search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update libressl to 2.8.2
[unleashed.git] / lib / libssl / ssl_tlsext.c
blobb70be87f3a8d46f3c057f286f69f527d42f27055
1 /* $OpenBSD: ssl_tlsext.c,v 1.22 2018/05/12 17:27:22 jsing Exp $ */
2 /*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19 #include <openssl/ocsp.h>
20
21 #include "ssl_locl.h"
22
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
25
26 /*
27 * Supported Application-Layer Protocol Negotiation - RFC 7301
28 */
29
30 int
31 tlsext_alpn_clienthello_needs(SSL *s)
32 {
33 /* ALPN protos have been specified and this is the initial handshake */
34 return s->internal->alpn_client_proto_list != NULL &&
35 S3I(s)->tmp.finish_md_len == 0;
36 }
37
38 int
39 tlsext_alpn_clienthello_build(SSL *s, CBB *cbb)
40 {
41 CBB protolist;
42
43 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
44 return 0;
45
46 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
47 s->internal->alpn_client_proto_list_len))
48 return 0;
49
50 if (!CBB_flush(cbb))
51 return 0;
52
53 return 1;
54 }
55
56 int
57 tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
58 {
59 CBS proto_name_list, alpn;
60 const unsigned char *selected;
61 unsigned char selected_len;
62 int r;
63
64 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
65 goto err;
66 if (CBS_len(&alpn) < 2)
67 goto err;
68 if (CBS_len(cbs) != 0)
69 goto err;
70
71 CBS_dup(&alpn, &proto_name_list);
72 while (CBS_len(&proto_name_list) > 0) {
73 CBS proto_name;
74
75 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
76 goto err;
77 if (CBS_len(&proto_name) == 0)
78 goto err;
79 }
80
81 if (s->ctx->internal->alpn_select_cb == NULL)
82 return 1;
83
84 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
85 CBS_data(&alpn), CBS_len(&alpn),
86 s->ctx->internal->alpn_select_cb_arg);
87 if (r == SSL_TLSEXT_ERR_OK) {
88 free(S3I(s)->alpn_selected);
89 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
90 *alert = SSL_AD_INTERNAL_ERROR;
91 return 0;
92 }
93 memcpy(S3I(s)->alpn_selected, selected, selected_len);
94 S3I(s)->alpn_selected_len = selected_len;
95 }
96
97 return 1;
98
99 err:
100 *alert = SSL_AD_DECODE_ERROR;
101 return 0;
102 }
103
104 int
105 tlsext_alpn_serverhello_needs(SSL *s)
106 {
107 return S3I(s)->alpn_selected != NULL;
108 }
109
110 int
111 tlsext_alpn_serverhello_build(SSL *s, CBB *cbb)
112 {
113 CBB list, selected;
114
115 if (!CBB_add_u16_length_prefixed(cbb, &list))
116 return 0;
117
118 if (!CBB_add_u8_length_prefixed(&list, &selected))
119 return 0;
120
121 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected,
122 S3I(s)->alpn_selected_len))
123 return 0;
124
125 if (!CBB_flush(cbb))
126 return 0;
127
128 return 1;
129 }
130
131 int
132 tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert)
133 {
134 CBS list, proto;
135
136 if (s->internal->alpn_client_proto_list == NULL) {
137 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
138 return 0;
139 }
140
141 if (!CBS_get_u16_length_prefixed(cbs, &list))
142 goto err;
143 if (CBS_len(cbs) != 0)
144 goto err;
145
146 if (!CBS_get_u8_length_prefixed(&list, &proto))
147 goto err;
148
149 if (CBS_len(&list) != 0)
150 goto err;
151 if (CBS_len(&proto) == 0)
152 goto err;
153
154 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected),
155 &(S3I(s)->alpn_selected_len)))
156 goto err;
157
158 return 1;
159
160 err:
161 *alert = TLS1_AD_DECODE_ERROR;
162 return 0;
163 }
164
165 /*
166 * Supported Elliptic Curves - RFC 4492 section 5.1.1
167 */
168 int
169 tlsext_ec_clienthello_needs(SSL *s)
170 {
171 return ssl_has_ecc_ciphers(s);
172 }
173
174 int
175 tlsext_ec_clienthello_build(SSL *s, CBB *cbb)
176 {
177 CBB curvelist;
178 size_t curves_len;
179 int i;
180 const uint16_t *curves;
181
182 tls1_get_curvelist(s, 0, &curves, &curves_len);
183
184 if (curves_len == 0) {
185 SSLerror(s, ERR_R_INTERNAL_ERROR);
186 return 0;
187 }
188
189 if (!CBB_add_u16_length_prefixed(cbb, &curvelist))
190 return 0;
191
192 for (i = 0; i < curves_len; i++) {
193 if (!CBB_add_u16(&curvelist, curves[i]))
194 return 0;
195 }
196
197 if (!CBB_flush(cbb))
198 return 0;
199
200 return 1;
201 }
202
203 int
204 tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert)
205 {
206 CBS curvelist;
207 size_t curves_len;
208
209 if (!CBS_get_u16_length_prefixed(cbs, &curvelist))
210 goto err;
211 if (CBS_len(cbs) != 0)
212 goto err;
213
214 curves_len = CBS_len(&curvelist);
215 if (curves_len == 0 || curves_len % 2 != 0)
216 goto err;
217 curves_len /= 2;
218
219 if (!s->internal->hit) {
220 int i;
221 uint16_t *curves;
222
223 if (SSI(s)->tlsext_supportedgroups != NULL)
224 goto err;
225
226 if ((curves = reallocarray(NULL, curves_len,
227 sizeof(uint16_t))) == NULL) {
228 *alert = TLS1_AD_INTERNAL_ERROR;
229 return 0;
230 }
231
232 for (i = 0; i < curves_len; i++) {
233 if (!CBS_get_u16(&curvelist, &curves[i])) {
234 free(curves);
235 goto err;
236 }
237 }
238
239 if (CBS_len(&curvelist) != 0) {
240 free(curves);
241 goto err;
242 }
243
244 SSI(s)->tlsext_supportedgroups = curves;
245 SSI(s)->tlsext_supportedgroups_length = curves_len;
246 }
247
248 return 1;
249
250 err:
251 *alert = TLS1_AD_DECODE_ERROR;
252 return 0;
253 }
254
255 /* This extension is never used by the server. */
256 int
257 tlsext_ec_serverhello_needs(SSL *s)
258 {
259 return 0;
260 }
261
262 int
263 tlsext_ec_serverhello_build(SSL *s, CBB *cbb)
264 {
265 return 0;
266 }
267
268 int
269 tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert)
270 {
271 /*
272 * Servers should not send this extension per the RFC.
273 *
274 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
275 * from at least 2014 but as of 2017, there are still large sites with
276 * this unpatched in production. As a result, we need to currently skip
277 * over the extension and ignore its content:
278 *
279 * https://support.f5.com/csp/article/K37345003
280 */
281 if (!CBS_skip(cbs, CBS_len(cbs))) {
282 *alert = TLS1_AD_INTERNAL_ERROR;
283 return 0;
284 }
285
286 return 1;
287 }
288
289 /*
290 * Supported Point Formats Extension - RFC 4492 section 5.1.2
291 */
292 static int
293 tlsext_ecpf_build(SSL *s, CBB *cbb)
294 {
295 CBB ecpf;
296 size_t formats_len;
297 const uint8_t *formats;
298
299 tls1_get_formatlist(s, 0, &formats, &formats_len);
300
301 if (formats_len == 0) {
302 SSLerror(s, ERR_R_INTERNAL_ERROR);
303 return 0;
304 }
305
306 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
307 return 0;
308 if (!CBB_add_bytes(&ecpf, formats, formats_len))
309 return 0;
310 if (!CBB_flush(cbb))
311 return 0;
312
313 return 1;
314 }
315
316 static int
317 tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert)
318 {
319 CBS ecpf;
320
321 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
322 goto err;
323 if (CBS_len(&ecpf) == 0)
324 goto err;
325 if (CBS_len(cbs) != 0)
326 goto err;
327
328 /* Must contain uncompressed (0) */
329 if (!CBS_contains_zero_byte(&ecpf)) {
330 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
331 goto err;
332 }
333
334 if (!s->internal->hit) {
335 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
336 &(SSI(s)->tlsext_ecpointformatlist_length))) {
337 *alert = TLS1_AD_INTERNAL_ERROR;
338 return 0;
339 }
340 }
341
342 return 1;
343
344 err:
345 *alert = SSL_AD_DECODE_ERROR;
346 return 0;
347 }
348
349 int
350 tlsext_ecpf_clienthello_needs(SSL *s)
351 {
352 return ssl_has_ecc_ciphers(s);
353 }
354
355 int
356 tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb)
357 {
358 return tlsext_ecpf_build(s, cbb);
359 }
360
361 int
362 tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert)
363 {
364 return tlsext_ecpf_parse(s, cbs, alert);
365 }
366
367 int
368 tlsext_ecpf_serverhello_needs(SSL *s)
369 {
370 if (s->version == DTLS1_VERSION)
371 return 0;
372
373 return ssl_using_ecc_cipher(s);
374 }
375
376 int
377 tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb)
378 {
379 return tlsext_ecpf_build(s, cbb);
380 }
381
382 int
383 tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert)
384 {
385 return tlsext_ecpf_parse(s, cbs, alert);
386 }
387
388 /*
389 * Renegotiation Indication - RFC 5746.
390 */
391 int
392 tlsext_ri_clienthello_needs(SSL *s)
393 {
394 return (s->internal->renegotiate);
395 }
396
397 int
398 tlsext_ri_clienthello_build(SSL *s, CBB *cbb)
399 {
400 CBB reneg;
401
402 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
403 return 0;
404 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
405 S3I(s)->previous_client_finished_len))
406 return 0;
407 if (!CBB_flush(cbb))
408 return 0;
409
410 return 1;
411 }
412
413 int
414 tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert)
415 {
416 CBS reneg;
417
418 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
419 goto err;
420 if (CBS_len(cbs) != 0)
421 goto err;
422
423 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
424 S3I(s)->previous_client_finished_len)) {
425 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
426 *alert = SSL_AD_HANDSHAKE_FAILURE;
427 return 0;
428 }
429
430 S3I(s)->renegotiate_seen = 1;
431 S3I(s)->send_connection_binding = 1;
432
433 return 1;
434
435 err:
436 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
437 *alert = SSL_AD_DECODE_ERROR;
438 return 0;
439 }
440
441 int
442 tlsext_ri_serverhello_needs(SSL *s)
443 {
444 return (S3I(s)->send_connection_binding);
445 }
446
447 int
448 tlsext_ri_serverhello_build(SSL *s, CBB *cbb)
449 {
450 CBB reneg;
451
452 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
453 return 0;
454 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
455 S3I(s)->previous_client_finished_len))
456 return 0;
457 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished,
458 S3I(s)->previous_server_finished_len))
459 return 0;
460 if (!CBB_flush(cbb))
461 return 0;
462
463 return 1;
464 }
465
466 int
467 tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert)
468 {
469 CBS reneg, prev_client, prev_server;
470
471 /*
472 * Ensure that the previous client and server values are both not
473 * present, or that they are both present.
474 */
475 if ((S3I(s)->previous_client_finished_len == 0 &&
476 S3I(s)->previous_server_finished_len != 0) ||
477 (S3I(s)->previous_client_finished_len != 0 &&
478 S3I(s)->previous_server_finished_len == 0)) {
479 *alert = TLS1_AD_INTERNAL_ERROR;
480 return 0;
481 }
482
483 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
484 goto err;
485 if (!CBS_get_bytes(&reneg, &prev_client,
486 S3I(s)->previous_client_finished_len))
487 goto err;
488 if (!CBS_get_bytes(&reneg, &prev_server,
489 S3I(s)->previous_server_finished_len))
490 goto err;
491 if (CBS_len(&reneg) != 0)
492 goto err;
493 if (CBS_len(cbs) != 0)
494 goto err;
495
496 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished,
497 S3I(s)->previous_client_finished_len)) {
498 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
499 *alert = SSL_AD_HANDSHAKE_FAILURE;
500 return 0;
501 }
502 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished,
503 S3I(s)->previous_server_finished_len)) {
504 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
505 *alert = SSL_AD_HANDSHAKE_FAILURE;
506 return 0;
507 }
508
509 S3I(s)->renegotiate_seen = 1;
510 S3I(s)->send_connection_binding = 1;
511
512 return 1;
513
514 err:
515 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
516 *alert = SSL_AD_DECODE_ERROR;
517 return 0;
518 }
519
520 /*
521 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
522 */
523 int
524 tlsext_sigalgs_clienthello_needs(SSL *s)
525 {
526 return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
527 }
528
529 int
530 tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
531 {
532 unsigned char *sigalgs_data;
533 size_t sigalgs_len;
534 CBB sigalgs;
535
536 tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
537
538 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
539 return 0;
540 if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len))
541 return 0;
542 if (!CBB_flush(cbb))
543 return 0;
544
545 return 1;
546 }
547
548 int
549 tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert)
550 {
551 CBS sigalgs;
552
553 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
554 return 0;
555
556 return tls1_process_sigalgs(s, &sigalgs);
557 }
558
559 int
560 tlsext_sigalgs_serverhello_needs(SSL *s)
561 {
562 return 0;
563 }
564
565 int
566 tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb)
567 {
568 return 0;
569 }
570
571 int
572 tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert)
573 {
574 /* As per the RFC, servers must not send this extension. */
575 return 0;
576 }
577
578 /*
579 * Server Name Indication - RFC 6066, section 3.
580 */
581 int
582 tlsext_sni_clienthello_needs(SSL *s)
583 {
584 return (s->tlsext_hostname != NULL);
585 }
586
587 int
588 tlsext_sni_clienthello_build(SSL *s, CBB *cbb)
589 {
590 CBB server_name_list, host_name;
591
592 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
593 return 0;
594 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
595 return 0;
596 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
597 return 0;
598 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
599 strlen(s->tlsext_hostname)))
600 return 0;
601 if (!CBB_flush(cbb))
602 return 0;
603
604 return 1;
605 }
606
607 int
608 tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert)
609 {
610 CBS server_name_list, host_name;
611 uint8_t name_type;
612
613 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
614 goto err;
615
616 /*
617 * RFC 6066 section 3 forbids multiple host names with the same type.
618 * Additionally, only one type (host_name) is specified.
619 */
620 if (!CBS_get_u8(&server_name_list, &name_type))
621 goto err;
622 if (name_type != TLSEXT_NAMETYPE_host_name)
623 goto err;
624
625 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
626 goto err;
627 if (CBS_len(&host_name) == 0 ||
628 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
629 CBS_contains_zero_byte(&host_name)) {
630 *alert = TLS1_AD_UNRECOGNIZED_NAME;
631 return 0;
632 }
633
634 if (s->internal->hit) {
635 if (s->session->tlsext_hostname == NULL) {
636 *alert = TLS1_AD_UNRECOGNIZED_NAME;
637 return 0;
638 }
639 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
640 strlen(s->session->tlsext_hostname))) {
641 *alert = TLS1_AD_UNRECOGNIZED_NAME;
642 return 0;
643 }
644 } else {
645 if (s->session->tlsext_hostname != NULL)
646 goto err;
647 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
648 *alert = TLS1_AD_INTERNAL_ERROR;
649 return 0;
650 }
651 }
652
653 if (CBS_len(&server_name_list) != 0)
654 goto err;
655 if (CBS_len(cbs) != 0)
656 goto err;
657
658 return 1;
659
660 err:
661 *alert = SSL_AD_DECODE_ERROR;
662 return 0;
663 }
664
665 int
666 tlsext_sni_serverhello_needs(SSL *s)
667 {
668 return (s->session->tlsext_hostname != NULL);
669 }
670
671 int
672 tlsext_sni_serverhello_build(SSL *s, CBB *cbb)
673 {
674 return 1;
675 }
676
677 int
678 tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
679 {
680 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
681 *alert = TLS1_AD_UNRECOGNIZED_NAME;
682 return 0;
683 }
684
685 if (s->internal->hit) {
686 if (s->session->tlsext_hostname == NULL) {
687 *alert = TLS1_AD_UNRECOGNIZED_NAME;
688 return 0;
689 }
690 if (strcmp(s->tlsext_hostname,
691 s->session->tlsext_hostname) != 0) {
692 *alert = TLS1_AD_UNRECOGNIZED_NAME;
693 return 0;
694 }
695 } else {
696 if (s->session->tlsext_hostname != NULL) {
697 *alert = SSL_AD_DECODE_ERROR;
698 return 0;
699 }
700 if ((s->session->tlsext_hostname =
701 strdup(s->tlsext_hostname)) == NULL) {
702 *alert = TLS1_AD_INTERNAL_ERROR;
703 return 0;
704 }
705 }
706
707 return 1;
708 }
709
710
711 /*
712 *Certificate Status Request - RFC 6066 section 8.
713 */
714
715 int
716 tlsext_ocsp_clienthello_needs(SSL *s)
717 {
718 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
719 s->version != DTLS1_VERSION);
720 }
721
722 int
723 tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
724 {
725 CBB respid_list, respid, exts;
726 unsigned char *ext_data;
727 size_t ext_len;
728 int i;
729
730 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
731 return 0;
732 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
733 return 0;
734 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
735 unsigned char *respid_data;
736 OCSP_RESPID *id;
737 size_t id_len;
738
739 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
740 i)) == NULL)
741 return 0;
742 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
743 return 0;
744 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
745 return 0;
746 if (!CBB_add_space(&respid, &respid_data, id_len))
747 return 0;
748 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
749 return 0;
750 }
751 if (!CBB_add_u16_length_prefixed(cbb, &exts))
752 return 0;
753 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
754 NULL)) == -1)
755 return 0;
756 if (!CBB_add_space(&exts, &ext_data, ext_len))
757 return 0;
758 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
759 ext_len))
760 return 0;
761 if (!CBB_flush(cbb))
762 return 0;
763 return 1;
764 }
765
766 int
767 tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
768 {
769 int failure = SSL_AD_DECODE_ERROR;
770 CBS respid_list, respid, exts;
771 const unsigned char *p;
772 uint8_t status_type;
773 int ret = 0;
774
775 if (!CBS_get_u8(cbs, &status_type))
776 goto err;
777 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
778 /* ignore unknown status types */
779 s->tlsext_status_type = -1;
780
781 if (!CBS_skip(cbs, CBS_len(cbs))) {
782 *alert = TLS1_AD_INTERNAL_ERROR;
783 return 0;
784 }
785 return 1;
786 }
787 s->tlsext_status_type = status_type;
788 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
789 goto err;
790
791 /* XXX */
792 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
793 s->internal->tlsext_ocsp_ids = NULL;
794 if (CBS_len(&respid_list) > 0) {
795 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
796 if (s->internal->tlsext_ocsp_ids == NULL) {
797 failure = SSL_AD_INTERNAL_ERROR;
798 goto err;
799 }
800 }
801
802 while (CBS_len(&respid_list) > 0) {
803 OCSP_RESPID *id;
804
805 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
806 goto err;
807 p = CBS_data(&respid);
808 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
809 goto err;
810 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
811 failure = SSL_AD_INTERNAL_ERROR;
812 OCSP_RESPID_free(id);
813 goto err;
814 }
815 }
816
817 /* Read in request_extensions */
818 if (!CBS_get_u16_length_prefixed(cbs, &exts))
819 goto err;
820 if (CBS_len(&exts) > 0) {
821 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
822 X509_EXTENSION_free);
823 p = CBS_data(&exts);
824 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
825 &p, CBS_len(&exts))) == NULL)
826 goto err;
827 }
828
829 /* should be nothing left */
830 if (CBS_len(cbs) > 0)
831 goto err;
832
833 ret = 1;
834 err:
835 if (ret == 0)
836 *alert = failure;
837 return ret;
838 }
839
840 int
841 tlsext_ocsp_serverhello_needs(SSL *s)
842 {
843 return s->internal->tlsext_status_expected;
844 }
845
846 int
847 tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb)
848 {
849 return 1;
850 }
851
852 int
853 tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
854 {
855 if (s->tlsext_status_type == -1) {
856 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
857 return 0;
858 }
859 /* Set flag to expect CertificateStatus message */
860 s->internal->tlsext_status_expected = 1;
861 return 1;
862 }
863
864 /*
865 * SessionTicket extension - RFC 5077 section 3.2
866 */
867 int
868 tlsext_sessionticket_clienthello_needs(SSL *s)
869 {
870 /*
871 * Send session ticket extension when enabled and not overridden.
872 *
873 * When renegotiating, send an empty session ticket to indicate support.
874 */
875 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
876 return 0;
877
878 if (s->internal->new_session)
879 return 1;
880
881 if (s->internal->tlsext_session_ticket != NULL &&
882 s->internal->tlsext_session_ticket->data == NULL)
883 return 0;
884
885 return 1;
886 }
887
888 int
889 tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb)
890 {
891 /*
892 * Signal that we support session tickets by sending an empty
893 * extension when renegotiating or no session found.
894 */
895 if (s->internal->new_session || s->session == NULL)
896 return 1;
897
898 if (s->session->tlsext_tick != NULL) {
899 /* Attempt to resume with an existing session ticket */
900 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
901 s->session->tlsext_ticklen))
902 return 0;
903
904 } else if (s->internal->tlsext_session_ticket != NULL) {
905 /*
906 * Attempt to resume with a custom provided session ticket set
907 * by SSL_set_session_ticket_ext().
908 */
909 if (s->internal->tlsext_session_ticket->length > 0) {
910 size_t ticklen = s->internal->tlsext_session_ticket->length;
911
912 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
913 return 0;
914 memcpy(s->session->tlsext_tick,
915 s->internal->tlsext_session_ticket->data,
916 ticklen);
917 s->session->tlsext_ticklen = ticklen;
918
919 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
920 s->session->tlsext_ticklen))
921 return 0;
922 }
923 }
924
925 if (!CBB_flush(cbb))
926 return 0;
927
928 return 1;
929 }
930
931 int
932 tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert)
933 {
934 if (s->internal->tls_session_ticket_ext_cb) {
935 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
936 (int)CBS_len(cbs),
937 s->internal->tls_session_ticket_ext_cb_arg)) {
938 *alert = TLS1_AD_INTERNAL_ERROR;
939 return 0;
940 }
941 }
942
943 /* We need to signal that this was processed fully */
944 if (!CBS_skip(cbs, CBS_len(cbs))) {
945 *alert = TLS1_AD_INTERNAL_ERROR;
946 return 0;
947 }
948
949 return 1;
950 }
951
952 int
953 tlsext_sessionticket_serverhello_needs(SSL *s)
954 {
955 return (s->internal->tlsext_ticket_expected &&
956 !(SSL_get_options(s) & SSL_OP_NO_TICKET));
957 }
958
959 int
960 tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb)
961 {
962 /* Empty ticket */
963
964 return 1;
965 }
966
967 int
968 tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert)
969 {
970 if (s->internal->tls_session_ticket_ext_cb) {
971 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
972 (int)CBS_len(cbs),
973 s->internal->tls_session_ticket_ext_cb_arg)) {
974 *alert = TLS1_AD_INTERNAL_ERROR;
975 return 0;
976 }
977 }
978
979 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
980 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
981 return 0;
982 }
983
984 s->internal->tlsext_ticket_expected = 1;
985
986 return 1;
987 }
988
989 /*
990 * DTLS extension for SRTP key establishment - RFC 5764
991 */
992
993 #ifndef OPENSSL_NO_SRTP
994
995 int
996 tlsext_srtp_clienthello_needs(SSL *s)
997 {
998 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL;
999 }
1000
1001 int
1002 tlsext_srtp_clienthello_build(SSL *s, CBB *cbb)
1003 {
1004 CBB profiles, mki;
1005 int ct, i;
1006 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1007 SRTP_PROTECTION_PROFILE *prof;
1008
1009 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1010 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1011 return 0;
1012 }
1013
1014 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1015 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1016 return 0;
1017 }
1018
1019 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1020 return 0;
1021
1022 for (i = 0; i < ct; i++) {
1023 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1024 return 0;
1025 if (!CBB_add_u16(&profiles, prof->id))
1026 return 0;
1027 }
1028
1029 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1030 return 0;
1031
1032 if (!CBB_flush(cbb))
1033 return 0;
1034
1035 return 1;
1036 }
1037
1038 int
1039 tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1040 {
1041 SRTP_PROTECTION_PROFILE *cprof, *sprof;
1042 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1043 int i, j;
1044 int ret;
1045 uint16_t id;
1046 CBS profiles, mki;
1047
1048 ret = 0;
1049
1050 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1051 goto err;
1052 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1053 goto err;
1054
1055 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1056 goto err;
1057
1058 while (CBS_len(&profiles) > 0) {
1059 if (!CBS_get_u16(&profiles, &id))
1060 goto err;
1061
1062 if (!srtp_find_profile_by_num(id, &cprof)) {
1063 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1064 goto err;
1065 }
1066 }
1067
1068 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1069 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1070 *alert = SSL_AD_DECODE_ERROR;
1071 goto done;
1072 }
1073 if (CBS_len(cbs) != 0)
1074 goto err;
1075
1076 /*
1077 * Per RFC 5764 section 4.1.1
1078 *
1079 * Find the server preferred profile using the client's list.
1080 *
1081 * The server MUST send a profile if it sends the use_srtp
1082 * extension. If one is not found, it should fall back to the
1083 * negotiated DTLS cipher suite or return a DTLS alert.
1084 */
1085 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1086 goto err;
1087 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1088 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1089 == NULL)
1090 goto err;
1091
1092 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1093 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1094 == NULL)
1095 goto err;
1096
1097 if (cprof->id == sprof->id) {
1098 s->internal->srtp_profile = sprof;
1099 ret = 1;
1100 goto done;
1101 }
1102 }
1103 }
1104
1105 /* If we didn't find anything, fall back to the negotiated */
1106 ret = 1;
1107 goto done;
1108
1109 err:
1110 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1111 *alert = SSL_AD_DECODE_ERROR;
1112
1113 done:
1114 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1115 return ret;
1116 }
1117
1118 int
1119 tlsext_srtp_serverhello_needs(SSL *s)
1120 {
1121 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL;
1122 }
1123
1124 int
1125 tlsext_srtp_serverhello_build(SSL *s, CBB *cbb)
1126 {
1127 SRTP_PROTECTION_PROFILE *profile;
1128 CBB srtp, mki;
1129
1130 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1131 return 0;
1132
1133 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1134 return 0;
1135
1136 if (!CBB_add_u16(&srtp, profile->id))
1137 return 0;
1138
1139 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1140 return 0;
1141
1142 if (!CBB_flush(cbb))
1143 return 0;
1144
1145 return 1;
1146 }
1147
1148 int
1149 tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1150 {
1151 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1152 SRTP_PROTECTION_PROFILE *prof;
1153 int i;
1154 uint16_t id;
1155 CBS profile_ids, mki;
1156
1157 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1158 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1159 goto err;
1160 }
1161
1162 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1163 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1164 goto err;
1165 }
1166
1167 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1168 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1169 *alert = SSL_AD_ILLEGAL_PARAMETER;
1170 return 0;
1171 }
1172
1173 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1174 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1175 goto err;
1176 }
1177
1178 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1179 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1180 == NULL) {
1181 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1182 goto err;
1183 }
1184
1185 if (prof->id == id) {
1186 s->internal->srtp_profile = prof;
1187 return 1;
1188 }
1189 }
1190
1191 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1192 err:
1193 *alert = SSL_AD_DECODE_ERROR;
1194 return 0;
1195 }
1196
1197 #endif /* OPENSSL_NO_SRTP */
1198
1199 struct tls_extension {
1200 uint16_t type;
1201 int (*clienthello_needs)(SSL *s);
1202 int (*clienthello_build)(SSL *s, CBB *cbb);
1203 int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert);
1204 int (*serverhello_needs)(SSL *s);
1205 int (*serverhello_build)(SSL *s, CBB *cbb);
1206 int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert);
1207 };
1208
1209 static struct tls_extension tls_extensions[] = {
1210 {
1211 .type = TLSEXT_TYPE_server_name,
1212 .clienthello_needs = tlsext_sni_clienthello_needs,
1213 .clienthello_build = tlsext_sni_clienthello_build,
1214 .clienthello_parse = tlsext_sni_clienthello_parse,
1215 .serverhello_needs = tlsext_sni_serverhello_needs,
1216 .serverhello_build = tlsext_sni_serverhello_build,
1217 .serverhello_parse = tlsext_sni_serverhello_parse,
1218 },
1219 {
1220 .type = TLSEXT_TYPE_renegotiate,
1221 .clienthello_needs = tlsext_ri_clienthello_needs,
1222 .clienthello_build = tlsext_ri_clienthello_build,
1223 .clienthello_parse = tlsext_ri_clienthello_parse,
1224 .serverhello_needs = tlsext_ri_serverhello_needs,
1225 .serverhello_build = tlsext_ri_serverhello_build,
1226 .serverhello_parse = tlsext_ri_serverhello_parse,
1227 },
1228 {
1229 .type = TLSEXT_TYPE_status_request,
1230 .clienthello_needs = tlsext_ocsp_clienthello_needs,
1231 .clienthello_build = tlsext_ocsp_clienthello_build,
1232 .clienthello_parse = tlsext_ocsp_clienthello_parse,
1233 .serverhello_needs = tlsext_ocsp_serverhello_needs,
1234 .serverhello_build = tlsext_ocsp_serverhello_build,
1235 .serverhello_parse = tlsext_ocsp_serverhello_parse,
1236 },
1237 {
1238 .type = TLSEXT_TYPE_ec_point_formats,
1239 .clienthello_needs = tlsext_ecpf_clienthello_needs,
1240 .clienthello_build = tlsext_ecpf_clienthello_build,
1241 .clienthello_parse = tlsext_ecpf_clienthello_parse,
1242 .serverhello_needs = tlsext_ecpf_serverhello_needs,
1243 .serverhello_build = tlsext_ecpf_serverhello_build,
1244 .serverhello_parse = tlsext_ecpf_serverhello_parse,
1245 },
1246 {
1247 .type = TLSEXT_TYPE_elliptic_curves,
1248 .clienthello_needs = tlsext_ec_clienthello_needs,
1249 .clienthello_build = tlsext_ec_clienthello_build,
1250 .clienthello_parse = tlsext_ec_clienthello_parse,
1251 .serverhello_needs = tlsext_ec_serverhello_needs,
1252 .serverhello_build = tlsext_ec_serverhello_build,
1253 .serverhello_parse = tlsext_ec_serverhello_parse,
1254 },
1255 {
1256 .type = TLSEXT_TYPE_session_ticket,
1257 .clienthello_needs = tlsext_sessionticket_clienthello_needs,
1258 .clienthello_build = tlsext_sessionticket_clienthello_build,
1259 .clienthello_parse = tlsext_sessionticket_clienthello_parse,
1260 .serverhello_needs = tlsext_sessionticket_serverhello_needs,
1261 .serverhello_build = tlsext_sessionticket_serverhello_build,
1262 .serverhello_parse = tlsext_sessionticket_serverhello_parse,
1263 },
1264 {
1265 .type = TLSEXT_TYPE_signature_algorithms,
1266 .clienthello_needs = tlsext_sigalgs_clienthello_needs,
1267 .clienthello_build = tlsext_sigalgs_clienthello_build,
1268 .clienthello_parse = tlsext_sigalgs_clienthello_parse,
1269 .serverhello_needs = tlsext_sigalgs_serverhello_needs,
1270 .serverhello_build = tlsext_sigalgs_serverhello_build,
1271 .serverhello_parse = tlsext_sigalgs_serverhello_parse,
1272 },
1273 {
1274 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1275 .clienthello_needs = tlsext_alpn_clienthello_needs,
1276 .clienthello_build = tlsext_alpn_clienthello_build,
1277 .clienthello_parse = tlsext_alpn_clienthello_parse,
1278 .serverhello_needs = tlsext_alpn_serverhello_needs,
1279 .serverhello_build = tlsext_alpn_serverhello_build,
1280 .serverhello_parse = tlsext_alpn_serverhello_parse,
1281 },
1282 #ifndef OPENSSL_NO_SRTP
1283 {
1284 .type = TLSEXT_TYPE_use_srtp,
1285 .clienthello_needs = tlsext_srtp_clienthello_needs,
1286 .clienthello_build = tlsext_srtp_clienthello_build,
1287 .clienthello_parse = tlsext_srtp_clienthello_parse,
1288 .serverhello_needs = tlsext_srtp_serverhello_needs,
1289 .serverhello_build = tlsext_srtp_serverhello_build,
1290 .serverhello_parse = tlsext_srtp_serverhello_parse,
1291 }
1292 #endif /* OPENSSL_NO_SRTP */
1293 };
1294
1295 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1296
1297 /* Ensure that extensions fit in a uint32_t bitmask. */
1298 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1299
1300 static struct tls_extension *
1301 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1302 {
1303 size_t i;
1304
1305 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1306 if (tls_extensions[i].type == type) {
1307 *tls_extensions_idx = i;
1308 return &tls_extensions[i];
1309 }
1310 }
1311
1312 return NULL;
1313 }
1314
1315 static int
1316 tls_extension_needs(struct tls_extension *tlsext, int is_serverhello, SSL *s)
1317 {
1318 if (is_serverhello)
1319 return tlsext->serverhello_needs(s);
1320 return tlsext->clienthello_needs(s);
1321 }
1322
1323 static int
1324 tls_extension_build(struct tls_extension *tlsext, int is_serverhello, SSL *s,
1325 CBB *cbb)
1326 {
1327 if (is_serverhello)
1328 return tlsext->serverhello_build(s, cbb);
1329 return tlsext->clienthello_build(s, cbb);
1330 }
1331
1332 static int
1333 tls_extension_parse(struct tls_extension *tlsext, int is_serverhello, SSL *s,
1334 CBS *cbs, int *alert)
1335 {
1336 if (is_serverhello)
1337 return tlsext->serverhello_parse(s, cbs, alert);
1338 return tlsext->clienthello_parse(s, cbs, alert);
1339 }
1340
1341 static int
1342 tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
1343 {
1344 CBB extensions, extension_data;
1345 struct tls_extension *tlsext;
1346 int extensions_present = 0;
1347 size_t i;
1348
1349 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
1350 return 0;
1351
1352 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1353 tlsext = &tls_extensions[i];
1354
1355 if (!tls_extension_needs(tlsext, is_serverhello, s))
1356 continue;
1357
1358 if (!CBB_add_u16(&extensions, tlsext->type))
1359 return 0;
1360 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
1361 return 0;
1362
1363 if (!tls_extension_build(tlsext, is_serverhello, s,
1364 &extension_data))
1365 return 0;
1366
1367 extensions_present = 1;
1368 }
1369
1370 if (!extensions_present)
1371 CBB_discard_child(cbb);
1372
1373 if (!CBB_flush(cbb))
1374 return 0;
1375
1376 return 1;
1377 }
1378
1379 static int
1380 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello)
1381 {
1382 CBS extensions, extension_data;
1383 struct tls_extension *tlsext;
1384 uint32_t extensions_seen = 0;
1385 uint16_t type;
1386 size_t idx;
1387
1388 /* An empty extensions block is valid. */
1389 if (CBS_len(cbs) == 0)
1390 return 1;
1391
1392 *alert = SSL_AD_DECODE_ERROR;
1393
1394 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
1395 return 0;
1396
1397 while (CBS_len(&extensions) > 0) {
1398 if (!CBS_get_u16(&extensions, &type))
1399 return 0;
1400 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
1401 return 0;
1402
1403 if (s->internal->tlsext_debug_cb != NULL)
1404 s->internal->tlsext_debug_cb(s, is_serverhello, type,
1405 (unsigned char *)CBS_data(&extension_data),
1406 CBS_len(&extension_data),
1407 s->internal->tlsext_debug_arg);
1408
1409 /* Unknown extensions are ignored. */
1410 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
1411 continue;
1412
1413 /* Check for duplicate known extensions. */
1414 if ((extensions_seen & (1 << idx)) != 0)
1415 return 0;
1416 extensions_seen |= (1 << idx);
1417
1418 if (!tls_extension_parse(tlsext, is_serverhello, s,
1419 &extension_data, alert))
1420 return 0;
1421
1422 if (CBS_len(&extension_data) != 0)
1423 return 0;
1424 }
1425
1426 return 1;
1427 }
1428
1429 static void
1430 tlsext_clienthello_reset_state(SSL *s)
1431 {
1432 s->internal->servername_done = 0;
1433 s->tlsext_status_type = -1;
1434 S3I(s)->renegotiate_seen = 0;
1435 free(S3I(s)->alpn_selected);
1436 S3I(s)->alpn_selected = NULL;
1437 s->internal->srtp_profile = NULL;
1438 }
1439
1440 int
1441 tlsext_clienthello_build(SSL *s, CBB *cbb)
1442 {
1443 return tlsext_build(s, cbb, 0);
1444 }
1445
1446 int
1447 tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1448 {
1449 /* XXX - this possibly should be done by the caller... */
1450 tlsext_clienthello_reset_state(s);
1451
1452 return tlsext_parse(s, cbs, alert, 0);
1453 }
1454
1455 static void
1456 tlsext_serverhello_reset_state(SSL *s)
1457 {
1458 S3I(s)->renegotiate_seen = 0;
1459 free(S3I(s)->alpn_selected);
1460 S3I(s)->alpn_selected = NULL;
1461 }
1462
1463 int
1464 tlsext_serverhello_build(SSL *s, CBB *cbb)
1465 {
1466 return tlsext_build(s, cbb, 1);
1467 }
1468
1469 int
1470 tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1471 {
1472 /* XXX - this possibly should be done by the caller... */
1473 tlsext_serverhello_reset_state(s);
1474
1475 return tlsext_parse(s, cbs, alert, 1);
1476 }
Unleashed OS