size_str,ret);
        
                memcpy(ret, s->tlsext_hostname, size_str);
                ret+=size_str;
-       }
+               }
 
-       
        if ((extdatalen = ret-p-2)== 0) 
                return p;
 
        s2n(extdatalen,p);
        return ret;
-
 }
 
-unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+       {
        int extdatalen=0;
        unsigned char *ret = p;
        if (s->hit || s->servername_done == 2)
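Review bot: The server_name extension that ssl_add_clienthello_tlsext emits (`s2n(TLSEXT_TYPE_server_name,ret); s2n(size_str+3,ret); *(ret++) = TLSEXT_NAMETYPE_host_name;`) omits the two-byte ServerNameList length that RFC 3546 §3.1 places between the extension length and the first ServerName, so an RFC-conformant server will read the name_type byte as the high byte of the list length; writing `s2n(size_str+5,ret); s2n(size_str+3,ret);` before the name type gives the RFC layout (the receiving side in ssl_parse_clienthello_tlsext would then have to skip that list length as well). The space check is also two bytes short: `lenmax = limit - p - 7` is measured from p, but the seven bytes of framing are written after `ret+=2`, so a hostname of exactly lenmax bytes ends at limit+2, and at limit+4 once the list length is added — `lenmax = limit - ret - 9` (with the list length) bounds it exactly. Whether the overrun reaches real memory depends on how much slack the caller leaves between limit and the end of the record buffer, which is outside this hunk. ssl_add_serverhello_tlsext starts on the last lines of this hunk and continues past it.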
@@ -146,78 +201,92 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi
 
        if (ret>=limit) return NULL; /* this really never occurs, but ... */
 
-       if (s->session->tlsext_hostname != NULL) { 
-
+       if (s->session->tlsext_hostname != NULL)
+               { 
                if (limit - p - 4 < 0) return NULL; 
 
                s2n(TLSEXT_TYPE_server_name,ret);
                s2n(0,ret);
-       }
-
+               }
        
        if ((extdatalen = ret-p-2)== 0) 
                return p;
 
        s2n(extdatalen,p);
        return ret;
-
 }
 
-int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+       {
        unsigned short type;
        unsigned short size;
        unsigned short len;
-       unsigned char * data = *p;
+       unsigned char *data = *p;
 
        if (data >= (d+n-2))
-          return SSL_ERROR_NONE;
+               return 1;
        n2s(data,len);
 
         if (data > (d+n-len)) 
-          return SSL_ERROR_NONE;
+               return 1;
 
-       while(data <= (d+n-4)){
+       while (data <= (d+n-4))
+               {
                n2s(data,type);
                n2s(data,size);
 
                if (data+size > (d+n))
-                       return SSL_ERROR_SSL;
-
-               if (type == TLSEXT_TYPE_server_name) {
+                       return 1;
+               
+               if (type == TLSEXT_TYPE_server_name)
+                       {
                        unsigned char *sdata = data;
                        int servname_type;
                        int dsize = size-3 ;
                         
-                       if (dsize > 0 ) {
+                       if (dsize > 0 )
+                               {
                                servname_type = *(sdata++); 
                                n2s(sdata,len);
                                if (len != dsize) 
-                                       return SSL_ERROR_SSL;
+                                       {
+                                       *al = SSL_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
 
-                               switch (servname_type) {
-                               case TLSEXT_TYPE_SERVER_host:
-                                        if (s->session->tlsext_hostname == NULL) {
+                               switch (servname_type)
+                                       {
+                               case TLSEXT_NAMETYPE_host_name:
+                                        if (s->session->tlsext_hostname == NULL)
+                                               {
                                                if (len > 255 || 
                                                        ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
-                                                       return SSL_ERROR_SSL;
+                                                       {
+                                                       *al = TLS1_AD_UNRECOGNIZED_NAME;
+                                                       return 0;
+                                                       }
+                                               
                                                memcpy(s->session->tlsext_hostname, sdata, len);
                                                s->session->tlsext_hostname[len]='\0'; 
-                                       }
+                                               }
                                        break;
+
                                default:
                                        break;
-                               }
+                                       }
                                  
+                               }
                        }
-               }
 
                data+=size;             
-       }
-       *p = data;
+               }
 
-       return SSL_ERROR_NONE;
+       *p = data;
+       return 1;
 }
-int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
+
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+       {
        unsigned short type;
        unsigned short size;
        unsigned short len;  
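Review bot: The per-extension overrun check in ssl_parse_clienthello_tlsext, `if (data+size > (d+n)) return 1;`, now reports success with no alert, so a ClientHello whose extension length runs past the end of the message is accepted silently and `*p` is never advanced; the line it replaces returned SSL_ERROR_SSL, so this is a behaviour change the commit introduces, and the extensions-length check `if (data > (d+n-len)) return 1;` has the same shape. Both should fail the way the length mismatch below them does: `*al = SSL_AD_DECODE_ERROR; return 0;`. The combined `len > 255 || OPENSSL_malloc(...) == NULL` branch reports an allocation failure as TLS1_AD_UNRECOGNIZED_NAME, telling the client its name was rejected; splitting the two and using TLS1_AD_INTERNAL_ERROR for the malloc case describes the failure honestly. The parser also expects name_type directly after the extension length (`dsize = size-3`), mirroring the sender's omission of the RFC 3546 ServerNameList length, so a client that encodes the list length will fail the `len != dsize` check with a decode error. ssl_parse_serverhello_tlsext begins on the last lines of this hunk and continues past it.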
@@ -226,61 +295,76 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
        int tlsext_servername = 0;
 
        if (data >= (d+n-2))
-          return SSL_ERROR_NONE;
-
+               return 1;
 
        n2s(data,len);
 
-       while(data <= (d+n-4)){
+       while(data <= (d+n-4))
+               {
                n2s(data,type);
                n2s(data,size);
 
                if (data+size > (d+n))
-                       return SSL_ERROR_SSL;
-
-               if (type == TLSEXT_TYPE_server_name) {
-                       if ( s->tlsext_hostname == NULL || size > 0 ) {
-                               return SSL_ERROR_SSL;
-                       }
+                       return 1;
+
+               if (type == TLSEXT_TYPE_server_name)
+                       {
+                       if (s->tlsext_hostname == NULL || size > 0)
+                               {
+                               *al = TLS1_AD_UNRECOGNIZED_NAME;
+                               return 0;
+                               }
                        tlsext_servername = 1;   
-               } 
+                       }
 
                data+=size;             
-       }
-
-       
+               }
 
        if (data != d+n)
-               return SSL_ERROR_SSL;
+               {
+               *al = SSL_AD_DECODE_ERROR;
+               return 0;
+               }
 
-       if (!s->hit && tlsext_servername == 1) {
-               if (s->tlsext_hostname) {
-                       if (s->session->tlsext_hostname == NULL) {
+       if (!s->hit && tlsext_servername == 1)
+               {
+               if (s->tlsext_hostname)
+                       {
+                       if (s->session->tlsext_hostname == NULL)
+                               {
                                s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);   
                                if (!s->session->tlsext_hostname)
-                                       return SSL_ERROR_SSL;
+                                       {
+                                       *al = SSL_AD_UNRECOGNIZED_NAME;
+                                       return 0;
+                                       }
+                               }
+                       else 
+                               {
+                               *al = SSL_AD_DECODE_ERROR;
+                               return 0;
+                               }
                        }
-               } else 
-                       return SSL_ERROR_SSL;
-       }
-       *p = data;
+               }
 
-       return SSL_ERROR_NONE;
+       *p = data;
+       return 1;
 }
 
-int ssl_check_Hello_TLS_extensions(SSL *s,int *ad)
-{
-       int ret = SSL_ERROR_NONE;
-
-       *ad = SSL_AD_UNRECOGNIZED_NAME;
-       if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != NULL) 
-               && ((ret = s->ctx->tlsext_servername_callback(s, ad, s->ctx->tlsext_servername_arg))!= SSL_ERROR_NONE)) 
-               return ret;
-
-       else if (s->servername_done == 1)       
+int ssl_check_tlsext(SSL *s,int *al)
+       {
+       int ret;
+
+       *al = SSL_AD_UNRECOGNIZED_NAME;
+       if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0))
+               {
+               ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
+               if (ret <= 0)
+                       return ret;
+               }
+       if (s->servername_done == 1)    
                s->servername_done = 2;
-
-       return ret;
-}
+       
+       return 1;
+       }
 #endif
-
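Review bot: The overrun check in ssl_parse_serverhello_tlsext, `if (data+size > (d+n)) return 1;`, returns success with no alert, so a ServerHello extension whose length runs past the end of the message is accepted and skips both the `data != d+n` check and the `*p = data` update; the line it replaces returned SSL_ERROR_SSL. It should match the trailing-data case: `*al = SSL_AD_DECODE_ERROR; return 0;`. Two alert choices here also misdescribe the failure: a server_name extension the client never offered (`s->tlsext_hostname == NULL || size > 0`) is the unsolicited-extension case for which RFC 3546 §4 defines unsupported_extension(110), not unrecognized_name, and a BUF_strdup failure is a local fault that TLS1_AD_INTERNAL_ERROR (80, defined in tls1.h) describes, not a name the peer got wrong. The hunk also spells the same alert as `TLS1_AD_UNRECOGNIZED_NAME` in the size check and `SSL_AD_UNRECOGNIZED_NAME` in the strdup path and in ssl_check_tlsext; one spelling would help the reader. ssl_parse_serverhello_tlsext begins in the previous hunk; ssl_check_tlsext is complete here.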
index 4c8a5daa563ff5f3f33d41113467b11d055c8fbd..b5370f20fb5dba02d61a526bd8fee28344fcb3e7 100644 (file)
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -96,54 +149,55 @@ extern "C" {
 #define TLS1_AD_INTERNAL_ERROR         80      /* fatal */
 #define TLS1_AD_USER_CANCELLED         90
 #define TLS1_AD_NO_RENEGOTIATION       100
-
-#ifndef OPENSSL_NO_TLSEXT
 #define TLS1_AD_UNRECOGNIZED_NAME      122
 
+/* ExtensionType values from RFC 3546 */
 #define TLSEXT_TYPE_server_name                        0
 #define TLSEXT_TYPE_max_fragment_length                1
 #define TLSEXT_TYPE_client_certificate_url     2
 #define TLSEXT_TYPE_trusted_ca_keys            3
 #define TLSEXT_TYPE_truncated_hmac             4
 #define TLSEXT_TYPE_status_request             5
+#if 0
 #define TLSEXT_TYPE_srp                                6
+#endif
+
+/* NameType value from RFC 3546 */
+#define TLSEXT_NAMETYPE_host_name 0
 
-#define TLSEXT_TYPE_SERVER_host 0
 
-#define SSL_CTX_set_tlsext_hostname(ctx,name) \
-SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
+#ifndef OPENSSL_NO_TLSEXT
+
+const char *SSL_get_servername(const SSL *s, const int type) ;
+int SSL_get_servername_type(const SSL *s) ;
+
 #define SSL_set_tlsext_hostname(s,name) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
+SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
 
 #define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
 #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
 
-
-const char *SSL_get_servername(const SSL *s, const int type) ;
-int SSL_get_servername_type(const SSL *s) ;
+#define SSL_set_tlsext_servername_done(s,t) \
+SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
 
 #if 0
+#  if 0
+
        #define SSL_get_tlsext_hostname(s,psn) \
-       SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host, (void *)psn)
-#else
+       SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn)
+#  else
+       /* XXX this looks weird for a macro, define a function instead? */
+        * or just used SSL_get_servername() directly ... */
        #define SSL_get_tlsext_hostname(s,psn) \
-       (*psn = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host),*psn != NULL)
+       (*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL)
+#  endif
 #endif
-       #define SSL_set_tlsext_servername_done(s,t) \
-       SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
-
-void SSL_set_ctx(SSL *s, SSL_CTX *ctx) ;
-
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB      53
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG     54
-#define SSL_CTRL_SET_TLSEXT_HOSTNAME           55
-#define SSL_CTRL_GET_TLSEXT_HOSTNAME           56
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE    57
   
 #endif
 
+
 /* Additional TLS ciphersuites from expired Internet Draft
  * draft-ietf-tls-56-bit-ciphersuites-01.txt
  * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
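Review bot: `#define TLS1_AD_UNRECOGNIZED_NAME 122` is carried as context into the reorganized block, but RFC 3546 §4 assigns unrecognized_name the value 112, so every alert the new code sends with this constant (the default in ssl_check_tlsext and the parse failures in t1_lib.c) goes on the wire as an undefined alert number; while these lines are being moved it should become `#define TLS1_AD_UNRECOGNIZED_NAME 112`. The comment added under `#  else` is malformed: its first line already closes with `*/`, leaving ` * or just used SSL_get_servername() directly ... */` outside any comment, harmless only because the enclosing `#if 0` keeps it out of compilation — drop the first `*/` so it reads `/* XXX this looks weird for a macro, define a function instead?` / ` * or just use SSL_get_servername() directly ... */`. Minor: `const int type` in the `SSL_get_servername` prototype is a definition-side detail; `int type` is enough in a header.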