Add extensions construction support (4b299b8e) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

include/openssl/ssl.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -2270,6 +2270,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE 357
		# define SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY 358
		# define SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS 443
		# define SSL_F_TLS_CONSTRUCT_EXTENSIONS 447
		# define SSL_F_TLS_CONSTRUCT_FINISHED 359
		# define SSL_F_TLS_CONSTRUCT_HELLO_REQUEST 373
		# define SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET 428
		@@ -2281,6 +2282,8 @@ int ERR_load_SSL_strings(void);
		# define SSL_F_TLS_GET_MESSAGE_BODY 351
		# define SSL_F_TLS_GET_MESSAGE_HEADER 387
		# define SSL_F_TLS_PARSE_CLIENTHELLO_KEY_SHARE 445
		# define SSL_F_TLS_PARSE_CLIENTHELLO_RENEGOTIATE 448
		# define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT 449
		# define SSL_F_TLS_PARSE_CLIENTHELLO_USE_SRTP 446
		# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378
		# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384
		@@ -2311,6 +2314,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_F_TLS_PROCESS_SKE_ECDHE 420
		# define SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE 421
		# define SSL_F_TLS_PROCESS_SKE_SRP 422
		# define SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT 450
		# define SSL_F_USE_CERTIFICATE_CHAIN_FILE 220

		/* Reason codes. */

ssl/ssl_err.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -275,6 +275,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
		"tls_construct_client_verify"},
		{ERR_FUNC(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS),
		"tls_construct_encrypted_extensions"},
		{ERR_FUNC(SSL_F_TLS_CONSTRUCT_EXTENSIONS), "tls_construct_extensions"},
		{ERR_FUNC(SSL_F_TLS_CONSTRUCT_FINISHED), "tls_construct_finished"},
		{ERR_FUNC(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST),
		"tls_construct_hello_request"},
		@@ -292,6 +293,10 @@ static ERR_STRING_DATA SSL_str_functs[] = {
		{ERR_FUNC(SSL_F_TLS_GET_MESSAGE_HEADER), "tls_get_message_header"},
		{ERR_FUNC(SSL_F_TLS_PARSE_CLIENTHELLO_KEY_SHARE),
		"tls_parse_clienthello_key_share"},
		{ERR_FUNC(SSL_F_TLS_PARSE_CLIENTHELLO_RENEGOTIATE),
		"tls_parse_clienthello_renegotiate"},
		{ERR_FUNC(SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT),
		"tls_parse_clienthello_tlsext"},
		{ERR_FUNC(SSL_F_TLS_PARSE_CLIENTHELLO_USE_SRTP),
		"tls_parse_clienthello_use_srtp"},
		{ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO),
		@@ -336,6 +341,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
		{ERR_FUNC(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE),
		"tls_process_ske_psk_preamble"},
		{ERR_FUNC(SSL_F_TLS_PROCESS_SKE_SRP), "tls_process_ske_srp"},
		{ERR_FUNC(SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT),
		"tls_scan_clienthello_tlsext"},
		{ERR_FUNC(SSL_F_USE_CERTIFICATE_CHAIN_FILE),
		"use_certificate_chain_file"},
		{0, NULL}

ssl/statem/extensions.c

+38 −25

Original line number	Diff line number	Diff line
		@@ -45,6 +45,11 @@ typedef struct {
		unsigned int context;
		} EXTENSION_DEFINITION;

		/*
		* TODO(TLS1.3): Temporarily modified the definitions below to put all TLS1.3
		* extensions in the ServerHello for now. That needs to be put back to correct
		* setting once encrypted extensions is working properly.
		*/
		static const EXTENSION_DEFINITION ext_defs[] = {
		{
		TLSEXT_TYPE_renegotiate,
		@@ -62,7 +67,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
		NULL,
		NULL,
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO
		\| EXT_TLS1_3_ENCRYPTED_EXTENSIONS
		\| /EXT_TLS1_3_ENCRYPTED_EXTENSIONS/EXT_TLS1_3_SERVER_HELLO
		},
		#ifndef OPENSSL_NO_SRP
		{
		@@ -89,7 +94,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
		NULL,
		NULL,
		NULL,
		EXT_CLIENT_HELLO \| EXT_TLS1_3_ENCRYPTED_EXTENSIONS
		EXT_CLIENT_HELLO
		\| /EXT_TLS1_3_ENCRYPTED_EXTENSIONS/EXT_TLS1_3_SERVER_HELLO
		},
		#endif
		{
		@@ -114,7 +120,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
		NULL,
		NULL,
		NULL,
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO \| EXT_TLS1_3_CERTIFICATE
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO
		\| /EXT_TLS1_3_CERTIFICATE/EXT_TLS1_3_SERVER_HELLO
		},
		#ifndef OPENSSL_NO_NEXTPROTONEG
		{
		@@ -133,7 +140,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
		NULL,
		NULL,
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO
		\| EXT_TLS1_3_ENCRYPTED_EXTENSIONS
		\| /EXT_TLS1_3_ENCRYPTED_EXTENSIONS/EXT_TLS1_3_SERVER_HELLO
		},
		{
		TLSEXT_TYPE_use_srtp,
		@@ -163,12 +170,15 @@ static const EXTENSION_DEFINITION ext_defs[] = {
		NULL,
		NULL,
		NULL,
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO \| EXT_TLS1_3_CERTIFICATE
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO
		\| /EXT_TLS1_3_CERTIFICATE/EXT_TLS1_3_SERVER_HELLO
		},
		{
		TLSEXT_TYPE_extended_master_secret,
		tls_parse_clienthello_ems,
		NULL,
		NULL,
		NULL,
		EXT_CLIENT_HELLO \| EXT_TLS1_2_SERVER_HELLO \| EXT_TLS1_2_AND_BELOW_ONLY
		},
		{
		@@ -365,8 +375,8 @@ int tls_collect_extensions(SSL s, PACKET packet, unsigned int context,
		return 0;
		}

		int tls_parse_all_extensions(SSL s, RAW_EXTENSION exts, size_t numexts,
		int *al)
		int tls_parse_all_extensions(SSL s, int context, RAW_EXTENSION exts,
		size_t numexts, int *al)
		{
		size_t loop;

		@@ -437,15 +447,15 @@ int tls_parse_all_extensions(SSL s, RAW_EXTENSION exts, size_t numexts,
		* failure. If a failure has occurred then \|*al\| will also be set to the alert
		* to be sent.
		*/
		int tls_parse_extension(SSL s, int type, RAW_EXTENSION exts, size_t numexts,
		int *al)
		int tls_parse_extension(SSL s, int type, int context, RAW_EXTENSION exts,
		size_t numexts, int *al)
		{
		RAW_EXTENSION *ext = tls_get_extension_by_type(exts, numexts, type);

		if (ext == NULL)
		return 1;

		return tls_parse_all_extensions(s, ext, 1, al);
		return tls_parse_all_extensions(s, context, ext, 1, al);
		}

		int tls_construct_extensions(SSL s, WPACKET pkt, unsigned int context,
		@@ -468,23 +478,27 @@ int tls_construct_extensions(SSL s, WPACKET pkt, unsigned int context,
		}

		for (loop = 0; loop < OSSL_NELEM(ext_defs); loop++) {
		int (construct)(SSL s, WPACKET pkt, int al);

		/* Skip if not relevant for our context */
		if ((ext_defs[loop].context & context) == 0)
		continue;

		construct = s->server ? extdef->server_construct
		: extdef->client_construct;
		construct = s->server ? ext_defs[loop].server_construct
		: ext_defs[loop].client_construct;

		/* Check if this extension is defined for our protocol. If not, skip */
		if ((SSL_IS_DTLS(s)
		&& (extdef->context & EXT_TLS_IMPLEMENTATION_ONLY) != 0)
		&& (ext_defs[loop].context & EXT_TLS_IMPLEMENTATION_ONLY)
		!= 0)
		\|\| (s->version == SSL3_VERSION
		&& (extdef->context & EXT_SSL3_ALLOWED) == 0)
		&& (ext_defs[loop].context & EXT_SSL3_ALLOWED) == 0)
		\|\| (SSL_IS_TLS13(s)
		&& (extdef->context & EXT_TLS1_2_AND_BELOW_ONLY) != 0)
		&& (ext_defs[loop].context & EXT_TLS1_2_AND_BELOW_ONLY)
		!= 0)
		\|\| (!SSL_IS_TLS13(s)
		&& ((extdef->context & EXT_TLS1_3_ONLY) != 0
		\|\| (context & EXT_CLIENT_HELLO) != 0))
		&& (ext_defs[loop].context & EXT_TLS1_3_ONLY) != 0
		&& (context & EXT_CLIENT_HELLO) == 0)
		\|\| construct == NULL)
		continue;

		@@ -492,12 +506,11 @@ int tls_construct_extensions(SSL s, WPACKET pkt, unsigned int context,
		return 0;
		}


		/* Add custom extensions */
		if ((context & EXT_CLIENT_HELLO) != 0) {
		custom_ext_init(&s->cert->cli_ext);
		addcustom = 1;
		} else if (context & (EXT_TLS1_2_SERVER_HELLO) {
		} else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
		/*
		* We already initialised the custom extensions during ClientHello
		* parsing.
		@@ -508,13 +521,14 @@ int tls_construct_extensions(SSL s, WPACKET pkt, unsigned int context,
		*/
		addcustom = 1;
		}

		if (addcustom && !custom_ext_add(s, s->server, pkt, al)) {
		SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
		SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
		return 0;
		}

		if (!WPACKET_close(pkt)) {
		*sl = SSL_AD_INTERNAL_ERROR;
		*al = SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
		return 0;
		}
		@@ -522,7 +536,6 @@ int tls_construct_extensions(SSL s, WPACKET pkt, unsigned int context,
		return 1;
		}


		/*
		* Parse the client's renegotiation binding and abort if it's not right
		*/
		@@ -534,7 +547,7 @@ static int tls_parse_clienthello_renegotiate(SSL s, PACKET pkt, int *al)
		/* Parse the length byte */
		if (!PACKET_get_1(pkt, &ilen)
		\|\| !PACKET_get_bytes(pkt, &data, ilen)) {
		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
		SSLerr(SSL_F_TLS_PARSE_CLIENTHELLO_RENEGOTIATE,
		SSL_R_RENEGOTIATION_ENCODING_ERR);
		*al = SSL_AD_ILLEGAL_PARAMETER;
		return 0;
		@@ -542,7 +555,7 @@ static int tls_parse_clienthello_renegotiate(SSL s, PACKET pkt, int *al)

		/* Check that the extension matches */
		if (ilen != s->s3->previous_client_finished_len) {
		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
		SSLerr(SSL_F_TLS_PARSE_CLIENTHELLO_RENEGOTIATE,
		SSL_R_RENEGOTIATION_MISMATCH);
		*al = SSL_AD_HANDSHAKE_FAILURE;
		return 0;
		@@ -550,7 +563,7 @@ static int tls_parse_clienthello_renegotiate(SSL s, PACKET pkt, int *al)

		if (memcmp(data, s->s3->previous_client_finished,
		s->s3->previous_client_finished_len)) {
		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
		SSLerr(SSL_F_TLS_PARSE_CLIENTHELLO_RENEGOTIATE,
		SSL_R_RENEGOTIATION_MISMATCH);
		*al = SSL_AD_HANDSHAKE_FAILURE;
		return 0;

ssl/statem/statem_locl.h

+5 −3

Original line number	Diff line number	Diff line
		@@ -149,7 +149,9 @@ __owur MSG_PROCESS_RETURN tls_process_next_proto(SSL s, PACKET pkt);
		#endif
		__owur int tls_construct_new_session_ticket(SSL s, WPACKET pkt);

		__owur int tls_parse_all_extensions(SSL s, RAW_EXTENSION exts, size_t numexts,
		int *al);
		__owur int tls_parse_extension(SSL s, int type, RAW_EXTENSION exts,
		__owur int tls_parse_all_extensions(SSL s, int context, RAW_EXTENSION exts,
		size_t numexts, int *al);
		__owur int tls_parse_extension(SSL s, int type, int context, RAW_EXTENSION exts,
		size_t numexts, int *al);
		__owur int tls_construct_extensions(SSL s, WPACKET pkt, unsigned int context,
		int *al);

ssl/statem/statem_srvr.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -1173,7 +1173,7 @@ static int tls_scan_clienthello_tlsext(SSL s, CLIENTHELLO_MSG hello, int *al)
		* We process the supported_groups extension first so that is done before
		* we get to key_share which needs to use the information in it.
		*/
		if (!tls_parse_extension(s, TLSEXT_TYPE_supported_groups,
		if (!tls_parse_extension(s, TLSEXT_TYPE_supported_groups, EXT_CLIENT_HELLO,
		hello->pre_proc_exts, hello->num_extensions, al)) {
		return 0;
		}
		@@ -1185,12 +1185,12 @@ static int tls_scan_clienthello_tlsext(SSL s, CLIENTHELLO_MSG hello, int *al)
		hello->num_extensions,
		TLSEXT_TYPE_renegotiate) == NULL) {
		*al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
		SSLerr(SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT,
		SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
		return 0;
		}

		return tls_parse_all_extensions(s, hello->pre_proc_exts,
		return tls_parse_all_extensions(s, EXT_CLIENT_HELLO, hello->pre_proc_exts,
		hello->num_extensions, al);
		}

		@@ -1245,7 +1245,7 @@ static int tls_parse_clienthello_tlsext(SSL s, CLIENTHELLO_MSG hello)
		}

		if (!tls_check_clienthello_tlsext(s)) {
		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
		SSLerr(SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
		return 0;
		}

		@@ -1527,6 +1527,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)

		/* We need to do this before getting the session */
		if (!tls_parse_extension(s, TLSEXT_TYPE_extended_master_secret,
		EXT_CLIENT_HELLO,
		clienthello.pre_proc_exts,
		clienthello.num_extensions, &al)) {
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);