extensions.c 30.7 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12
/*
 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "../ssl_locl.h"
#include "statem_locl.h"

13
static int final_renegotiate(SSL *s, unsigned int context, int sent,
14
                                     int *al);
15 16
static int init_server_name(SSL *s, unsigned int context);
static int final_server_name(SSL *s, unsigned int context, int sent,
17
                                     int *al);
18
#ifndef OPENSSL_NO_EC
19
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
20 21
                                       int *al);
#endif
22
static int init_session_ticket(SSL *s, unsigned int context);
23
#ifndef OPENSSL_NO_OCSP
24 25
static int init_status_request(SSL *s, unsigned int context);
static int final_status_request(SSL *s, unsigned int context, int sent,
26
                                        int *al);
27
#endif
28
#ifndef OPENSSL_NO_NEXTPROTONEG
29
static int init_npn(SSL *s, unsigned int context);
30
#endif
31 32 33
static int init_alpn(SSL *s, unsigned int context);
static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
static int init_sig_algs(SSL *s, unsigned int context);
34
#ifndef OPENSSL_NO_SRP
35
static int init_srp(SSL *s, unsigned int context);
36
#endif
37 38 39
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent, int *al);
40
#ifndef OPENSSL_NO_SRTP
41
static int init_srtp(SSL *s, unsigned int context);
42 43
#endif

44
/* Structure to define a built-in extension */
45 46
typedef struct extensions_definition_st {
    /* The defined type for the extension */
47
    unsigned int type;
48 49 50 51 52
    /*
     * The context that this extension applies to, e.g. what messages and
     * protocol versions
     */
    unsigned int context;
53
    /*
54 55
     * Initialise extension before parsing. Always called for relevant contexts
     * even if extension not present
56
     */
57 58 59 60 61 62 63 64 65
    int (*init)(SSL *s, unsigned int context);
    /* Parse extension sent from client to server */
    int (*parse_ctos)(SSL *s, PACKET *pkt, int *al);
    /* Parse extension send from server to client */
    int (*parse_stoc)(SSL *s, PACKET *pkt, int *al);
    /* Construct extension sent from server to client */
    int (*construct_stoc)(SSL *s, WPACKET *pkt, int *al);
    /* Construct extension sent from client to server */
    int (*construct_ctos)(SSL *s, WPACKET *pkt, int *al);
66
    /*
67 68 69
     * Finalise extension after parsing. Always called where an extensions was
     * initialised even if the extension was not present. |sent| is set to 1 if
     * the extension was seen, or 0 otherwise.
70
     */
71
    int (*final)(SSL *s, unsigned int context, int sent, int *al);
72 73
} EXTENSION_DEFINITION;

M
Matt Caswell 已提交
74
/*
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93
 * Definitions of all built-in extensions. NOTE: Changes in the number or order
 * of these extensions should be mirrored with equivalent changes to the indexes
 * defined in statem_locl.h.
 * Each extension has an initialiser, a client and
 * server side parser and a finaliser. The initialiser is called (if the
 * extension is relevant to the given context) even if we did not see the
 * extension in the message that we received. The parser functions are only
 * called if we see the extension in the message. The finalisers are always
 * called if the initialiser was called.
 * There are also server and client side constructor functions which are always
 * called during message construction if the extension is relevant for the
 * given context.
 * The initialisation, parsing, finalisation and construction functions are
 * always called in the order defined in this list. Some extensions may depend
 * on others having been processed first, so the order of this list is
 * significant.
 * The extension context is defined by a series of flags which specify which
 * messages the extension is relevant to. These flags also specify whether the
 * extension is relevant to a paricular protocol or protocol version.
M
Matt Caswell 已提交
94
 *
95
 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
M
Matt Caswell 已提交
96
 */
97
#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
98 99 100 101
static const EXTENSION_DEFINITION ext_defs[] = {
    {
        TLSEXT_TYPE_renegotiate,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED
102 103 104 105
        | EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
        tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
        final_renegotiate
106 107 108 109
    },
    {
        TLSEXT_TYPE_server_name,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
110 111 112 113 114
        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        init_server_name,
        tls_parse_ctos_server_name, tls_parse_stoc_server_name,
        tls_construct_stoc_server_name, tls_construct_ctos_server_name,
        final_server_name
115 116 117 118
    },
#ifndef OPENSSL_NO_SRP
    {
        TLSEXT_TYPE_srp,
119 120
        EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
121
    },
122 123
#else
    INVALID_EXTENSION,
124 125 126 127
#endif
#ifndef OPENSSL_NO_EC
    {
        TLSEXT_TYPE_ec_point_formats,
M
Matt Caswell 已提交
128
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
129 130 131
        NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
        tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
        final_ec_pt_formats
132 133 134
    },
    {
        TLSEXT_TYPE_supported_groups,
135 136
        EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        NULL, tls_parse_ctos_supported_groups, NULL,
137
        NULL /* TODO(TLS1.3): Need to add this */,
138
        tls_construct_ctos_supported_groups, NULL
139
    },
140 141 142
#else
    INVALID_EXTENSION,
    INVALID_EXTENSION,
143 144 145
#endif
    {
        TLSEXT_TYPE_session_ticket,
146 147 148 149
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_session_ticket, tls_parse_ctos_session_ticket,
        tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
        tls_construct_ctos_session_ticket, NULL
150 151 152
    },
    {
        TLSEXT_TYPE_signature_algorithms,
153 154 155
        EXT_CLIENT_HELLO,
        init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL,
        tls_construct_ctos_sig_algs, NULL
156
    },
157
#ifndef OPENSSL_NO_OCSP
158 159
    {
        TLSEXT_TYPE_status_request,
M
Matt Caswell 已提交
160
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
161 162 163 164
        | EXT_TLS1_3_CERTIFICATE,
        init_status_request, tls_parse_ctos_status_request,
        tls_parse_stoc_status_request, tls_construct_stoc_status_request,
        tls_construct_ctos_status_request, final_status_request
165
    },
166 167
#else
    INVALID_EXTENSION,
168
#endif
169 170 171
#ifndef OPENSSL_NO_NEXTPROTONEG
    {
        TLSEXT_TYPE_next_proto_neg,
172 173 174
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
        tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
175
    },
176 177
#else
    INVALID_EXTENSION,
178 179
#endif
    {
180 181 182 183
        /*
         * Must appear in this list after server_name so that finalisation
         * happens after server_name callbacks
         */
184 185
        TLSEXT_TYPE_application_layer_protocol_negotiation,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
186 187 188
        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
        tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
189
    },
190
#ifndef OPENSSL_NO_SRTP
191 192 193
    {
        TLSEXT_TYPE_use_srtp,
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
194 195 196
        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY,
        init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
        tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
197
    },
198 199
#else
    INVALID_EXTENSION,
200
#endif
201 202
    {
        TLSEXT_TYPE_encrypt_then_mac,
203 204 205
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
        tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
206
    },
207
#ifndef OPENSSL_NO_CT
208 209
    {
        TLSEXT_TYPE_signed_certificate_timestamp,
210 211
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
        | EXT_TLS1_3_CERTIFICATE,
212
        NULL,
213 214 215 216 217
        /*
         * No server side support for this, but can be provided by a custom
         * extension. This is an exception to the rule that custom extensions
         * cannot override built in ones.
         */
218
        NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct,  NULL
219
    },
220 221
#else
    INVALID_EXTENSION,
222
#endif
223 224
    {
        TLSEXT_TYPE_extended_master_secret,
225 226 227
        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
        tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
228 229 230
    },
    {
        TLSEXT_TYPE_supported_versions,
231
        EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
232
        NULL,
233
        /* Processed inline as part of version selection */
234
        NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
235 236
    },
    {
237 238 239 240
        /*
         * Must be in this list after supported_groups. We need that to have
         * been parsed before we do this one.
         */
241 242 243
        TLSEXT_TYPE_key_share,
        EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO
        | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY
244 245 246
        | EXT_TLS1_3_ONLY,
        NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
        tls_construct_stoc_key_share, tls_construct_ctos_key_share, NULL
247 248 249 250 251 252 253
    },
    {
        /*
         * Special unsolicited ServerHello extension only used when
         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
         */
        TLSEXT_TYPE_cryptopro_bug,
254 255
        EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
256 257 258 259
    },
    {
        /* Last in the list because it must be added as the last extension */
        TLSEXT_TYPE_padding,
260
        EXT_CLIENT_HELLO,
261
        NULL,
262
        /* We send this, but don't read it */
263
        NULL, NULL, NULL, tls_construct_ctos_padding, NULL
264 265 266 267 268 269
    }
};

/*
 * Verify whether we are allowed to use the extension |type| in the current
 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
270 271
 * indicate the extension is not allowed. If returning 1 then |*found| is set to
 * 1 if we found a definition for the extension, and |*idx| is set to its index
272
 */
273
static int verify_extension(SSL *s, unsigned int context, unsigned int type,
274 275
                            custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
                            RAW_EXTENSION **found)
276 277
{
    size_t i;
278
    size_t builtin_num = OSSL_NELEM(ext_defs);
279
    const EXTENSION_DEFINITION *thisext;
280

281 282
    for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
        if (type == thisext->type) {
283
            /* Check we're allowed to use this extension in this context */
284
            if ((context & thisext->context) == 0)
285 286 287
                return 0;

            if (SSL_IS_DTLS(s)) {
288
                if ((thisext->context & EXT_TLS_ONLY) != 0)
289
                    return 0;
290
            } else if ((thisext->context & EXT_DTLS_ONLY) != 0) {
291 292 293
                    return 0;
            }

294
            *found = &rawexlist[i];
295 296 297 298
            return 1;
        }
    }

299 300 301 302 303
    if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) {
        /*
         * Custom extensions only apply to <=TLS1.2. This extension is unknown
         * in this context - we allow it
         */
304
        *found = NULL;
305 306
        return 1;
    }
307

308 309 310 311
    /* Check the custom extensions */
    if (meths != NULL) {
        for (i = builtin_num; i < builtin_num + meths->meths_count; i++) {
            if (meths->meths[i - builtin_num].ext_type == type) {
312
                *found = &rawexlist[i];
313 314
                return 1;
            }
315 316 317
        }
    }

318
    /* Unknown extension. We allow it */
319
    *found = NULL;
320
    return 1;
321 322
}

323 324 325 326 327
/*
 * Check whether the context defined for an extension |extctx| means whether
 * the extension is relevant for the current context |thisctx| or not. Returns
 * 1 if the extension is relevant for this context, and 0 otherwise
 */
328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
static int extension_is_relevant(SSL *s, unsigned int extctx,
                                 unsigned int thisctx)
{
    if ((SSL_IS_DTLS(s)
                && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0)
            || (s->version == SSL3_VERSION
                    && (extctx & EXT_SSL3_ALLOWED) == 0)
            || (SSL_IS_TLS13(s)
                && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0)
            || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0))
        return 0;

    return 1;
}

343 344
/*
 * Gather a list of all the extensions from the data in |packet]. |context|
345
 * tells us which message this extension is for. The raw extension data is
346 347 348 349 350
 * stored in |*res| on success. In the event of an error the alert type to use
 * is stored in |*al|. We don't actually process the content of the extensions
 * yet, except to check their types. This function also runs the initialiser
 * functions for all known extensions (whether we have collected them or not).
 * If successful the caller is responsible for freeing the contents of |*res|.
351 352 353 354 355
 *
 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
 * more than one extension of the same type in a ClientHello or ServerHello.
 * This function returns 1 if all extensions are unique and we have parsed their
 * types, and 0 if the extensions contain duplicates, could not be successfully
356
 * found, or an internal error occurred. We only check duplicates for
357
 * extensions that we know about. We ignore others.
358 359
 */
int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
360
                           RAW_EXTENSION **res, int *al)
361 362
{
    PACKET extensions = *packet;
363
    size_t i = 0;
364
    custom_ext_methods *exts = NULL;
365
    RAW_EXTENSION *raw_extensions = NULL;
366
    const EXTENSION_DEFINITION *thisexd;
367

368 369
    *res = NULL;

370 371 372 373 374 375 376 377 378 379 380 381 382
    /*
     * Initialise server side custom extensions. Client side is done during
     * construction of extensions for the ClientHello.
     */
    if ((context & EXT_CLIENT_HELLO) != 0) {
        exts = &s->cert->srv_ext;
        custom_ext_init(&s->cert->srv_ext);
    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
        exts = &s->cert->cli_ext;
    }

    raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs)
                                     + (exts != NULL ? exts->meths_count : 0))
383
                                     * sizeof(*raw_extensions));
384 385 386 387 388 389
    if (raw_extensions == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE);
        return 0;
    }

390 391 392
    while (PACKET_remaining(&extensions) > 0) {
        unsigned int type;
        PACKET extension;
393
        RAW_EXTENSION *thisex;
394 395 396 397

        if (!PACKET_get_net_2(&extensions, &type) ||
            !PACKET_get_length_prefixed_2(&extensions, &extension)) {
            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
398
            *al = SSL_AD_DECODE_ERROR;
399 400
            goto err;
        }
401 402 403 404
        /*
         * Verify this extension is allowed. We only check duplicates for
         * extensions that we recognise.
         */
405 406
        if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
                || (thisex != NULL && thisex->present == 1)) {
407
            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
408
            *al = SSL_AD_ILLEGAL_PARAMETER;
409 410
            goto err;
        }
411 412 413 414
        if (thisex != NULL) {
            thisex->data = extension;
            thisex->present = 1;
            thisex->type = type;
415 416 417
        }
    }

418 419 420 421
    /*
     * Initialise all known extensions relevant to this context, whether we have
     * found them or not
     */
422 423 424 425
    for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
        if(thisexd->init != NULL && (thisexd->context & context) != 0
                && extension_is_relevant(s, thisexd->context, context)
                && !thisexd->init(s, context)) {
426
            *al = SSL_AD_INTERNAL_ERROR;
427 428 429 430
            goto err;
        }
    }

431 432 433 434 435 436 437 438
    *res = raw_extensions;
    return 1;

 err:
    OPENSSL_free(raw_extensions);
    return 0;
}

439
/*
440 441 442 443 444 445
 * Runs the parser for a given extension with index |idx|. |exts| contains the
 * list of all parsed extensions previously collected by
 * tls_collect_extensions(). The parser is only run if it is applicable for the
 * given |context| and the parser has not already been run. Returns 1 on success
 * or 0 on failure. In the event of a failure |*al| is populated with a suitable
 * alert code. If an extension is not present this counted as success.
446
 */
447
int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
448
                        RAW_EXTENSION *exts, int *al)
449
{
450 451
    RAW_EXTENSION *currext = &exts[idx];
    int (*parser)(SSL *s, PACKET *pkt, int *al) = NULL;
452

453 454 455
    /* Skip if the extension is not present */
    if (!currext->present)
        return 1;
456

457 458 459 460 461
    if (s->tlsext_debug_cb)
        s->tlsext_debug_cb(s, !s->server, currext->type,
                           PACKET_data(&currext->data),
                           PACKET_remaining(&currext->data),
                           s->tlsext_debug_arg);
462

463 464 465
    /* Skip if we've already parsed this extension */
    if (currext->parsed)
        return 1;
466

467 468 469 470 471 472 473 474 475 476
    currext->parsed = 1;

    if (idx < OSSL_NELEM(ext_defs)) {
        /* We are handling a built-in extension */
        const EXTENSION_DEFINITION *extdef = &ext_defs[idx];

        /* Check if extension is defined for our protocol. If not, skip */
        if (!extension_is_relevant(s, extdef->context, context))
            return 1;

477
        parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
M
Matt Caswell 已提交
478

479 480
        if (parser != NULL)
            return parser(s, &currext->data, al);
481

482 483 484 485
        /*
         * If the parser is NULL we fall through to the custom extension
         * processing
         */
486 487
    }

488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504
    /*
     * This is a custom extension. We only allow this if it is a non
     * resumed session on the server side.
     *
     * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions.
     * We're going to need a new mechanism for TLS1.3 to specify which
     * messages to add the custom extensions to.
     */
    if ((!s->hit || !s->server)
            && (context
                & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
            && custom_ext_parse(s, s->server, currext->type,
                                PACKET_data(&currext->data),
                                PACKET_remaining(&currext->data),
                                al) <= 0)
        return 0;

505 506 507 508 509
    return 1;
}

/*
 * Parse all remaining extensions that have not yet been parsed. Also calls the
510 511 512
 * finalisation for all extensions at the end, whether we collected them or not.
 * Returns 1 for success or 0 for failure. On failure, |*al| is populated with a
 * suitable alert code.
513
 */
514
int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, int *al)
515
{
516
    size_t i, numexts = OSSL_NELEM(ext_defs);
517
    const EXTENSION_DEFINITION *thisexd;
518

519 520 521 522 523 524 525 526
    /* Calculate the number of extensions in the extensions list */
    if ((context & EXT_CLIENT_HELLO) != 0) {
        numexts += s->cert->srv_ext.meths_count;
    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
        numexts += s->cert->cli_ext.meths_count;
    }

    /* Parse each extension in turn */
527
    for (i = 0; i < numexts; i++) {
528
        if (!tls_parse_extension(s, i, context, exts, al))
529 530
            return 0;
    }
531

532 533 534 535
    /*
     * Finalise all known extensions relevant to this context, whether we have
     * found them or not
     */
536 537 538 539
    for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
        if(thisexd->final != NULL
                && (thisexd->context & context) != 0
                && !thisexd->final(s, context, exts[i].present, al))
540 541 542
            return 0;
    }

543 544 545 546
    return 1;
}

/*
547 548
 * Construct all the extensions relevant to the current |context| and write
 * them to |pkt|. Returns 1 on success or 0 on failure. If a failure occurs then
549 550
 * |al| is populated with a suitable alert code. On a failure construction stops
 * at the first extension to fail to construct.
551
 */
M
Matt Caswell 已提交
552 553 554
int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
                             int *al)
{
555 556
    size_t i;
    int addcustom = 0, min_version, max_version = 0, reason, tmpal;
557
    const EXTENSION_DEFINITION *thisexd;
M
Matt Caswell 已提交
558

559
    /*
560
     * Normally if something goes wrong during construction it's an internal
561 562
     * error. We can always override this later.
     */
563
    tmpal = SSL_AD_INTERNAL_ERROR;
564

M
Matt Caswell 已提交
565 566 567
    if (!WPACKET_start_sub_packet_u16(pkt)
               /*
                * If extensions are of zero length then we don't even add the
568
                * extensions length bytes to a ClientHello/ServerHello in SSLv3
M
Matt Caswell 已提交
569
                */
570 571
            || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
               && s->version == SSL3_VERSION
M
Matt Caswell 已提交
572 573 574
               && !WPACKET_set_flags(pkt,
                                     WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
        SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
575
        goto err;
M
Matt Caswell 已提交
576 577
    }

578 579 580 581
    if ((context & EXT_CLIENT_HELLO) != 0) {
        reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
        if (reason != 0) {
            SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
582
            goto err;
583 584 585 586 587 588 589 590 591 592 593
        }
    }

    /* Add custom extensions first */
    if ((context & EXT_CLIENT_HELLO) != 0) {
        custom_ext_init(&s->cert->cli_ext);
        addcustom = 1;
    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
        /*
         * We already initialised the custom extensions during ClientHello
         * parsing.
M
Matt Caswell 已提交
594
         *
595 596 597 598 599 600 601
         * TODO(TLS1.3): We're going to need a new custom extension mechanism
         * for TLS1.3, so that custom extensions can specify which of the
         * multiple message they wish to add themselves to.
         */
        addcustom = 1;
    }

602
    if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) {
603
        SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
604
        goto err;
605 606
    }

607
    for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
M
Matt Caswell 已提交
608 609
        int (*construct)(SSL *s, WPACKET *pkt, int *al);

M
Matt Caswell 已提交
610
        /* Skip if not relevant for our context */
611
        if ((thisexd->context & context) == 0)
M
Matt Caswell 已提交
612 613
            continue;

614 615
        construct = s->server ? thisexd->construct_stoc
                              : thisexd->construct_ctos;
M
Matt Caswell 已提交
616 617 618

        /* Check if this extension is defined for our protocol. If not, skip */
        if ((SSL_IS_DTLS(s)
619
                    && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY)
M
Matt Caswell 已提交
620
                       != 0)
M
Matt Caswell 已提交
621
                || (s->version == SSL3_VERSION
622
                        && (thisexd->context & EXT_SSL3_ALLOWED) == 0)
M
Matt Caswell 已提交
623
                || (SSL_IS_TLS13(s)
624
                    && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY)
M
Matt Caswell 已提交
625
                       != 0)
M
Matt Caswell 已提交
626
                || (!SSL_IS_TLS13(s)
627
                    && (thisexd->context & EXT_TLS1_3_ONLY) != 0
M
Matt Caswell 已提交
628
                    && (context & EXT_CLIENT_HELLO) == 0)
629
                || ((thisexd->context & EXT_TLS1_3_ONLY) != 0
630 631
                    && (context & EXT_CLIENT_HELLO) != 0
                    && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
M
Matt Caswell 已提交
632 633 634
                || construct == NULL)
            continue;

635 636
        if (!construct(s, pkt, &tmpal))
            goto err;
M
Matt Caswell 已提交
637 638 639 640
    }

    if (!WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
641
        goto err;
M
Matt Caswell 已提交
642 643 644
    }

    return 1;
645 646 647 648

 err:
    *al = tmpal;
    return 0;
M
Matt Caswell 已提交
649
}
650

651 652 653 654 655 656 657 658
/*
 * Built in extension finalisation and initialisation functions. All initialise
 * or finalise the associated extension type for the given |context|. For
 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
 * otherwise. These functions return 1 on success or 0 on failure. In the event
 * of a failure then |*al| is populated with a suitable error code.
 */

659
static int final_renegotiate(SSL *s, unsigned int context, int sent,
660 661
                                     int *al)
{
662 663 664 665 666 667 668 669 670
    if (!s->server) {
        /*
         * Check if we can connect to a server that doesn't support safe
         * renegotiation
         */
        if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
                && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
                && !sent) {
            *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
671
            SSLerr(SSL_F_FINAL_RENEGOTIATE,
672 673 674 675
                   SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
            return 0;
        }

676
        return 1;
677
    }
678 679 680 681 682 683

    /* Need RI if renegotiating */
    if (s->renegotiate
            && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
            && !sent) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
684
        SSLerr(SSL_F_FINAL_RENEGOTIATE,
685 686 687 688
               SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
        return 0;
    }

689

690 691 692
    return 1;
}

693
static int init_server_name(SSL *s, unsigned int context)
694 695 696 697 698 699 700
{
    if (s->server)
        s->servername_done = 0;

    return 1;
}

701
static int final_server_name(SSL *s, unsigned int context, int sent,
702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732
                                     int *al)
{
    int ret = SSL_TLSEXT_ERR_NOACK;
    int altmp = SSL_AD_UNRECOGNIZED_NAME;

    if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
        ret = s->ctx->tlsext_servername_callback(s, &altmp,
                                                 s->ctx->tlsext_servername_arg);
    else if (s->initial_ctx != NULL
             && s->initial_ctx->tlsext_servername_callback != 0)
        ret = s->initial_ctx->tlsext_servername_callback(s, &altmp,
                                       s->initial_ctx->tlsext_servername_arg);

    switch (ret) {
    case SSL_TLSEXT_ERR_ALERT_FATAL:
        *al = altmp;
        return 0;

    case SSL_TLSEXT_ERR_ALERT_WARNING:
        *al = altmp;
        return 1;

    case SSL_TLSEXT_ERR_NOACK:
        s->servername_done = 0;
        return 1;

    default:
        return 1;
    }
}

733
#ifndef OPENSSL_NO_EC
734
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
735 736 737 738 739 740 741 742 743 744 745 746 747 748 749
                                       int *al)
{
    unsigned long alg_k, alg_a;

    if (s->server)
        return 1;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;

    /*
     * If we are client and using an elliptic curve cryptography cipher
     * suite, then if server returns an EC point formats lists extension it
     * must contain uncompressed.
     */
750 751 752 753 754
    if (s->tlsext_ecpointformatlist != NULL
            && s->tlsext_ecpointformatlist_length > 0
            && s->session->tlsext_ecpointformatlist != NULL
            && s->session->tlsext_ecpointformatlist_length > 0
            && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
755 756
        /* we are using an ECC cipher */
        size_t i;
757 758
        unsigned char *list = s->session->tlsext_ecpointformatlist;

759
        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
760
            if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
761 762
                break;
        }
763
        if (i == s->session->tlsext_ecpointformatlist_length) {
M
Matt Caswell 已提交
764
            SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
765 766 767 768 769 770 771 772 773
                   SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
            return 0;
        }
    }

    return 1;
}
#endif

774
static int init_session_ticket(SSL *s, unsigned int context)
775 776 777 778 779 780 781
{
    if (!s->server)
        s->tlsext_ticket_expected = 0;

    return 1;
}

782
#ifndef OPENSSL_NO_OCSP
783
static int init_status_request(SSL *s, unsigned int context)
784 785
{
    if (s->server)
786
        s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
787 788 789 790

    return 1;
}

791
static int final_status_request(SSL *s, unsigned int context, int sent,
792 793 794 795 796 797 798 799 800 801 802 803 804 805 806
                                        int *al)
{
    if (s->server)
        return 1;

    /*
     * Ensure we get sensible values passed to tlsext_status_cb in the event
     * that we don't receive a status message
     */
    OPENSSL_free(s->tlsext_ocsp_resp);
    s->tlsext_ocsp_resp = NULL;
    s->tlsext_ocsp_resplen = 0;

    return 1;
}
807
#endif
808

809
#ifndef OPENSSL_NO_NEXTPROTONEG
810
static int init_npn(SSL *s, unsigned int context)
811
{
812
    s->s3->next_proto_neg_seen = 0;
813 814 815 816 817

    return 1;
}
#endif

818
static int init_alpn(SSL *s, unsigned int context)
819
{
820 821
    OPENSSL_free(s->s3->alpn_selected);
    s->s3->alpn_selected = NULL;
822 823 824 825 826 827 828 829 830
    if (s->server) {
        s->s3->alpn_selected_len = 0;
        OPENSSL_free(s->s3->alpn_proposed);
        s->s3->alpn_proposed = NULL;
        s->s3->alpn_proposed_len = 0;
    }
    return 1;
}

831
static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865
{
    const unsigned char *selected = NULL;
    unsigned char selected_len = 0;

    if (!s->server)
        return 1;

    if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
        int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
                                       s->s3->alpn_proposed,
                                       (unsigned int)s->s3->alpn_proposed_len,
                                       s->ctx->alpn_select_cb_arg);

        if (r == SSL_TLSEXT_ERR_OK) {
            OPENSSL_free(s->s3->alpn_selected);
            s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
            if (s->s3->alpn_selected == NULL) {
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
            s->s3->alpn_selected_len = selected_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
            /* ALPN takes precedence over NPN. */
            s->s3->next_proto_neg_seen = 0;
#endif
        } else {
            *al = SSL_AD_NO_APPLICATION_PROTOCOL;
            return 0;
        }
    }

    return 1;
}

866
static int init_sig_algs(SSL *s, unsigned int context)
867 868 869 870 871 872 873 874 875
{
    /* Clear any signature algorithms extension received */
    OPENSSL_free(s->s3->tmp.peer_sigalgs);
    s->s3->tmp.peer_sigalgs = NULL;

    return 1;
}

#ifndef OPENSSL_NO_SRP
876
static int init_srp(SSL *s, unsigned int context)
877 878 879 880 881 882 883 884
{
    OPENSSL_free(s->srp_ctx.login);
    s->srp_ctx.login = NULL;

    return 1;
}
#endif

885
static int init_etm(SSL *s, unsigned int context)
886
{
887 888 889 890 891
    s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;

    return 1;
}

892
static int init_ems(SSL *s, unsigned int context)
893 894 895 896 897 898 899
{
    if (!s->server)
        s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;

    return 1;
}

900
static int final_ems(SSL *s, unsigned int context, int sent, int *al)
901 902 903 904 905 906 907 908 909
{
    if (!s->server && s->hit) {
        /*
         * Check extended master secret extension is consistent with
         * original session.
         */
        if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
            !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
            *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
910
            SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS);
911 912 913
            return 0;
        }
    }
914 915 916 917 918

    return 1;
}

#ifndef OPENSSL_NO_SRTP
919
static int init_srtp(SSL *s, unsigned int context)
920 921 922 923 924 925 926
{
    if (s->server)
        s->srtp_profile = NULL;

    return 1;
}
#endif