extensions.c 31.3 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12
/*
 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "../ssl_locl.h"
#include "statem_locl.h"

13
static int final_renegotiate(SSL *s, unsigned int context, int sent,
14
                                     int *al);
15 16
static int init_server_name(SSL *s, unsigned int context);
static int final_server_name(SSL *s, unsigned int context, int sent,
17
                                     int *al);
18
#ifndef OPENSSL_NO_EC
19
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
20 21
                                       int *al);
#endif
22
static int init_session_ticket(SSL *s, unsigned int context);
23
#ifndef OPENSSL_NO_OCSP
24
static int init_status_request(SSL *s, unsigned int context);
25
#endif
26
#ifndef OPENSSL_NO_NEXTPROTONEG
27
static int init_npn(SSL *s, unsigned int context);
28
#endif
29 30 31
static int init_alpn(SSL *s, unsigned int context);
static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
static int init_sig_algs(SSL *s, unsigned int context);
32
#ifndef OPENSSL_NO_SRP
33
static int init_srp(SSL *s, unsigned int context);
34
#endif
35 36 37
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent, int *al);
38
#ifndef OPENSSL_NO_SRTP
39
static int init_srtp(SSL *s, unsigned int context);
40 41
#endif

42
/* Structure to define a built-in extension */
43 44
typedef struct extensions_definition_st {
    /* The defined type for the extension */
45
    unsigned int type;
46 47 48 49 50
    /*
     * The context that this extension applies to, e.g. what messages and
     * protocol versions
     */
    unsigned int context;
51
    /*
52 53
     * Initialise extension before parsing. Always called for relevant contexts
     * even if extension not present
54
     */
55 56
    int (*init)(SSL *s, unsigned int context);
    /* Parse extension sent from client to server */
57
    int (*parse_ctos)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al);
58
    /* Parse extension send from server to client */
59
    int (*parse_stoc)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al);
60
    /* Construct extension sent from server to client */
61
    int (*construct_stoc)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
62
                          int *al);
63
    /* Construct extension sent from client to server */
64 65
    int (*construct_ctos)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
                          int *al);
66
    /*
67 68 69
     * Finalise extension after parsing. Always called where an extensions was
     * initialised even if the extension was not present. |sent| is set to 1 if
     * the extension was seen, or 0 otherwise.
70
     */
71
    int (*final)(SSL *s, unsigned int context, int sent, int *al);
72 73
} EXTENSION_DEFINITION;

M
Matt Caswell 已提交
74
/*
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93
 * Definitions of all built-in extensions. NOTE: Changes in the number or order
 * of these extensions should be mirrored with equivalent changes to the indexes
 * defined in statem_locl.h.
 * Each extension has an initialiser, a client and
 * server side parser and a finaliser. The initialiser is called (if the
 * extension is relevant to the given context) even if we did not see the
 * extension in the message that we received. The parser functions are only
 * called if we see the extension in the message. The finalisers are always
 * called if the initialiser was called.
 * There are also server and client side constructor functions which are always
 * called during message construction if the extension is relevant for the
 * given context.
 * The initialisation, parsing, finalisation and construction functions are
 * always called in the order defined in this list. Some extensions may depend
 * on others having been processed first, so the order of this list is
 * significant.
 * The extension context is defined by a series of flags which specify which
 * messages the extension is relevant to. These flags also specify whether the
 * extension is relevant to a paricular protocol or protocol version.
M
Matt Caswell 已提交
94
 *
95
 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
M
Matt Caswell 已提交
96
 */
97
#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
98 99 100 101
static const EXTENSION_DEFINITION ext_defs[] = {
    {
        TLSEXT_TYPE_renegotiate,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED
102 103 104 105
        | EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
        tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
        final_renegotiate
106 107 108 109
    },
    {
        TLSEXT_TYPE_server_name,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
110 111 112 113 114
        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        init_server_name,
        tls_parse_ctos_server_name, tls_parse_stoc_server_name,
        tls_construct_stoc_server_name, tls_construct_ctos_server_name,
        final_server_name
115 116 117 118
    },
#ifndef OPENSSL_NO_SRP
    {
        TLSEXT_TYPE_srp,
119 120
        EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
121
    },
122 123
#else
    INVALID_EXTENSION,
124 125 126 127
#endif
#ifndef OPENSSL_NO_EC
    {
        TLSEXT_TYPE_ec_point_formats,
M
Matt Caswell 已提交
128
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
129 130 131
        NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
        tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
        final_ec_pt_formats
132 133 134
    },
    {
        TLSEXT_TYPE_supported_groups,
135 136
        EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        NULL, tls_parse_ctos_supported_groups, NULL,
137
        NULL /* TODO(TLS1.3): Need to add this */,
138
        tls_construct_ctos_supported_groups, NULL
139
    },
140 141 142
#else
    INVALID_EXTENSION,
    INVALID_EXTENSION,
143 144 145
#endif
    {
        TLSEXT_TYPE_session_ticket,
146 147 148 149
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_session_ticket, tls_parse_ctos_session_ticket,
        tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
        tls_construct_ctos_session_ticket, NULL
150 151 152
    },
    {
        TLSEXT_TYPE_signature_algorithms,
153 154 155
        EXT_CLIENT_HELLO,
        init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL,
        tls_construct_ctos_sig_algs, NULL
156
    },
157
#ifndef OPENSSL_NO_OCSP
158 159
    {
        TLSEXT_TYPE_status_request,
M
Matt Caswell 已提交
160
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
161 162 163
        | EXT_TLS1_3_CERTIFICATE,
        init_status_request, tls_parse_ctos_status_request,
        tls_parse_stoc_status_request, tls_construct_stoc_status_request,
164
        tls_construct_ctos_status_request, NULL
165
    },
166 167
#else
    INVALID_EXTENSION,
168
#endif
169 170 171
#ifndef OPENSSL_NO_NEXTPROTONEG
    {
        TLSEXT_TYPE_next_proto_neg,
172 173 174
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
        tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
175
    },
176 177
#else
    INVALID_EXTENSION,
178 179
#endif
    {
180 181 182 183
        /*
         * Must appear in this list after server_name so that finalisation
         * happens after server_name callbacks
         */
184 185
        TLSEXT_TYPE_application_layer_protocol_negotiation,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
186 187 188
        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
        tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
189
    },
190
#ifndef OPENSSL_NO_SRTP
191 192 193
    {
        TLSEXT_TYPE_use_srtp,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
194 195 196
        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY,
        init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
        tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
197
    },
198 199
#else
    INVALID_EXTENSION,
200
#endif
201 202
    {
        TLSEXT_TYPE_encrypt_then_mac,
203 204 205
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
        tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
206
    },
207
#ifndef OPENSSL_NO_CT
208 209
    {
        TLSEXT_TYPE_signed_certificate_timestamp,
210 211
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
        | EXT_TLS1_3_CERTIFICATE,
212
        NULL,
213 214 215 216 217
        /*
         * No server side support for this, but can be provided by a custom
         * extension. This is an exception to the rule that custom extensions
         * cannot override built in ones.
         */
218
        NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct,  NULL
219
    },
220 221
#else
    INVALID_EXTENSION,
222
#endif
223 224
    {
        TLSEXT_TYPE_extended_master_secret,
225 226 227
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
        tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
228 229 230
    },
    {
        TLSEXT_TYPE_supported_versions,
231
        EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
232
        NULL,
233
        /* Processed inline as part of version selection */
234
        NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
235 236
    },
    {
237 238 239 240
        /*
         * Must be in this list after supported_groups. We need that to have
         * been parsed before we do this one.
         */
241 242 243
        TLSEXT_TYPE_key_share,
        EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO
        | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY
244 245 246
        | EXT_TLS1_3_ONLY,
        NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
        tls_construct_stoc_key_share, tls_construct_ctos_key_share, NULL
247 248 249 250 251 252 253
    },
    {
        /*
         * Special unsolicited ServerHello extension only used when
         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
         */
        TLSEXT_TYPE_cryptopro_bug,
254 255
        EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
256 257 258 259
    },
    {
        /* Last in the list because it must be added as the last extension */
        TLSEXT_TYPE_padding,
260
        EXT_CLIENT_HELLO,
261
        NULL,
262
        /* We send this, but don't read it */
263
        NULL, NULL, NULL, tls_construct_ctos_padding, NULL
264 265 266 267 268 269
    }
};

/*
 * Verify whether we are allowed to use the extension |type| in the current
 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
270 271
 * indicate the extension is not allowed. If returning 1 then |*found| is set to
 * 1 if we found a definition for the extension, and |*idx| is set to its index
272
 */
273
static int verify_extension(SSL *s, unsigned int context, unsigned int type,
274 275
                            custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
                            RAW_EXTENSION **found)
276 277
{
    size_t i;
278
    size_t builtin_num = OSSL_NELEM(ext_defs);
279
    const EXTENSION_DEFINITION *thisext;
280

281 282
    for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
        if (type == thisext->type) {
283
            /* Check we're allowed to use this extension in this context */
284
            if ((context & thisext->context) == 0)
285 286 287
                return 0;

            if (SSL_IS_DTLS(s)) {
288
                if ((thisext->context & EXT_TLS_ONLY) != 0)
289
                    return 0;
290
            } else if ((thisext->context & EXT_DTLS_ONLY) != 0) {
291 292 293
                    return 0;
            }

294
            *found = &rawexlist[i];
295 296 297 298
            return 1;
        }
    }

299 300 301 302 303
    if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) {
        /*
         * Custom extensions only apply to <=TLS1.2. This extension is unknown
         * in this context - we allow it
         */
304
        *found = NULL;
305 306
        return 1;
    }
307

308 309 310 311
    /* Check the custom extensions */
    if (meths != NULL) {
        for (i = builtin_num; i < builtin_num + meths->meths_count; i++) {
            if (meths->meths[i - builtin_num].ext_type == type) {
312
                *found = &rawexlist[i];
313 314
                return 1;
            }
315 316 317
        }
    }

318
    /* Unknown extension. We allow it */
319
    *found = NULL;
320
    return 1;
321 322
}

323 324 325 326 327
/*
 * Check whether the context defined for an extension |extctx| means whether
 * the extension is relevant for the current context |thisctx| or not. Returns
 * 1 if the extension is relevant for this context, and 0 otherwise
 */
328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
static int extension_is_relevant(SSL *s, unsigned int extctx,
                                 unsigned int thisctx)
{
    if ((SSL_IS_DTLS(s)
                && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0)
            || (s->version == SSL3_VERSION
                    && (extctx & EXT_SSL3_ALLOWED) == 0)
            || (SSL_IS_TLS13(s)
                && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0)
            || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0))
        return 0;

    return 1;
}

343 344
/*
 * Gather a list of all the extensions from the data in |packet]. |context|
345
 * tells us which message this extension is for. The raw extension data is
346 347 348 349 350
 * stored in |*res| on success. In the event of an error the alert type to use
 * is stored in |*al|. We don't actually process the content of the extensions
 * yet, except to check their types. This function also runs the initialiser
 * functions for all known extensions (whether we have collected them or not).
 * If successful the caller is responsible for freeing the contents of |*res|.
351 352 353 354 355
 *
 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
 * more than one extension of the same type in a ClientHello or ServerHello.
 * This function returns 1 if all extensions are unique and we have parsed their
 * types, and 0 if the extensions contain duplicates, could not be successfully
356
 * found, or an internal error occurred. We only check duplicates for
357
 * extensions that we know about. We ignore others.
358 359
 */
int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
360
                           RAW_EXTENSION **res, int *al)
361 362
{
    PACKET extensions = *packet;
363
    size_t i = 0;
364
    custom_ext_methods *exts = NULL;
365
    RAW_EXTENSION *raw_extensions = NULL;
366
    const EXTENSION_DEFINITION *thisexd;
367

368 369
    *res = NULL;

370 371 372 373 374 375 376 377 378 379 380 381 382
    /*
     * Initialise server side custom extensions. Client side is done during
     * construction of extensions for the ClientHello.
     */
    if ((context & EXT_CLIENT_HELLO) != 0) {
        exts = &s->cert->srv_ext;
        custom_ext_init(&s->cert->srv_ext);
    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
        exts = &s->cert->cli_ext;
    }

    raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs)
                                     + (exts != NULL ? exts->meths_count : 0))
383
                                     * sizeof(*raw_extensions));
384 385 386 387 388 389
    if (raw_extensions == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE);
        return 0;
    }

390 391 392
    while (PACKET_remaining(&extensions) > 0) {
        unsigned int type;
        PACKET extension;
393
        RAW_EXTENSION *thisex;
394 395 396 397

        if (!PACKET_get_net_2(&extensions, &type) ||
            !PACKET_get_length_prefixed_2(&extensions, &extension)) {
            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
398
            *al = SSL_AD_DECODE_ERROR;
399 400
            goto err;
        }
401 402 403 404
        /*
         * Verify this extension is allowed. We only check duplicates for
         * extensions that we recognise.
         */
405 406
        if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
                || (thisex != NULL && thisex->present == 1)) {
407
            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
408
            *al = SSL_AD_ILLEGAL_PARAMETER;
409 410
            goto err;
        }
411 412 413 414
        if (thisex != NULL) {
            thisex->data = extension;
            thisex->present = 1;
            thisex->type = type;
415 416 417
        }
    }

418 419 420 421
    /*
     * Initialise all known extensions relevant to this context, whether we have
     * found them or not
     */
422 423 424 425
    for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
        if(thisexd->init != NULL && (thisexd->context & context) != 0
                && extension_is_relevant(s, thisexd->context, context)
                && !thisexd->init(s, context)) {
426
            *al = SSL_AD_INTERNAL_ERROR;
427 428 429 430
            goto err;
        }
    }

431 432 433 434 435 436 437 438
    *res = raw_extensions;
    return 1;

 err:
    OPENSSL_free(raw_extensions);
    return 0;
}

439
/*
440 441 442
 * Runs the parser for a given extension with index |idx|. |exts| contains the
 * list of all parsed extensions previously collected by
 * tls_collect_extensions(). The parser is only run if it is applicable for the
443 444
 * given |context| and the parser has not already been run. If this is for a
 * Certificate message, then we also provide the parser with the relevant
445
 * Certificate |x| and its position in the |chainidx| with 0 being the first
446 447 448
 * Certificate. Returns 1 on success or 0 on failure. In the event of a failure
 * |*al| is populated with a suitable alert code. If an extension is not present
 * this counted as success.
449
 */
450
int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
451
                        RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al)
452
{
453
    RAW_EXTENSION *currext = &exts[idx];
454
    int (*parser)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al) = NULL;
455

456 457 458
    /* Skip if the extension is not present */
    if (!currext->present)
        return 1;
459

460 461 462 463 464
    if (s->tlsext_debug_cb)
        s->tlsext_debug_cb(s, !s->server, currext->type,
                           PACKET_data(&currext->data),
                           PACKET_remaining(&currext->data),
                           s->tlsext_debug_arg);
465

466 467 468
    /* Skip if we've already parsed this extension */
    if (currext->parsed)
        return 1;
469

470 471 472 473 474 475 476 477 478 479
    currext->parsed = 1;

    if (idx < OSSL_NELEM(ext_defs)) {
        /* We are handling a built-in extension */
        const EXTENSION_DEFINITION *extdef = &ext_defs[idx];

        /* Check if extension is defined for our protocol. If not, skip */
        if (!extension_is_relevant(s, extdef->context, context))
            return 1;

480
        parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
M
Matt Caswell 已提交
481

482
        if (parser != NULL)
483
            return parser(s, &currext->data, x, chainidx, al);
484

485 486 487 488
        /*
         * If the parser is NULL we fall through to the custom extension
         * processing
         */
489 490
    }

491 492 493
    /*
     * This is a custom extension. We only allow this if it is a non
     * resumed session on the server side.
494
     *chain
495 496 497 498 499 500 501 502 503 504 505 506 507
     * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions.
     * We're going to need a new mechanism for TLS1.3 to specify which
     * messages to add the custom extensions to.
     */
    if ((!s->hit || !s->server)
            && (context
                & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
            && custom_ext_parse(s, s->server, currext->type,
                                PACKET_data(&currext->data),
                                PACKET_remaining(&currext->data),
                                al) <= 0)
        return 0;

508 509 510 511 512
    return 1;
}

/*
 * Parse all remaining extensions that have not yet been parsed. Also calls the
513
 * finalisation for all extensions at the end, whether we collected them or not.
514 515
 * Returns 1 for success or 0 for failure. If we are working on a Certificate
 * message then we also pass the Certificate |x| and its position in the
516 517
 * |chainidx|, with 0 being the first certificate. On failure, |*al| is
 * populated with a suitable alert code.
518
 */
519
int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
520
                             size_t chainidx, int *al)
521
{
522
    size_t i, numexts = OSSL_NELEM(ext_defs);
523
    const EXTENSION_DEFINITION *thisexd;
524

525 526 527 528 529 530 531 532
    /* Calculate the number of extensions in the extensions list */
    if ((context & EXT_CLIENT_HELLO) != 0) {
        numexts += s->cert->srv_ext.meths_count;
    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
        numexts += s->cert->cli_ext.meths_count;
    }

    /* Parse each extension in turn */
533
    for (i = 0; i < numexts; i++) {
534
        if (!tls_parse_extension(s, i, context, exts, x, chainidx, al))
535 536
            return 0;
    }
537

538 539 540 541
    /*
     * Finalise all known extensions relevant to this context, whether we have
     * found them or not
     */
542 543 544 545
    for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
        if(thisexd->final != NULL
                && (thisexd->context & context) != 0
                && !thisexd->final(s, context, exts[i].present, al))
546 547 548
            return 0;
    }

549 550 551 552
    return 1;
}

/*
553
 * Construct all the extensions relevant to the current |context| and write
554
 * them to |pkt|. If this is an extension for a Certificate in a Certificate
555 556 557 558 559
 * message, then |x| will be set to the Certificate we are handling, and
 * |chainidx| will indicate the position in the chainidx we are processing (with
 * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a
 * failure occurs then |al| is populated with a suitable alert code. On a
 * failure construction stops at the first extension to fail to construct.
560
 */
M
Matt Caswell 已提交
561
int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
562
                             X509 *x, size_t chainidx, int *al)
M
Matt Caswell 已提交
563
{
564 565
    size_t i;
    int addcustom = 0, min_version, max_version = 0, reason, tmpal;
566
    const EXTENSION_DEFINITION *thisexd;
M
Matt Caswell 已提交
567

568
    /*
569
     * Normally if something goes wrong during construction it's an internal
570 571
     * error. We can always override this later.
     */
572
    tmpal = SSL_AD_INTERNAL_ERROR;
573

M
Matt Caswell 已提交
574 575 576
    if (!WPACKET_start_sub_packet_u16(pkt)
               /*
                * If extensions are of zero length then we don't even add the
577
                * extensions length bytes to a ClientHello/ServerHello in SSLv3
M
Matt Caswell 已提交
578
                */
579 580
            || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
               && s->version == SSL3_VERSION
M
Matt Caswell 已提交
581 582 583
               && !WPACKET_set_flags(pkt,
                                     WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
        SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
584
        goto err;
M
Matt Caswell 已提交
585 586
    }

587 588 589 590
    if ((context & EXT_CLIENT_HELLO) != 0) {
        reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
        if (reason != 0) {
            SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
591
            goto err;
592 593 594 595 596 597 598 599 600 601 602
        }
    }

    /* Add custom extensions first */
    if ((context & EXT_CLIENT_HELLO) != 0) {
        custom_ext_init(&s->cert->cli_ext);
        addcustom = 1;
    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
        /*
         * We already initialised the custom extensions during ClientHello
         * parsing.
M
Matt Caswell 已提交
603
         *
604 605 606 607 608 609 610
         * TODO(TLS1.3): We're going to need a new custom extension mechanism
         * for TLS1.3, so that custom extensions can specify which of the
         * multiple message they wish to add themselves to.
         */
        addcustom = 1;
    }

611
    if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) {
612
        SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
613
        goto err;
614 615
    }

616
    for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
617 618
        int (*construct)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
                         int *al);
M
Matt Caswell 已提交
619

M
Matt Caswell 已提交
620
        /* Skip if not relevant for our context */
621
        if ((thisexd->context & context) == 0)
M
Matt Caswell 已提交
622 623
            continue;

624 625
        construct = s->server ? thisexd->construct_stoc
                              : thisexd->construct_ctos;
M
Matt Caswell 已提交
626 627 628

        /* Check if this extension is defined for our protocol. If not, skip */
        if ((SSL_IS_DTLS(s)
629
                    && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY)
M
Matt Caswell 已提交
630
                       != 0)
M
Matt Caswell 已提交
631
                || (s->version == SSL3_VERSION
632
                        && (thisexd->context & EXT_SSL3_ALLOWED) == 0)
M
Matt Caswell 已提交
633
                || (SSL_IS_TLS13(s)
634
                    && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY)
M
Matt Caswell 已提交
635
                       != 0)
M
Matt Caswell 已提交
636
                || (!SSL_IS_TLS13(s)
637
                    && (thisexd->context & EXT_TLS1_3_ONLY) != 0
M
Matt Caswell 已提交
638
                    && (context & EXT_CLIENT_HELLO) == 0)
639
                || ((thisexd->context & EXT_TLS1_3_ONLY) != 0
640 641
                    && (context & EXT_CLIENT_HELLO) != 0
                    && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
M
Matt Caswell 已提交
642 643 644
                || construct == NULL)
            continue;

645
        if (!construct(s, pkt, x, chainidx, &tmpal))
646
            goto err;
M
Matt Caswell 已提交
647 648 649 650
    }

    if (!WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
651
        goto err;
M
Matt Caswell 已提交
652 653 654
    }

    return 1;
655 656 657 658

 err:
    *al = tmpal;
    return 0;
M
Matt Caswell 已提交
659
}
660

661 662 663 664 665 666 667 668
/*
 * Built in extension finalisation and initialisation functions. All initialise
 * or finalise the associated extension type for the given |context|. For
 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
 * otherwise. These functions return 1 on success or 0 on failure. In the event
 * of a failure then |*al| is populated with a suitable error code.
 */

669
static int final_renegotiate(SSL *s, unsigned int context, int sent,
670 671
                                     int *al)
{
672 673 674 675 676 677 678 679 680
    if (!s->server) {
        /*
         * Check if we can connect to a server that doesn't support safe
         * renegotiation
         */
        if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
                && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
                && !sent) {
            *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
681
            SSLerr(SSL_F_FINAL_RENEGOTIATE,
682 683 684 685
                   SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
            return 0;
        }

686
        return 1;
687
    }
688 689 690 691 692 693

    /* Need RI if renegotiating */
    if (s->renegotiate
            && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
            && !sent) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
694
        SSLerr(SSL_F_FINAL_RENEGOTIATE,
695 696 697 698
               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
        return 0;
    }

699

700 701 702
    return 1;
}

703
static int init_server_name(SSL *s, unsigned int context)
704 705 706 707 708 709 710
{
    if (s->server)
        s->servername_done = 0;

    return 1;
}

711
static int final_server_name(SSL *s, unsigned int context, int sent,
712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742
                                     int *al)
{
    int ret = SSL_TLSEXT_ERR_NOACK;
    int altmp = SSL_AD_UNRECOGNIZED_NAME;

    if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
        ret = s->ctx->tlsext_servername_callback(s, &altmp,
                                                 s->ctx->tlsext_servername_arg);
    else if (s->initial_ctx != NULL
             && s->initial_ctx->tlsext_servername_callback != 0)
        ret = s->initial_ctx->tlsext_servername_callback(s, &altmp,
                                       s->initial_ctx->tlsext_servername_arg);

    switch (ret) {
    case SSL_TLSEXT_ERR_ALERT_FATAL:
        *al = altmp;
        return 0;

    case SSL_TLSEXT_ERR_ALERT_WARNING:
        *al = altmp;
        return 1;

    case SSL_TLSEXT_ERR_NOACK:
        s->servername_done = 0;
        return 1;

    default:
        return 1;
    }
}

743
#ifndef OPENSSL_NO_EC
744
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
745 746 747 748 749 750 751 752 753 754 755 756 757 758 759
                                       int *al)
{
    unsigned long alg_k, alg_a;

    if (s->server)
        return 1;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;

    /*
     * If we are client and using an elliptic curve cryptography cipher
     * suite, then if server returns an EC point formats lists extension it
     * must contain uncompressed.
     */
760 761 762 763 764
    if (s->tlsext_ecpointformatlist != NULL
            && s->tlsext_ecpointformatlist_length > 0
            && s->session->tlsext_ecpointformatlist != NULL
            && s->session->tlsext_ecpointformatlist_length > 0
            && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
765 766
        /* we are using an ECC cipher */
        size_t i;
767 768
        unsigned char *list = s->session->tlsext_ecpointformatlist;

769
        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
770
            if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
771 772
                break;
        }
773
        if (i == s->session->tlsext_ecpointformatlist_length) {
M
Matt Caswell 已提交
774
            SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
775 776 777 778 779 780 781 782 783
                   SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
            return 0;
        }
    }

    return 1;
}
#endif

784
static int init_session_ticket(SSL *s, unsigned int context)
785 786 787 788 789 790 791
{
    if (!s->server)
        s->tlsext_ticket_expected = 0;

    return 1;
}

792
#ifndef OPENSSL_NO_OCSP
793
static int init_status_request(SSL *s, unsigned int context)
794
{
795
    if (s->server) {
796
        s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
797 798 799 800 801 802 803 804 805
    } else {
        /*
         * Ensure we get sensible values passed to tlsext_status_cb in the event
         * that we don't receive a status message
         */
        OPENSSL_free(s->tlsext_ocsp_resp);
        s->tlsext_ocsp_resp = NULL;
        s->tlsext_ocsp_resplen = 0;
    }
806 807 808

    return 1;
}
809
#endif
810

811
#ifndef OPENSSL_NO_NEXTPROTONEG
812
static int init_npn(SSL *s, unsigned int context)
813
{
814
    s->s3->next_proto_neg_seen = 0;
815 816 817 818 819

    return 1;
}
#endif

820
static int init_alpn(SSL *s, unsigned int context)
821
{
822 823
    OPENSSL_free(s->s3->alpn_selected);
    s->s3->alpn_selected = NULL;
824 825 826 827 828 829 830 831 832
    if (s->server) {
        s->s3->alpn_selected_len = 0;
        OPENSSL_free(s->s3->alpn_proposed);
        s->s3->alpn_proposed = NULL;
        s->s3->alpn_proposed_len = 0;
    }
    return 1;
}

833
static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867
{
    const unsigned char *selected = NULL;
    unsigned char selected_len = 0;

    if (!s->server)
        return 1;

    if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
        int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
                                       s->s3->alpn_proposed,
                                       (unsigned int)s->s3->alpn_proposed_len,
                                       s->ctx->alpn_select_cb_arg);

        if (r == SSL_TLSEXT_ERR_OK) {
            OPENSSL_free(s->s3->alpn_selected);
            s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
            if (s->s3->alpn_selected == NULL) {
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
            s->s3->alpn_selected_len = selected_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
            /* ALPN takes precedence over NPN. */
            s->s3->next_proto_neg_seen = 0;
#endif
        } else {
            *al = SSL_AD_NO_APPLICATION_PROTOCOL;
            return 0;
        }
    }

    return 1;
}

868
static int init_sig_algs(SSL *s, unsigned int context)
869 870 871 872 873 874 875 876 877
{
    /* Clear any signature algorithms extension received */
    OPENSSL_free(s->s3->tmp.peer_sigalgs);
    s->s3->tmp.peer_sigalgs = NULL;

    return 1;
}

#ifndef OPENSSL_NO_SRP
878
static int init_srp(SSL *s, unsigned int context)
879 880 881 882 883 884 885 886
{
    OPENSSL_free(s->srp_ctx.login);
    s->srp_ctx.login = NULL;

    return 1;
}
#endif

887
static int init_etm(SSL *s, unsigned int context)
888
{
889 890 891 892 893
    s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;

    return 1;
}

894
static int init_ems(SSL *s, unsigned int context)
895 896 897 898 899 900 901
{
    if (!s->server)
        s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;

    return 1;
}

902
static int final_ems(SSL *s, unsigned int context, int sent, int *al)
903 904 905 906 907 908 909 910 911
{
    if (!s->server && s->hit) {
        /*
         * Check extended master secret extension is consistent with
         * original session.
         */
        if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
            !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
            *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
912
            SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS);
913 914 915
            return 0;
        }
    }
916 917 918 919 920

    return 1;
}

#ifndef OPENSSL_NO_SRTP
921
static int init_srtp(SSL *s, unsigned int context)
922 923 924 925 926 927 928
{
    if (s->server)
        s->srtp_profile = NULL;

    return 1;
}
#endif