Various changes in the new TLS extension code, including the following:

- fix indentation - rename some functions and macros - fix up confusion between SSL_ERROR_... and SSL_AD_... values
2006-01-03 03:27:19 +00:00
parent 349eb12fd5
commit f1fd4544a3
15 changed files with 484 additions and 213 deletions
--- a/31
+++ b/31
@@ -4,16 +4,33 @@
 Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]
-  *) Add support for TLS extensions, specifically for the HostName extension.
+  *) Add support for TLS extensions, specifically for the HostName extension
-     The SSL_SESSION, SSL_CTX, and SSL data structures now have new members
+     so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now have new
-     for HostName support.
+     members for HostName support.
     New functions (subject to change):
         SSL_get_servername()
         SSL_get_servername_type()
         SSL_set_SSL_CTX()
     New CTRL codes and macros (subject to change):
         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                 - SSL_CTX_set_tlsext_servername_callback()
         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                      - SSL_CTX_set_tlsext_servername_arg()
         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_hostname()
         SSL_CTRL_GET_TLSEXT_HOSTNAME     [similar to SSL_get_servername()]
         SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
                                         - SSL_set_tlsext_servername_done()
     openssl s_client has a new '-servername' option.
-     openssl s_server has new options '-servername', '-cert2', and '-key2';
+     openssl s_server has new options '-servername', '-cert2', and '-key2'
-     this allows testing the HostName extension for a specific single
+     (subject to change); this allows testing the HostName extension for a
-     host name ('-cert' and '-key' remain fallbacks for handshakes without
+     specific single host name ('-cert' and '-key' remain fallbacks for
-     HostName negotiation).
+     handshakes without HostName negotiation).
     [Peter Sylvester]
--- a/4
+++ b/4
@@ -836,6 +836,10 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
 	$disabled{"tls1"} = "forced";
 	}
 if (defined($disabled{"tls1"}))
 	{
 	$disabled{"tlsext"} = "forced";
 	}
 if ($target eq "TABLE") {
 	foreach $target (sort keys %table) {
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -239,11 +239,11 @@ typedef struct tlsextctx_st {
 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 	{
 	tlsextctx * p = (tlsextctx *) arg;
-	const unsigned char * hn= SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
+	const unsigned char * hn= SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
 	if (SSL_get_servername_type(s) != -1) 
 	        p->ack = !SSL_session_reused(s) && hn != NULL;
 	else 
-		BIO_printf(bio_err,"SSL_get_tlsext_hostname does not work\n");
+		BIO_printf(bio_err,"Can't use SSL_get_servername\n");
 	return SSL_ERROR_NONE;
 	}
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -539,7 +539,7 @@ typedef struct tlsextctx_st {
 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 	{
 	tlsextctx * p = (tlsextctx *) arg;
-	const char * servername = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host);
+	const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
        if (servername) 
 		BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
@@ -1257,8 +1257,10 @@ bad:
 #endif
 #endif
-	if (cipher != NULL) {
+	if (cipher != NULL)
-		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+		{
 		if(!SSL_CTX_set_cipher_list(ctx,cipher))
 			{
 			BIO_printf(bio_err,"error setting cipher list\n");
 			ERR_print_errors(bio_err);
 			goto end;
@@ -1283,13 +1285,14 @@ bad:
 		SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
 			sizeof s_server_session_id_context);
 		}
 		tlsextcbp.biodebug = bio_s_out;
 		SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
 		SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
 		SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
 		SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
 		}
 #endif
 	if (CAfile != NULL)
 		{
 		SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include <stdio.h>
 #include "ssl_locl.h"
@@ -352,7 +405,6 @@ static int ssl23_client_hello(SSL *s)
 #ifdef OPENSSL_NO_COMP
 			*(p++)=1;
 #else
 			if ((s->options & SSL_OP_NO_COMPRESSION)
 						|| !s->ctx->comp_methods)
 				j=0;
@@ -366,8 +418,9 @@ static int ssl23_client_hello(SSL *s)
 				}
 #endif
 			*(p++)=0; /* Add the NULL method */
 #ifndef OPENSSL_NO_TLSEXT
-			if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+			if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 				{
 				SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 				return -1;
@@ -375,7 +428,6 @@ static int ssl23_client_hello(SSL *s)
 #endif
 			l = p-d;
 			*p = 42;
 			/* fill in 4-byte handshake header */
 			d=&(buf[5]);
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
 int ssl23_accept(SSL *s)
 	{
 	BUF_MEM *buf;
-	unsigned long Time=time(NULL);
+	unsigned long Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
 	int new_state,state;
@@ -416,7 +416,9 @@ int ssl23_get_client_hello(SSL *s)
 		n2s(p,sil);
 		n2s(p,cl);
 		d=(unsigned char *)s->init_buf->data;
-		if ((csl+sil+cl+11) > s->packet_length)
+		if ((csl+sil+cl+11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format
 		                                          * Client Hello, can we? Error condition should be
 		                                          * '>' otherweise */
 			{
 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
 			goto err;
@@ -459,11 +461,14 @@ int ssl23_get_client_hello(SSL *s)
 		*(d++)=1;
 		*(d++)=0;
 #if 0
                /* copy any remaining data with may be extensions */
-	        p = p+csl+sil+cl ;
+	        p = p+csl+sil+cl;
-		while (p <  s->packet+s->packet_length) {
+		while (p <  s->packet+s->packet_length)
 			{
 			*(d++)=*(p++);
 			}
 #endif
 		i = (d-(unsigned char *)s->init_buf->data) - 4;
 		l2n3((long)i, d_len);
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -257,10 +257,12 @@ int ssl3_connect(SSL *s)
 			if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
 			{
-				int extension_error = 0,al;
+				int al;
-				if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
+				if (ssl_check_tlsext(s,&al) <= 0)
-					ret = -1;
+					{
 					ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
 					SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
 					ret = -1;
 					goto end;
 					}
 			}
@@ -613,7 +615,7 @@ int ssl3_client_hello(SSL *s)
 #endif
 		*(p++)=0; /* Add the NULL method */
 #ifndef OPENSSL_NO_TLSEXT
-		if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 			goto err;
@@ -807,7 +809,9 @@ int ssl3_get_server_hello(SSL *s)
 	/* TLS extensions*/
 	if (s->version > SSL3_VERSION)
 		{
-		if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
+		if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
 			{
 			/* 'al' set by ssl_parse_serverhello_tlsext */
 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
 			goto f_err; 
 			}
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -1645,16 +1645,21 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 #endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_TLSEXT
 	case SSL_CTRL_GET_TLSEXT_HOSTNAME:	
-		if (larg != TLSEXT_TYPE_SERVER_host)
+		if (larg != TLSEXT_NAMETYPE_host_name)
 			{
 			SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
 			return(0);
 			}
-	   	*((char **) parg) = s->session&&s->session->tlsext_hostname?s->session->tlsext_hostname:s->tlsext_hostname;
+		/* XXX cf. SSL_get_servername() (ssl_lib.c) */
 		if (s->session && s->session->tlsext_hostname)
 			*((char **) parg) = s->session->tlsext_hostname;
 		else
 			*((char **) parg) = s->tlsext_hostname;
 		ret = 1;
 		break;
 	case SSL_CTRL_SET_TLSEXT_HOSTNAME:
- 		if (larg == TLSEXT_TYPE_SERVER_host) {
+ 		if (larg == TLSEXT_NAMETYPE_host_name)
 			{
 			if (s->tlsext_hostname != NULL) 
 				OPENSSL_free(s->tlsext_hostname);
 			s->tlsext_hostname = NULL;
@@ -1662,19 +1667,23 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			ret = 1;
 			if (parg == NULL) 
 				break;
-			if (strlen((char *)parg) > 255) {
+			if (strlen((char *)parg) > 255)
 				{
 				SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
 				return 0;
 				}
-			if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) {
+			if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL)
 				{
 				SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
 				return 0;
 				}
-		} else {
+			}
 		else
 			{
 			SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
 			return 0;
 			}
-		s->options |= SSL_OP_NO_SSLv2;
+		s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */
 		break;
 	case SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE:
 		s->servername_done = larg;
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -283,11 +283,12 @@ int ssl3_accept(SSL *s)
 			if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
 			{
-				int extension_error = 0,al;
+				int al;
-				if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
+				if (ssl_check_tlsext(s,&al) <= 0)
-					ret = -1;
+					{
 					ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
 					SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
-					ssl3_send_alert(s,al,extension_error);
+					ret = -1;
 					goto end;
 					}
 			}
@@ -937,30 +938,15 @@ int ssl3_get_client_hello(SSL *s)
 		}
 #endif
 	/* TLS does not mind if there is extra stuff */
 #if 0   /* SSL 3.0 does not mind either, so we should disable this test
         * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
         * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
 	if (s->version == SSL3_VERSION)
 		{
 		if (p < (d+n))
 			{
 			/* wrong number of bytes,
 			 * there could be more to follow */
 			al=SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
 			goto f_err;
 			}
 		}
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 	/* TLS extensions*/
 	if (s->version > SSL3_VERSION)
 		{
-		if ((al = ssl_parse_ClientHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
+		if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
 			{
 			/* 'al' set by ssl_parse_clienthello_tlsext */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
-			ssl3_send_alert(s,SSL3_AL_WARNING,al);
+			goto f_err;
 			return (ret = al);
 			}
 		}
 #endif
@@ -1109,7 +1095,7 @@ int ssl3_send_server_hello(SSL *s)
 			*(p++)=s->s3->tmp.new_compression->id;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
-		if ((p = ssl_add_ServerHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
 			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
 			return -1;
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -109,7 +109,7 @@
 *
 */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -172,11 +172,6 @@
 #include <openssl/e_os2.h>
 #ifdef OPENSSL_NO_TLS1
 #	ifndef OPENSSL_NO_TLSEXT 
 #		define OPENSSL_NO_TLSEXT
 #	endif
 #endif
 #ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
 #endif
@@ -769,7 +764,6 @@ struct ssl_ctx_st
 	int (*tlsext_servername_callback)(SSL*, int *, void *);
 	void *tlsext_servername_arg;
 #endif
 	};
 #define SSL_SESS_CACHE_OFF			0x0000
@@ -1145,9 +1139,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_AD_INTERNAL_ERROR		TLS1_AD_INTERNAL_ERROR	/* fatal */
 #define SSL_AD_USER_CANCELLED		TLS1_AD_USER_CANCELLED
 #define SSL_AD_NO_RENEGOTIATION		TLS1_AD_NO_RENEGOTIATION
 #ifndef OPENSSL_NO_TLSEXT
 #define SSL_AD_UNRECOGNIZED_NAME	TLS1_AD_UNRECOGNIZED_NAME
 #endif
 #define SSL_ERROR_NONE			0
 #define SSL_ERROR_SSL			1
@@ -1208,6 +1200,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_CTRL_SET_MAX_SEND_FRAGMENT		52
 /* see tls.h for macros based on these */
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB	53
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG	54
 #define SSL_CTRL_SET_TLSEXT_HOSTNAME		55
 #define SSL_CTRL_GET_TLSEXT_HOSTNAME		56
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE	57
 #define SSL_session_reused(ssl) \
 	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
 #define SSL_num_renegotiations(ssl) \
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -58,7 +58,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -1315,27 +1315,30 @@ err:
 	return(NULL);
 	}
 #ifndef OPENSSL_TLSEXT
-/** return a servername extension value if provided in CLIENT HELLO
+/** return a servername extension value if provided in Client Hello, or NULL. 
- * or NULL. 
+ * So far, only host_name types are defined (RFC 3546).
 * For the moment, only hostname types are supported. 
 */
-const char *SSL_get_servername(const SSL *s, const int type) {
+const char *SSL_get_servername(const SSL *s, const int type)
-
+	{
-	if (type != TLSEXT_TYPE_SERVER_host) 
+	if (type != TLSEXT_NAMETYPE_host_name)
 		return NULL;
-	return s->session /*&&s->session->tlsext_hostname*/?s->session->tlsext_hostname:s->tlsext_hostname;
+	/* XXX cf. SSL_CTRL_GET_TLSEXT_HOSTNAME case in ssl3_ctrl (s3_lib.c) */
-}
+	return s->session /*&&s->session->tlsext_hostname*/ ?
 		s->session->tlsext_hostname :
 		s->tlsext_hostname;
 	}
-int SSL_get_servername_type(const SSL *s) {
+int SSL_get_servername_type(const SSL *s)
-
+	{
-	if (s->session &&s->session->tlsext_hostname ?s->session->tlsext_hostname:s->tlsext_hostname) 
+	if (s->session &&s->session->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname) 
-		return TLSEXT_TYPE_SERVER_host;
+		return TLSEXT_NAMETYPE_host_name;
 	return -1;
-}
+	}
 #endif
 unsigned long SSL_SESSION_hash(const SSL_SESSION *a)
 	{
 	unsigned long l;
@@ -1488,7 +1491,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 #ifndef OPENSSL_NO_TLSEXT
-	ret->tlsext_servername_callback = NULL;
+	ret->tlsext_servername_callback = 0;
 	ret->tlsext_servername_arg = NULL;
 #endif
 	return(ret);
@@ -2442,7 +2445,6 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 	{
 	if (ssl->cert != NULL)
 		ssl_cert_free(ssl->cert);
 	ssl->cert = ssl_cert_dup(ctx->cert);
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -941,10 +941,10 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); 
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
-unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit); 
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
-int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
-int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **data, unsigned char *d, int n);
+int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
-int ssl_check_Hello_TLS_extensions(SSL *s,int *ad);
+int ssl_check_tlsext(SSL *s,int *al);
 #endif
 #endif
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include <stdio.h>
 #include <openssl/lhash.h>
@@ -550,8 +603,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 	if (ss->peer != NULL) X509_free(ss->peer);
 	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
 #ifndef OPENSSL_NO_TLSEXT
-	if (ss->tlsext_hostname != NULL)
+	if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
 		OPENSSL_free(ss->tlsext_hostname);
 #endif
 	OPENSSL_cleanse(ss,sizeof(*ss));
 	OPENSSL_free(ss);
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include <stdio.h>
 #include <openssl/objects.h>
@@ -101,15 +154,18 @@ void tls1_clear(SSL *s)
 	s->version=TLS1_VERSION;
 	}
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 	{
 	int extdatalen=0;
 	unsigned char *ret = p;
 	ret+=2;
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
- 	if (s->servername_done == 0 && s->tlsext_hostname != NULL) { 
+ 	if (s->servername_done == 0 && s->tlsext_hostname != NULL)
 		{ 
 		/* Add TLS extension servername to the Client Hello message */
 		unsigned long size_str;
 		long lenmax; 
@@ -119,23 +175,22 @@ unsigned char *ssl_add_ClientHello_TLS_extensions(SSL *s, unsigned char *p, unsi
 		s2n(TLSEXT_TYPE_server_name,ret);
 		s2n(size_str+3,ret);
-		*(ret++) = (unsigned char) TLSEXT_TYPE_SERVER_host;
+		*(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name;
 		s2n(size_str,ret);
 		memcpy(ret, s->tlsext_hostname, size_str);
 		ret+=size_str;
 		}
 	if ((extdatalen = ret-p-2)== 0) 
 		return p;
 	s2n(extdatalen,p);
 	return ret;
 }
-unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsigned char *limit) {
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 	{
 	int extdatalen=0;
 	unsigned char *ret = p;
 	if (s->hit || s->servername_done == 2)
@@ -146,64 +201,76 @@ unsigned char *ssl_add_ServerHello_TLS_extensions(SSL *s, unsigned char *p, unsi
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
-	if (s->session->tlsext_hostname != NULL) { 
+	if (s->session->tlsext_hostname != NULL)
-
+		{ 
 		if (limit - p - 4 < 0) return NULL; 
 		s2n(TLSEXT_TYPE_server_name,ret);
 		s2n(0,ret);
 		}
 	if ((extdatalen = ret-p-2)== 0) 
 		return p;
 	s2n(extdatalen,p);
 	return ret;
 }
-int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
 	{
 	unsigned short type;
 	unsigned short size;
 	unsigned short len;
-	unsigned char * data = *p;
+	unsigned char *data = *p;
 	if (data >= (d+n-2))
-	   return SSL_ERROR_NONE;
+		return 1;
 	n2s(data,len);
        if (data > (d+n-len)) 
-	   return SSL_ERROR_NONE;
+		return 1;
-	while(data <= (d+n-4)){
+	while (data <= (d+n-4))
 		{
 		n2s(data,type);
 		n2s(data,size);
 		if (data+size > (d+n))
-	   		return SSL_ERROR_SSL;
+	   		return 1;
-		if (type == TLSEXT_TYPE_server_name) {
+		if (type == TLSEXT_TYPE_server_name)
 			{
 			unsigned char *sdata = data;
 			int servname_type;
 			int dsize = size-3 ;
-			if (dsize > 0 ) {
+			if (dsize > 0 )
 				{
 				servname_type = *(sdata++); 
 				n2s(sdata,len);
 				if (len != dsize) 
-			   		return SSL_ERROR_SSL;
+					{
 					*al = SSL_AD_DECODE_ERROR;
 					return 0;
 					}
-				switch (servname_type) {
+				switch (servname_type)
-				case TLSEXT_TYPE_SERVER_host:
+					{
-                                        if (s->session->tlsext_hostname == NULL) {
+				case TLSEXT_NAMETYPE_host_name:
                                        if (s->session->tlsext_hostname == NULL)
 						{
 						if (len > 255 || 
 							((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
-							return SSL_ERROR_SSL;
+							{
 							*al = TLS1_AD_UNRECOGNIZED_NAME;
 							return 0;
 							}
 						memcpy(s->session->tlsext_hostname, sdata, len);
 						s->session->tlsext_hostname[len]='\0'; 
 						}
 					break;
 				default:
 					break;
 					}
@@ -213,11 +280,13 @@ int ssl_parse_ClientHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
 		data+=size;		
 		}
 	*p = data;
-	return SSL_ERROR_NONE;
+	*p = data;
 	return 1;
 }
-int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned char *d, int n) {
+
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
 	{
 	unsigned short type;
 	unsigned short size;
 	unsigned short len;  
@@ -226,21 +295,24 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
 	int tlsext_servername = 0;
 	if (data >= (d+n-2))
-	   return SSL_ERROR_NONE;
+		return 1;
 	n2s(data,len);
-	while(data <= (d+n-4)){
+	while(data <= (d+n-4))
 		{
 		n2s(data,type);
 		n2s(data,size);
 		if (data+size > (d+n))
-	   		return SSL_ERROR_SSL;
+	   		return 1;
-		if (type == TLSEXT_TYPE_server_name) {
+		if (type == TLSEXT_TYPE_server_name)
-			if ( s->tlsext_hostname == NULL || size > 0 ) {
+			{
-				return SSL_ERROR_SSL;
+			if (s->tlsext_hostname == NULL || size > 0)
 				{
 				*al = TLS1_AD_UNRECOGNIZED_NAME;
 				return 0;
 				}
 			tlsext_servername = 1;   
 			}
@@ -248,39 +320,51 @@ int ssl_parse_ServerHello_TLS_extensions(SSL *s, unsigned char **p, unsigned cha
 		data+=size;		
 		}
 	if (data != d+n)
-	   	return SSL_ERROR_SSL;
+		{
 		*al = SSL_AD_DECODE_ERROR;
 		return 0;
 		}
-	if (!s->hit && tlsext_servername == 1) {
+	if (!s->hit && tlsext_servername == 1)
- 		if (s->tlsext_hostname) {
+		{
-			if (s->session->tlsext_hostname == NULL) {
+ 		if (s->tlsext_hostname)
 			{
 			if (s->session->tlsext_hostname == NULL)
 				{
 				s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);	
 				if (!s->session->tlsext_hostname)
-					return SSL_ERROR_SSL;
+					{
 					*al = SSL_AD_UNRECOGNIZED_NAME;
 					return 0;
 					}
 				}
 			else 
 				{
 				*al = SSL_AD_DECODE_ERROR;
 				return 0;
 				}
 			}
 		} else 
 			return SSL_ERROR_SSL;
 		}
 	*p = data;
-	return SSL_ERROR_NONE;
+	*p = data;
 	return 1;
 }
-int ssl_check_Hello_TLS_extensions(SSL *s,int *ad)
+int ssl_check_tlsext(SSL *s,int *al)
-{
+	{
-	int ret = SSL_ERROR_NONE;
+	int ret;
-	*ad = SSL_AD_UNRECOGNIZED_NAME;
+	*al = SSL_AD_UNRECOGNIZED_NAME;
-	if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != NULL) 
+	if (s->servername_done == 0 && (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0))
-		&& ((ret = s->ctx->tlsext_servername_callback(s, ad, s->ctx->tlsext_servername_arg))!= SSL_ERROR_NONE)) 
+		{
 		ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
 		if (ret <= 0)
 			return ret;
-
+		}
-	else if (s->servername_done == 1) 	
+	if (s->servername_done == 1) 	
 		s->servername_done = 2;
-	return ret;
+	return 1;
-}
+	}
 #endif
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -96,54 +149,55 @@ extern "C" {
 #define TLS1_AD_INTERNAL_ERROR		80	/* fatal */
 #define TLS1_AD_USER_CANCELLED		90
 #define TLS1_AD_NO_RENEGOTIATION	100
 #ifndef OPENSSL_NO_TLSEXT
 #define TLS1_AD_UNRECOGNIZED_NAME 	122
 /* ExtensionType values from RFC 3546 */
 #define TLSEXT_TYPE_server_name			0
 #define TLSEXT_TYPE_max_fragment_length		1
 #define TLSEXT_TYPE_client_certificate_url	2
 #define TLSEXT_TYPE_trusted_ca_keys		3
 #define TLSEXT_TYPE_truncated_hmac		4
 #define TLSEXT_TYPE_status_request		5
 #if 0
 #define TLSEXT_TYPE_srp				6
 #endif
-#define TLSEXT_TYPE_SERVER_host 0
+/* NameType value from RFC 3546 */
 #define TLSEXT_NAMETYPE_host_name 0
 #ifndef OPENSSL_NO_TLSEXT
 const char *SSL_get_servername(const SSL *s, const int type) ;
 int SSL_get_servername_type(const SSL *s) ;
 #define SSL_CTX_set_tlsext_hostname(ctx,name) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
 #define SSL_set_tlsext_hostname(s,name) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host,(char *)name)
+SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
 #define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
 #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
-
+#define SSL_set_tlsext_servername_done(s,t) \
-const char *SSL_get_servername(const SSL *s, const int type) ;
+SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
 int SSL_get_servername_type(const SSL *s) ;
 #if 0
 #  if 0
 	#define SSL_get_tlsext_hostname(s,psn) \
-	SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_TYPE_SERVER_host, (void *)psn)
+	SSL_ctrl(s,SSL_CTRL_GET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name, (void *)psn)
-#else
+#  else
 	/* XXX this looks weird for a macro, define a function instead? */
 	 * or just used SSL_get_servername() directly ... */
 	#define SSL_get_tlsext_hostname(s,psn) \
-	(*psn = SSL_get_servername(s, TLSEXT_TYPE_SERVER_host),*psn != NULL)
+	(*psn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name),*psn != NULL)
 #  endif
 #endif
 	#define SSL_set_tlsext_servername_done(s,t) \
 	SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
 void SSL_set_ctx(SSL *s, SSL_CTX *ctx) ;
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB	53
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG	54
 #define SSL_CTRL_SET_TLSEXT_HOSTNAME		55
 #define SSL_CTRL_GET_TLSEXT_HOSTNAME		56
 #define SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE	57
 #endif
 /* Additional TLS ciphersuites from expired Internet Draft
 * draft-ietf-tls-56-bit-ciphersuites-01.txt
 * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see