]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | #include "../ssl_locl.h" | |
11 | #include "statem_locl.h" | |
12 | ||
13 | static int final_renegotiate(SSL *s, unsigned int context, int sent, | |
14 | int *al); | |
15 | static int init_server_name(SSL *s, unsigned int context); | |
16 | static int final_server_name(SSL *s, unsigned int context, int sent, | |
17 | int *al); | |
18 | #ifndef OPENSSL_NO_EC | |
19 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, | |
20 | int *al); | |
21 | #endif | |
22 | static int init_session_ticket(SSL *s, unsigned int context); | |
23 | #ifndef OPENSSL_NO_OCSP | |
24 | static int init_status_request(SSL *s, unsigned int context); | |
25 | #endif | |
26 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
27 | static int init_npn(SSL *s, unsigned int context); | |
28 | #endif | |
29 | static int init_alpn(SSL *s, unsigned int context); | |
30 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al); | |
31 | static int init_sig_algs(SSL *s, unsigned int context); | |
32 | #ifndef OPENSSL_NO_SRP | |
33 | static int init_srp(SSL *s, unsigned int context); | |
34 | #endif | |
35 | static int init_etm(SSL *s, unsigned int context); | |
36 | static int init_ems(SSL *s, unsigned int context); | |
37 | static int final_ems(SSL *s, unsigned int context, int sent, int *al); | |
38 | #ifndef OPENSSL_NO_SRTP | |
39 | static int init_srtp(SSL *s, unsigned int context); | |
40 | #endif | |
41 | ||
42 | /* Structure to define a built-in extension */ | |
43 | typedef struct extensions_definition_st { | |
44 | /* The defined type for the extension */ | |
45 | unsigned int type; | |
46 | /* | |
47 | * The context that this extension applies to, e.g. what messages and | |
48 | * protocol versions | |
49 | */ | |
50 | unsigned int context; | |
51 | /* | |
52 | * Initialise extension before parsing. Always called for relevant contexts | |
53 | * even if extension not present | |
54 | */ | |
55 | int (*init)(SSL *s, unsigned int context); | |
56 | /* Parse extension sent from client to server */ | |
57 | int (*parse_ctos)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al); | |
58 | /* Parse extension send from server to client */ | |
59 | int (*parse_stoc)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al); | |
60 | /* Construct extension sent from server to client */ | |
61 | int (*construct_stoc)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, | |
62 | int *al); | |
63 | /* Construct extension sent from client to server */ | |
64 | int (*construct_ctos)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, | |
65 | int *al); | |
66 | /* | |
67 | * Finalise extension after parsing. Always called where an extensions was | |
68 | * initialised even if the extension was not present. |sent| is set to 1 if | |
69 | * the extension was seen, or 0 otherwise. | |
70 | */ | |
71 | int (*final)(SSL *s, unsigned int context, int sent, int *al); | |
72 | } EXTENSION_DEFINITION; | |
73 | ||
74 | /* | |
75 | * Definitions of all built-in extensions. NOTE: Changes in the number or order | |
76 | * of these extensions should be mirrored with equivalent changes to the indexes | |
77 | * defined in statem_locl.h. | |
78 | * Each extension has an initialiser, a client and | |
79 | * server side parser and a finaliser. The initialiser is called (if the | |
80 | * extension is relevant to the given context) even if we did not see the | |
81 | * extension in the message that we received. The parser functions are only | |
82 | * called if we see the extension in the message. The finalisers are always | |
83 | * called if the initialiser was called. | |
84 | * There are also server and client side constructor functions which are always | |
85 | * called during message construction if the extension is relevant for the | |
86 | * given context. | |
87 | * The initialisation, parsing, finalisation and construction functions are | |
88 | * always called in the order defined in this list. Some extensions may depend | |
89 | * on others having been processed first, so the order of this list is | |
90 | * significant. | |
91 | * The extension context is defined by a series of flags which specify which | |
92 | * messages the extension is relevant to. These flags also specify whether the | |
93 | * extension is relevant to a paricular protocol or protocol version. | |
94 | * | |
95 | * TODO(TLS1.3): Make sure we have a test to check the consistency of these | |
96 | */ | |
97 | #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } | |
98 | static const EXTENSION_DEFINITION ext_defs[] = { | |
99 | { | |
100 | TLSEXT_TYPE_renegotiate, | |
101 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED | |
102 | | EXT_TLS1_2_AND_BELOW_ONLY, | |
103 | NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, | |
104 | tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, | |
105 | final_renegotiate | |
106 | }, | |
107 | { | |
108 | TLSEXT_TYPE_server_name, | |
109 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | |
110 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | |
111 | init_server_name, | |
112 | tls_parse_ctos_server_name, tls_parse_stoc_server_name, | |
113 | tls_construct_stoc_server_name, tls_construct_ctos_server_name, | |
114 | final_server_name | |
115 | }, | |
116 | #ifndef OPENSSL_NO_SRP | |
117 | { | |
118 | TLSEXT_TYPE_srp, | |
119 | EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
120 | init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL | |
121 | }, | |
122 | #else | |
123 | INVALID_EXTENSION, | |
124 | #endif | |
125 | #ifndef OPENSSL_NO_EC | |
126 | { | |
127 | TLSEXT_TYPE_ec_point_formats, | |
128 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
129 | NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, | |
130 | tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, | |
131 | final_ec_pt_formats | |
132 | }, | |
133 | { | |
134 | TLSEXT_TYPE_supported_groups, | |
135 | EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | |
136 | NULL, tls_parse_ctos_supported_groups, NULL, | |
137 | NULL /* TODO(TLS1.3): Need to add this */, | |
138 | tls_construct_ctos_supported_groups, NULL | |
139 | }, | |
140 | #else | |
141 | INVALID_EXTENSION, | |
142 | INVALID_EXTENSION, | |
143 | #endif | |
144 | { | |
145 | TLSEXT_TYPE_session_ticket, | |
146 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
147 | init_session_ticket, tls_parse_ctos_session_ticket, | |
148 | tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, | |
149 | tls_construct_ctos_session_ticket, NULL | |
150 | }, | |
151 | { | |
152 | TLSEXT_TYPE_signature_algorithms, | |
153 | EXT_CLIENT_HELLO, | |
154 | init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL, | |
155 | tls_construct_ctos_sig_algs, NULL | |
156 | }, | |
157 | #ifndef OPENSSL_NO_OCSP | |
158 | { | |
159 | TLSEXT_TYPE_status_request, | |
160 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | |
161 | | EXT_TLS1_3_CERTIFICATE, | |
162 | init_status_request, tls_parse_ctos_status_request, | |
163 | tls_parse_stoc_status_request, tls_construct_stoc_status_request, | |
164 | tls_construct_ctos_status_request, NULL | |
165 | }, | |
166 | #else | |
167 | INVALID_EXTENSION, | |
168 | #endif | |
169 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
170 | { | |
171 | TLSEXT_TYPE_next_proto_neg, | |
172 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
173 | init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, | |
174 | tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL | |
175 | }, | |
176 | #else | |
177 | INVALID_EXTENSION, | |
178 | #endif | |
179 | { | |
180 | /* | |
181 | * Must appear in this list after server_name so that finalisation | |
182 | * happens after server_name callbacks | |
183 | */ | |
184 | TLSEXT_TYPE_application_layer_protocol_negotiation, | |
185 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | |
186 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | |
187 | init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, | |
188 | tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn | |
189 | }, | |
190 | #ifndef OPENSSL_NO_SRTP | |
191 | { | |
192 | TLSEXT_TYPE_use_srtp, | |
193 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | |
194 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY, | |
195 | init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, | |
196 | tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL | |
197 | }, | |
198 | #else | |
199 | INVALID_EXTENSION, | |
200 | #endif | |
201 | { | |
202 | TLSEXT_TYPE_encrypt_then_mac, | |
203 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
204 | init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, | |
205 | tls_construct_stoc_etm, tls_construct_ctos_etm, NULL | |
206 | }, | |
207 | #ifndef OPENSSL_NO_CT | |
208 | { | |
209 | TLSEXT_TYPE_signed_certificate_timestamp, | |
210 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | |
211 | | EXT_TLS1_3_CERTIFICATE, | |
212 | NULL, | |
213 | /* | |
214 | * No server side support for this, but can be provided by a custom | |
215 | * extension. This is an exception to the rule that custom extensions | |
216 | * cannot override built in ones. | |
217 | */ | |
218 | NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL | |
219 | }, | |
220 | #else | |
221 | INVALID_EXTENSION, | |
222 | #endif | |
223 | { | |
224 | TLSEXT_TYPE_extended_master_secret, | |
225 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
226 | init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, | |
227 | tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems | |
228 | }, | |
229 | { | |
230 | TLSEXT_TYPE_supported_versions, | |
231 | EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, | |
232 | NULL, | |
233 | /* Processed inline as part of version selection */ | |
234 | NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL | |
235 | }, | |
236 | { | |
237 | /* | |
238 | * Must be in this list after supported_groups. We need that to have | |
239 | * been parsed before we do this one. | |
240 | */ | |
241 | TLSEXT_TYPE_key_share, | |
242 | EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | |
243 | | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY | |
244 | | EXT_TLS1_3_ONLY, | |
245 | NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, | |
246 | tls_construct_stoc_key_share, tls_construct_ctos_key_share, NULL | |
247 | }, | |
248 | { | |
249 | /* | |
250 | * Special unsolicited ServerHello extension only used when | |
251 | * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set | |
252 | */ | |
253 | TLSEXT_TYPE_cryptopro_bug, | |
254 | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, | |
255 | NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL | |
256 | }, | |
257 | { | |
258 | /* Last in the list because it must be added as the last extension */ | |
259 | TLSEXT_TYPE_padding, | |
260 | EXT_CLIENT_HELLO, | |
261 | NULL, | |
262 | /* We send this, but don't read it */ | |
263 | NULL, NULL, NULL, tls_construct_ctos_padding, NULL | |
264 | } | |
265 | }; | |
266 | ||
267 | /* | |
268 | * Verify whether we are allowed to use the extension |type| in the current | |
269 | * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to | |
270 | * indicate the extension is not allowed. If returning 1 then |*found| is set to | |
271 | * 1 if we found a definition for the extension, and |*idx| is set to its index | |
272 | */ | |
273 | static int verify_extension(SSL *s, unsigned int context, unsigned int type, | |
274 | custom_ext_methods *meths, RAW_EXTENSION *rawexlist, | |
275 | RAW_EXTENSION **found) | |
276 | { | |
277 | size_t i; | |
278 | size_t builtin_num = OSSL_NELEM(ext_defs); | |
279 | const EXTENSION_DEFINITION *thisext; | |
280 | ||
281 | for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { | |
282 | if (type == thisext->type) { | |
283 | /* Check we're allowed to use this extension in this context */ | |
284 | if ((context & thisext->context) == 0) | |
285 | return 0; | |
286 | ||
287 | if (SSL_IS_DTLS(s)) { | |
288 | if ((thisext->context & EXT_TLS_ONLY) != 0) | |
289 | return 0; | |
290 | } else if ((thisext->context & EXT_DTLS_ONLY) != 0) { | |
291 | return 0; | |
292 | } | |
293 | ||
294 | *found = &rawexlist[i]; | |
295 | return 1; | |
296 | } | |
297 | } | |
298 | ||
299 | if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) { | |
300 | /* | |
301 | * Custom extensions only apply to <=TLS1.2. This extension is unknown | |
302 | * in this context - we allow it | |
303 | */ | |
304 | *found = NULL; | |
305 | return 1; | |
306 | } | |
307 | ||
308 | /* Check the custom extensions */ | |
309 | if (meths != NULL) { | |
310 | for (i = builtin_num; i < builtin_num + meths->meths_count; i++) { | |
311 | if (meths->meths[i - builtin_num].ext_type == type) { | |
312 | *found = &rawexlist[i]; | |
313 | return 1; | |
314 | } | |
315 | } | |
316 | } | |
317 | ||
318 | /* Unknown extension. We allow it */ | |
319 | *found = NULL; | |
320 | return 1; | |
321 | } | |
322 | ||
323 | /* | |
324 | * Check whether the context defined for an extension |extctx| means whether | |
325 | * the extension is relevant for the current context |thisctx| or not. Returns | |
326 | * 1 if the extension is relevant for this context, and 0 otherwise | |
327 | */ | |
328 | static int extension_is_relevant(SSL *s, unsigned int extctx, | |
329 | unsigned int thisctx) | |
330 | { | |
331 | if ((SSL_IS_DTLS(s) | |
332 | && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0) | |
333 | || (s->version == SSL3_VERSION | |
334 | && (extctx & EXT_SSL3_ALLOWED) == 0) | |
335 | || (SSL_IS_TLS13(s) | |
336 | && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0) | |
337 | || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0)) | |
338 | return 0; | |
339 | ||
340 | return 1; | |
341 | } | |
342 | ||
343 | /* | |
344 | * Gather a list of all the extensions from the data in |packet]. |context| | |
345 | * tells us which message this extension is for. The raw extension data is | |
346 | * stored in |*res| on success. In the event of an error the alert type to use | |
347 | * is stored in |*al|. We don't actually process the content of the extensions | |
348 | * yet, except to check their types. This function also runs the initialiser | |
349 | * functions for all known extensions (whether we have collected them or not). | |
350 | * If successful the caller is responsible for freeing the contents of |*res|. | |
351 | * | |
352 | * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be | |
353 | * more than one extension of the same type in a ClientHello or ServerHello. | |
354 | * This function returns 1 if all extensions are unique and we have parsed their | |
355 | * types, and 0 if the extensions contain duplicates, could not be successfully | |
356 | * found, or an internal error occurred. We only check duplicates for | |
357 | * extensions that we know about. We ignore others. | |
358 | */ | |
359 | int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, | |
360 | RAW_EXTENSION **res, int *al) | |
361 | { | |
362 | PACKET extensions = *packet; | |
363 | size_t i = 0; | |
364 | custom_ext_methods *exts = NULL; | |
365 | RAW_EXTENSION *raw_extensions = NULL; | |
366 | const EXTENSION_DEFINITION *thisexd; | |
367 | ||
368 | *res = NULL; | |
369 | ||
370 | /* | |
371 | * Initialise server side custom extensions. Client side is done during | |
372 | * construction of extensions for the ClientHello. | |
373 | */ | |
374 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
375 | exts = &s->cert->srv_ext; | |
376 | custom_ext_init(&s->cert->srv_ext); | |
377 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
378 | exts = &s->cert->cli_ext; | |
379 | } | |
380 | ||
381 | raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs) | |
382 | + (exts != NULL ? exts->meths_count : 0)) | |
383 | * sizeof(*raw_extensions)); | |
384 | if (raw_extensions == NULL) { | |
385 | *al = SSL_AD_INTERNAL_ERROR; | |
386 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE); | |
387 | return 0; | |
388 | } | |
389 | ||
390 | while (PACKET_remaining(&extensions) > 0) { | |
391 | unsigned int type; | |
392 | PACKET extension; | |
393 | RAW_EXTENSION *thisex; | |
394 | ||
395 | if (!PACKET_get_net_2(&extensions, &type) || | |
396 | !PACKET_get_length_prefixed_2(&extensions, &extension)) { | |
397 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); | |
398 | *al = SSL_AD_DECODE_ERROR; | |
399 | goto err; | |
400 | } | |
401 | /* | |
402 | * Verify this extension is allowed. We only check duplicates for | |
403 | * extensions that we recognise. | |
404 | */ | |
405 | if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) | |
406 | || (thisex != NULL && thisex->present == 1)) { | |
407 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); | |
408 | *al = SSL_AD_ILLEGAL_PARAMETER; | |
409 | goto err; | |
410 | } | |
411 | if (thisex != NULL) { | |
412 | thisex->data = extension; | |
413 | thisex->present = 1; | |
414 | thisex->type = type; | |
415 | } | |
416 | } | |
417 | ||
418 | /* | |
419 | * Initialise all known extensions relevant to this context, whether we have | |
420 | * found them or not | |
421 | */ | |
422 | for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) { | |
423 | if(thisexd->init != NULL && (thisexd->context & context) != 0 | |
424 | && extension_is_relevant(s, thisexd->context, context) | |
425 | && !thisexd->init(s, context)) { | |
426 | *al = SSL_AD_INTERNAL_ERROR; | |
427 | goto err; | |
428 | } | |
429 | } | |
430 | ||
431 | *res = raw_extensions; | |
432 | return 1; | |
433 | ||
434 | err: | |
435 | OPENSSL_free(raw_extensions); | |
436 | return 0; | |
437 | } | |
438 | ||
439 | /* | |
440 | * Runs the parser for a given extension with index |idx|. |exts| contains the | |
441 | * list of all parsed extensions previously collected by | |
442 | * tls_collect_extensions(). The parser is only run if it is applicable for the | |
443 | * given |context| and the parser has not already been run. If this is for a | |
444 | * Certificate message, then we also provide the parser with the relevant | |
445 | * Certificate |x| and its position in the |chainidx| with 0 being the first | |
446 | * Certificate. Returns 1 on success or 0 on failure. In the event of a failure | |
447 | * |*al| is populated with a suitable alert code. If an extension is not present | |
448 | * this counted as success. | |
449 | */ | |
450 | int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, | |
451 | RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al) | |
452 | { | |
453 | RAW_EXTENSION *currext = &exts[idx]; | |
454 | int (*parser)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al) = NULL; | |
455 | ||
456 | /* Skip if the extension is not present */ | |
457 | if (!currext->present) | |
458 | return 1; | |
459 | ||
460 | if (s->ext.debug_cb) | |
461 | s->ext.debug_cb(s, !s->server, currext->type, | |
462 | PACKET_data(&currext->data), | |
463 | PACKET_remaining(&currext->data), | |
464 | s->ext.debug_arg); | |
465 | ||
466 | /* Skip if we've already parsed this extension */ | |
467 | if (currext->parsed) | |
468 | return 1; | |
469 | ||
470 | currext->parsed = 1; | |
471 | ||
472 | if (idx < OSSL_NELEM(ext_defs)) { | |
473 | /* We are handling a built-in extension */ | |
474 | const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; | |
475 | ||
476 | /* Check if extension is defined for our protocol. If not, skip */ | |
477 | if (!extension_is_relevant(s, extdef->context, context)) | |
478 | return 1; | |
479 | ||
480 | parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; | |
481 | ||
482 | if (parser != NULL) | |
483 | return parser(s, &currext->data, x, chainidx, al); | |
484 | ||
485 | /* | |
486 | * If the parser is NULL we fall through to the custom extension | |
487 | * processing | |
488 | */ | |
489 | } | |
490 | ||
491 | /* | |
492 | * This is a custom extension. We only allow this if it is a non | |
493 | * resumed session on the server side. | |
494 | *chain | |
495 | * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions. | |
496 | * We're going to need a new mechanism for TLS1.3 to specify which | |
497 | * messages to add the custom extensions to. | |
498 | */ | |
499 | if ((!s->hit || !s->server) | |
500 | && (context | |
501 | & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 | |
502 | && custom_ext_parse(s, s->server, currext->type, | |
503 | PACKET_data(&currext->data), | |
504 | PACKET_remaining(&currext->data), | |
505 | al) <= 0) | |
506 | return 0; | |
507 | ||
508 | return 1; | |
509 | } | |
510 | ||
511 | /* | |
512 | * Parse all remaining extensions that have not yet been parsed. Also calls the | |
513 | * finalisation for all extensions at the end, whether we collected them or not. | |
514 | * Returns 1 for success or 0 for failure. If we are working on a Certificate | |
515 | * message then we also pass the Certificate |x| and its position in the | |
516 | * |chainidx|, with 0 being the first certificate. On failure, |*al| is | |
517 | * populated with a suitable alert code. | |
518 | */ | |
519 | int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, | |
520 | size_t chainidx, int *al) | |
521 | { | |
522 | size_t i, numexts = OSSL_NELEM(ext_defs); | |
523 | const EXTENSION_DEFINITION *thisexd; | |
524 | ||
525 | /* Calculate the number of extensions in the extensions list */ | |
526 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
527 | numexts += s->cert->srv_ext.meths_count; | |
528 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
529 | numexts += s->cert->cli_ext.meths_count; | |
530 | } | |
531 | ||
532 | /* Parse each extension in turn */ | |
533 | for (i = 0; i < numexts; i++) { | |
534 | if (!tls_parse_extension(s, i, context, exts, x, chainidx, al)) | |
535 | return 0; | |
536 | } | |
537 | ||
538 | /* | |
539 | * Finalise all known extensions relevant to this context, whether we have | |
540 | * found them or not | |
541 | */ | |
542 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { | |
543 | if(thisexd->final != NULL | |
544 | && (thisexd->context & context) != 0 | |
545 | && !thisexd->final(s, context, exts[i].present, al)) | |
546 | return 0; | |
547 | } | |
548 | ||
549 | return 1; | |
550 | } | |
551 | ||
552 | /* | |
553 | * Construct all the extensions relevant to the current |context| and write | |
554 | * them to |pkt|. If this is an extension for a Certificate in a Certificate | |
555 | * message, then |x| will be set to the Certificate we are handling, and | |
556 | * |chainidx| will indicate the position in the chainidx we are processing (with | |
557 | * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a | |
558 | * failure occurs then |al| is populated with a suitable alert code. On a | |
559 | * failure construction stops at the first extension to fail to construct. | |
560 | */ | |
561 | int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, | |
562 | X509 *x, size_t chainidx, int *al) | |
563 | { | |
564 | size_t i; | |
565 | int addcustom = 0, min_version, max_version = 0, reason, tmpal; | |
566 | const EXTENSION_DEFINITION *thisexd; | |
567 | ||
568 | /* | |
569 | * Normally if something goes wrong during construction it's an internal | |
570 | * error. We can always override this later. | |
571 | */ | |
572 | tmpal = SSL_AD_INTERNAL_ERROR; | |
573 | ||
574 | if (!WPACKET_start_sub_packet_u16(pkt) | |
575 | /* | |
576 | * If extensions are of zero length then we don't even add the | |
577 | * extensions length bytes to a ClientHello/ServerHello in SSLv3 | |
578 | */ | |
579 | || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 | |
580 | && s->version == SSL3_VERSION | |
581 | && !WPACKET_set_flags(pkt, | |
582 | WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { | |
583 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); | |
584 | goto err; | |
585 | } | |
586 | ||
587 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
588 | reason = ssl_get_client_min_max_version(s, &min_version, &max_version); | |
589 | if (reason != 0) { | |
590 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); | |
591 | goto err; | |
592 | } | |
593 | } | |
594 | ||
595 | /* Add custom extensions first */ | |
596 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
597 | custom_ext_init(&s->cert->cli_ext); | |
598 | addcustom = 1; | |
599 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
600 | /* | |
601 | * We already initialised the custom extensions during ClientHello | |
602 | * parsing. | |
603 | * | |
604 | * TODO(TLS1.3): We're going to need a new custom extension mechanism | |
605 | * for TLS1.3, so that custom extensions can specify which of the | |
606 | * multiple message they wish to add themselves to. | |
607 | */ | |
608 | addcustom = 1; | |
609 | } | |
610 | ||
611 | if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) { | |
612 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); | |
613 | goto err; | |
614 | } | |
615 | ||
616 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { | |
617 | int (*construct)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, | |
618 | int *al); | |
619 | ||
620 | /* Skip if not relevant for our context */ | |
621 | if ((thisexd->context & context) == 0) | |
622 | continue; | |
623 | ||
624 | construct = s->server ? thisexd->construct_stoc | |
625 | : thisexd->construct_ctos; | |
626 | ||
627 | /* Check if this extension is defined for our protocol. If not, skip */ | |
628 | if ((SSL_IS_DTLS(s) | |
629 | && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY) | |
630 | != 0) | |
631 | || (s->version == SSL3_VERSION | |
632 | && (thisexd->context & EXT_SSL3_ALLOWED) == 0) | |
633 | || (SSL_IS_TLS13(s) | |
634 | && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY) | |
635 | != 0) | |
636 | || (!SSL_IS_TLS13(s) | |
637 | && (thisexd->context & EXT_TLS1_3_ONLY) != 0 | |
638 | && (context & EXT_CLIENT_HELLO) == 0) | |
639 | || ((thisexd->context & EXT_TLS1_3_ONLY) != 0 | |
640 | && (context & EXT_CLIENT_HELLO) != 0 | |
641 | && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) | |
642 | || construct == NULL) | |
643 | continue; | |
644 | ||
645 | if (!construct(s, pkt, x, chainidx, &tmpal)) | |
646 | goto err; | |
647 | } | |
648 | ||
649 | if (!WPACKET_close(pkt)) { | |
650 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); | |
651 | goto err; | |
652 | } | |
653 | ||
654 | return 1; | |
655 | ||
656 | err: | |
657 | *al = tmpal; | |
658 | return 0; | |
659 | } | |
660 | ||
661 | /* | |
662 | * Built in extension finalisation and initialisation functions. All initialise | |
663 | * or finalise the associated extension type for the given |context|. For | |
664 | * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 | |
665 | * otherwise. These functions return 1 on success or 0 on failure. In the event | |
666 | * of a failure then |*al| is populated with a suitable error code. | |
667 | */ | |
668 | ||
669 | static int final_renegotiate(SSL *s, unsigned int context, int sent, | |
670 | int *al) | |
671 | { | |
672 | if (!s->server) { | |
673 | /* | |
674 | * Check if we can connect to a server that doesn't support safe | |
675 | * renegotiation | |
676 | */ | |
677 | if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | |
678 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
679 | && !sent) { | |
680 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
681 | SSLerr(SSL_F_FINAL_RENEGOTIATE, | |
682 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
683 | return 0; | |
684 | } | |
685 | ||
686 | return 1; | |
687 | } | |
688 | ||
689 | /* Need RI if renegotiating */ | |
690 | if (s->renegotiate | |
691 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
692 | && !sent) { | |
693 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
694 | SSLerr(SSL_F_FINAL_RENEGOTIATE, | |
695 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
696 | return 0; | |
697 | } | |
698 | ||
699 | ||
700 | return 1; | |
701 | } | |
702 | ||
703 | static int init_server_name(SSL *s, unsigned int context) | |
704 | { | |
705 | if (s->server) | |
706 | s->servername_done = 0; | |
707 | ||
708 | return 1; | |
709 | } | |
710 | ||
711 | static int final_server_name(SSL *s, unsigned int context, int sent, | |
712 | int *al) | |
713 | { | |
714 | int ret = SSL_TLSEXT_ERR_NOACK; | |
715 | int altmp = SSL_AD_UNRECOGNIZED_NAME; | |
716 | ||
717 | if (s->ctx != NULL && s->ctx->ext.servername_cb != 0) | |
718 | ret = s->ctx->ext.servername_cb(s, &altmp, | |
719 | s->ctx->ext.servername_arg); | |
720 | else if (s->initial_ctx != NULL | |
721 | && s->initial_ctx->ext.servername_cb != 0) | |
722 | ret = s->initial_ctx->ext.servername_cb(s, &altmp, | |
723 | s->initial_ctx->ext.servername_arg); | |
724 | ||
725 | switch (ret) { | |
726 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
727 | *al = altmp; | |
728 | return 0; | |
729 | ||
730 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
731 | *al = altmp; | |
732 | return 1; | |
733 | ||
734 | case SSL_TLSEXT_ERR_NOACK: | |
735 | s->servername_done = 0; | |
736 | return 1; | |
737 | ||
738 | default: | |
739 | return 1; | |
740 | } | |
741 | } | |
742 | ||
743 | #ifndef OPENSSL_NO_EC | |
744 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, | |
745 | int *al) | |
746 | { | |
747 | unsigned long alg_k, alg_a; | |
748 | ||
749 | if (s->server) | |
750 | return 1; | |
751 | ||
752 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
753 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
754 | ||
755 | /* | |
756 | * If we are client and using an elliptic curve cryptography cipher | |
757 | * suite, then if server returns an EC point formats lists extension it | |
758 | * must contain uncompressed. | |
759 | */ | |
760 | if (s->ext.ecpointformats != NULL | |
761 | && s->ext.ecpointformats_len > 0 | |
762 | && s->session->ext.ecpointformats != NULL | |
763 | && s->session->ext.ecpointformats_len > 0 | |
764 | && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { | |
765 | /* we are using an ECC cipher */ | |
766 | size_t i; | |
767 | unsigned char *list = s->session->ext.ecpointformats; | |
768 | ||
769 | for (i = 0; i < s->session->ext.ecpointformats_len; i++) { | |
770 | if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) | |
771 | break; | |
772 | } | |
773 | if (i == s->session->ext.ecpointformats_len) { | |
774 | SSLerr(SSL_F_FINAL_EC_PT_FORMATS, | |
775 | SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); | |
776 | return 0; | |
777 | } | |
778 | } | |
779 | ||
780 | return 1; | |
781 | } | |
782 | #endif | |
783 | ||
784 | static int init_session_ticket(SSL *s, unsigned int context) | |
785 | { | |
786 | if (!s->server) | |
787 | s->ext.ticket_expected = 0; | |
788 | ||
789 | return 1; | |
790 | } | |
791 | ||
792 | #ifndef OPENSSL_NO_OCSP | |
793 | static int init_status_request(SSL *s, unsigned int context) | |
794 | { | |
795 | if (s->server) { | |
796 | s->ext.status_type = TLSEXT_STATUSTYPE_nothing; | |
797 | } else { | |
798 | /* | |
799 | * Ensure we get sensible values passed to tlsext_status_cb in the event | |
800 | * that we don't receive a status message | |
801 | */ | |
802 | OPENSSL_free(s->tlsext_ocsp_resp); | |
803 | s->ext.ocsp_resp = NULL; | |
804 | s->ext.ocsp_resplen = 0; | |
805 | } | |
806 | ||
807 | return 1; | |
808 | } | |
809 | ||
810 | static int final_status_request(SSL *s, unsigned int context, int sent, | |
811 | int *al) | |
812 | { | |
813 | if (s->server) | |
814 | return 1; | |
815 | ||
816 | /* | |
817 | * Ensure we get sensible values passed to ext.status_cb in the event | |
818 | * that we don't receive a status message | |
819 | */ | |
820 | OPENSSL_free(s->ext.ocsp.resp); | |
821 | s->ext.ocsp.resp = NULL; | |
822 | s->ext.ocsp.resp_len = 0; | |
823 | >>>>>>> Move extension data into sub-structs | |
824 | ||
825 | return 1; | |
826 | } | |
827 | #endif | |
828 | ||
829 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
830 | static int init_npn(SSL *s, unsigned int context) | |
831 | { | |
832 | s->s3->npn_seen = 0; | |
833 | ||
834 | return 1; | |
835 | } | |
836 | #endif | |
837 | ||
838 | static int init_alpn(SSL *s, unsigned int context) | |
839 | { | |
840 | OPENSSL_free(s->s3->alpn_selected); | |
841 | s->s3->alpn_selected = NULL; | |
842 | if (s->server) { | |
843 | s->s3->alpn_selected_len = 0; | |
844 | OPENSSL_free(s->s3->alpn_proposed); | |
845 | s->s3->alpn_proposed = NULL; | |
846 | s->s3->alpn_proposed_len = 0; | |
847 | } | |
848 | return 1; | |
849 | } | |
850 | ||
851 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al) | |
852 | { | |
853 | const unsigned char *selected = NULL; | |
854 | unsigned char selected_len = 0; | |
855 | ||
856 | if (!s->server) | |
857 | return 1; | |
858 | ||
859 | if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { | |
860 | int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, | |
861 | s->s3->alpn_proposed, | |
862 | (unsigned int)s->s3->alpn_proposed_len, | |
863 | s->ctx->ext.alpn_select_cb_arg); | |
864 | ||
865 | if (r == SSL_TLSEXT_ERR_OK) { | |
866 | OPENSSL_free(s->s3->alpn_selected); | |
867 | s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); | |
868 | if (s->s3->alpn_selected == NULL) { | |
869 | *al = SSL_AD_INTERNAL_ERROR; | |
870 | return 0; | |
871 | } | |
872 | s->s3->alpn_selected_len = selected_len; | |
873 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
874 | /* ALPN takes precedence over NPN. */ | |
875 | s->s3->npn_seen = 0; | |
876 | #endif | |
877 | } else { | |
878 | *al = SSL_AD_NO_APPLICATION_PROTOCOL; | |
879 | return 0; | |
880 | } | |
881 | } | |
882 | ||
883 | return 1; | |
884 | } | |
885 | ||
886 | static int init_sig_algs(SSL *s, unsigned int context) | |
887 | { | |
888 | /* Clear any signature algorithms extension received */ | |
889 | OPENSSL_free(s->s3->tmp.peer_sigalgs); | |
890 | s->s3->tmp.peer_sigalgs = NULL; | |
891 | ||
892 | return 1; | |
893 | } | |
894 | ||
895 | #ifndef OPENSSL_NO_SRP | |
896 | static int init_srp(SSL *s, unsigned int context) | |
897 | { | |
898 | OPENSSL_free(s->srp_ctx.login); | |
899 | s->srp_ctx.login = NULL; | |
900 | ||
901 | return 1; | |
902 | } | |
903 | #endif | |
904 | ||
905 | static int init_etm(SSL *s, unsigned int context) | |
906 | { | |
907 | s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; | |
908 | ||
909 | return 1; | |
910 | } | |
911 | ||
912 | static int init_ems(SSL *s, unsigned int context) | |
913 | { | |
914 | if (!s->server) | |
915 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; | |
916 | ||
917 | return 1; | |
918 | } | |
919 | ||
920 | static int final_ems(SSL *s, unsigned int context, int sent, int *al) | |
921 | { | |
922 | if (!s->server && s->hit) { | |
923 | /* | |
924 | * Check extended master secret extension is consistent with | |
925 | * original session. | |
926 | */ | |
927 | if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != | |
928 | !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { | |
929 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
930 | SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS); | |
931 | return 0; | |
932 | } | |
933 | } | |
934 | ||
935 | return 1; | |
936 | } | |
937 | ||
938 | #ifndef OPENSSL_NO_SRTP | |
939 | static int init_srtp(SSL *s, unsigned int context) | |
940 | { | |
941 | if (s->server) | |
942 | s->srtp_profile = NULL; | |
943 | ||
944 | return 1; | |
945 | } | |
946 | #endif |