Commit 661dc143 authored by Dr. Stephen Henson

Fix statless session resumption so it can coexist with SNI

parent 213f08a6
+9 −0
@@ -4,6 +4,15 @@

 Changes between 0.9.8k and 1.0  [xx XXX xxxx]

  *) Fixes to stateless session resumption handling. Use initial_ctx when
     issuing and attempting to decrypt tickets in case it has changed during
     servername handling. Use a non-zero length session ID when attempting
     stateless session resumption: this makes it possible to determine if
     a resumption has occurred immediately after receiving server hello 
     (several places in OpenSSL subtly assume this) instead of later in
     the handshake.
     [Steve Henson]

  *) Update OCSP request code to permit adding custom headers to the request:
     some responders need this.
     [Steve Henson]
+6 −5
@@ -2973,6 +2973,7 @@ int ssl3_send_newsession_ticket(SSL *s)
		unsigned int hlen;
		EVP_CIPHER_CTX ctx;
		HMAC_CTX hctx;
		SSL_CTX *tctx = s->initial_ctx;
		unsigned char iv[EVP_MAX_IV_LENGTH];
		unsigned char key_name[16];

@@ -3011,9 +3012,9 @@ int ssl3_send_newsession_ticket(SSL *s)
		 * it does all the work otherwise use generated values
		 * from parent ctx.
		 */
		if (s->ctx->tlsext_ticket_key_cb)
		if (tctx->tlsext_ticket_key_cb)
			{
			if (s->ctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
			if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
							 &hctx, 1) < 0)
				{
				OPENSSL_free(senc);
@@ -3024,10 +3025,10 @@ int ssl3_send_newsession_ticket(SSL *s)
			{
			RAND_pseudo_bytes(iv, 16);
			EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
					s->ctx->tlsext_tick_aes_key, iv);
			HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
					tctx->tlsext_tick_aes_key, iv);
			HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
					tlsext_tick_md(), NULL);
			memcpy(key_name, s->ctx->tlsext_tick_key_name, 16);
			memcpy(key_name, tctx->tlsext_tick_key_name, 16);
			}
		l2n(s->session->tlsext_tick_lifetime_hint, p);
		/* Skip ticket length for now */
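Review bot: In the non-callback branch of ssl3_send_newsession_ticket the results of `RAND_pseudo_bytes(iv, 16)` and `EVP_EncryptInit_ex(...)` are still ignored, so a failed or non-cryptographic IV generation, or a cipher setup failure, would go unnoticed while the ticket is built with the `tctx` keys. I would guard them, e.g. `if (RAND_pseudo_bytes(iv, 16) <= 0 || !EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv))`, and take the same failure path as the callback branch, which frees `senc` (the rest of that path is outside the hunk). The same applies to `EVP_DecryptInit_ex(...)` in the tls_decrypt_ticket section. The comment ending "from parent ctx." is also stale now that the keys come from `s->initial_ctx`; something like `/* ... otherwise use generated values from initial_ctx, since s->ctx may have been switched during servername handling. */` would match the code.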
+13 −6
@@ -579,20 +579,27 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
		ret->tlsext_ticklen = os.length;
		os.data = NULL;
		os.length = 0;
#if 0
		/* There are two ways to detect a resumed ticket sesion.
		 * One is to set a random session ID and then the server
		 * must return a match in ServerHello. This allows the normal
		 * client session ID matching to work.
		 * client session ID matching to work and we know much 
		 * earlier that the ticket has been accepted.
		 * 
		 * The other way is to set zero length session ID when the
		 * ticket is presented and rely on the handshake to determine
		 * session resumption.
		 */ 
		if (ret->session_id_length == 0)
			{
			ret->session_id_length=SSL3_MAX_SSL_SESSION_ID_LENGTH;
			RAND_pseudo_bytes(ret->session_id,
						ret->session_id_length);
			}
			EVP_Digest(ret->tlsext_tick, ret->tlsext_ticklen, 
				   ret->session_id, &ret->session_id_length,
#ifndef OPENSSL_NO_SHA256
					EVP_sha256(), NULL);
#else
					EVP_sha1(), NULL);
#endif
			}
		}
	else
		ret->tlsext_tick=NULL;
#endif /* OPENSSL_NO_TLSEXT */
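Review bot: The return value of `EVP_Digest(...)` is not checked where the ticket hash is written into `ret->session_id`. The page has lost its +/- markers, so this assumes the digest call is the new side and the `RAND_pseudo_bytes` lines are the old. If the digest fails, `ret->session_id_length` may stay 0, and the session would silently fall back to the zero-length-ID case that the changelog entry says several places in OpenSSL do not expect. Testing the call with `if (!EVP_Digest(...))` and failing the decode there would make this visible; d2i_SSL_SESSION's error path is outside the hunk. The comment above still talks about setting "a random session ID" and should say the ID is a digest of the ticket (SHA-256, or SHA-1 under `OPENSSL_NO_SHA256`).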
+6 −5
@@ -1516,16 +1516,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
	unsigned char tick_hmac[EVP_MAX_MD_SIZE];
	HMAC_CTX hctx;
	EVP_CIPHER_CTX ctx;
	SSL_CTX *tctx = s->initial_ctx;
	/* Need at least keyname + iv + some encrypted data */
	if (eticklen < 48)
		goto tickerr;
	/* Initialize session ticket encryption and HMAC contexts */
	HMAC_CTX_init(&hctx);
	EVP_CIPHER_CTX_init(&ctx);
	if (s->ctx->tlsext_ticket_key_cb)
	if (tctx->tlsext_ticket_key_cb)
		{
		unsigned char *nctick = (unsigned char *)etick;
		int rv = s->ctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
		int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
							&ctx, &hctx, 0);
		if (rv < 0)
			return -1;
@@ -1537,12 +1538,12 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
	else
		{
		/* Check key name matches */
		if (memcmp(etick, s->ctx->tlsext_tick_key_name, 16))
		if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
			goto tickerr;
		HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
		HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
					tlsext_tick_md(), NULL);
		EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
				s->ctx->tlsext_tick_aes_key, etick + 16);
				tctx->tlsext_tick_aes_key, etick + 16);
		}
	/* Attempt to process session ticket, first conduct sanity and
 	 * integrity checks on ticket.
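Review bot: In the callback branch of tls_decrypt_ticket, `if (rv < 0) return -1;` leaves the function without releasing `hctx` and `ctx`, which were set up by `HMAC_CTX_init(&hctx)` and `EVP_CIPHER_CTX_init(&ctx)` just above. If the application callback had already keyed either context before reporting an error, that state (possibly including ticket key material) is not cleaned up. I would add `HMAC_CTX_cleanup(&hctx); EVP_CIPHER_CTX_cleanup(&ctx);` before the `return -1`. The function body continues outside the hunk, so the handling of the other `rv` values and the `tickerr` label could not be checked here.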