2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 /* The ID for the extension */
17 int (*server_parse)(SSL *s, PACKET *pkt);
18 int (*client_parse)(SSL *s, PACKET *pkt);
20 } EXTENSION_DEFINITION;
23 static const EXTENSION_DEFINITION ext_defs[] = {
25 TLSEXT_TYPE_renegotiate,
27 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
30 TLSEXT_TYPE_server_name,
32 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
33 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
38 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
41 TLSEXT_TYPE_ec_point_formats,
46 TLSEXT_TYPE_supported_groups,
48 EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
51 TLSEXT_TYPE_session_ticket,
53 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
56 TLSEXT_TYPE_signature_algorithms,
61 TLSEXT_TYPE_status_request,
63 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_3_CERTIFICATE
66 TLSEXT_TYPE_next_proto_neg,
68 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
71 TLSEXT_TYPE_application_layer_protocol_negotiation,
73 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
74 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
79 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
80 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY
83 TLSEXT_TYPE_encrypt_then_mac,
85 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
88 TLSEXT_TYPE_signed_certificate_timestamp,
90 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_3_CERTIFICATE
93 TLSEXT_TYPE_extended_master_secret,
95 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
98 TLSEXT_TYPE_supported_versions,
108 TLSEXT_TYPE_key_share,
110 EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO
111 | EXT_TLS1_3_HELLO_RETRY_REQUEST
116 * Comparison function used in a call to qsort (see tls_collect_extensions()
118 * The two arguments |p1| and |p2| are expected to be pointers to RAW_EXTENSIONs
121 * 1 if the type for p1 is greater than p2
122 * 0 if the type for p1 and p2 are the same
123 * -1 if the type for p1 is less than p2
125 static int compare_extensions(const void *p1, const void *p2)
127 const RAW_EXTENSION *e1 = (const RAW_EXTENSION *)p1;
128 const RAW_EXTENSION *e2 = (const RAW_EXTENSION *)p2;
130 if (e1->type < e2->type)
132 else if (e1->type > e2->type)
139 * Verify whether we are allowed to use the extension |type| in the current
140 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
141 * indicate the extension is not allowed.
143 static int verify_extension(SSL *s, unsigned int context, unsigned int type)
147 for (i = 0; i < OSSL_NELEM(ext_defs); i++) {
148 if (type == ext_defs[i].type) {
149 /* Check we're allowed to use this extension in this context */
150 if ((context & ext_defs[i].context) == 0)
152 /* Make sure we don't use DTLS extensions in TLS */
153 if ((ext_defs[i].context & EXT_DTLS_ONLY) && !SSL_IS_DTLS(s))
160 /* Unknown extension. We allow it */
165 * Gather a list of all the extensions from the data in |packet]. |context|
166 * tells us which message this extension is for. The raw extension data is
167 * stored in |*res| with the number of found extensions in |*numfound|. In the
168 * event of an error the alert type to use is stored in |*ad|. We don't actually
169 * process the content of the extensions yet, except to check their types.
171 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
172 * more than one extension of the same type in a ClientHello or ServerHello.
173 * This function returns 1 if all extensions are unique and we have parsed their
174 * types, and 0 if the extensions contain duplicates, could not be successfully
175 * parsed, or an internal error occurred.
178 * TODO(TLS1.3): Refactor ServerHello extension parsing to use this and then
179 * remove tls1_check_duplicate_extensions()
181 int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
182 RAW_EXTENSION **res, size_t *numfound, int *ad)
184 PACKET extensions = *packet;
185 size_t num_extensions = 0, i = 0;
186 RAW_EXTENSION *raw_extensions = NULL;
188 /* First pass: count the extensions. */
189 while (PACKET_remaining(&extensions) > 0) {
193 if (!PACKET_get_net_2(&extensions, &type) ||
194 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
195 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
196 *ad = SSL_AD_DECODE_ERROR;
199 /* Verify this extension is allowed */
200 if (!verify_extension(s, context, type)) {
201 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
202 *ad = SSL_AD_ILLEGAL_PARAMETER;
208 if (num_extensions > 0) {
209 raw_extensions = OPENSSL_malloc(sizeof(*raw_extensions)
211 if (raw_extensions == NULL) {
212 *ad = SSL_AD_INTERNAL_ERROR;
213 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE);
217 /* Second pass: collect the extensions. */
218 for (i = 0; i < num_extensions; i++) {
219 if (!PACKET_get_net_2(packet, &raw_extensions[i].type) ||
220 !PACKET_get_length_prefixed_2(packet,
221 &raw_extensions[i].data)) {
222 /* This should not happen. */
223 *ad = SSL_AD_INTERNAL_ERROR;
224 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
229 if (PACKET_remaining(packet) != 0) {
230 *ad = SSL_AD_DECODE_ERROR;
231 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
234 /* Sort the extensions and make sure there are no duplicates. */
235 qsort(raw_extensions, num_extensions, sizeof(*raw_extensions),
237 for (i = 1; i < num_extensions; i++) {
238 if (raw_extensions[i - 1].type == raw_extensions[i].type) {
239 *ad = SSL_AD_DECODE_ERROR;
245 *res = raw_extensions;
246 *numfound = num_extensions;
250 OPENSSL_free(raw_extensions);