search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
certtool is able to set certificate policies via a template
[gnutls.git] / lib / gnutls_extensions.c
blob2cf9c26d9271c36375f247ecc7d7b6422e1d6102
1 /*
2 * Copyright (C) 2001-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos, Simon Josefsson
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that relate to the TLS hello extension parsing.
24 * Hello extensions are packets appended in the TLS hello packet, and
25 * allow for extra functionality.
26 */
27
28 #include "gnutls_int.h"
29 #include "gnutls_extensions.h"
30 #include "gnutls_errors.h"
31 #include "ext/max_record.h"
32 #include <ext/cert_type.h>
33 #include <ext/server_name.h>
34 #include <ext/srp.h>
35 #include <ext/heartbeat.h>
36 #include <ext/session_ticket.h>
37 #include <ext/safe_renegotiation.h>
38 #include <ext/signature.h>
39 #include <ext/safe_renegotiation.h>
40 #include <ext/ecc.h>
41 #include <ext/status_request.h>
42 #include <ext/srtp.h>
43 #include <gnutls_num.h>
44
45
46 static void _gnutls_ext_unset_resumed_session_data (gnutls_session_t session,
47 uint16_t type);
48
49
50 static size_t extfunc_size = 0;
51 static extension_entry_st *extfunc = NULL;
52
53 static gnutls_ext_parse_type_t
54 _gnutls_ext_parse_type (uint16_t type)
55 {
56 size_t i;
57
58 for (i = 0; i < extfunc_size; i++)
59 {
60 if (extfunc[i].type == type)
61 return extfunc[i].parse_type;
62 }
63
64 return GNUTLS_EXT_NONE;
65 }
66
67 static gnutls_ext_recv_func
68 _gnutls_ext_func_recv (uint16_t type, gnutls_ext_parse_type_t parse_type)
69 {
70 size_t i;
71
72 for (i = 0; i < extfunc_size; i++)
73 if (extfunc[i].type == type)
74 if (parse_type == GNUTLS_EXT_ANY || extfunc[i].parse_type == parse_type)
75 return extfunc[i].recv_func;
76
77 return NULL;
78 }
79
80 static gnutls_ext_deinit_data_func
81 _gnutls_ext_func_deinit (uint16_t type)
82 {
83 size_t i;
84
85 for (i = 0; i < extfunc_size; i++)
86 if (extfunc[i].type == type)
87 return extfunc[i].deinit_func;
88
89 return NULL;
90 }
91
92 static gnutls_ext_unpack_func
93 _gnutls_ext_func_unpack (uint16_t type)
94 {
95 size_t i;
96
97 for (i = 0; i < extfunc_size; i++)
98 if (extfunc[i].type == type)
99 return extfunc[i].unpack_func;
100
101 return NULL;
102 }
103
104
105 static const char *
106 _gnutls_extension_get_name (uint16_t type)
107 {
108 size_t i;
109
110 for (i = 0; i < extfunc_size; i++)
111 if (extfunc[i].type == type)
112 return extfunc[i].name;
113
114 return NULL;
115 }
116
117 /* Checks if the extension we just received is one of the
118 * requested ones. Otherwise it's a fatal error.
119 */
120 static int
121 _gnutls_extension_list_check (gnutls_session_t session, uint16_t type)
122 {
123 if (session->security_parameters.entity == GNUTLS_CLIENT)
124 {
125 int i;
126
127 for (i = 0; i < session->internals.extensions_sent_size; i++)
128 {
129 if (type == session->internals.extensions_sent[i])
130 return 0; /* ok found */
131 }
132
133 return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION;
134 }
135
136 return 0;
137 }
138
139 int
140 _gnutls_parse_extensions (gnutls_session_t session,
141 gnutls_ext_parse_type_t parse_type,
142 const uint8_t * data, int data_size)
143 {
144 int next, ret;
145 int pos = 0;
146 uint16_t type;
147 const uint8_t *sdata;
148 gnutls_ext_recv_func ext_recv;
149 uint16_t size;
150
151 #ifdef DEBUG
152 int i;
153
154 if (session->security_parameters.entity == GNUTLS_CLIENT)
155 for (i = 0; i < session->internals.extensions_sent_size; i++)
156 {
157 _gnutls_handshake_log ("EXT[%d]: expecting extension '%s'\n",
158 session,
159 _gnutls_extension_get_name
160 (session->internals.extensions_sent[i]));
161 }
162 #endif
163
164 DECR_LENGTH_RET (data_size, 2, 0);
165 next = _gnutls_read_uint16 (data);
166 pos += 2;
167
168 DECR_LENGTH_RET (data_size, next, 0);
169
170 do
171 {
172 DECR_LENGTH_RET (next, 2, 0);
173 type = _gnutls_read_uint16 (&data[pos]);
174 pos += 2;
175
176 if ((ret = _gnutls_extension_list_check (session, type)) < 0)
177 {
178 gnutls_assert ();
179 return ret;
180 }
181
182 DECR_LENGTH_RET (next, 2, 0);
183 size = _gnutls_read_uint16 (&data[pos]);
184 pos += 2;
185
186 DECR_LENGTH_RET (next, size, 0);
187 sdata = &data[pos];
188 pos += size;
189
190 ext_recv = _gnutls_ext_func_recv (type, parse_type);
191 if (ext_recv == NULL)
192 {
193 _gnutls_handshake_log ("EXT[%p]: Found extension '%s/%d'\n", session,
194 _gnutls_extension_get_name (type), type);
195
196 continue;
197 }
198
199 _gnutls_handshake_log ("EXT[%p]: Parsing extension '%s/%d' (%d bytes)\n",
200 session, _gnutls_extension_get_name (type), type,
201 size);
202
203 if ((ret = ext_recv (session, sdata, size)) < 0)
204 {
205 gnutls_assert ();
206 return ret;
207 }
208
209 }
210 while (next > 2);
211
212 return 0;
213
214 }
215
216 /* Adds the extension we want to send in the extensions list.
217 * This list is used to check whether the (later) received
218 * extensions are the ones we requested.
219 */
220 void
221 _gnutls_extension_list_add (gnutls_session_t session, uint16_t type)
222 {
223
224 if (session->security_parameters.entity == GNUTLS_CLIENT)
225 {
226 if (session->internals.extensions_sent_size < MAX_EXT_TYPES)
227 {
228 session->internals.extensions_sent[session->internals.
229 extensions_sent_size] = type;
230 session->internals.extensions_sent_size++;
231 }
232 else
233 {
234 _gnutls_handshake_log ("extensions: Increase MAX_EXT_TYPES\n");
235 }
236 }
237 }
238
239 int
240 _gnutls_gen_extensions (gnutls_session_t session, gnutls_buffer_st * extdata,
241 gnutls_ext_parse_type_t parse_type)
242 {
243 int size;
244 int pos, size_pos, ret;
245 size_t i, init_size = extdata->length;
246
247 pos = extdata->length; /* we will store length later on */
248 _gnutls_buffer_append_prefix( extdata, 16, 0);
249
250 for (i = 0; i < extfunc_size; i++)
251 {
252 extension_entry_st *p = &extfunc[i];
253
254 if (p->send_func == NULL)
255 continue;
256
257 if (parse_type != GNUTLS_EXT_ANY && p->parse_type != parse_type)
258 continue;
259
260 ret = _gnutls_buffer_append_prefix( extdata, 16, p->type);
261 if (ret < 0)
262 return gnutls_assert_val(ret);
263
264 size_pos = extdata->length;
265 ret = _gnutls_buffer_append_prefix (extdata, 16, 0);
266 if (ret < 0)
267 return gnutls_assert_val(ret);
268
269 size = p->send_func (session, extdata);
270 /* returning GNUTLS_E_INT_RET_0 means to send an empty
271 * extension of this type.
272 */
273 if (size > 0 || size == GNUTLS_E_INT_RET_0)
274 {
275 if (size == GNUTLS_E_INT_RET_0)
276 size = 0;
277
278 /* write the real size */
279 _gnutls_write_uint16(size, &extdata->data[size_pos]);
280
281 /* add this extension to the extension list
282 */
283 _gnutls_extension_list_add (session, p->type);
284
285 _gnutls_handshake_log ("EXT[%p]: Sending extension %s (%d bytes)\n",
286 session, p->name, size);
287 }
288 else if (size < 0)
289 {
290 gnutls_assert ();
291 return size;
292 }
293 else if (size == 0)
294 extdata->length -= 4; /* reset type and size */
295 }
296
297 /* remove any initial data, and the size of the header */
298 size = extdata->length - init_size - 2;
299
300 if ( size > 0)
301 _gnutls_write_uint16(size, &extdata->data[pos]);
302 else if (size == 0) extdata->length -= 2; /* the length bytes */
303
304 return size;
305 }
306
307 int
308 _gnutls_ext_init (void)
309 {
310 int ret;
311
312 ret = _gnutls_ext_register (&ext_mod_max_record_size);
313 if (ret != GNUTLS_E_SUCCESS)
314 return ret;
315
316 ret = _gnutls_ext_register (&ext_mod_status_request);
317 if (ret != GNUTLS_E_SUCCESS)
318 return ret;
319
320 ret = _gnutls_ext_register (&ext_mod_cert_type);
321 if (ret != GNUTLS_E_SUCCESS)
322 return ret;
323
324 ret = _gnutls_ext_register (&ext_mod_server_name);
325 if (ret != GNUTLS_E_SUCCESS)
326 return ret;
327
328 ret = _gnutls_ext_register (&ext_mod_sr);
329 if (ret != GNUTLS_E_SUCCESS)
330 return ret;
331
332 #ifdef ENABLE_SRP
333 ret = _gnutls_ext_register (&ext_mod_srp);
334 if (ret != GNUTLS_E_SUCCESS)
335 return ret;
336 #endif
337
338 ret = _gnutls_ext_register (&ext_mod_heartbeat);
339 if (ret != GNUTLS_E_SUCCESS)
340 return ret;
341
342 ret = _gnutls_ext_register (&ext_mod_session_ticket);
343 if (ret != GNUTLS_E_SUCCESS)
344 return ret;
345
346 ret = _gnutls_ext_register (&ext_mod_supported_ecc);
347 if (ret != GNUTLS_E_SUCCESS)
348 return ret;
349
350 ret = _gnutls_ext_register (&ext_mod_supported_ecc_pf);
351 if (ret != GNUTLS_E_SUCCESS)
352 return ret;
353
354 ret = _gnutls_ext_register (&ext_mod_sig);
355 if (ret != GNUTLS_E_SUCCESS)
356 return ret;
357
358 #ifdef ENABLE_DTLS_SRTP
359 ret = _gnutls_ext_register (&ext_mod_srtp);
360 if (ret != GNUTLS_E_SUCCESS)
361 return ret;
362 #endif
363
364 return GNUTLS_E_SUCCESS;
365 }
366
367 void
368 _gnutls_ext_deinit (void)
369 {
370 gnutls_free (extfunc);
371 extfunc = NULL;
372 extfunc_size = 0;
373 }
374
375 int
376 _gnutls_ext_register (extension_entry_st * mod)
377 {
378 extension_entry_st *p;
379
380 p = gnutls_realloc (extfunc, sizeof (*extfunc) * (extfunc_size + 1));
381 if (!p)
382 {
383 gnutls_assert ();
384 return GNUTLS_E_MEMORY_ERROR;
385 }
386
387 extfunc = p;
388
389 memcpy (&extfunc[extfunc_size], mod, sizeof (*mod));
390
391 extfunc_size++;
392
393 return GNUTLS_E_SUCCESS;
394 }
395
396 int
397 _gnutls_ext_pack (gnutls_session_t session, gnutls_buffer_st * packed)
398 {
399 unsigned int i;
400 int ret;
401 extension_priv_data_t data;
402 int cur_size;
403 int size_offset;
404 int total_exts_pos;
405 int exts = 0;
406
407 total_exts_pos = packed->length;
408 BUFFER_APPEND_NUM (packed, 0);
409
410 for (i = 0; i < extfunc_size; i++)
411 {
412 ret = _gnutls_ext_get_session_data (session, extfunc[i].type, &data);
413 if (ret >= 0 && extfunc[i].pack_func != NULL)
414 {
415 BUFFER_APPEND_NUM (packed, extfunc[i].type);
416
417 size_offset = packed->length;
418 BUFFER_APPEND_NUM (packed, 0);
419
420 cur_size = packed->length;
421
422 ret = extfunc[i].pack_func (data, packed);
423 if (ret < 0)
424 {
425 gnutls_assert ();
426 return ret;
427 }
428
429 exts++;
430 /* write the actual size */
431 _gnutls_write_uint32 (packed->length - cur_size,
432 packed->data + size_offset);
433 }
434 }
435
436 _gnutls_write_uint32 (exts, packed->data + total_exts_pos);
437
438 return 0;
439
440 }
441
442 void
443 _gnutls_ext_restore_resumed_session (gnutls_session_t session)
444 {
445 int i;
446
447
448 /* clear everything except MANDATORY extensions */
449 for (i = 0; i < MAX_EXT_TYPES; i++)
450 {
451 if (session->internals.extension_int_data[i].set != 0 &&
452 _gnutls_ext_parse_type (session->internals.
453 extension_int_data[i].type) !=
454 GNUTLS_EXT_MANDATORY)
455 {
456 _gnutls_ext_unset_session_data (session,
457 session->
458 internals.extension_int_data[i].
459 type);
460 }
461 }
462
463 /* copy resumed to main */
464 for (i = 0; i < MAX_EXT_TYPES; i++)
465 {
466 if (session->internals.resumed_extension_int_data[i].set != 0 &&
467 _gnutls_ext_parse_type (session->
468 internals.resumed_extension_int_data[i].
469 type) != GNUTLS_EXT_MANDATORY)
470 {
471 _gnutls_ext_set_session_data (session,
472 session->
473 internals.resumed_extension_int_data
474 [i].type,
475 session->
476 internals.resumed_extension_int_data
477 [i].priv);
478 session->internals.resumed_extension_int_data[i].set = 0;
479 }
480 }
481
482 }
483
484
485 static void
486 _gnutls_ext_set_resumed_session_data (gnutls_session_t session, uint16_t type,
487 extension_priv_data_t data)
488 {
489 int i;
490
491 for (i = 0; i < MAX_EXT_TYPES; i++)
492 {
493 if (session->internals.resumed_extension_int_data[i].type == type
494 || session->internals.resumed_extension_int_data[i].set == 0)
495 {
496
497 if (session->internals.resumed_extension_int_data[i].set != 0)
498 _gnutls_ext_unset_resumed_session_data (session, type);
499
500 session->internals.resumed_extension_int_data[i].type = type;
501 session->internals.resumed_extension_int_data[i].priv = data;
502 session->internals.resumed_extension_int_data[i].set = 1;
503 return;
504 }
505 }
506 }
507
508 int
509 _gnutls_ext_unpack (gnutls_session_t session, gnutls_buffer_st * packed)
510 {
511 int i, ret;
512 extension_priv_data_t data;
513 gnutls_ext_unpack_func unpack;
514 int max_exts = 0;
515 uint16_t type;
516 int size_for_type, cur_pos;
517
518
519 BUFFER_POP_NUM (packed, max_exts);
520 for (i = 0; i < max_exts; i++)
521 {
522 BUFFER_POP_NUM (packed, type);
523 BUFFER_POP_NUM (packed, size_for_type);
524
525 cur_pos = packed->length;
526
527 unpack = _gnutls_ext_func_unpack (type);
528 if (unpack == NULL)
529 {
530 gnutls_assert ();
531 return GNUTLS_E_PARSING_ERROR;
532 }
533
534 ret = unpack (packed, &data);
535 if (ret < 0)
536 {
537 gnutls_assert ();
538 return ret;
539 }
540
541 /* verify that unpack read the correct bytes */
542 cur_pos = cur_pos - packed->length;
543 if (cur_pos /* read length */ != size_for_type)
544 {
545 gnutls_assert ();
546 return GNUTLS_E_PARSING_ERROR;
547 }
548
549 _gnutls_ext_set_resumed_session_data (session, type, data);
550 }
551
552 return 0;
553
554 error:
555 return ret;
556 }
557
558 void
559 _gnutls_ext_unset_session_data (gnutls_session_t session, uint16_t type)
560 {
561 gnutls_ext_deinit_data_func deinit;
562 extension_priv_data_t data;
563 int ret, i;
564
565 deinit = _gnutls_ext_func_deinit (type);
566 ret = _gnutls_ext_get_session_data (session, type, &data);
567
568 if (ret >= 0 && deinit != NULL)
569 {
570 deinit (data);
571 }
572
573 for (i = 0; i < MAX_EXT_TYPES; i++)
574 {
575 if (session->internals.extension_int_data[i].type == type)
576 {
577 session->internals.extension_int_data[i].set = 0;
578 return;
579 }
580 }
581
582 }
583
584 static void
585 _gnutls_ext_unset_resumed_session_data (gnutls_session_t session,
586 uint16_t type)
587 {
588 gnutls_ext_deinit_data_func deinit;
589 extension_priv_data_t data;
590 int ret, i;
591
592 deinit = _gnutls_ext_func_deinit (type);
593 ret = _gnutls_ext_get_resumed_session_data (session, type, &data);
594
595 if (ret >= 0 && deinit != NULL)
596 {
597 deinit (data);
598 }
599
600 for (i = 0; i < MAX_EXT_TYPES; i++)
601 {
602 if (session->internals.resumed_extension_int_data[i].type == type)
603 {
604 session->internals.resumed_extension_int_data[i].set = 0;
605 return;
606 }
607 }
608
609 }
610
611 /* Deinitializes all data that are associated with TLS extensions.
612 */
613 void
614 _gnutls_ext_free_session_data (gnutls_session_t session)
615 {
616 unsigned int i;
617
618 for (i = 0; i < extfunc_size; i++)
619 {
620 _gnutls_ext_unset_session_data (session, extfunc[i].type);
621 }
622
623 for (i = 0; i < extfunc_size; i++)
624 {
625 _gnutls_ext_unset_resumed_session_data (session, extfunc[i].type);
626 }
627
628 }
629
630 /* This function allows and extension to store data in the current session
631 * and retrieve them later on. We use functions instead of a pointer to a
632 * private pointer, to allow API additions by individual extensions.
633 */
634 void
635 _gnutls_ext_set_session_data (gnutls_session_t session, uint16_t type,
636 extension_priv_data_t data)
637 {
638 unsigned int i;
639 gnutls_ext_deinit_data_func deinit;
640
641 deinit = _gnutls_ext_func_deinit (type);
642
643 for (i = 0; i < MAX_EXT_TYPES; i++)
644 {
645 if (session->internals.extension_int_data[i].type == type
646 || session->internals.extension_int_data[i].set == 0)
647 {
648 if (session->internals.extension_int_data[i].set != 0)
649 {
650 if (deinit)
651 deinit (session->internals.extension_int_data[i].priv);
652 }
653 session->internals.extension_int_data[i].type = type;
654 session->internals.extension_int_data[i].priv = data;
655 session->internals.extension_int_data[i].set = 1;
656 return;
657 }
658 }
659 }
660
661 int
662 _gnutls_ext_get_session_data (gnutls_session_t session,
663 uint16_t type, extension_priv_data_t * data)
664 {
665 int i;
666
667 for (i = 0; i < MAX_EXT_TYPES; i++)
668 {
669 if (session->internals.extension_int_data[i].set != 0 &&
670 session->internals.extension_int_data[i].type == type)
671 {
672 *data = session->internals.extension_int_data[i].priv;
673 return 0;
674 }
675 }
676 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
677 }
678
679 int
680 _gnutls_ext_get_resumed_session_data (gnutls_session_t session,
681 uint16_t type,
682 extension_priv_data_t * data)
683 {
684 int i;
685
686 for (i = 0; i < MAX_EXT_TYPES; i++)
687 {
688 if (session->internals.resumed_extension_int_data[i].set != 0 &&
689 session->internals.resumed_extension_int_data[i].type == type)
690 {
691 *data = session->internals.resumed_extension_int_data[i].priv;
692 return 0;
693 }
694 }
695 return GNUTLS_E_INVALID_REQUEST;
696 }
Implementation of the SSL/TLS protocol