Verify that extensions are used in the correct context
[openssl.git] / ssl / statem / statem_extensions.c
index 78526bb6871b412f493addf93088f9728a00b972..21ce34ce71e7b1ef7b206dcfde0c9f579e19a056 100644 (file)
 #include "../ssl_locl.h"
 #include "statem_locl.h"
 
+typedef struct {
+    /* The ID for the extension */
+    unsigned int type;
+    int (*server_parse)(SSL *s, PACKET *pkt);
+    int (*client_parse)(SSL *s, PACKET *pkt);
+    unsigned int context;
+} EXTENSION_DEFINITION;
+
+
+static const EXTENSION_DEFINITION ext_defs[] = {
+    {
+        TLSEXT_TYPE_renegotiate,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+    },
+    {
+        TLSEXT_TYPE_server_name,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+    },
+    {
+        TLSEXT_TYPE_srp,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+    },
+    {
+        TLSEXT_TYPE_ec_point_formats,
+        NULL, NULL,
+        EXT_CLIENT_HELLO
+    },
+    {
+        TLSEXT_TYPE_supported_groups,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+    },
+    {
+        TLSEXT_TYPE_session_ticket,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+    },
+    {
+        TLSEXT_TYPE_signature_algorithms,
+        NULL, NULL,
+        EXT_CLIENT_HELLO
+    },
+    {
+        TLSEXT_TYPE_status_request,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_3_CERTIFICATE
+    },
+    {
+        TLSEXT_TYPE_next_proto_neg,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+    },
+    {
+        TLSEXT_TYPE_application_layer_protocol_negotiation,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+    },
+    {
+        TLSEXT_TYPE_use_srtp,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY
+    },
+    {
+        TLSEXT_TYPE_encrypt_then_mac,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+    },
+    {
+        TLSEXT_TYPE_signed_certificate_timestamp,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_3_CERTIFICATE
+    },
+    {
+        TLSEXT_TYPE_extended_master_secret,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
+    },
+    {
+        TLSEXT_TYPE_supported_versions,
+        NULL, NULL,
+        EXT_CLIENT_HELLO
+    },
+    {
+        TLSEXT_TYPE_padding,
+        NULL, NULL,
+        EXT_CLIENT_HELLO
+    },
+    {
+        TLSEXT_TYPE_key_share,
+        NULL, NULL,
+        EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO
+        | EXT_TLS1_3_HELLO_RETRY_REQUEST
+    }
+};
+
 /*
  * Comparison function used in a call to qsort (see tls_collect_extensions()
  * below.)
@@ -35,8 +136,37 @@ static int compare_extensions(const void *p1, const void *p2)
 }
 
 /*
- * Gather a list of all the extensions. We don't actually process the content
- * of the extensions yet, except to check their types.
+ * Verify whether we are allowed to use the extension |type| in the current
+ * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
+ * indicate the extension is not allowed.
+ */
+static int verify_extension(SSL *s, unsigned int context, unsigned int type)
+{
+    size_t i;
+
+    for (i = 0; i < OSSL_NELEM(ext_defs); i++) {
+        if (type == ext_defs[i].type) {
+            /* Check we're allowed to use this extension in this context */
+            if ((context & ext_defs[i].context) == 0)
+                return 0;
+            /* Make sure we don't use DTLS extensions in TLS */
+            if ((ext_defs[i].context & EXT_DTLS_ONLY) && !SSL_IS_DTLS(s))
+                return 0;
+
+            return 1;
+        }
+    }
+
+    /* Unknown extension. We allow it */
+    return 1;
+}
+
+/*
+ * Gather a list of all the extensions from the data in |packet]. |context|
+ * tells us which message this extension is for. The raw extension data is
+ * stored in |*res| with the number of found extensions in |*numfound|. In the
+ * event of an error the alert type to use is stored in |*ad|. We don't actually
+ * process the content of the extensions yet, except to check their types.
  *
  * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
  * more than one extension of the same type in a ClientHello or ServerHello.
@@ -48,8 +178,8 @@ static int compare_extensions(const void *p1, const void *p2)
  * TODO(TLS1.3): Refactor ServerHello extension parsing to use this and then
  * remove tls1_check_duplicate_extensions()
  */
-int tls_collect_extensions(PACKET *packet, RAW_EXTENSION **res,
-                             size_t *numfound, int *ad)
+int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
+                           RAW_EXTENSION **res, size_t *numfound, int *ad)
 {
     PACKET extensions = *packet;
     size_t num_extensions = 0, i = 0;
@@ -62,9 +192,16 @@ int tls_collect_extensions(PACKET *packet, RAW_EXTENSION **res,
 
         if (!PACKET_get_net_2(&extensions, &type) ||
             !PACKET_get_length_prefixed_2(&extensions, &extension)) {
+            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
             *ad = SSL_AD_DECODE_ERROR;
             goto err;
         }
+        /* Verify this extension is allowed */
+        if (!verify_extension(s, context, type)) {
+            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
+            *ad = SSL_AD_ILLEGAL_PARAMETER;
+            goto err;
+        }
         num_extensions++;
     }