New extension callback features.
[openssl.git] / ssl / t1_ext.c
index ba6d3ded74bd1d6051242ca89c0c838b4c5e4ee4..115e4345eaae54e7e1ae7380653972f6acacad69 100644 (file)
@@ -73,23 +73,54 @@ static custom_ext_method *custom_ext_find(custom_ext_methods *exts,
                }
        return NULL;
        }
+/* Initialise custom extensions flags to indicate neither sent nor
+ * received.
+ */
+void custom_ext_init(custom_ext_methods *exts)
+       {
+       size_t i;
+       custom_ext_method *meth = exts->meths;
+       for (i = 0; i < exts->meths_count; i++, meth++)
+               meth->ext_flags = 0;
+       }
 
 /* pass received custom extension data to the application for parsing */
 
 int custom_ext_parse(SSL *s, int server,
-                       unsigned short ext_type,
+                       unsigned int ext_type,
                        const unsigned char *ext_data, 
-                       unsigned short ext_size,
+                       size_t ext_size,
                        int *al)
        {
        custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext;
        custom_ext_method *meth;
        meth = custom_ext_find(exts, ext_type);
        /* If not found or no parse function set, return success */
-       if (!meth || !meth->parse_cb)
+       /* If not found return success */
+       if (!meth)
+               return 1;
+       if (!server)
+               {
+               /* If it's ServerHello we can't have any extensions not 
+                * sent in ClientHello.
+                */
+               if (!(meth->ext_flags & SSL_EXT_FLAG_SENT))
+                       {
+                       *al = TLS1_AD_UNSUPPORTED_EXTENSION;
+                       return 0;
+                       }
+               }
+       /* If already present it's a duplicate */
+       if (meth->ext_flags & SSL_EXT_FLAG_RECEIVED)
+               {
+               *al = TLS1_AD_DECODE_ERROR;
+               return 0;
+               }
+       meth->ext_flags |= SSL_EXT_FLAG_RECEIVED;
+       if (!meth->parse_cb)
                return 1;
 
-       return meth->parse_cb(s, ext_type, ext_data, ext_size, al, meth->arg);
+       return meth->parse_cb(s, ext_type, ext_data, ext_size, al, meth->parse_arg);
        }
 
 /* request custom extension data from the application and add to the
@@ -109,26 +140,32 @@ int custom_ext_add(SSL *s, int server,
        for (i = 0; i < exts->meths_count; i++)
                {
                const unsigned char *out = NULL;
-               unsigned short outlen = 0;
+               size_t outlen = 0;
                meth = exts->meths + i;
 
-               /* For servers no callback omits extension,
-                * For clients it sends empty extension.
-                */
-               if (server && !meth->add_cb)
-                       continue;
+               if (server)
+                       {
+                       /* For ServerHello only send extensions present
+                        * in ClientHello.
+                        */
+                       if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
+                               continue;
+                       /* If callback absent for server skip it */
+                       if (!meth->add_cb)
+                               continue;
+                       }
                if (meth->add_cb)
                        {
                        int cb_retval = 0;
                        cb_retval = meth->add_cb(s, meth->ext_type,
                                                        &out, &outlen, al,
-                                                       meth->arg);
-                       if (cb_retval == 0)
+                                                       meth->add_arg);
+                       if (cb_retval < 0)
                                return 0; /* error */
-                       if (cb_retval == -1)
+                       if (cb_retval == 0)
                                        continue; /* skip this extension */
                        }
-               if (4 > limit - ret || outlen > limit - ret - 4)
+               if (4 > limit - ret || outlen > (size_t)(limit - ret - 4))
                        return 0;
                s2n(meth->ext_type, ret);
                s2n(outlen, ret);
@@ -137,6 +174,16 @@ int custom_ext_add(SSL *s, int server,
                        memcpy(ret, out, outlen);
                        ret += outlen;
                        }
+               /* We can't send duplicates: code logic should prevent this */
+               OPENSSL_assert(!(meth->ext_flags & SSL_EXT_FLAG_SENT));
+               /* Indicate extension has been sent: this is both a sanity
+                * check to ensure we don't send duplicate extensions
+                * and indicates to servers that an extension can be
+                * sent in ServerHello.
+                */
+               meth->ext_flags |= SSL_EXT_FLAG_SENT;
+               if (meth->free_cb)
+                       meth->free_cb(s, meth->ext_type, out, meth->add_arg);
                }
        *pret = ret;
        return 1;
@@ -164,12 +211,40 @@ void custom_exts_free(custom_ext_methods *exts)
 
 /* Set callbacks for a custom extension */
 static int custom_ext_set(custom_ext_methods *exts,
-                       unsigned short ext_type,
-                       custom_ext_parse_cb parse_cb,
+                       unsigned int ext_type,
                        custom_ext_add_cb add_cb,
-                       void *arg)
+                       custom_ext_free_cb free_cb,
+                       void *add_arg,
+                       custom_ext_parse_cb parse_cb, void *parse_arg)
        {
        custom_ext_method *meth;
+       /* See if it is a supported internally */
+       switch(ext_type)
+               {
+       case TLSEXT_TYPE_application_layer_protocol_negotiation:
+       case TLSEXT_TYPE_ec_point_formats:
+       case TLSEXT_TYPE_elliptic_curves:
+       case TLSEXT_TYPE_heartbeat:
+       case TLSEXT_TYPE_next_proto_neg:
+       case TLSEXT_TYPE_padding:
+       case TLSEXT_TYPE_renegotiate:
+       case TLSEXT_TYPE_server_name:
+       case TLSEXT_TYPE_session_ticket:
+       case TLSEXT_TYPE_signature_algorithms:
+       case TLSEXT_TYPE_srp:
+       case TLSEXT_TYPE_status_request:
+       case TLSEXT_TYPE_use_srtp:
+#ifdef TLSEXT_TYPE_opaque_prf_input
+       case TLSEXT_TYPE_opaque_prf_input:
+#endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+       case TLSEXT_TYPE_encrypt_then_mac:
+#endif
+               return 0;
+               }
+       /* Extension type must fit in 16 bits */
+       if (ext_type > 0xffff)
+               return 0;
        /* Search for duplicate */
        if (custom_ext_find(exts, ext_type))
                return 0;
@@ -183,27 +258,39 @@ static int custom_ext_set(custom_ext_methods *exts,
                }
 
        meth = exts->meths + exts->meths_count;
+       memset(meth, 0, sizeof(custom_ext_method));
        meth->parse_cb = parse_cb;
        meth->add_cb = add_cb;
+       meth->free_cb = free_cb;
        meth->ext_type = ext_type;
-       meth->arg = arg;
+       meth->add_arg = add_arg;
+       meth->parse_arg = parse_arg;
        exts->meths_count++;
        return 1;
        }
 
 /* Application level functions to add custom extension callbacks */
 
-int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
-                              custom_cli_ext_first_cb_fn fn1, 
-                              custom_cli_ext_second_cb_fn fn2, void *arg)
+int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned int ext_type,
+                              custom_ext_add_cb add_cb,
+                              custom_ext_free_cb free_cb,
+                               void *add_arg,
+                              custom_ext_parse_cb parse_cb, void *parse_arg)
+
        {
-       return custom_ext_set(&ctx->cert->cli_ext, ext_type, fn2, fn1, arg);
+       return custom_ext_set(&ctx->cert->cli_ext, ext_type,
+                               add_cb, free_cb, add_arg,
+                               parse_cb, parse_arg);
        }
 
-int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
-                              custom_srv_ext_first_cb_fn fn1, 
-                              custom_srv_ext_second_cb_fn fn2, void *arg)
+int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned int ext_type,
+                              custom_ext_add_cb add_cb,
+                              custom_ext_free_cb free_cb,
+                               void *add_arg,
+                              custom_ext_parse_cb parse_cb, void *parse_arg)
        {
-       return custom_ext_set(&ctx->cert->srv_ext, ext_type, fn1, fn2, arg);
+       return custom_ext_set(&ctx->cert->srv_ext, ext_type,
+                               add_cb, free_cb, add_arg,
+                               parse_cb, parse_arg);
        }
 #endif