X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Ft1_ext.c;h=182164760fe674492970abb961693ae409b1e029;hb=6f68a52ebf39ad854e277cd6d7bae3cb32ab7049;hp=09f10440396c2ae492528e039b0c9c767136d90b;hpb=349807608f31b20af01a342d0072bb92e0b036e2;p=openssl.git diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c index 09f1044039..182164760f 100644 --- a/ssl/t1_ext.c +++ b/ssl/t1_ext.c @@ -1,64 +1,19 @@ -/* ==================================================================== - * Copyright (c) 2014 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). +/* + * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ /* Custom extension utility functions */ +#include #include "ssl_locl.h" - /* Find a custom extension from the list. */ -static custom_ext_method *custom_ext_find(custom_ext_methods *exts, +static custom_ext_method *custom_ext_find(const custom_ext_methods *exts, unsigned int ext_type) { size_t i; @@ -112,25 +67,23 @@ int custom_ext_parse(SSL *s, int server, if (!meth->parse_cb) return 1; - return meth->parse_cb(s, ext_type, ext_data, ext_size, al, - meth->parse_arg); + return meth->parse_cb(s, ext_type, ext_data, ext_size, al, meth->parse_arg); } /* * Request custom extension data from the application and add to the return * buffer. */ -int custom_ext_add(SSL *s, int server, - unsigned char **pret, unsigned char *limit, int *al) +int custom_ext_add(SSL *s, int server, WPACKET *pkt, int *al) { custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext; custom_ext_method *meth; - unsigned char *ret = *pret; size_t i; for (i = 0; i < exts->meths_count; i++) { const unsigned char *out = NULL; size_t outlen = 0; + meth = exts->meths + i; if (server) { @@ -152,13 +105,13 @@ int custom_ext_add(SSL *s, int server, if (cb_retval == 0) continue; /* skip this extension */ } - if (4 > limit - ret || outlen > (size_t)(limit - ret - 4)) + + if (!WPACKET_put_bytes_u16(pkt, meth->ext_type) + || !WPACKET_start_sub_packet_u16(pkt) + || (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen)) + || !WPACKET_close(pkt)) { + *al = SSL_AD_INTERNAL_ERROR; return 0; - s2n(meth->ext_type, ret); - s2n(outlen, ret); - if (outlen) { - memcpy(ret, out, outlen); - ret += outlen; } /* * We can't send duplicates: code logic should prevent this. @@ -173,7 +126,6 @@ int custom_ext_add(SSL *s, int server, if (meth->free_cb) meth->free_cb(s, meth->ext_type, out, meth->add_arg); } - *pret = ret; return 1; } @@ -183,7 +135,7 @@ int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src) if (src->meths_count) { dst->meths = OPENSSL_memdup(src->meths, - sizeof(custom_ext_method) * src->meths_count); + sizeof(custom_ext_method) * src->meths_count); if (dst->meths == NULL) return 0; dst->meths_count = src->meths_count; @@ -204,15 +156,19 @@ static int custom_ext_meth_add(custom_ext_methods *exts, void *add_arg, custom_ext_parse_cb parse_cb, void *parse_arg) { - custom_ext_method *meth; + custom_ext_method *meth, *tmp; /* * Check application error: if add_cb is not set free_cb will never be * called. */ if (!add_cb && free_cb) return 0; - /* Don't add if extension supported internally. */ - if (SSL_extension_supported(ext_type)) + /* + * Don't add if extension supported internally, but make exception + * for extension types that previously were not supported, but now are. + */ + if (SSL_extension_supported(ext_type) && + ext_type != TLSEXT_TYPE_signed_certificate_timestamp) return 0; /* Extension type must fit in 16 bits */ if (ext_type > 0xffff) @@ -220,15 +176,17 @@ static int custom_ext_meth_add(custom_ext_methods *exts, /* Search for duplicate */ if (custom_ext_find(exts, ext_type)) return 0; - exts->meths = OPENSSL_realloc(exts->meths, - (exts->meths_count + - 1) * sizeof(custom_ext_method)); + tmp = OPENSSL_realloc(exts->meths, + (exts->meths_count + 1) * sizeof(custom_ext_method)); - if (!exts->meths) { + if (tmp == NULL) { + OPENSSL_free(exts->meths); + exts->meths = NULL; exts->meths_count = 0; return 0; } + exts->meths = tmp; meth = exts->meths + exts->meths_count; memset(meth, 0, sizeof(*meth)); meth->parse_cb = parse_cb; @@ -241,24 +199,38 @@ static int custom_ext_meth_add(custom_ext_methods *exts, return 1; } +/* Return true if a client custom extension exists, false otherwise */ +int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type) +{ + return custom_ext_find(&ctx->cert->cli_ext, ext_type) != NULL; +} + /* Application level functions to add custom extension callbacks */ int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, custom_ext_add_cb add_cb, custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg) + custom_ext_parse_cb parse_cb, void *parse_arg) { - return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, - add_cb, free_cb, add_arg, parse_cb, parse_arg); +#ifndef OPENSSL_NO_CT + /* + * We don't want applications registering callbacks for SCT extensions + * whilst simultaneously using the built-in SCT validation features, as + * these two things may not play well together. + */ + if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp && + SSL_CTX_ct_is_enabled(ctx)) + return 0; +#endif + return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb, + free_cb, add_arg, parse_cb, parse_arg); } int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, custom_ext_add_cb add_cb, custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg) + custom_ext_parse_cb parse_cb, void *parse_arg) { return custom_ext_meth_add(&ctx->cert->srv_ext, ext_type, add_cb, free_cb, add_arg, parse_cb, parse_arg); @@ -270,9 +242,10 @@ int SSL_extension_supported(unsigned int ext_type) /* Internally supported extensions. */ case TLSEXT_TYPE_application_layer_protocol_negotiation: case TLSEXT_TYPE_ec_point_formats: - case TLSEXT_TYPE_elliptic_curves: - case TLSEXT_TYPE_heartbeat: + case TLSEXT_TYPE_supported_groups: +#ifndef OPENSSL_NO_NEXTPROTONEG case TLSEXT_TYPE_next_proto_neg: +#endif case TLSEXT_TYPE_padding: case TLSEXT_TYPE_renegotiate: case TLSEXT_TYPE_server_name: @@ -280,10 +253,14 @@ int SSL_extension_supported(unsigned int ext_type) case TLSEXT_TYPE_signature_algorithms: case TLSEXT_TYPE_srp: case TLSEXT_TYPE_status_request: + case TLSEXT_TYPE_signed_certificate_timestamp: case TLSEXT_TYPE_use_srtp: #ifdef TLSEXT_TYPE_encrypt_then_mac case TLSEXT_TYPE_encrypt_then_mac: #endif + case TLSEXT_TYPE_key_share: + case TLSEXT_TYPE_supported_versions: + case TLSEXT_TYPE_extended_master_secret: return 1; default: return 0;