Newer
Older
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
static int final_renegotiate(SSL *s, unsigned int context, int sent);
static int init_server_name(SSL *s, unsigned int context);
static int final_server_name(SSL *s, unsigned int context, int sent);
#ifndef OPENSSL_NO_EC
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
#endif
static int init_session_ticket(SSL *s, unsigned int context);
static int init_status_request(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_NEXTPROTONEG
static int init_npn(SSL *s, unsigned int context);
static int init_alpn(SSL *s, unsigned int context);
static int final_alpn(SSL *s, unsigned int context, int sent);
static int init_sig_algs(SSL *s, unsigned int context);
static int init_certificate_authorities(SSL *s, unsigned int context);
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
unsigned int context,
X509 *x,
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
unsigned int context, X509 *x,
#ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context);
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent);
static int init_psk_kex_modes(SSL *s, unsigned int context);
static int final_key_share(SSL *s, unsigned int context, int sent);
#ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context);
static int final_sig_algs(SSL *s, unsigned int context, int sent);
static int final_early_data(SSL *s, unsigned int context, int sent);
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
/* Structure to define a built-in extension */
typedef struct extensions_definition_st {
/* The defined type for the extension */
/*
* The context that this extension applies to, e.g. what messages and
* protocol versions
*/
unsigned int context;
* Initialise extension before parsing. Always called for relevant contexts
* even if extension not present
int (*init)(SSL *s, unsigned int context);
/* Parse extension sent from client to server */
int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Parse extension send from server to client */
int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Construct extension sent from server to client */
EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx);
/* Construct extension sent from client to server */
EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx);
* Finalise extension after parsing. Always called where an extensions was
* initialised even if the extension was not present. |sent| is set to 1 if
* the extension was seen, or 0 otherwise.
int (*final)(SSL *s, unsigned int context, int sent);
* Definitions of all built-in extensions. NOTE: Changes in the number or order
* of these extensions should be mirrored with equivalent changes to the
* Each extension has an initialiser, a client and
* server side parser and a finaliser. The initialiser is called (if the
* extension is relevant to the given context) even if we did not see the
* extension in the message that we received. The parser functions are only
* called if we see the extension in the message. The finalisers are always
* called if the initialiser was called.
* There are also server and client side constructor functions which are always
* called during message construction if the extension is relevant for the
* given context.
* The initialisation, parsing, finalisation and construction functions are
* always called in the order defined in this list. Some extensions may depend
* on others having been processed first, so the order of this list is
* significant.
* The extension context is defined by a series of flags which specify which
* messages the extension is relevant to. These flags also specify whether the
* extension is relevant to a particular protocol or protocol version.
* TODO(TLS1.3): Make sure we have a test to check the consistency of these
*
* NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
* the end, keep these extensions before signature_algorithm.
#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
static const EXTENSION_DEFINITION ext_defs[] = {
{
TLSEXT_TYPE_renegotiate,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
final_renegotiate
},
{
TLSEXT_TYPE_server_name,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_server_name,
tls_parse_ctos_server_name, tls_parse_stoc_server_name,
tls_construct_stoc_server_name, tls_construct_ctos_server_name,
final_server_name
{
TLSEXT_TYPE_max_fragment_length,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
final_maxfragmentlen
},
#ifndef OPENSSL_NO_SRP
{
TLSEXT_TYPE_srp,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
#endif
#ifndef OPENSSL_NO_EC
{
TLSEXT_TYPE_ec_point_formats,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
/*
* "supported_groups" is spread across several specifications.
* It was originally specified as "elliptic_curves" in RFC 4492,
* and broadened to include named FFDH groups by RFC 7919.
* Both RFCs 4492 and 7919 do not include a provision for the server
* to indicate to the client the complete list of groups supported
* by the server, with the server instead just indicating the
* selected group for this connection in the ServerKeyExchange
* message. TLS 1.3 adds a scheme for the server to indicate
* to the client its list of supported groups in the
* EncryptedExtensions message, but none of the relevant
* specifications permit sending supported_groups in the ServerHello.
* Nonetheless (possibly due to the close proximity to the
* "ec_point_formats" extension, which is allowed in the ServerHello),
* there are several servers that send this extension in the
* ServerHello anyway. Up to and including the 1.1.0 release,
* we did not check for the presence of nonpermitted extensions,
* so to avoid a regression, we must permit this extension in the
* TLS 1.2 ServerHello as well.
*
* Note that there is no tls_parse_stoc_supported_groups function,
* so we do not perform any additional parsing, validation, or
* processing on the server's group list -- this is just a minimal
* change to preserve compatibility with these misbehaving servers.
*/
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
| SSL_EXT_TLS1_2_SERVER_HELLO,
NULL, tls_parse_ctos_supported_groups, NULL,
tls_construct_stoc_supported_groups,
tls_construct_ctos_supported_groups, NULL
#else
INVALID_EXTENSION,
INVALID_EXTENSION,
#endif
{
TLSEXT_TYPE_session_ticket,
Loading
Loading full blame…