]>
Commit | Line | Data |
---|---|---|
846e33c7 RS |
1 | /* |
2 | * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. | |
ecf4d660 | 3 | * |
846e33c7 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
ecf4d660 DSH |
8 | */ |
9 | ||
10 | /* Custom extension utility functions */ | |
11 | ||
3c27208f | 12 | #include <openssl/ct.h> |
ecf4d660 DSH |
13 | #include "ssl_locl.h" |
14 | ||
0cfefe4b | 15 | /* Find a custom extension from the list. */ |
ed29e82a | 16 | static custom_ext_method *custom_ext_find(const custom_ext_methods *exts, |
0f113f3e MC |
17 | unsigned int ext_type) |
18 | { | |
19 | size_t i; | |
20 | custom_ext_method *meth = exts->meths; | |
21 | for (i = 0; i < exts->meths_count; i++, meth++) { | |
22 | if (ext_type == meth->ext_type) | |
23 | return meth; | |
24 | } | |
25 | return NULL; | |
26 | } | |
27 | ||
28 | /* | |
29 | * Initialise custom extensions flags to indicate neither sent nor received. | |
28ea0a0c DSH |
30 | */ |
31 | void custom_ext_init(custom_ext_methods *exts) | |
0f113f3e MC |
32 | { |
33 | size_t i; | |
34 | custom_ext_method *meth = exts->meths; | |
35 | for (i = 0; i < exts->meths_count; i++, meth++) | |
36 | meth->ext_flags = 0; | |
37 | } | |
ecf4d660 | 38 | |
0cfefe4b | 39 | /* Pass received custom extension data to the application for parsing. */ |
ecf4d660 | 40 | int custom_ext_parse(SSL *s, int server, |
0f113f3e MC |
41 | unsigned int ext_type, |
42 | const unsigned char *ext_data, size_t ext_size, int *al) | |
43 | { | |
44 | custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext; | |
45 | custom_ext_method *meth; | |
46 | meth = custom_ext_find(exts, ext_type); | |
47 | /* If not found return success */ | |
48 | if (!meth) | |
49 | return 1; | |
50 | if (!server) { | |
51 | /* | |
52 | * If it's ServerHello we can't have any extensions not sent in | |
53 | * ClientHello. | |
54 | */ | |
55 | if (!(meth->ext_flags & SSL_EXT_FLAG_SENT)) { | |
56 | *al = TLS1_AD_UNSUPPORTED_EXTENSION; | |
57 | return 0; | |
58 | } | |
59 | } | |
60 | /* If already present it's a duplicate */ | |
61 | if (meth->ext_flags & SSL_EXT_FLAG_RECEIVED) { | |
62 | *al = TLS1_AD_DECODE_ERROR; | |
63 | return 0; | |
64 | } | |
65 | meth->ext_flags |= SSL_EXT_FLAG_RECEIVED; | |
66 | /* If no parse function set return success */ | |
67 | if (!meth->parse_cb) | |
68 | return 1; | |
ecf4d660 | 69 | |
a230b26e | 70 | return meth->parse_cb(s, ext_type, ext_data, ext_size, al, meth->parse_arg); |
0f113f3e | 71 | } |
ecf4d660 | 72 | |
2c7b4dbc MC |
73 | /* |
74 | * Request custom extension data from the application and add to the return | |
75 | * buffer. | |
76 | */ | |
ae2f7b37 | 77 | int custom_ext_add(SSL *s, int server, WPACKET *pkt, int *al) |
2c7b4dbc MC |
78 | { |
79 | custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext; | |
80 | custom_ext_method *meth; | |
81 | size_t i; | |
82 | ||
83 | for (i = 0; i < exts->meths_count; i++) { | |
84 | const unsigned char *out = NULL; | |
85 | size_t outlen = 0; | |
2c7b4dbc MC |
86 | |
87 | meth = exts->meths + i; | |
88 | ||
89 | if (server) { | |
90 | /* | |
91 | * For ServerHello only send extensions present in ClientHello. | |
92 | */ | |
93 | if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) | |
94 | continue; | |
95 | /* If callback absent for server skip it */ | |
96 | if (!meth->add_cb) | |
97 | continue; | |
98 | } | |
99 | if (meth->add_cb) { | |
100 | int cb_retval = 0; | |
101 | cb_retval = meth->add_cb(s, meth->ext_type, | |
102 | &out, &outlen, al, meth->add_arg); | |
103 | if (cb_retval < 0) | |
104 | return 0; /* error */ | |
105 | if (cb_retval == 0) | |
106 | continue; /* skip this extension */ | |
107 | } | |
108 | ||
08029dfa | 109 | if (!WPACKET_put_bytes_u16(pkt, meth->ext_type) |
de451856 | 110 | || !WPACKET_start_sub_packet_u16(pkt) |
0217dd19 MC |
111 | || (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen)) |
112 | || !WPACKET_close(pkt)) { | |
2c7b4dbc MC |
113 | *al = SSL_AD_INTERNAL_ERROR; |
114 | return 0; | |
115 | } | |
116 | /* | |
117 | * We can't send duplicates: code logic should prevent this. | |
118 | */ | |
119 | OPENSSL_assert(!(meth->ext_flags & SSL_EXT_FLAG_SENT)); | |
120 | /* | |
121 | * Indicate extension has been sent: this is both a sanity check to | |
122 | * ensure we don't send duplicate extensions and indicates that it is | |
123 | * not an error if the extension is present in ServerHello. | |
124 | */ | |
125 | meth->ext_flags |= SSL_EXT_FLAG_SENT; | |
126 | if (meth->free_cb) | |
127 | meth->free_cb(s, meth->ext_type, out, meth->add_arg); | |
128 | } | |
129 | return 1; | |
130 | } | |
131 | ||
ecf4d660 | 132 | /* Copy table of custom extensions */ |
ecf4d660 | 133 | int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src) |
0f113f3e MC |
134 | { |
135 | if (src->meths_count) { | |
136 | dst->meths = | |
7644a9ae | 137 | OPENSSL_memdup(src->meths, |
a230b26e | 138 | sizeof(custom_ext_method) * src->meths_count); |
0f113f3e MC |
139 | if (dst->meths == NULL) |
140 | return 0; | |
141 | dst->meths_count = src->meths_count; | |
142 | } | |
143 | return 1; | |
144 | } | |
ecf4d660 DSH |
145 | |
146 | void custom_exts_free(custom_ext_methods *exts) | |
0f113f3e | 147 | { |
b548a1f1 | 148 | OPENSSL_free(exts->meths); |
0f113f3e | 149 | } |
ecf4d660 | 150 | |
0cfefe4b | 151 | /* Set callbacks for a custom extension. */ |
8cafe9e8 | 152 | static int custom_ext_meth_add(custom_ext_methods *exts, |
0f113f3e MC |
153 | unsigned int ext_type, |
154 | custom_ext_add_cb add_cb, | |
155 | custom_ext_free_cb free_cb, | |
156 | void *add_arg, | |
157 | custom_ext_parse_cb parse_cb, void *parse_arg) | |
158 | { | |
7c0ef843 | 159 | custom_ext_method *meth, *tmp; |
0f113f3e MC |
160 | /* |
161 | * Check application error: if add_cb is not set free_cb will never be | |
162 | * called. | |
163 | */ | |
164 | if (!add_cb && free_cb) | |
165 | return 0; | |
ed29e82a RP |
166 | /* |
167 | * Don't add if extension supported internally, but make exception | |
168 | * for extension types that previously were not supported, but now are. | |
169 | */ | |
170 | if (SSL_extension_supported(ext_type) && | |
171 | ext_type != TLSEXT_TYPE_signed_certificate_timestamp) | |
0f113f3e MC |
172 | return 0; |
173 | /* Extension type must fit in 16 bits */ | |
174 | if (ext_type > 0xffff) | |
175 | return 0; | |
176 | /* Search for duplicate */ | |
177 | if (custom_ext_find(exts, ext_type)) | |
178 | return 0; | |
7c0ef843 DSH |
179 | tmp = OPENSSL_realloc(exts->meths, |
180 | (exts->meths_count + 1) * sizeof(custom_ext_method)); | |
ecf4d660 | 181 | |
ed874fac | 182 | if (tmp == NULL) |
0f113f3e | 183 | return 0; |
ecf4d660 | 184 | |
7c0ef843 | 185 | exts->meths = tmp; |
0f113f3e | 186 | meth = exts->meths + exts->meths_count; |
16f8d4eb | 187 | memset(meth, 0, sizeof(*meth)); |
0f113f3e MC |
188 | meth->parse_cb = parse_cb; |
189 | meth->add_cb = add_cb; | |
190 | meth->free_cb = free_cb; | |
191 | meth->ext_type = ext_type; | |
192 | meth->add_arg = add_arg; | |
193 | meth->parse_arg = parse_arg; | |
194 | exts->meths_count++; | |
195 | return 1; | |
196 | } | |
ecf4d660 | 197 | |
ed29e82a RP |
198 | /* Return true if a client custom extension exists, false otherwise */ |
199 | int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type) | |
200 | { | |
201 | return custom_ext_find(&ctx->cert->cli_ext, ext_type) != NULL; | |
202 | } | |
203 | ||
ecf4d660 | 204 | /* Application level functions to add custom extension callbacks */ |
8cafe9e8 | 205 | int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, |
0f113f3e MC |
206 | custom_ext_add_cb add_cb, |
207 | custom_ext_free_cb free_cb, | |
0cfefe4b | 208 | void *add_arg, |
a230b26e | 209 | custom_ext_parse_cb parse_cb, void *parse_arg) |
0f113f3e | 210 | { |
ed29e82a RP |
211 | #ifndef OPENSSL_NO_CT |
212 | /* | |
213 | * We don't want applications registering callbacks for SCT extensions | |
214 | * whilst simultaneously using the built-in SCT validation features, as | |
215 | * these two things may not play well together. | |
216 | */ | |
217 | if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp && | |
43341433 VD |
218 | SSL_CTX_ct_is_enabled(ctx)) |
219 | return 0; | |
ed29e82a | 220 | #endif |
43341433 VD |
221 | return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb, |
222 | free_cb, add_arg, parse_cb, parse_arg); | |
0f113f3e | 223 | } |
ecf4d660 | 224 | |
8cafe9e8 | 225 | int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, |
0f113f3e MC |
226 | custom_ext_add_cb add_cb, |
227 | custom_ext_free_cb free_cb, | |
0cfefe4b | 228 | void *add_arg, |
a230b26e | 229 | custom_ext_parse_cb parse_cb, void *parse_arg) |
0f113f3e MC |
230 | { |
231 | return custom_ext_meth_add(&ctx->cert->srv_ext, ext_type, | |
232 | add_cb, free_cb, add_arg, parse_cb, parse_arg); | |
233 | } | |
c846a5f5 DSH |
234 | |
235 | int SSL_extension_supported(unsigned int ext_type) | |
0f113f3e MC |
236 | { |
237 | switch (ext_type) { | |
238 | /* Internally supported extensions. */ | |
239 | case TLSEXT_TYPE_application_layer_protocol_negotiation: | |
240 | case TLSEXT_TYPE_ec_point_formats: | |
de4d764e | 241 | case TLSEXT_TYPE_supported_groups: |
1595ca02 | 242 | #ifndef OPENSSL_NO_NEXTPROTONEG |
0f113f3e | 243 | case TLSEXT_TYPE_next_proto_neg: |
1595ca02 | 244 | #endif |
0f113f3e MC |
245 | case TLSEXT_TYPE_padding: |
246 | case TLSEXT_TYPE_renegotiate: | |
247 | case TLSEXT_TYPE_server_name: | |
248 | case TLSEXT_TYPE_session_ticket: | |
249 | case TLSEXT_TYPE_signature_algorithms: | |
250 | case TLSEXT_TYPE_srp: | |
251 | case TLSEXT_TYPE_status_request: | |
ed29e82a | 252 | case TLSEXT_TYPE_signed_certificate_timestamp: |
0f113f3e | 253 | case TLSEXT_TYPE_use_srtp: |
e481f9b9 | 254 | #ifdef TLSEXT_TYPE_encrypt_then_mac |
0f113f3e | 255 | case TLSEXT_TYPE_encrypt_then_mac: |
e481f9b9 | 256 | #endif |
91b60e2a MC |
257 | case TLSEXT_TYPE_key_share: |
258 | case TLSEXT_TYPE_supported_versions: | |
259 | case TLSEXT_TYPE_extended_master_secret: | |
0f113f3e MC |
260 | return 1; |
261 | default: | |
262 | return 0; | |
263 | } | |
264 | } |