Commit 6dd083fd authored by Matt Caswell's avatar Matt Caswell
Browse files

Move client parsing of ServerHello extensions into new framework 



Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent e56c33b9

include/openssl/ssl.h

+3 −0
Original line number Diff line number Diff line
@@ -2297,6 +2297,9 @@ int ERR_load_SSL_strings(void); 
# define SSL_F_TLS_PARSE_CLIENT_KEY_SHARE                 445

# define SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE               448

# define SSL_F_TLS_PARSE_CLIENT_USE_SRTP                  446

# define SSL_F_TLS_PARSE_SERVER_KEY_SHARE                 463

# define SSL_F_TLS_PARSE_SERVER_RENEGOTIATE               464

# define SSL_F_TLS_PARSE_SERVER_USE_SRTP                  465

# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO              378

# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE       384

# define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE             360

ssl/build.info

+2 −2
Original line number Diff line number Diff line
@@ -3,13 +3,13 @@ SOURCE[../libssl]=\ 
        pqueue.c packet.c \

        statem/statem_srvr.c statem/statem_clnt.c  s3_lib.c  s3_enc.c record/rec_layer_s3.c \

        statem/statem_lib.c statem/extensions.c statem/extensions_srvr.c \

        s3_cbc.c s3_msg.c \

        statem/extensions_clnt.c s3_cbc.c s3_msg.c \

        methods.c   t1_lib.c  t1_enc.c tls13_enc.c t1_ext.c \

        d1_lib.c  record/rec_layer_d1.c d1_msg.c \

        statem/statem_dtls.c d1_srtp.c \

        ssl_lib.c ssl_cert.c ssl_sess.c \

        ssl_ciph.c ssl_stat.c ssl_rsa.c \

        ssl_asn1.c ssl_txt.c ssl_init.c ssl_conf.c  ssl_mcnf.c \

        bio_ssl.c ssl_err.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \

        bio_ssl.c ssl_err.c tls_srp.c t1_trce.c ssl_utst.c \

        record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \

        statem/statem.c record/ssl3_record_tls13.c

ssl/d1_srtp.c

+0 −57
Original line number Diff line number Diff line
@@ -136,61 +136,4 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s) 
{

    return s->srtp_profile;

}



int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)

{

    unsigned int id, ct, mki;

    int i;



    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;

    SRTP_PROTECTION_PROFILE *prof;



    if (!PACKET_get_net_2(pkt, &ct)

        || ct != 2 || !PACKET_get_net_2(pkt, &id)

        || !PACKET_get_1(pkt, &mki)

        || PACKET_remaining(pkt) != 0) {

        SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,

               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

        *al = SSL_AD_DECODE_ERROR;

        return 1;

    }



    if (mki != 0) {

        /* Must be no MKI, since we never offer one */

        SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,

               SSL_R_BAD_SRTP_MKI_VALUE);

        *al = SSL_AD_ILLEGAL_PARAMETER;

        return 1;

    }



    clnt = SSL_get_srtp_profiles(s);



    /* Throw an error if the server gave us an unsolicited extension */

    if (clnt == NULL) {

        SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,

               SSL_R_NO_SRTP_PROFILES);

        *al = SSL_AD_DECODE_ERROR;

        return 1;

    }



    /*

     * Check to see if the server gave us something we support (and

     * presumably offered)

     */

    for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {

        prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);



        if (prof->id == id) {

            s->srtp_profile = prof;

            *al = 0;

            return 0;

        }

    }



    SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,

           SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

    *al = SSL_AD_DECODE_ERROR;

    return 1;

}



#endif

ssl/ssl_err.c

+5 −0
Original line number Diff line number Diff line
@@ -319,6 +319,11 @@ static ERR_STRING_DATA SSL_str_functs[] = { 
    {ERR_FUNC(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE),

     "tls_parse_client_renegotiate"},

    {ERR_FUNC(SSL_F_TLS_PARSE_CLIENT_USE_SRTP), "tls_parse_client_use_srtp"},

    {ERR_FUNC(SSL_F_TLS_PARSE_SERVER_KEY_SHARE),

     "tls_parse_server_key_share"},

    {ERR_FUNC(SSL_F_TLS_PARSE_SERVER_RENEGOTIATE),

     "tls_parse_server_renegotiate"},

    {ERR_FUNC(SSL_F_TLS_PARSE_SERVER_USE_SRTP), "tls_parse_server_use_srtp"},

    {ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO),

     "tls_post_process_client_hello"},

    {ERR_FUNC(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE),

ssl/ssl_locl.h

+0 −3
Original line number Diff line number Diff line
@@ -2117,7 +2117,6 @@ __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, 


__owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);

void ssl_clear_hash_ctx(EVP_MD_CTX **hash);

__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);

__owur long ssl_get_algorithm2(SSL *s);

__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,

                              const unsigned char *psig, size_t psiglen);
@@ -2129,8 +2128,6 @@ __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, 
void ssl_set_client_disabled(SSL *s);

__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);



__owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);



__owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,

                                 size_t *hashlen);

__owur const EVP_MD *ssl_md(int idx);