Various changes in the new TLS extension code, including the following:

 - fix indentation
 - rename some functions and macros
 - fix up confusion between SSL_ERROR_... and SSL_AD_... values

CHANGES

@@ -4,16 +4,33 @@
 
  Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]
 
-  *) Add support for TLS extensions, specifically for the HostName extension.
-     The SSL_SESSION, SSL_CTX, and SSL data structures now have new members
-     for HostName support.
+  *) Add support for TLS extensions, specifically for the HostName extension
+     so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now have new
+     members for HostName support.
+
+     New functions (subject to change):
+
+         SSL_get_servername()
+         SSL_get_servername_type()
+         SSL_set_SSL_CTX()
+
+     New CTRL codes and macros (subject to change):
+
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+                                 - SSL_CTX_set_tlsext_servername_callback()
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
+                                      - SSL_CTX_set_tlsext_servername_arg()
+         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_hostname()
+         SSL_CTRL_GET_TLSEXT_HOSTNAME     [similar to SSL_get_servername()]
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
+                                         - SSL_set_tlsext_servername_done()
 
      openssl s_client has a new '-servername' option.
 
-     openssl s_server has new options '-servername', '-cert2', and '-key2';
-     this allows testing the HostName extension for a specific single
-     host name ('-cert' and '-key' remain fallbacks for handshakes without
-     HostName negotiation).
+     openssl s_server has new options '-servername', '-cert2', and '-key2'
+     (subject to change); this allows testing the HostName extension for a
+     specific single host name ('-cert' and '-key' remain fallbacks for
+     handshakes without HostName negotiation).
 
      [Peter Sylvester]
 

Configure

@@ -836,6 +836,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
 	$disabled{"tls1"} = "forced";
 	}
 
+if (defined($disabled{"tls1"}))
+	{
+	$disabled{"tlsext"} = "forced";
+	}
 
 if ($target eq "TABLE") {
 	foreach $target (sort keys %table) {

apps/s_client.c

@@ -239,11 +239,11 @@ typedef struct tlsextctx_st {
 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 	{
 	tlsextctx * p = (tlsextctx *) arg;
-	const unsigned char * hn= SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
+	const unsigned char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
 	if (SSL_get_servername_type(s) != -1) 
  	        p->ack = !SSL_session_reused(s) && hn != NULL;
 	else 
-		BIO_printf(bio_err,"SSL_get_tlsext_hostname does not work\n");
+		BIO_printf(bio_err,"Can't use SSL_get_servername\n");
 	
 	return SSL_ERROR_NONE;
 	}

apps/s_server.c

@@ -539,7 +539,7 @@ typedef struct tlsextctx_st {
 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 	{
 	tlsextctx * p = (tlsextctx *) arg;
-	const char * servername = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
+	const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
         if (servername) 
 		BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
         
@@ -1257,12 +1257,14 @@ bad:
 #endif
 #endif
 
-	if (cipher != NULL) {
-		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+	if (cipher != NULL)
+		{
+		if(!SSL_CTX_set_cipher_list(ctx,cipher))
+			{
 			BIO_printf(bio_err,"error setting cipher list\n");
 			ERR_print_errors(bio_err);
 			goto end;
-		}
+			}
 #ifndef OPENSSL_NO_TLSEXT
 		if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
 			{
@@ -1271,7 +1273,7 @@ bad:
 			goto end;
 			}
 #endif
-	}
+		}
 	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
 	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
 		sizeof s_server_session_id_context);
@@ -1283,13 +1285,14 @@ bad:
 		SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
 			sizeof s_server_session_id_context);
 
+		tlsextcbp.biodebug = bio_s_out;
+		SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
+		SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
+		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
+		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
 		}
-	tlsextcbp.biodebug = bio_s_out;
-	SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
-	SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
-	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
-	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
 #endif
+
 	if (CAfile != NULL)
 		{
 		SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));

ssl/s23_clnt.c

@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include "ssl_locl.h"
@@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s)
 #ifdef OPENSSL_NO_COMP
 			*(p++)=1;
 #else
-
 			if ((s->options & SSL_OP_NO_COMPRESSION)
 						|| !s->ctx->comp_methods)
 				j=0;
@@ -366,16 +418,16 @@ static int ssl23_client_hello(SSL *s)
 				}
 #endif
 			*(p++)=0; /* Add the NULL method */
+
 #ifndef OPENSSL_NO_TLSEXT
-			if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
-			{
+			if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+				{
 				SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 				return -1;
-			}
+				}
 #endif
 			
 			l = p-d;
-			*p = 42;
 
 			/* fill in 4-byte handshake header */
 			d=&(buf[5]);

ssl/s23_srvr.c

@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
 int ssl23_accept(SSL *s)
 	{
 	BUF_MEM *buf;
-	unsigned long Time=time(NULL);
+	unsigned long Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
 	int new_state,state;
@@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s)
 		n2s(p,sil);
 		n2s(p,cl);
 		d=(unsigned char *)s->init_buf->data;
-		if ((csl+sil+cl+11) > s->packet_length)
+		if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format
+		                                          * Client Hello, can we? Error condition should be
+		                                          * '>' otherweise */
 			{
 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
 			goto err;
@@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s)
 		*(d++)=1;
 		*(d++)=0;
 		
+#if 0
                 /* copy any remaining data with may be extensions */
-	        p = p+csl+sil+cl ;
-		while (p <  s->packet+s->packet_length) {
+	        p = p+csl+sil+cl;
+		while (p <  s->packet+s->packet_length)
+			{
 			*(d++)=*(p++);
-		}
+			}
+#endif
 
 		i = (d-(unsigned char *)s->init_buf->data) - 4;
 		l2n3((long)i, d_len);

ssl/s3_clnt.c

@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -257,12 +257,14 @@ int ssl3_connect(SSL *s)
 			if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
 			{
-				int extension_error = 0,al;
-				if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
-					ret = -1;
+				int al;
+				if (ssl_check_tlsext(s,&al) <= 0)
+					{
+					ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
 					SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
+					ret = -1;
 					goto end;
-				}
+					}
 			}
 #endif
 			if (s->hit)
@@ -613,11 +615,11 @@ int ssl3_client_hello(SSL *s)
 #endif
 		*(p++)=0; /* Add the NULL method */
 #ifndef OPENSSL_NO_TLSEXT
-		if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
-		{
+		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+			{
 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 			goto err;
-		}
+			}
 #endif
 		
 		l=(p-d);
@@ -806,12 +808,14 @@ int ssl3_get_server_hello(SSL *s)
 #ifndef OPENSSL_NO_TLSEXT
 	/* TLS extensions*/
 	if (s->version > SSL3_VERSION)
-	{
-		if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
+		{
+		if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
+			{
+			/* 'al' set by ssl_parse_serverhello_tlsext */
 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
 			goto f_err; 
+			}
 		}
-	}
 #endif
 
 	if (p != (d+n))

ssl/s3_lib.c

@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 #endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_TLSEXT
 	case SSL_CTRL_GET_TLSEXT_HOSTNAME:	
-		if (larg != TLSEXT_TYPE_SERVER_host)
+		if (larg != TLSEXT_NAMETYPE_host_name)
 			{
 			SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
 			return(0);
 			}
-	   	*((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname;
+		/* XXX cf. SSL_get_servername() (ssl_lib.c) */
+		if (s->session && s->session->tlsext_hostname)
+			*((char **) parg) = s->session->tlsext_hostname;
+		else
+			*((char **) parg) = s->tlsext_hostname;
 		ret = 1;
-                break;
+		break;
 	case SSL_CTRL_SET_TLSEXT_HOSTNAME:
- 		if (larg == TLSEXT_TYPE_SERVER_host) {
+ 		if (larg == TLSEXT_NAMETYPE_host_name)
+			{
 			if (s->tlsext_hostname != NULL) 
 				OPENSSL_free(s->tlsext_hostname);
 			s->tlsext_hostname = NULL;
@@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			ret = 1;
 			if (parg == NULL) 
 				break;
-			if (strlen((char *)parg) > 255) {
+			if (strlen((char *)parg) > 255)
+				{
 				SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
 				return 0;
-			}
-			if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) {
+				}
+			if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL)
+				{
 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
 				return 0;
+				}
 			}
-		} else {
+		else
+			{
 			SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
 			return 0;
-		}
-		s->options |= SSL_OP_NO_SSLv2;
+			}
+		s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
  		break;
 	case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE:
 		s->servername_done = larg;

ssl/s3_srvr.c

@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -283,13 +283,14 @@ int ssl3_accept(SSL *s)
 			if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
 			{
-				int extension_error = 0,al;
-				if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
-					ret = -1;
+				int al;
+				if (ssl_check_tlsext(s,&al) <= 0)
+					{
+					ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
 					SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
-					ssl3_send_alert(s,al,extension_error);
+					ret = -1;
 					goto end;
-				}
+					}
 			}
 #endif
 			s->new_session = 2;
@@ -937,32 +938,17 @@ int ssl3_get_client_hello(SSL *s)
 		}
 #endif
 
-	/* TLS does not mind if there is extra stuff */
-#if 0   /* SSL 3.0 does not mind either, so we should disable this test
-         * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
-         * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
-	if (s->version == SSL3_VERSION)
-		{
-		if (p < (d+n))
-			{
-			/* wrong number of bytes,
-			 * there could be more to follow */
-			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
-			goto f_err;
-			}
-		}
-#endif
 #ifndef OPENSSL_NO_TLSEXT
 	/* TLS extensions*/
 	if (s->version > SSL3_VERSION)
-	{
-		if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
+		{
+		if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+			{
+			/* 'al' set by ssl_parse_clienthello_tlsext */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
-			ssl3_send_alert(s,SSL3_AL_WARNING,al);
-			return (ret = al);
+			goto f_err;
+			}
 		}
-	}
 #endif
 
 	/* Given s->session->ciphers and SSL_get_ciphers, we must
@@ -1109,11 +1095,11 @@ int ssl3_send_server_hello(SSL *s)
 			*(p++)=s->s3->tmp.new_compression->id;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
-		if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
-		{
+		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+			{
 			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
 			return -1;
-		}
+			}
 #endif
 
 		/* do the header */

ssl/ssl.h

@@ -109,7 +109,7 @@
  *
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -172,11 +172,6 @@
 
 #include <openssl/e_os2.h>
 
-#ifdef OPENSSL_NO_TLS1
-#	ifndef OPENSSL_NO_TLSEXT 
-#		define OPENSSL_NO_TLSEXT
-#	endif
-#endif
 #ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
 #endif
@@ -765,11 +760,10 @@ struct ssl_ctx_st
 	unsigned int max_send_fragment;
 
 #ifndef OPENSSL_NO_TLSEXT
-    /* TLS extensions servername callback */
+	/* TLS extensions servername callback */
 	int (*tlsext_servername_callback)(SSL*, int *, void *);
 	void *tlsext_servername_arg;
 #endif
-
 	};
 
 #define SSL_SESS_CACHE_OFF			0x0000
@@ -994,11 +988,11 @@ struct ssl_st
 	unsigned int max_send_fragment;
 #ifndef OPENSSL_NO_TLSEXT
 	char *tlsext_hostname;
-        int servername_done;   /* no further mod of servername 
-                                  0 : call the servername extension callback.
-                                  1 : prepare 2, allow last ack just after in server callback.
-                                  2 : don't call servername callback, no ack in server hello
-                               */
+	int servername_done;   /* no further mod of servername 
+	                          0 : call the servername extension callback.
+	                          1 : prepare 2, allow last ack just after in server callback.
+	                          2 : don't call servername callback, no ack in server hello
+	                       */
 #endif
 	};
 
@@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_AD_INTERNAL_ERROR		TLS1_AD_INTERNAL_ERROR	/* fatal */
 #define SSL_AD_USER_CANCELLED		TLS1_AD_USER_CANCELLED
 #define SSL_AD_NO_RENEGOTIATION		TLS1_AD_NO_RENEGOTIATION
-#ifndef OPENSSL_NO_TLSEXT
 #define SSL_AD_UNRECOGNIZED_NAME	TLS1_AD_UNRECOGNIZED_NAME
-#endif
 
 #define SSL_ERROR_NONE			0
 #define SSL_ERROR_SSL			1
@@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 
 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT		52
 
+/* see tls.h for macros based on these */
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB	53
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG	54
+#define SSL_CTRL_SET_TLSEXT_HOSTNAME		55
+#define SSL_CTRL_GET_TLSEXT_HOSTNAME		56
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE	57
+
 #define SSL_session_reused(ssl) \
 	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
 #define SSL_num_renegotiations(ssl) \

ssl/ssl_lib.c

@@ -58,7 +58,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1315,27 +1315,30 @@ err:
 	return(NULL);
 	}
 
+
 #ifndef OPENSSL_TLSEXT
-/** return a servername extension value if provided in CLIENT HELLO
- * or NULL. 
- * For the moment, only hostname types are supported. 
+/** return a servername extension value if provided in Client Hello, or NULL. 
+ * So far, only host_name types are defined (RFC 3546).
  */
 
-const char *SSL_get_servername(const SSL *s, const int type) {
-
-	if (type != TLSEXT_TYPE_SERVER_host) 
+const char *SSL_get_servername(const SSL *s, const int type)
+	{
+	if (type != TLSEXT_NAMETYPE_host_name)
 		return NULL;
-	return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname;
-}
-
-int SSL_get_servername_type(const SSL *s) {
+	/* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */
+	return s->session /*&&s->session->tlsext_hostname*/ ?
+		s->session->tlsext_hostname :
+		s->tlsext_hostname;
+	}
 
-	if (s->session &&s->session->tlsext_hostname ?s->session->tlsext_hostname:s->tlsext_hostname) 
-		return TLSEXT_TYPE_SERVER_host;
+int SSL_get_servername_type(const SSL *s)
+	{
+	if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname) 
+		return TLSEXT_NAMETYPE_host_name;
 	return -1;
-}
-
+	}
 #endif
+
 unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
 	{
 	unsigned long l;
@@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
 #ifndef OPENSSL_NO_TLSEXT
-	ret->tlsext_servername_callback = NULL;
+	ret->tlsext_servername_callback = 0;
 	ret->tlsext_servername_arg = NULL;
 #endif
 	return(ret);
@@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 	{
-
 	if (ssl->cert != NULL)
 		ssl_cert_free(ssl->cert);
 	ssl->cert = ssl_cert_dup(ctx->cert);

ssl/ssl_locl.h

@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); 
-unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); 
-int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
-int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
-int ssl_check_Hello_TLS_extensions(SSL *s,int *ad);
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+int ssl_check_tlsext(SSL *s,int *al);
 #endif
 #endif

ssl/ssl_sess.c

@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <openssl/lhash.h>
@@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 	if (ss->peer != NULL) X509_free(ss->peer);
 	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
 #ifndef OPENSSL_NO_TLSEXT
-	if (ss->tlsext_hostname != NULL)
-		OPENSSL_free(ss->tlsext_hostname);
+	if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
 #endif
 	OPENSSL_cleanse(ss,sizeof(*ss));
 	OPENSSL_free(ss);

ssl/t1_lib.c

@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <openssl/objects.h>
@@ -101,41 +154,43 @@ void tls1_clear(SSL *s)
 	s->version=TLS1_VERSION;
 	}
 
+
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+	{
 	int extdatalen=0;
 	unsigned char *ret = p;
 
 	ret+=2;
 
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
- 	if (s->servername_done == 0 && s->tlsext_hostname != NULL) { 
+ 	if (s->servername_done == 0 && s->tlsext_hostname != NULL)
+		{ 
 		/* Add TLS extension servername to the Client Hello message */
 		unsigned long size_str;
 		long lenmax; 
 
 		if ((lenmax = limit - p - 7) < 0) return NULL; 
 		if ((size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) return NULL;
-
+		
 		s2n(TLSEXT_TYPE_server_name,ret);
 		s2n(size_str+3,ret);
-		*(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host;
+		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
 		s2n(size_str,ret);
 	
 		memcpy(ret, s->tlsext_hostname, size_str);
 		ret+=size_str;
-	}
+		}
 
-	
 	if ((extdatalen = ret-p-2)== 0) 
 		return p;
 
 	s2n(extdatalen,p);
 	return ret;
-
 }
 
-unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+	{
 	int extdatalen=0;
 	unsigned char *ret = p;
 	if (s->hit || s->servername_done == 2)
@@ -146,78 +201,92 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi
 
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
 
-	if (s->session->tlsext_hostname != NULL) { 
-
+	if (s->session->tlsext_hostname != NULL)
+		{ 
 		if (limit - p - 4 < 0) return NULL; 
 
 		s2n(TLSEXT_TYPE_server_name,ret);
 		s2n(0,ret);
-	}
-
+		}
 	
 	if ((extdatalen = ret-p-2)== 0) 
 		return p;
 
 	s2n(extdatalen,p);
 	return ret;
-
 }
 
-int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+	{
 	unsigned short type;
 	unsigned short size;
 	unsigned short len;
-	unsigned char * data = *p;
+	unsigned char *data = *p;
 
 	if (data >= (d+n-2))
-	   return SSL_ERROR_NONE;
+		return 1;
 	n2s(data,len);
 
         if (data > (d+n-len)) 
-	   return SSL_ERROR_NONE;
+		return 1;
 
-	while(data <= (d+n-4)){
+	while (data <= (d+n-4))
+		{
 		n2s(data,type);
 		n2s(data,size);
 
 		if (data+size > (d+n))
-	   		return SSL_ERROR_SSL;
-
-		if (type == TLSEXT_TYPE_server_name) {
+	   		return 1;
+		
+		if (type == TLSEXT_TYPE_server_name)
+			{
 			unsigned char *sdata = data;
 			int servname_type;
 			int dsize = size-3 ;
                         
-			if (dsize > 0 ) {
+			if (dsize > 0 )
+				{
  				servname_type = *(sdata++); 
 				n2s(sdata,len);
 				if (len != dsize) 
-			   		return SSL_ERROR_SSL;
+					{
+					*al = SSL_AD_DECODE_ERROR;
+					return 0;
+					}
 
-				switch (servname_type) {
-				case TLSEXT_TYPE_SERVER_host:
-                                        if (s->session->tlsext_hostname == NULL) {
+				switch (servname_type)
+					{
+				case TLSEXT_NAMETYPE_host_name:
+                                        if (s->session->tlsext_hostname == NULL)
+						{
 						if (len > 255 || 
 							((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
-							return SSL_ERROR_SSL;
+							{
+							*al = TLS1_AD_UNRECOGNIZED_NAME;
+							return 0;
+							}
+						
 						memcpy(s->session->tlsext_hostname, sdata, len);
 						s->session->tlsext_hostname[len]='\0'; 
-					}
+						}
 					break;
+
 				default:
 					break;
-				}
+					}
                                  
+				}
 			}
-		}
 
 		data+=size;		
-	}
-	*p = data;
+		}
 
-	return SSL_ERROR_NONE;
+	*p = data;
+	return 1;
 }
-int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
+
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+	{
 	unsigned short type;
 	unsigned short size;
 	unsigned short len;  
@@ -226,61 +295,76 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
 	int tlsext_servername = 0;
 
 	if (data >= (d+n-2))
-	   return SSL_ERROR_NONE;
-
+		return 1;
 
 	n2s(data,len);
 
-	while(data <= (d+n-4)){
+	while(data <= (d+n-4))
+		{
 		n2s(data,type);
 		n2s(data,size);
 
 		if (data+size > (d+n))
-	   		return SSL_ERROR_SSL;
-
-		if (type == TLSEXT_TYPE_server_name) {
-			if ( s->tlsext_hostname == NULL || size > 0 ) {
-				return SSL_ERROR_SSL;
-			}
+	   		return 1;
+
+		if (type == TLSEXT_TYPE_server_name)
+			{
+			if (s->tlsext_hostname == NULL || size > 0)
+				{
+				*al = TLS1_AD_UNRECOGNIZED_NAME;
+				return 0;
+				}
 			tlsext_servername = 1;   
-		} 
+			}
 
 		data+=size;		
-	}
-
-	
+		}
 
 	if (data != d+n)
-	   	return SSL_ERROR_SSL;
+		{
+		*al = SSL_AD_DECODE_ERROR;
+		return 0;
+		}
 
-	if (!s->hit && tlsext_servername == 1) {
- 		if (s->tlsext_hostname) {
-			if (s->session->tlsext_hostname == NULL) {
+	if (!s->hit && tlsext_servername == 1)
+		{
+ 		if (s->tlsext_hostname)
+			{
+			if (s->session->tlsext_hostname == NULL)
+				{
 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);	
 				if (!s->session->tlsext_hostname)
-					return SSL_ERROR_SSL;
+					{
+					*al = SSL_AD_UNRECOGNIZED_NAME;
+					return 0;
+					}
+				}
+			else 
+				{
+				*al = SSL_AD_DECODE_ERROR;
+				return 0;
+				}
 			}
-		} else 
-			return SSL_ERROR_SSL;
-	}
-	*p = data;
+		}
 
-	return SSL_ERROR_NONE;
+	*p = data;
+	return 1;
 }
 
-int ssl_check_Hello_TLS_extensions(SSL *s,int *ad)
-{
-	int ret = SSL_ERROR_NONE;
-
-	*ad = SSL_AD_UNRECOGNIZED_NAME;
-	if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != NULL) 
-		&& ((ret = s->ctx->tlsext_servername_callback(s, ad, s->ctx->tlsext_servername_arg))!= SSL_ERROR_NONE)) 
-  		return ret;
-
-	else if (s->servername_done == 1) 	
+int ssl_check_tlsext(SSL *s,int *al)
+	{
+	int ret;
+
+	*al = SSL_AD_UNRECOGNIZED_NAME;
+	if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0))
+		{
+		ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
+		if (ret <= 0)
+			return ret;
+		}
+	if (s->servername_done == 1) 	
 		s->servername_done = 2;
-
-	return ret;
-}
+	
+	return 1;
+	}
 #endif
-

ssl/tls1.h

@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -96,54 +149,55 @@ extern "C" {
 #define TLS1_AD_INTERNAL_ERROR		80	/* fatal */
 #define TLS1_AD_USER_CANCELLED		90
 #define TLS1_AD_NO_RENEGOTIATION	100
-
-#ifndef OPENSSL_NO_TLSEXT
 #define TLS1_AD_UNRECOGNIZED_NAME 	122
 
+/* ExtensionType values from RFC 3546 */
 #define TLSEXT_TYPE_server_name			0
 #define TLSEXT_TYPE_max_fragment_length		1
 #define TLSEXT_TYPE_client_certificate_url	2
 #define TLSEXT_TYPE_trusted_ca_keys		3
 #define TLSEXT_TYPE_truncated_hmac		4
 #define TLSEXT_TYPE_status_request		5
+#if 0
 #define TLSEXT_TYPE_srp				6
+#endif
+
+/* NameType value from RFC 3546 */
+#define TLSEXT_NAMETYPE_host_name 0
 
-#define TLSEXT_TYPE_SERVER_host 0
 
-#define SSL_CTX_set_tlsext_hostname(ctx,name) \
-SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
+#ifndef OPENSSL_NO_TLSEXT
+
+const char *SSL_get_servername(const SSL *s, const int type) ;
+int SSL_get_servername_type(const SSL *s) ;
+
 #define SSL_set_tlsext_hostname(s,name) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
+SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
 
 #define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
 #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
 
-
-const char *SSL_get_servername(const SSL *s, const int type) ;
-int SSL_get_servername_type(const SSL *s) ;
+#define SSL_set_tlsext_servername_done(s,t) \
+SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
 
 #if 0
+#  if 0
+
 	#define SSL_get_tlsext_hostname(s,psn) \
-	SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host, (void *)psn)
-#else
+	SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn)
+#  else
+	/* XXX this looks weird for a macro, define a function instead? */
+	 * or just used SSL_get_servername() directly ... */
 	#define SSL_get_tlsext_hostname(s,psn) \
-	(*psn = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host),*psn != NULL)
+	(*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL)
+#  endif
 #endif
-	#define SSL_set_tlsext_servername_done(s,t) \
-	SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
-
-void SSL_set_ctx(SSL *s, SSL_CTX *ctx) ;
-
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB	53
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG	54
-#define SSL_CTRL_SET_TLSEXT_HOSTNAME		55
-#define SSL_CTRL_GET_TLSEXT_HOSTNAME		56
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE	57
   
 #endif
 
+
 /* Additional TLS ciphersuites from expired Internet Draft
  * draft-ietf-tls-56-bit-ciphersuites-01.txt
  * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see