.id = GNUTLS_EXTENSION_ALPN,
/* this extension must be parsed even on resumption */
.parse_type = GNUTLS_EXT_MANDATORY,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_EE|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_alpn_recv_params,
.send_func = _gnutls_alpn_send_params,
.name = "ClientHello Padding",
.id = GNUTLS_EXTENSION_DUMBFW,
.parse_type = GNUTLS_EXT_APPLICATION,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR,
.recv_func = NULL,
.send_func = _gnutls_dumbfw_send_params,
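Review bot: `.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR` for the ClientHello Padding entry includes a server-to-client message although the entry has `.recv_func = NULL` and, as the name says, is only ever sent in a ClientHello. If `.validity` is what the receive path checks before dispatching to `recv_func`, the HRR bit is dead here; if it also gates whether an unknown-side extension is tolerated, it silently widens what a peer may put in a HelloRetryRequest for no benefit. Unless a later hunk in this series relies on it, `.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO,` is the accurate value; if the HRR bit is deliberate, a one-line comment stating why would stop it from being copied into other send-only entries. The enclosing initializer starts before the hunk.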
.name = "Negotiated Groups",
.id = GNUTLS_EXTENSION_SUPPORTED_ECC,
.parse_type = GNUTLS_EXT_TLS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_EE|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_supported_ecc_recv_params,
.send_func = _gnutls_supported_ecc_send_params,
.name = "Supported ECC Point Formats",
.id = GNUTLS_EXTENSION_SUPPORTED_ECC_PF,
.parse_type = GNUTLS_EXT_TLS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_supported_ecc_pf_recv_params,
.send_func = _gnutls_supported_ecc_pf_send_params,
.name = "Encrypt-then-MAC",
.id = GNUTLS_EXTENSION_ETM,
.parse_type = GNUTLS_EXT_MANDATORY,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_ext_etm_recv_params,
.send_func = _gnutls_ext_etm_send_params,
/*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (C) 2014-2017 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
*
*/
-/* This file contains the code for the Max Record Size TLS extension.
+/* This file contains the code for the RFC7627 (ext master secret) TLS extension.
*/
#include "gnutls_int.h"
.name = "Extended Master Secret",
.id = GNUTLS_EXTENSION_EXT_MASTER_SECRET,
.parse_type = GNUTLS_EXT_MANDATORY,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_ext_master_secret_recv_params,
.send_func = _gnutls_ext_master_secret_send_params,
.name = "Heartbeat",
.id = GNUTLS_EXTENSION_HEARTBEAT,
.parse_type = GNUTLS_EXT_TLS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_EE|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_heartbeat_recv_params,
.send_func = _gnutls_heartbeat_send_params,
.name = "Key Share",
.id = GNUTLS_EXTENSION_KEY_SHARE,
.parse_type = _GNUTLS_EXT_TLS_POST_CS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO|GNUTLS_EXT_FLAG_HRR,
.recv_func = key_share_recv_params,
.send_func = key_share_send_params,
.name = "Maximum Record Size",
.id = GNUTLS_EXTENSION_MAX_RECORD_SIZE,
.parse_type = GNUTLS_EXT_TLS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_EE|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.recv_func = _gnutls_max_record_recv_params,
.send_func = _gnutls_max_record_send_params,
.name = "Post Handshake Auth",
.id = GNUTLS_EXTENSION_POST_HANDSHAKE,
.parse_type = GNUTLS_EXT_TLS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO,
.recv_func = _gnutls_post_handshake_recv_params,
.send_func = _gnutls_post_handshake_send_params,
const extension_entry_st ext_mod_sr = {
.name = "Safe Renegotiation",
.id = GNUTLS_EXTENSION_SAFE_RENEGOTIATION,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.parse_type = GNUTLS_EXT_MANDATORY,
.recv_func = _gnutls_sr_recv_params,
const extension_entry_st ext_mod_server_name = {
.name = "Server Name Indication",
.id = GNUTLS_EXTENSION_SERVER_NAME,
+
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_EE|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.parse_type = GNUTLS_EXT_MANDATORY,
.recv_func = _gnutls_server_name_recv_params,
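Review bot: The Server Name Indication entry gains a stray blank line before `.validity` that none of the other extension tables in this commit have; the field should sit directly under `.id` like the sibling entries (ALPN, Heartbeat, SRTP) so the initializers stay visually uniform. Dropping the blank `+` line is the whole change. The initializer for ext_mod_server_name continues outside the hunk.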
const extension_entry_st ext_mod_session_ticket = {
.name = "Session Ticket",
.id = GNUTLS_EXTENSION_SESSION_TICKET,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.parse_type = GNUTLS_EXT_TLS,
.recv_func = session_ticket_recv_params,
const extension_entry_st ext_mod_sig = {
.name = "Signature Algorithms",
.id = GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_CR,
.parse_type = GNUTLS_EXT_TLS,
.recv_func = _gnutls_signature_algorithm_recv_params,
.name = "SRP",
.id = GNUTLS_EXTENSION_SRP,
.parse_type = GNUTLS_EXT_TLS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO,
.recv_func = _gnutls_srp_recv_params,
.send_func = _gnutls_srp_send_params,
const extension_entry_st ext_mod_srtp = {
.name = "SRTP",
.id = GNUTLS_EXTENSION_SRTP,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_EE|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.parse_type = GNUTLS_EXT_APPLICATION,
.recv_func = _gnutls_srtp_recv_params,
const extension_entry_st ext_mod_status_request = {
.name = "OCSP Status Request",
.id = GNUTLS_EXTENSION_STATUS_REQUEST,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_CT|GNUTLS_EXT_FLAG_CR|GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
.parse_type = _GNUTLS_EXT_TLS_POST_CS,
.recv_func = _gnutls_status_request_recv_params,
.send_func = _gnutls_status_request_send_params,
const extension_entry_st ext_mod_supported_versions = {
.name = "Supported Versions",
.id = GNUTLS_EXTENSION_SUPPORTED_VERSIONS,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO,
.parse_type = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
.recv_func = supported_versions_recv_params,
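Review bot: `.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO` for Supported Versions omits GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO and GNUTLS_EXT_FLAG_HRR, both of which this commit defines, even though a TLS 1.3 server must echo supported_versions in its ServerHello and HelloRetryRequest (RFC 8446 §4.2.1). If the client-side parser for those messages consults `.validity`, a conforming TLS 1.3 server's hello would be refused or its version field ignored, which is the worst place for a silent mismatch to sit. If the TLS 1.3 server-hello path is not wired up yet in this series, a comment saying so next to the field would keep the entry from being copied as final; otherwise the line should read `.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO|GNUTLS_EXT_FLAG_HRR,`. The initializer for ext_mod_supported_versions continues outside the hunk.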
uint16_t id;
gnutls_ext_parse_type_t parse_type;
+ unsigned validity; /* multiple items of gnutls_ext_flags_t */
/* this function must return 0 when Not Applicable
* size of extension data if ok
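Review bot: The comment on the new `unsigned validity` field says only "multiple items of gnutls_ext_flags_t", but that enum also carries GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL, which is a registration option rather than a handshake-message location, so a reader cannot tell which enumerators are meaningful here or what happens when a flag is absent. Suggested comment: `/* bitmask of the GNUTLS_EXT_FLAG_* message-location flags (gnutls_ext_flags_t) naming the handshake messages this extension may appear in; GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL is not a location and is not used here */`. Whether an extension arriving in a message outside the mask is rejected or merely skipped is not visible in this hunk; the comment should state that once the check is in place, since that is the property each table entry in this commit depends on. The enclosing struct starts and ends outside the hunk.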
* @GNUTLS_EXT_TLS: TLS-internal extension.
* @GNUTLS_EXT_MANDATORY: Extension parsed even if resuming (or extensions are disabled).
*
- * Enumeration of different TLS extension types. This type is
+ * Enumeration of different TLS extension parsing types. This type is
* to indicate whether an extension is useful to application
- * level or TLS level only. This is used to parse the
- * application level extensions before the "client_hello" callback
- * is called.
+ * level or TLS level only. This is used to decide the appropriate time
+ * each extension is parsed at during the server or client hello parsing.
+ *
+ * This applies to TLS 1.2 and earlier versions.
*/
typedef enum {
GNUTLS_EXT_ANY = 0,
/**
* gnutls_ext_flags_t:
* @GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL: If specified the extension registered will override the internal; this does not work with extensions existing prior to 3.6.0.
+ * @GNUTLS_EXT_FLAG_CLIENT_HELLO: This extension can be present in a client hello
+ * @GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO: This extension can be present in a TLS1.2 or earlier server hello
+ * @GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO: This extension can be present in a TLS1.3 server hello
+ * @GNUTLS_EXT_FLAG_EE: This extension can be present in encrypted extensions message
+ * @GNUTLS_EXT_FLAG_CT: This extension can be present in certificate message
+ * @GNUTLS_EXT_FLAG_CR: This extension can be present in certificate request message
+ * @GNUTLS_EXT_FLAG_NST: This extension can be present in new session ticket message
+ * @GNUTLS_EXT_FLAG_HRR: This extension can be present in hello retry request message
*
* Enumeration of different TLS extension registration flags.
*/
typedef enum {
- GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL = 1
+ GNUTLS_EXT_FLAG_OVERRIDE_INTERNAL = 1,
+ GNUTLS_EXT_FLAG_CLIENT_HELLO = (1<<1),
+ GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO = (1<<2),
+ GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO = (1<<3),
+ GNUTLS_EXT_FLAG_EE = (1<<4), /* ENCRYPTED */
+ GNUTLS_EXT_FLAG_CT = (1<<5),
+ GNUTLS_EXT_FLAG_CR = (1<<6),
+ GNUTLS_EXT_FLAG_NST = (1<<7),
+ GNUTLS_EXT_FLAG_HRR = (1<<8)
} gnutls_ext_flags_t;
/* Register a custom tls extension