int *al);
#endif
static int init_session_ticket(SSL *s, unsigned int context);
+#ifndef OPENSSL_NO_OCSP
static int init_status_request(SSL *s, unsigned int context);
-static int final_status_request(SSL *s, unsigned int context, int sent,
- int *al);
+#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
static int init_npn(SSL *s, unsigned int context);
#endif
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent, int *al);
+static int init_psk_kex_modes(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context);
#endif
+static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al);
/* Structure to define a built-in extension */
typedef struct extensions_definition_st {
*/
int (*init)(SSL *s, unsigned int context);
/* Parse extension sent from client to server */
- int (*parse_ctos)(SSL *s, PACKET *pkt, int *al);
+ int (*parse_ctos)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al);
/* Parse extension send from server to client */
- int (*parse_stoc)(SSL *s, PACKET *pkt, int *al);
+ int (*parse_stoc)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al);
/* Construct extension sent from server to client */
- int (*construct_stoc)(SSL *s, WPACKET *pkt, int *al);
+ int (*construct_stoc)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
+ int *al);
/* Construct extension sent from client to server */
- int (*construct_ctos)(SSL *s, WPACKET *pkt, int *al);
+ int (*construct_ctos)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
+ int *al);
/*
* Finalise extension after parsing. Always called where an extensions was
* initialised even if the extension was not present. |sent| is set to 1 if
/*
* Definitions of all built-in extensions. NOTE: Changes in the number or order
- * of these extensions should be mirrored with equivalent changes to the indexes
- * defined in statem_locl.h.
+ * of these extensions should be mirrored with equivalent changes to the
+ * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
* Each extension has an initialiser, a client and
* server side parser and a finaliser. The initialiser is called (if the
* extension is relevant to the given context) even if we did not see the
* significant.
* The extension context is defined by a series of flags which specify which
* messages the extension is relevant to. These flags also specify whether the
- * extension is relevant to a paricular protocol or protocol version.
+ * extension is relevant to a particular protocol or protocol version.
*
* TODO(TLS1.3): Make sure we have a test to check the consistency of these
*/
+#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
static const EXTENSION_DEFINITION ext_defs[] = {
{
TLSEXT_TYPE_renegotiate,
EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
},
+#else
+ INVALID_EXTENSION,
#endif
#ifndef OPENSSL_NO_EC
{
TLSEXT_TYPE_ec_point_formats,
- EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
NULL /* TODO(TLS1.3): Need to add this */,
tls_construct_ctos_supported_groups, NULL
},
+#else
+ INVALID_EXTENSION,
+ INVALID_EXTENSION,
#endif
{
TLSEXT_TYPE_session_ticket,
TLSEXT_TYPE_signature_algorithms,
EXT_CLIENT_HELLO,
init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL,
- tls_construct_ctos_sig_algs, NULL
+ tls_construct_ctos_sig_algs, final_sig_algs
},
#ifndef OPENSSL_NO_OCSP
{
| EXT_TLS1_3_CERTIFICATE,
init_status_request, tls_parse_ctos_status_request,
tls_parse_stoc_status_request, tls_construct_stoc_status_request,
- tls_construct_ctos_status_request, final_status_request
+ tls_construct_ctos_status_request, NULL
},
+#else
+ INVALID_EXTENSION,
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
{
init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
},
+#else
+ INVALID_EXTENSION,
#endif
{
/*
init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
},
+#else
+ INVALID_EXTENSION,
#endif
{
TLSEXT_TYPE_encrypt_then_mac,
*/
NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
},
+#else
+ INVALID_EXTENSION,
#endif
{
TLSEXT_TYPE_extended_master_secret,
/* Processed inline as part of version selection */
NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
},
+ {
+ /* Must be before key_share */
+ TLSEXT_TYPE_psk_kex_modes,
+ EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
+ init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
+ tls_construct_ctos_psk_kex_modes, NULL
+ },
{
/*
* Must be in this list after supported_groups. We need that to have
NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
},
{
- /* Last in the list because it must be added as the last extension */
+ /* Must be immediately before pre_shared_key */
+ /* TODO(TLS1.3): Fix me */
TLSEXT_TYPE_padding,
EXT_CLIENT_HELLO,
NULL,
/* We send this, but don't read it */
NULL, NULL, NULL, tls_construct_ctos_padding, NULL
+ },
+ {
+ /* Required by the TLSv1.3 spec to always be the last extension */
+ TLSEXT_TYPE_psk,
+ EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | EXT_TLS_IMPLEMENTATION_ONLY
+ | EXT_TLS1_3_ONLY,
+ NULL, NULL, tls_parse_stoc_psk, NULL, tls_construct_ctos_psk, NULL
}
};
* Runs the parser for a given extension with index |idx|. |exts| contains the
* list of all parsed extensions previously collected by
* tls_collect_extensions(). The parser is only run if it is applicable for the
- * given |context| and the parser has not already been run. Returns 1 on success
- * or 0 on failure. In the event of a failure |*al| is populated with a suitable
- * alert code. If an extension is not present this counted as success.
+ * given |context| and the parser has not already been run. If this is for a
+ * Certificate message, then we also provide the parser with the relevant
+ * Certificate |x| and its position in the |chainidx| with 0 being the first
+ * Certificate. Returns 1 on success or 0 on failure. In the event of a failure
+ * |*al| is populated with a suitable alert code. If an extension is not present
+ * this counted as success.
*/
int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
- RAW_EXTENSION *exts, int *al)
+ RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al)
{
RAW_EXTENSION *currext = &exts[idx];
- int (*parser)(SSL *s, PACKET *pkt, int *al) = NULL;
+ int (*parser)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al) = NULL;
/* Skip if the extension is not present */
if (!currext->present)
return 1;
- if (s->tlsext_debug_cb)
- s->tlsext_debug_cb(s, !s->server, currext->type,
- PACKET_data(&currext->data),
- PACKET_remaining(&currext->data),
- s->tlsext_debug_arg);
+ if (s->ext.debug_cb)
+ s->ext.debug_cb(s, !s->server, currext->type,
+ PACKET_data(&currext->data),
+ PACKET_remaining(&currext->data),
+ s->ext.debug_arg);
/* Skip if we've already parsed this extension */
if (currext->parsed)
parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
if (parser != NULL)
- return parser(s, &currext->data, al);
+ return parser(s, &currext->data, x, chainidx, al);
/*
* If the parser is NULL we fall through to the custom extension
/*
* This is a custom extension. We only allow this if it is a non
* resumed session on the server side.
- *
+ *chain
* TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions.
* We're going to need a new mechanism for TLS1.3 to specify which
* messages to add the custom extensions to.
/*
* Parse all remaining extensions that have not yet been parsed. Also calls the
* finalisation for all extensions at the end, whether we collected them or not.
- * Returns 1 for success or 0 for failure. On failure, |*al| is populated with a
- * suitable alert code.
+ * Returns 1 for success or 0 for failure. If we are working on a Certificate
+ * message then we also pass the Certificate |x| and its position in the
+ * |chainidx|, with 0 being the first certificate. On failure, |*al| is
+ * populated with a suitable alert code.
*/
-int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, int *al)
+int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
+ size_t chainidx, int *al)
{
size_t i, numexts = OSSL_NELEM(ext_defs);
const EXTENSION_DEFINITION *thisexd;
/* Parse each extension in turn */
for (i = 0; i < numexts; i++) {
- if (!tls_parse_extension(s, i, context, exts, al))
+ if (!tls_parse_extension(s, i, context, exts, x, chainidx, al))
return 0;
}
/*
* Construct all the extensions relevant to the current |context| and write
- * them to |pkt|. Returns 1 on success or 0 on failure. If a failure occurs then
- * |al| is populated with a suitable alert code. On a failure construction stops
- * at the first extension to fail to construct.
+ * them to |pkt|. If this is an extension for a Certificate in a Certificate
+ * message, then |x| will be set to the Certificate we are handling, and
+ * |chainidx| will indicate the position in the chainidx we are processing (with
+ * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a
+ * failure occurs then |al| is populated with a suitable alert code. On a
+ * failure construction stops at the first extension to fail to construct.
*/
int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
- int *al)
+ X509 *x, size_t chainidx, int *al)
{
size_t i;
int addcustom = 0, min_version, max_version = 0, reason, tmpal;
}
for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
- int (*construct)(SSL *s, WPACKET *pkt, int *al);
+ int (*construct)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
+ int *al);
/* Skip if not relevant for our context */
if ((thisexd->context & context) == 0)
|| construct == NULL)
continue;
- if (!construct(s, pkt, &tmpal))
+ if (!construct(s, pkt, x, chainidx, &tmpal))
goto err;
}
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
&& !sent) {
*al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_EXT_FINAL_RENEGOTIATE,
+ SSLerr(SSL_F_FINAL_RENEGOTIATE,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
&& !sent) {
*al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_EXT_FINAL_RENEGOTIATE,
+ SSLerr(SSL_F_FINAL_RENEGOTIATE,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
int ret = SSL_TLSEXT_ERR_NOACK;
int altmp = SSL_AD_UNRECOGNIZED_NAME;
- if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
- ret = s->ctx->tlsext_servername_callback(s, &altmp,
- s->ctx->tlsext_servername_arg);
+ if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
+ ret = s->ctx->ext.servername_cb(s, &altmp,
+ s->ctx->ext.servername_arg);
else if (s->initial_ctx != NULL
- && s->initial_ctx->tlsext_servername_callback != 0)
- ret = s->initial_ctx->tlsext_servername_callback(s, &altmp,
- s->initial_ctx->tlsext_servername_arg);
+ && s->initial_ctx->ext.servername_cb != 0)
+ ret = s->initial_ctx->ext.servername_cb(s, &altmp,
+ s->initial_ctx->ext.servername_arg);
switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL:
* suite, then if server returns an EC point formats lists extension it
* must contain uncompressed.
*/
- if (s->tlsext_ecpointformatlist != NULL
- && s->tlsext_ecpointformatlist_length > 0
- && s->session->tlsext_ecpointformatlist != NULL
- && s->session->tlsext_ecpointformatlist_length > 0
+ if (s->ext.ecpointformats != NULL
+ && s->ext.ecpointformats_len > 0
+ && s->session->ext.ecpointformats != NULL
+ && s->session->ext.ecpointformats_len > 0
&& ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
/* we are using an ECC cipher */
size_t i;
- unsigned char *list = s->session->tlsext_ecpointformatlist;
+ unsigned char *list = s->session->ext.ecpointformats;
- for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
+ for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
break;
}
- if (i == s->session->tlsext_ecpointformatlist_length) {
- SSLerr(SSL_F_TLS_EXT_FINAL_EC_PT_FORMATS,
+ if (i == s->session->ext.ecpointformats_len) {
+ SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
return 0;
}
static int init_session_ticket(SSL *s, unsigned int context)
{
if (!s->server)
- s->tlsext_ticket_expected = 0;
+ s->ext.ticket_expected = 0;
return 1;
}
+#ifndef OPENSSL_NO_OCSP
static int init_status_request(SSL *s, unsigned int context)
{
- if (s->server)
- s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
-
- return 1;
-}
-
-static int final_status_request(SSL *s, unsigned int context, int sent,
- int *al)
-{
- if (s->server)
- return 1;
-
- /*
- * Ensure we get sensible values passed to tlsext_status_cb in the event
- * that we don't receive a status message
- */
- OPENSSL_free(s->tlsext_ocsp_resp);
- s->tlsext_ocsp_resp = NULL;
- s->tlsext_ocsp_resplen = 0;
+ if (s->server) {
+ s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
+ } else {
+ /*
+ * Ensure we get sensible values passed to tlsext_status_cb in the event
+ * that we don't receive a status message
+ */
+ OPENSSL_free(s->ext.ocsp.resp);
+ s->ext.ocsp.resp = NULL;
+ s->ext.ocsp.resp_len = 0;
+ }
return 1;
}
+#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
static int init_npn(SSL *s, unsigned int context)
{
- s->s3->next_proto_neg_seen = 0;
+ s->s3->npn_seen = 0;
return 1;
}
if (!s->server)
return 1;
- if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
- int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
- s->s3->alpn_proposed,
- (unsigned int)s->s3->alpn_proposed_len,
- s->ctx->alpn_select_cb_arg);
+ if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
+ int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
+ s->s3->alpn_proposed,
+ (unsigned int)s->s3->alpn_proposed_len,
+ s->ctx->ext.alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected_len = selected_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
/* ALPN takes precedence over NPN. */
- s->s3->next_proto_neg_seen = 0;
+ s->s3->npn_seen = 0;
#endif
} else {
*al = SSL_AD_NO_APPLICATION_PROTOCOL;
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
!(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
*al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_EXT_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS);
+ SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS);
return 0;
}
}
return 1;
}
#endif
+
+static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al)
+{
+ if (!sent && SSL_IS_TLS13(s)) {
+ *al = TLS13_AD_MISSING_EXTENSION;
+ SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int init_psk_kex_modes(SSL *s, unsigned int context)
+{
+ s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
+
+ return 1;
+}