]>
Commit | Line | Data |
---|---|---|
6b473aca MC |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
6b473aca MC |
10 | #include "../ssl_locl.h" |
11 | #include "statem_locl.h" | |
12 | ||
1266eefd | 13 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e | 14 | int *al); |
1266eefd MC |
15 | static int init_server_name(SSL *s, unsigned int context); |
16 | static int final_server_name(SSL *s, unsigned int context, int sent, | |
805a2e9e | 17 | int *al); |
332eb390 | 18 | #ifndef OPENSSL_NO_EC |
1266eefd | 19 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
20 | int *al); |
21 | #endif | |
1266eefd MC |
22 | static int init_session_ticket(SSL *s, unsigned int context); |
23 | static int init_status_request(SSL *s, unsigned int context); | |
24 | static int final_status_request(SSL *s, unsigned int context, int sent, | |
332eb390 | 25 | int *al); |
805a2e9e | 26 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 27 | static int init_npn(SSL *s, unsigned int context); |
805a2e9e | 28 | #endif |
1266eefd MC |
29 | static int init_alpn(SSL *s, unsigned int context); |
30 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al); | |
31 | static int init_sig_algs(SSL *s, unsigned int context); | |
805a2e9e | 32 | #ifndef OPENSSL_NO_SRP |
1266eefd | 33 | static int init_srp(SSL *s, unsigned int context); |
805a2e9e | 34 | #endif |
1266eefd MC |
35 | static int init_etm(SSL *s, unsigned int context); |
36 | static int init_ems(SSL *s, unsigned int context); | |
37 | static int final_ems(SSL *s, unsigned int context, int sent, int *al); | |
805a2e9e | 38 | #ifndef OPENSSL_NO_SRTP |
1266eefd | 39 | static int init_srtp(SSL *s, unsigned int context); |
805a2e9e MC |
40 | #endif |
41 | ||
70af3d8e | 42 | /* Structure to define a built-in extension */ |
1266eefd MC |
43 | typedef struct extensions_definition_st { |
44 | /* The defined type for the extension */ | |
6b473aca | 45 | unsigned int type; |
1266eefd MC |
46 | /* |
47 | * The context that this extension applies to, e.g. what messages and | |
48 | * protocol versions | |
49 | */ | |
50 | unsigned int context; | |
68db4dda | 51 | /* |
805a2e9e MC |
52 | * Initialise extension before parsing. Always called for relevant contexts |
53 | * even if extension not present | |
68db4dda | 54 | */ |
1266eefd MC |
55 | int (*init)(SSL *s, unsigned int context); |
56 | /* Parse extension sent from client to server */ | |
57 | int (*parse_ctos)(SSL *s, PACKET *pkt, int *al); | |
58 | /* Parse extension send from server to client */ | |
59 | int (*parse_stoc)(SSL *s, PACKET *pkt, int *al); | |
60 | /* Construct extension sent from server to client */ | |
61 | int (*construct_stoc)(SSL *s, WPACKET *pkt, int *al); | |
62 | /* Construct extension sent from client to server */ | |
63 | int (*construct_ctos)(SSL *s, WPACKET *pkt, int *al); | |
68db4dda | 64 | /* |
805a2e9e MC |
65 | * Finalise extension after parsing. Always called where an extensions was |
66 | * initialised even if the extension was not present. |sent| is set to 1 if | |
67 | * the extension was seen, or 0 otherwise. | |
68db4dda | 68 | */ |
1266eefd | 69 | int (*final)(SSL *s, unsigned int context, int sent, int *al); |
6b473aca MC |
70 | } EXTENSION_DEFINITION; |
71 | ||
4b299b8e | 72 | /* |
70af3d8e MC |
73 | * Definitions of all built-in extensions. NOTE: Changes in the number or order |
74 | * of these extensions should be mirrored with equivalent changes to the indexes | |
75 | * defined in statem_locl.h. | |
76 | * Each extension has an initialiser, a client and | |
77 | * server side parser and a finaliser. The initialiser is called (if the | |
78 | * extension is relevant to the given context) even if we did not see the | |
79 | * extension in the message that we received. The parser functions are only | |
80 | * called if we see the extension in the message. The finalisers are always | |
81 | * called if the initialiser was called. | |
82 | * There are also server and client side constructor functions which are always | |
83 | * called during message construction if the extension is relevant for the | |
84 | * given context. | |
85 | * The initialisation, parsing, finalisation and construction functions are | |
86 | * always called in the order defined in this list. Some extensions may depend | |
87 | * on others having been processed first, so the order of this list is | |
88 | * significant. | |
89 | * The extension context is defined by a series of flags which specify which | |
90 | * messages the extension is relevant to. These flags also specify whether the | |
91 | * extension is relevant to a paricular protocol or protocol version. | |
a1448c26 | 92 | * |
70af3d8e | 93 | * TODO(TLS1.3): Make sure we have a test to check the consistency of these |
4b299b8e | 94 | */ |
6b473aca MC |
95 | static const EXTENSION_DEFINITION ext_defs[] = { |
96 | { | |
97 | TLSEXT_TYPE_renegotiate, | |
6b473aca | 98 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED |
1266eefd MC |
99 | | EXT_TLS1_2_AND_BELOW_ONLY, |
100 | NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, | |
101 | tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, | |
102 | final_renegotiate | |
6b473aca MC |
103 | }, |
104 | { | |
105 | TLSEXT_TYPE_server_name, | |
6b473aca | 106 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
107 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
108 | init_server_name, | |
109 | tls_parse_ctos_server_name, tls_parse_stoc_server_name, | |
110 | tls_construct_stoc_server_name, tls_construct_ctos_server_name, | |
111 | final_server_name | |
6b473aca MC |
112 | }, |
113 | #ifndef OPENSSL_NO_SRP | |
114 | { | |
115 | TLSEXT_TYPE_srp, | |
1266eefd MC |
116 | EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
117 | init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL | |
6b473aca MC |
118 | }, |
119 | #endif | |
120 | #ifndef OPENSSL_NO_EC | |
121 | { | |
122 | TLSEXT_TYPE_ec_point_formats, | |
1266eefd MC |
123 | EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
124 | NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, | |
125 | tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, | |
126 | final_ec_pt_formats | |
6b473aca MC |
127 | }, |
128 | { | |
129 | TLSEXT_TYPE_supported_groups, | |
1266eefd MC |
130 | EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
131 | NULL, tls_parse_ctos_supported_groups, NULL, | |
7da160b0 | 132 | NULL /* TODO(TLS1.3): Need to add this */, |
1266eefd | 133 | tls_construct_ctos_supported_groups, NULL |
6b473aca MC |
134 | }, |
135 | #endif | |
136 | { | |
137 | TLSEXT_TYPE_session_ticket, | |
1266eefd MC |
138 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
139 | init_session_ticket, tls_parse_ctos_session_ticket, | |
140 | tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, | |
141 | tls_construct_ctos_session_ticket, NULL | |
6b473aca MC |
142 | }, |
143 | { | |
144 | TLSEXT_TYPE_signature_algorithms, | |
1266eefd MC |
145 | EXT_CLIENT_HELLO, |
146 | init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL, | |
147 | tls_construct_ctos_sig_algs, NULL | |
6b473aca | 148 | }, |
ab83e314 | 149 | #ifndef OPENSSL_NO_OCSP |
6b473aca MC |
150 | { |
151 | TLSEXT_TYPE_status_request, | |
4b299b8e | 152 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
153 | | EXT_TLS1_3_CERTIFICATE, |
154 | init_status_request, tls_parse_ctos_status_request, | |
155 | tls_parse_stoc_status_request, tls_construct_stoc_status_request, | |
156 | tls_construct_ctos_status_request, final_status_request | |
6b473aca | 157 | }, |
ab83e314 | 158 | #endif |
6b473aca MC |
159 | #ifndef OPENSSL_NO_NEXTPROTONEG |
160 | { | |
161 | TLSEXT_TYPE_next_proto_neg, | |
1266eefd MC |
162 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
163 | init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, | |
164 | tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL | |
6b473aca MC |
165 | }, |
166 | #endif | |
167 | { | |
02f0274e MC |
168 | /* |
169 | * Must appear in this list after server_name so that finalisation | |
170 | * happens after server_name callbacks | |
171 | */ | |
6b473aca | 172 | TLSEXT_TYPE_application_layer_protocol_negotiation, |
6b473aca | 173 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
174 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
175 | init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, | |
176 | tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn | |
6b473aca | 177 | }, |
7da160b0 | 178 | #ifndef OPENSSL_NO_SRTP |
6b473aca MC |
179 | { |
180 | TLSEXT_TYPE_use_srtp, | |
6b473aca | 181 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
182 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY, |
183 | init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, | |
184 | tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL | |
6b473aca | 185 | }, |
7da160b0 | 186 | #endif |
6b473aca MC |
187 | { |
188 | TLSEXT_TYPE_encrypt_then_mac, | |
1266eefd MC |
189 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
190 | init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, | |
191 | tls_construct_stoc_etm, tls_construct_ctos_etm, NULL | |
6b473aca | 192 | }, |
6dd083fd | 193 | #ifndef OPENSSL_NO_CT |
6b473aca MC |
194 | { |
195 | TLSEXT_TYPE_signed_certificate_timestamp, | |
1266eefd MC |
196 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
197 | | EXT_TLS1_3_CERTIFICATE, | |
68db4dda | 198 | NULL, |
6b473aca MC |
199 | /* |
200 | * No server side support for this, but can be provided by a custom | |
201 | * extension. This is an exception to the rule that custom extensions | |
202 | * cannot override built in ones. | |
203 | */ | |
1266eefd | 204 | NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL |
6b473aca | 205 | }, |
6dd083fd | 206 | #endif |
6b473aca MC |
207 | { |
208 | TLSEXT_TYPE_extended_master_secret, | |
1266eefd MC |
209 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
210 | init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, | |
211 | tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems | |
6b473aca MC |
212 | }, |
213 | { | |
214 | TLSEXT_TYPE_supported_versions, | |
1266eefd | 215 | EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, |
68db4dda | 216 | NULL, |
6b473aca | 217 | /* Processed inline as part of version selection */ |
1266eefd | 218 | NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL |
6b473aca MC |
219 | }, |
220 | { | |
70af3d8e MC |
221 | /* |
222 | * Must be in this list after supported_groups. We need that to have | |
223 | * been parsed before we do this one. | |
224 | */ | |
6b473aca | 225 | TLSEXT_TYPE_key_share, |
6b473aca MC |
226 | EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO |
227 | | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY | |
1266eefd MC |
228 | | EXT_TLS1_3_ONLY, |
229 | NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, | |
230 | tls_construct_stoc_key_share, tls_construct_ctos_key_share, NULL | |
7da160b0 MC |
231 | }, |
232 | { | |
233 | /* | |
234 | * Special unsolicited ServerHello extension only used when | |
235 | * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set | |
236 | */ | |
237 | TLSEXT_TYPE_cryptopro_bug, | |
1266eefd MC |
238 | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
239 | NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL | |
ab83e314 MC |
240 | }, |
241 | { | |
242 | /* Last in the list because it must be added as the last extension */ | |
243 | TLSEXT_TYPE_padding, | |
1266eefd | 244 | EXT_CLIENT_HELLO, |
68db4dda | 245 | NULL, |
ab83e314 | 246 | /* We send this, but don't read it */ |
1266eefd | 247 | NULL, NULL, NULL, tls_construct_ctos_padding, NULL |
6b473aca MC |
248 | } |
249 | }; | |
250 | ||
6b473aca MC |
251 | /* |
252 | * Verify whether we are allowed to use the extension |type| in the current | |
253 | * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to | |
70af3d8e MC |
254 | * indicate the extension is not allowed. If returning 1 then |*found| is set to |
255 | * 1 if we found a definition for the extension, and |*idx| is set to its index | |
6b473aca | 256 | */ |
70af3d8e | 257 | static int verify_extension(SSL *s, unsigned int context, unsigned int type, |
1266eefd MC |
258 | custom_ext_methods *meths, RAW_EXTENSION *rawexlist, |
259 | RAW_EXTENSION **found) | |
6b473aca MC |
260 | { |
261 | size_t i; | |
70af3d8e | 262 | size_t builtin_num = OSSL_NELEM(ext_defs); |
d270de32 | 263 | const EXTENSION_DEFINITION *thisext; |
6b473aca | 264 | |
1266eefd MC |
265 | for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { |
266 | if (type == thisext->type) { | |
6b473aca | 267 | /* Check we're allowed to use this extension in this context */ |
1266eefd | 268 | if ((context & thisext->context) == 0) |
6b473aca MC |
269 | return 0; |
270 | ||
271 | if (SSL_IS_DTLS(s)) { | |
1266eefd | 272 | if ((thisext->context & EXT_TLS_ONLY) != 0) |
6b473aca | 273 | return 0; |
1266eefd | 274 | } else if ((thisext->context & EXT_DTLS_ONLY) != 0) { |
6b473aca MC |
275 | return 0; |
276 | } | |
277 | ||
1266eefd | 278 | *found = &rawexlist[i]; |
6b473aca MC |
279 | return 1; |
280 | } | |
281 | } | |
282 | ||
70af3d8e MC |
283 | if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) { |
284 | /* | |
285 | * Custom extensions only apply to <=TLS1.2. This extension is unknown | |
286 | * in this context - we allow it | |
287 | */ | |
1266eefd | 288 | *found = NULL; |
70af3d8e MC |
289 | return 1; |
290 | } | |
6b473aca | 291 | |
70af3d8e MC |
292 | /* Check the custom extensions */ |
293 | if (meths != NULL) { | |
294 | for (i = builtin_num; i < builtin_num + meths->meths_count; i++) { | |
295 | if (meths->meths[i - builtin_num].ext_type == type) { | |
1266eefd | 296 | *found = &rawexlist[i]; |
70af3d8e MC |
297 | return 1; |
298 | } | |
6b473aca MC |
299 | } |
300 | } | |
301 | ||
70af3d8e | 302 | /* Unknown extension. We allow it */ |
1266eefd | 303 | *found = NULL; |
70af3d8e | 304 | return 1; |
6b473aca MC |
305 | } |
306 | ||
70af3d8e MC |
307 | /* |
308 | * Check whether the context defined for an extension |extctx| means whether | |
309 | * the extension is relevant for the current context |thisctx| or not. Returns | |
310 | * 1 if the extension is relevant for this context, and 0 otherwise | |
311 | */ | |
805a2e9e MC |
312 | static int extension_is_relevant(SSL *s, unsigned int extctx, |
313 | unsigned int thisctx) | |
314 | { | |
315 | if ((SSL_IS_DTLS(s) | |
316 | && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0) | |
317 | || (s->version == SSL3_VERSION | |
318 | && (extctx & EXT_SSL3_ALLOWED) == 0) | |
319 | || (SSL_IS_TLS13(s) | |
320 | && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0) | |
321 | || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0)) | |
322 | return 0; | |
323 | ||
324 | return 1; | |
325 | } | |
326 | ||
6b473aca MC |
327 | /* |
328 | * Gather a list of all the extensions from the data in |packet]. |context| | |
70af3d8e | 329 | * tells us which message this extension is for. The raw extension data is |
1266eefd MC |
330 | * stored in |*res| on success. In the event of an error the alert type to use |
331 | * is stored in |*al|. We don't actually process the content of the extensions | |
332 | * yet, except to check their types. This function also runs the initialiser | |
333 | * functions for all known extensions (whether we have collected them or not). | |
334 | * If successful the caller is responsible for freeing the contents of |*res|. | |
6b473aca MC |
335 | * |
336 | * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be | |
337 | * more than one extension of the same type in a ClientHello or ServerHello. | |
338 | * This function returns 1 if all extensions are unique and we have parsed their | |
339 | * types, and 0 if the extensions contain duplicates, could not be successfully | |
1266eefd | 340 | * found, or an internal error occurred. We only check duplicates for |
70af3d8e | 341 | * extensions that we know about. We ignore others. |
6b473aca | 342 | */ |
6b473aca | 343 | int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, |
70af3d8e | 344 | RAW_EXTENSION **res, int *al) |
6b473aca MC |
345 | { |
346 | PACKET extensions = *packet; | |
d270de32 | 347 | size_t i = 0; |
70af3d8e | 348 | custom_ext_methods *exts = NULL; |
6b473aca | 349 | RAW_EXTENSION *raw_extensions = NULL; |
d270de32 | 350 | const EXTENSION_DEFINITION *thisexd; |
6b473aca | 351 | |
70af3d8e MC |
352 | /* |
353 | * Initialise server side custom extensions. Client side is done during | |
354 | * construction of extensions for the ClientHello. | |
355 | */ | |
356 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
357 | exts = &s->cert->srv_ext; | |
358 | custom_ext_init(&s->cert->srv_ext); | |
359 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
360 | exts = &s->cert->cli_ext; | |
361 | } | |
362 | ||
363 | raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs) | |
364 | + (exts != NULL ? exts->meths_count : 0)) | |
1266eefd | 365 | * sizeof(*raw_extensions)); |
70af3d8e MC |
366 | if (raw_extensions == NULL) { |
367 | *al = SSL_AD_INTERNAL_ERROR; | |
368 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE); | |
369 | return 0; | |
370 | } | |
371 | ||
6b473aca MC |
372 | while (PACKET_remaining(&extensions) > 0) { |
373 | unsigned int type; | |
374 | PACKET extension; | |
1266eefd | 375 | RAW_EXTENSION *thisex; |
6b473aca MC |
376 | |
377 | if (!PACKET_get_net_2(&extensions, &type) || | |
378 | !PACKET_get_length_prefixed_2(&extensions, &extension)) { | |
379 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); | |
70af3d8e | 380 | *al = SSL_AD_DECODE_ERROR; |
6b473aca MC |
381 | goto err; |
382 | } | |
70af3d8e MC |
383 | /* |
384 | * Verify this extension is allowed. We only check duplicates for | |
385 | * extensions that we recognise. | |
386 | */ | |
1266eefd MC |
387 | if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) |
388 | || (thisex != NULL && thisex->present == 1)) { | |
6b473aca | 389 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); |
70af3d8e | 390 | *al = SSL_AD_ILLEGAL_PARAMETER; |
6b473aca MC |
391 | goto err; |
392 | } | |
1266eefd MC |
393 | if (thisex != NULL) { |
394 | thisex->data = extension; | |
395 | thisex->present = 1; | |
396 | thisex->type = type; | |
6b473aca MC |
397 | } |
398 | } | |
399 | ||
68db4dda MC |
400 | /* |
401 | * Initialise all known extensions relevant to this context, whether we have | |
402 | * found them or not | |
403 | */ | |
1266eefd MC |
404 | for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
405 | if(thisexd->init != NULL && (thisexd->context & context) != 0 | |
406 | && extension_is_relevant(s, thisexd->context, context) | |
407 | && !thisexd->init(s, context)) { | |
70af3d8e | 408 | *al = SSL_AD_INTERNAL_ERROR; |
68db4dda MC |
409 | goto err; |
410 | } | |
411 | } | |
412 | ||
6b473aca | 413 | *res = raw_extensions; |
6b473aca MC |
414 | return 1; |
415 | ||
416 | err: | |
417 | OPENSSL_free(raw_extensions); | |
418 | return 0; | |
419 | } | |
420 | ||
68db4dda | 421 | /* |
70af3d8e MC |
422 | * Runs the parser for a given extension with index |idx|. |exts| contains the |
423 | * list of all parsed extensions previously collected by | |
424 | * tls_collect_extensions(). The parser is only run if it is applicable for the | |
425 | * given |context| and the parser has not already been run. Returns 1 on success | |
426 | * or 0 on failure. In the event of a failure |*al| is populated with a suitable | |
427 | * alert code. If an extension is not present this counted as success. | |
68db4dda | 428 | */ |
d270de32 | 429 | int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, |
70af3d8e | 430 | RAW_EXTENSION *exts, int *al) |
6b473aca | 431 | { |
70af3d8e MC |
432 | RAW_EXTENSION *currext = &exts[idx]; |
433 | int (*parser)(SSL *s, PACKET *pkt, int *al) = NULL; | |
6b473aca | 434 | |
70af3d8e MC |
435 | /* Skip if the extension is not present */ |
436 | if (!currext->present) | |
437 | return 1; | |
6b473aca | 438 | |
70af3d8e MC |
439 | if (s->tlsext_debug_cb) |
440 | s->tlsext_debug_cb(s, !s->server, currext->type, | |
441 | PACKET_data(&currext->data), | |
442 | PACKET_remaining(&currext->data), | |
443 | s->tlsext_debug_arg); | |
6b473aca | 444 | |
70af3d8e MC |
445 | /* Skip if we've already parsed this extension */ |
446 | if (currext->parsed) | |
447 | return 1; | |
6b473aca | 448 | |
70af3d8e MC |
449 | currext->parsed = 1; |
450 | ||
451 | if (idx < OSSL_NELEM(ext_defs)) { | |
452 | /* We are handling a built-in extension */ | |
453 | const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; | |
454 | ||
455 | /* Check if extension is defined for our protocol. If not, skip */ | |
456 | if (!extension_is_relevant(s, extdef->context, context)) | |
457 | return 1; | |
458 | ||
1266eefd | 459 | parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; |
224135e9 | 460 | |
1266eefd MC |
461 | if (parser != NULL) |
462 | return parser(s, &currext->data, al); | |
6b473aca | 463 | |
70af3d8e MC |
464 | /* |
465 | * If the parser is NULL we fall through to the custom extension | |
466 | * processing | |
467 | */ | |
6b473aca MC |
468 | } |
469 | ||
70af3d8e MC |
470 | /* |
471 | * This is a custom extension. We only allow this if it is a non | |
472 | * resumed session on the server side. | |
473 | * | |
474 | * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions. | |
475 | * We're going to need a new mechanism for TLS1.3 to specify which | |
476 | * messages to add the custom extensions to. | |
477 | */ | |
478 | if ((!s->hit || !s->server) | |
479 | && (context | |
480 | & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 | |
481 | && custom_ext_parse(s, s->server, currext->type, | |
482 | PACKET_data(&currext->data), | |
483 | PACKET_remaining(&currext->data), | |
484 | al) <= 0) | |
485 | return 0; | |
486 | ||
805a2e9e MC |
487 | return 1; |
488 | } | |
489 | ||
490 | /* | |
491 | * Parse all remaining extensions that have not yet been parsed. Also calls the | |
70af3d8e MC |
492 | * finalisation for all extensions at the end, whether we collected them or not. |
493 | * Returns 1 for success or 0 for failure. On failure, |*al| is populated with a | |
494 | * suitable alert code. | |
805a2e9e | 495 | */ |
70af3d8e | 496 | int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, int *al) |
805a2e9e | 497 | { |
1266eefd | 498 | size_t i, numexts = OSSL_NELEM(ext_defs); |
d270de32 | 499 | const EXTENSION_DEFINITION *thisexd; |
805a2e9e | 500 | |
70af3d8e MC |
501 | /* Calculate the number of extensions in the extensions list */ |
502 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
503 | numexts += s->cert->srv_ext.meths_count; | |
504 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
505 | numexts += s->cert->cli_ext.meths_count; | |
506 | } | |
507 | ||
508 | /* Parse each extension in turn */ | |
1266eefd | 509 | for (i = 0; i < numexts; i++) { |
d270de32 | 510 | if (!tls_parse_extension(s, i, context, exts, al)) |
70af3d8e MC |
511 | return 0; |
512 | } | |
805a2e9e | 513 | |
68db4dda MC |
514 | /* |
515 | * Finalise all known extensions relevant to this context, whether we have | |
516 | * found them or not | |
517 | */ | |
1266eefd MC |
518 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
519 | if(thisexd->final != NULL | |
520 | && (thisexd->context & context) != 0 | |
521 | && !thisexd->final(s, context, exts[i].present, al)) | |
68db4dda | 522 | return 0; |
68db4dda MC |
523 | } |
524 | ||
6b473aca MC |
525 | return 1; |
526 | } | |
527 | ||
528 | /* | |
70af3d8e MC |
529 | * Construct all the extensions relevant to the current |context| and write |
530 | * them to |pkt|. Returns 1 on success or 0 on failure. If a failure occurs then | |
1266eefd MC |
531 | * |al| is populated with a suitable alert code. On a failure construction stops |
532 | * at the first extension to fail to construct. | |
6b473aca | 533 | */ |
224135e9 MC |
534 | int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, |
535 | int *al) | |
536 | { | |
1266eefd MC |
537 | size_t i; |
538 | int addcustom = 0, min_version, max_version = 0, reason, tmpal; | |
d270de32 | 539 | const EXTENSION_DEFINITION *thisexd; |
224135e9 | 540 | |
7da160b0 | 541 | /* |
70af3d8e | 542 | * Normally if something goes wrong during construction it's an internal |
7da160b0 MC |
543 | * error. We can always override this later. |
544 | */ | |
70af3d8e | 545 | tmpal = SSL_AD_INTERNAL_ERROR; |
7da160b0 | 546 | |
224135e9 MC |
547 | if (!WPACKET_start_sub_packet_u16(pkt) |
548 | /* | |
549 | * If extensions are of zero length then we don't even add the | |
7da160b0 | 550 | * extensions length bytes to a ClientHello/ServerHello in SSLv3 |
224135e9 | 551 | */ |
7da160b0 MC |
552 | || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 |
553 | && s->version == SSL3_VERSION | |
224135e9 MC |
554 | && !WPACKET_set_flags(pkt, |
555 | WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { | |
224135e9 | 556 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 557 | goto err; |
224135e9 MC |
558 | } |
559 | ||
ab83e314 MC |
560 | if ((context & EXT_CLIENT_HELLO) != 0) { |
561 | reason = ssl_get_client_min_max_version(s, &min_version, &max_version); | |
562 | if (reason != 0) { | |
563 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); | |
70af3d8e | 564 | goto err; |
ab83e314 MC |
565 | } |
566 | } | |
567 | ||
568 | /* Add custom extensions first */ | |
569 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
570 | custom_ext_init(&s->cert->cli_ext); | |
571 | addcustom = 1; | |
572 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
573 | /* | |
574 | * We already initialised the custom extensions during ClientHello | |
575 | * parsing. | |
a1448c26 | 576 | * |
ab83e314 MC |
577 | * TODO(TLS1.3): We're going to need a new custom extension mechanism |
578 | * for TLS1.3, so that custom extensions can specify which of the | |
579 | * multiple message they wish to add themselves to. | |
580 | */ | |
581 | addcustom = 1; | |
582 | } | |
583 | ||
70af3d8e | 584 | if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) { |
ab83e314 | 585 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 586 | goto err; |
ab83e314 MC |
587 | } |
588 | ||
1266eefd | 589 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
4b299b8e MC |
590 | int (*construct)(SSL *s, WPACKET *pkt, int *al); |
591 | ||
224135e9 | 592 | /* Skip if not relevant for our context */ |
d270de32 | 593 | if ((thisexd->context & context) == 0) |
224135e9 MC |
594 | continue; |
595 | ||
1266eefd MC |
596 | construct = s->server ? thisexd->construct_stoc |
597 | : thisexd->construct_ctos; | |
224135e9 MC |
598 | |
599 | /* Check if this extension is defined for our protocol. If not, skip */ | |
600 | if ((SSL_IS_DTLS(s) | |
1266eefd | 601 | && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY) |
4b299b8e | 602 | != 0) |
224135e9 | 603 | || (s->version == SSL3_VERSION |
1266eefd | 604 | && (thisexd->context & EXT_SSL3_ALLOWED) == 0) |
224135e9 | 605 | || (SSL_IS_TLS13(s) |
1266eefd | 606 | && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY) |
4b299b8e | 607 | != 0) |
224135e9 | 608 | || (!SSL_IS_TLS13(s) |
1266eefd | 609 | && (thisexd->context & EXT_TLS1_3_ONLY) != 0 |
4b299b8e | 610 | && (context & EXT_CLIENT_HELLO) == 0) |
1266eefd | 611 | || ((thisexd->context & EXT_TLS1_3_ONLY) != 0 |
ab83e314 MC |
612 | && (context & EXT_CLIENT_HELLO) != 0 |
613 | && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) | |
224135e9 MC |
614 | || construct == NULL) |
615 | continue; | |
616 | ||
70af3d8e MC |
617 | if (!construct(s, pkt, &tmpal)) |
618 | goto err; | |
224135e9 MC |
619 | } |
620 | ||
224135e9 | 621 | if (!WPACKET_close(pkt)) { |
224135e9 | 622 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 623 | goto err; |
224135e9 MC |
624 | } |
625 | ||
626 | return 1; | |
70af3d8e MC |
627 | |
628 | err: | |
629 | *al = tmpal; | |
630 | return 0; | |
224135e9 | 631 | } |
805a2e9e | 632 | |
70af3d8e MC |
633 | /* |
634 | * Built in extension finalisation and initialisation functions. All initialise | |
635 | * or finalise the associated extension type for the given |context|. For | |
636 | * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 | |
637 | * otherwise. These functions return 1 on success or 0 on failure. In the event | |
638 | * of a failure then |*al| is populated with a suitable error code. | |
639 | */ | |
640 | ||
1266eefd | 641 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
642 | int *al) |
643 | { | |
332eb390 MC |
644 | if (!s->server) { |
645 | /* | |
646 | * Check if we can connect to a server that doesn't support safe | |
647 | * renegotiation | |
648 | */ | |
649 | if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | |
650 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
651 | && !sent) { | |
652 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
653 | SSLerr(SSL_F_TLS_EXT_FINAL_RENEGOTIATE, | |
654 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
655 | return 0; | |
656 | } | |
657 | ||
805a2e9e | 658 | return 1; |
332eb390 | 659 | } |
805a2e9e MC |
660 | |
661 | /* Need RI if renegotiating */ | |
662 | if (s->renegotiate | |
663 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
664 | && !sent) { | |
665 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
666 | SSLerr(SSL_F_TLS_EXT_FINAL_RENEGOTIATE, | |
667 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
668 | return 0; | |
669 | } | |
670 | ||
332eb390 | 671 | |
805a2e9e MC |
672 | return 1; |
673 | } | |
674 | ||
1266eefd | 675 | static int init_server_name(SSL *s, unsigned int context) |
805a2e9e MC |
676 | { |
677 | if (s->server) | |
678 | s->servername_done = 0; | |
679 | ||
680 | return 1; | |
681 | } | |
682 | ||
1266eefd | 683 | static int final_server_name(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
684 | int *al) |
685 | { | |
686 | int ret = SSL_TLSEXT_ERR_NOACK; | |
687 | int altmp = SSL_AD_UNRECOGNIZED_NAME; | |
688 | ||
805a2e9e MC |
689 | if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) |
690 | ret = s->ctx->tlsext_servername_callback(s, &altmp, | |
691 | s->ctx->tlsext_servername_arg); | |
692 | else if (s->initial_ctx != NULL | |
693 | && s->initial_ctx->tlsext_servername_callback != 0) | |
694 | ret = s->initial_ctx->tlsext_servername_callback(s, &altmp, | |
695 | s->initial_ctx->tlsext_servername_arg); | |
696 | ||
697 | switch (ret) { | |
698 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
699 | *al = altmp; | |
700 | return 0; | |
701 | ||
702 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
703 | *al = altmp; | |
704 | return 1; | |
705 | ||
706 | case SSL_TLSEXT_ERR_NOACK: | |
707 | s->servername_done = 0; | |
708 | return 1; | |
709 | ||
710 | default: | |
711 | return 1; | |
712 | } | |
713 | } | |
714 | ||
332eb390 | 715 | #ifndef OPENSSL_NO_EC |
1266eefd | 716 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
717 | int *al) |
718 | { | |
719 | unsigned long alg_k, alg_a; | |
720 | ||
721 | if (s->server) | |
722 | return 1; | |
723 | ||
724 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
725 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
726 | ||
727 | /* | |
728 | * If we are client and using an elliptic curve cryptography cipher | |
729 | * suite, then if server returns an EC point formats lists extension it | |
730 | * must contain uncompressed. | |
731 | */ | |
1266eefd MC |
732 | if (s->tlsext_ecpointformatlist != NULL |
733 | && s->tlsext_ecpointformatlist_length > 0 | |
734 | && s->session->tlsext_ecpointformatlist != NULL | |
735 | && s->session->tlsext_ecpointformatlist_length > 0 | |
736 | && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { | |
332eb390 MC |
737 | /* we are using an ECC cipher */ |
738 | size_t i; | |
1266eefd MC |
739 | unsigned char *list = s->session->tlsext_ecpointformatlist; |
740 | ||
332eb390 | 741 | for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { |
1266eefd | 742 | if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) |
332eb390 | 743 | break; |
332eb390 | 744 | } |
1266eefd | 745 | if (i == s->session->tlsext_ecpointformatlist_length) { |
332eb390 MC |
746 | SSLerr(SSL_F_TLS_EXT_FINAL_EC_PT_FORMATS, |
747 | SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); | |
748 | return 0; | |
749 | } | |
750 | } | |
751 | ||
752 | return 1; | |
753 | } | |
754 | #endif | |
755 | ||
1266eefd | 756 | static int init_session_ticket(SSL *s, unsigned int context) |
332eb390 MC |
757 | { |
758 | if (!s->server) | |
759 | s->tlsext_ticket_expected = 0; | |
760 | ||
761 | return 1; | |
762 | } | |
763 | ||
1266eefd | 764 | static int init_status_request(SSL *s, unsigned int context) |
805a2e9e MC |
765 | { |
766 | if (s->server) | |
cbb09544 | 767 | s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing; |
805a2e9e MC |
768 | |
769 | return 1; | |
770 | } | |
771 | ||
1266eefd | 772 | static int final_status_request(SSL *s, unsigned int context, int sent, |
332eb390 MC |
773 | int *al) |
774 | { | |
775 | if (s->server) | |
776 | return 1; | |
777 | ||
778 | /* | |
779 | * Ensure we get sensible values passed to tlsext_status_cb in the event | |
780 | * that we don't receive a status message | |
781 | */ | |
782 | OPENSSL_free(s->tlsext_ocsp_resp); | |
783 | s->tlsext_ocsp_resp = NULL; | |
784 | s->tlsext_ocsp_resplen = 0; | |
785 | ||
786 | return 1; | |
787 | } | |
788 | ||
805a2e9e | 789 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 790 | static int init_npn(SSL *s, unsigned int context) |
805a2e9e | 791 | { |
332eb390 | 792 | s->s3->next_proto_neg_seen = 0; |
805a2e9e MC |
793 | |
794 | return 1; | |
795 | } | |
796 | #endif | |
797 | ||
1266eefd | 798 | static int init_alpn(SSL *s, unsigned int context) |
805a2e9e | 799 | { |
332eb390 MC |
800 | OPENSSL_free(s->s3->alpn_selected); |
801 | s->s3->alpn_selected = NULL; | |
805a2e9e | 802 | if (s->server) { |
805a2e9e MC |
803 | s->s3->alpn_selected_len = 0; |
804 | OPENSSL_free(s->s3->alpn_proposed); | |
805 | s->s3->alpn_proposed = NULL; | |
806 | s->s3->alpn_proposed_len = 0; | |
807 | } | |
805a2e9e MC |
808 | return 1; |
809 | } | |
810 | ||
1266eefd | 811 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al) |
02f0274e MC |
812 | { |
813 | const unsigned char *selected = NULL; | |
814 | unsigned char selected_len = 0; | |
815 | ||
816 | if (!s->server) | |
817 | return 1; | |
818 | ||
819 | if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { | |
820 | int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, | |
821 | s->s3->alpn_proposed, | |
822 | (unsigned int)s->s3->alpn_proposed_len, | |
823 | s->ctx->alpn_select_cb_arg); | |
824 | ||
825 | if (r == SSL_TLSEXT_ERR_OK) { | |
826 | OPENSSL_free(s->s3->alpn_selected); | |
827 | s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); | |
828 | if (s->s3->alpn_selected == NULL) { | |
829 | *al = SSL_AD_INTERNAL_ERROR; | |
830 | return 0; | |
831 | } | |
832 | s->s3->alpn_selected_len = selected_len; | |
833 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
834 | /* ALPN takes precedence over NPN. */ | |
835 | s->s3->next_proto_neg_seen = 0; | |
836 | #endif | |
837 | } else { | |
838 | *al = SSL_AD_NO_APPLICATION_PROTOCOL; | |
839 | return 0; | |
840 | } | |
841 | } | |
842 | ||
843 | return 1; | |
844 | } | |
845 | ||
1266eefd | 846 | static int init_sig_algs(SSL *s, unsigned int context) |
805a2e9e MC |
847 | { |
848 | /* Clear any signature algorithms extension received */ | |
849 | OPENSSL_free(s->s3->tmp.peer_sigalgs); | |
850 | s->s3->tmp.peer_sigalgs = NULL; | |
851 | ||
852 | return 1; | |
853 | } | |
854 | ||
855 | #ifndef OPENSSL_NO_SRP | |
1266eefd | 856 | static int init_srp(SSL *s, unsigned int context) |
805a2e9e MC |
857 | { |
858 | OPENSSL_free(s->srp_ctx.login); | |
859 | s->srp_ctx.login = NULL; | |
860 | ||
861 | return 1; | |
862 | } | |
863 | #endif | |
864 | ||
1266eefd | 865 | static int init_etm(SSL *s, unsigned int context) |
805a2e9e | 866 | { |
332eb390 MC |
867 | s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; |
868 | ||
869 | return 1; | |
870 | } | |
871 | ||
1266eefd | 872 | static int init_ems(SSL *s, unsigned int context) |
332eb390 MC |
873 | { |
874 | if (!s->server) | |
875 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; | |
876 | ||
877 | return 1; | |
878 | } | |
879 | ||
1266eefd | 880 | static int final_ems(SSL *s, unsigned int context, int sent, int *al) |
332eb390 MC |
881 | { |
882 | if (!s->server && s->hit) { | |
883 | /* | |
884 | * Check extended master secret extension is consistent with | |
885 | * original session. | |
886 | */ | |
887 | if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != | |
888 | !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { | |
889 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
890 | SSLerr(SSL_F_TLS_EXT_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS); | |
891 | return 0; | |
892 | } | |
893 | } | |
805a2e9e MC |
894 | |
895 | return 1; | |
896 | } | |
897 | ||
898 | #ifndef OPENSSL_NO_SRTP | |
1266eefd | 899 | static int init_srtp(SSL *s, unsigned int context) |
805a2e9e MC |
900 | { |
901 | if (s->server) | |
902 | s->srtp_profile = NULL; | |
903 | ||
904 | return 1; | |
905 | } | |
906 | #endif |