search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update libressl to v2.7.4
[unleashed.git] / lib / libssl / ssl_tlsext.c
blob3735b719db1bc4f09532aa5badbb658b7c2a33a5
1 /* $OpenBSD: ssl_tlsext.c,v 1.21 2018/02/08 11:30:30 jsing Exp $ */
2 /*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19 #include <openssl/ocsp.h>
20
21 #include "ssl_locl.h"
22
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
25
26 /*
27 * Supported Application-Layer Protocol Negotiation - RFC 7301
28 */
29
30 int
31 tlsext_alpn_clienthello_needs(SSL *s)
32 {
33 /* ALPN protos have been specified and this is the initial handshake */
34 return s->internal->alpn_client_proto_list != NULL &&
35 S3I(s)->tmp.finish_md_len == 0;
36 }
37
38 int
39 tlsext_alpn_clienthello_build(SSL *s, CBB *cbb)
40 {
41 CBB protolist;
42
43 if (!CBB_add_u16_length_prefixed(cbb, &protolist))
44 return 0;
45
46 if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
47 s->internal->alpn_client_proto_list_len))
48 return 0;
49
50 if (!CBB_flush(cbb))
51 return 0;
52
53 return 1;
54 }
55
56 int
57 tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
58 {
59 CBS proto_name_list, alpn;
60 const unsigned char *selected;
61 unsigned char selected_len;
62 int r;
63
64 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
65 goto err;
66 if (CBS_len(&alpn) < 2)
67 goto err;
68 if (CBS_len(cbs) != 0)
69 goto err;
70
71 CBS_dup(&alpn, &proto_name_list);
72 while (CBS_len(&proto_name_list) > 0) {
73 CBS proto_name;
74
75 if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
76 goto err;
77 if (CBS_len(&proto_name) == 0)
78 goto err;
79 }
80
81 if (s->ctx->internal->alpn_select_cb == NULL)
82 return 1;
83
84 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
85 CBS_data(&alpn), CBS_len(&alpn),
86 s->ctx->internal->alpn_select_cb_arg);
87 if (r == SSL_TLSEXT_ERR_OK) {
88 free(S3I(s)->alpn_selected);
89 if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
90 *alert = SSL_AD_INTERNAL_ERROR;
91 return 0;
92 }
93 memcpy(S3I(s)->alpn_selected, selected, selected_len);
94 S3I(s)->alpn_selected_len = selected_len;
95 }
96
97 return 1;
98
99 err:
100 *alert = SSL_AD_DECODE_ERROR;
101 return 0;
102 }
103
104 int
105 tlsext_alpn_serverhello_needs(SSL *s)
106 {
107 return S3I(s)->alpn_selected != NULL;
108 }
109
110 int
111 tlsext_alpn_serverhello_build(SSL *s, CBB *cbb)
112 {
113 CBB list, selected;
114
115 if (!CBB_add_u16_length_prefixed(cbb, &list))
116 return 0;
117
118 if (!CBB_add_u8_length_prefixed(&list, &selected))
119 return 0;
120
121 if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected,
122 S3I(s)->alpn_selected_len))
123 return 0;
124
125 if (!CBB_flush(cbb))
126 return 0;
127
128 return 1;
129 }
130
131 int
132 tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert)
133 {
134 CBS list, proto;
135
136 if (s->internal->alpn_client_proto_list == NULL) {
137 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
138 return 0;
139 }
140
141 if (!CBS_get_u16_length_prefixed(cbs, &list))
142 goto err;
143 if (CBS_len(cbs) != 0)
144 goto err;
145
146 if (!CBS_get_u8_length_prefixed(&list, &proto))
147 goto err;
148
149 if (CBS_len(&list) != 0)
150 goto err;
151 if (CBS_len(&proto) == 0)
152 goto err;
153
154 if (!CBS_stow(&proto, &(S3I(s)->alpn_selected),
155 &(S3I(s)->alpn_selected_len)))
156 goto err;
157
158 return 1;
159
160 err:
161 *alert = TLS1_AD_DECODE_ERROR;
162 return 0;
163 }
164
165 /*
166 * Supported Elliptic Curves - RFC 4492 section 5.1.1
167 */
168 int
169 tlsext_ec_clienthello_needs(SSL *s)
170 {
171 return ssl_has_ecc_ciphers(s);
172 }
173
174 int
175 tlsext_ec_clienthello_build(SSL *s, CBB *cbb)
176 {
177 CBB curvelist;
178 size_t curves_len;
179 int i;
180 const uint16_t *curves;
181
182 tls1_get_curvelist(s, 0, &curves, &curves_len);
183
184 if (curves_len == 0) {
185 SSLerror(s, ERR_R_INTERNAL_ERROR);
186 return 0;
187 }
188
189 if (!CBB_add_u16_length_prefixed(cbb, &curvelist))
190 return 0;
191
192 for (i = 0; i < curves_len; i++) {
193 if (!CBB_add_u16(&curvelist, curves[i]))
194 return 0;
195 }
196
197 if (!CBB_flush(cbb))
198 return 0;
199
200 return 1;
201 }
202
203 int
204 tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert)
205 {
206 CBS curvelist;
207 size_t curves_len;
208
209 if (!CBS_get_u16_length_prefixed(cbs, &curvelist))
210 goto err;
211 if (CBS_len(cbs) != 0)
212 goto err;
213
214 curves_len = CBS_len(&curvelist);
215 if (curves_len == 0 || curves_len % 2 != 0)
216 goto err;
217 curves_len /= 2;
218
219 if (!s->internal->hit) {
220 int i;
221 uint16_t *curves;
222
223 if (SSI(s)->tlsext_supportedgroups != NULL)
224 goto err;
225
226 if ((curves = reallocarray(NULL, curves_len,
227 sizeof(uint16_t))) == NULL) {
228 *alert = TLS1_AD_INTERNAL_ERROR;
229 return 0;
230 }
231
232 for (i = 0; i < curves_len; i++) {
233 if (!CBS_get_u16(&curvelist, &curves[i])) {
234 free(curves);
235 goto err;
236 }
237 }
238
239 if (CBS_len(&curvelist) != 0) {
240 free(curves);
241 goto err;
242 }
243
244 SSI(s)->tlsext_supportedgroups = curves;
245 SSI(s)->tlsext_supportedgroups_length = curves_len;
246 }
247
248 return 1;
249
250 err:
251 *alert = TLS1_AD_DECODE_ERROR;
252 return 0;
253 }
254
255 /* This extension is never used by the server. */
256 int
257 tlsext_ec_serverhello_needs(SSL *s)
258 {
259 return 0;
260 }
261
262 int
263 tlsext_ec_serverhello_build(SSL *s, CBB *cbb)
264 {
265 return 0;
266 }
267
268 int
269 tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert)
270 {
271 /*
272 * Servers should not send this extension per the RFC.
273 *
274 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
275 * from at least 2014 but as of 2017, there are still large sites with
276 * this unpatched in production. As a result, we need to currently skip
277 * over the extension and ignore its content:
278 *
279 * https://support.f5.com/csp/article/K37345003
280 */
281 if (!CBS_skip(cbs, CBS_len(cbs))) {
282 *alert = TLS1_AD_INTERNAL_ERROR;
283 return 0;
284 }
285
286 return 1;
287 }
288
289 /*
290 * Supported Point Formats Extension - RFC 4492 section 5.1.2
291 */
292 static int
293 tlsext_ecpf_build(SSL *s, CBB *cbb)
294 {
295 CBB ecpf;
296 size_t formats_len;
297 const uint8_t *formats;
298
299 tls1_get_formatlist(s, 0, &formats, &formats_len);
300
301 if (formats_len == 0) {
302 SSLerror(s, ERR_R_INTERNAL_ERROR);
303 return 0;
304 }
305
306 if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
307 return 0;
308 if (!CBB_add_bytes(&ecpf, formats, formats_len))
309 return 0;
310 if (!CBB_flush(cbb))
311 return 0;
312
313 return 1;
314 }
315
316 static int
317 tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert)
318 {
319 CBS ecpf;
320
321 if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
322 goto err;
323 if (CBS_len(&ecpf) == 0)
324 goto err;
325 if (CBS_len(cbs) != 0)
326 goto err;
327
328 /* Must contain uncompressed (0) */
329 if (!CBS_contains_zero_byte(&ecpf)) {
330 SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
331 goto err;
332 }
333
334 if (!s->internal->hit) {
335 if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
336 &(SSI(s)->tlsext_ecpointformatlist_length)))
337 goto err;
338 }
339
340 return 1;
341
342 err:
343 *alert = TLS1_AD_INTERNAL_ERROR;
344 return 0;
345 }
346
347 int
348 tlsext_ecpf_clienthello_needs(SSL *s)
349 {
350 return ssl_has_ecc_ciphers(s);
351 }
352
353 int
354 tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb)
355 {
356 return tlsext_ecpf_build(s, cbb);
357 }
358
359 int
360 tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert)
361 {
362 return tlsext_ecpf_parse(s, cbs, alert);
363 }
364
365 int
366 tlsext_ecpf_serverhello_needs(SSL *s)
367 {
368 if (s->version == DTLS1_VERSION)
369 return 0;
370
371 return ssl_using_ecc_cipher(s);
372 }
373
374 int
375 tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb)
376 {
377 return tlsext_ecpf_build(s, cbb);
378 }
379
380 int
381 tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert)
382 {
383 return tlsext_ecpf_parse(s, cbs, alert);
384 }
385
386 /*
387 * Renegotiation Indication - RFC 5746.
388 */
389 int
390 tlsext_ri_clienthello_needs(SSL *s)
391 {
392 return (s->internal->renegotiate);
393 }
394
395 int
396 tlsext_ri_clienthello_build(SSL *s, CBB *cbb)
397 {
398 CBB reneg;
399
400 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
401 return 0;
402 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
403 S3I(s)->previous_client_finished_len))
404 return 0;
405 if (!CBB_flush(cbb))
406 return 0;
407
408 return 1;
409 }
410
411 int
412 tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert)
413 {
414 CBS reneg;
415
416 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
417 goto err;
418 if (CBS_len(cbs) != 0)
419 goto err;
420
421 if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
422 S3I(s)->previous_client_finished_len)) {
423 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
424 *alert = SSL_AD_HANDSHAKE_FAILURE;
425 return 0;
426 }
427
428 S3I(s)->renegotiate_seen = 1;
429 S3I(s)->send_connection_binding = 1;
430
431 return 1;
432
433 err:
434 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
435 *alert = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 int
440 tlsext_ri_serverhello_needs(SSL *s)
441 {
442 return (S3I(s)->send_connection_binding);
443 }
444
445 int
446 tlsext_ri_serverhello_build(SSL *s, CBB *cbb)
447 {
448 CBB reneg;
449
450 if (!CBB_add_u8_length_prefixed(cbb, &reneg))
451 return 0;
452 if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
453 S3I(s)->previous_client_finished_len))
454 return 0;
455 if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished,
456 S3I(s)->previous_server_finished_len))
457 return 0;
458 if (!CBB_flush(cbb))
459 return 0;
460
461 return 1;
462 }
463
464 int
465 tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert)
466 {
467 CBS reneg, prev_client, prev_server;
468
469 /*
470 * Ensure that the previous client and server values are both not
471 * present, or that they are both present.
472 */
473 if ((S3I(s)->previous_client_finished_len == 0 &&
474 S3I(s)->previous_server_finished_len != 0) ||
475 (S3I(s)->previous_client_finished_len != 0 &&
476 S3I(s)->previous_server_finished_len == 0)) {
477 *alert = TLS1_AD_INTERNAL_ERROR;
478 return 0;
479 }
480
481 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
482 goto err;
483 if (!CBS_get_bytes(&reneg, &prev_client,
484 S3I(s)->previous_client_finished_len))
485 goto err;
486 if (!CBS_get_bytes(&reneg, &prev_server,
487 S3I(s)->previous_server_finished_len))
488 goto err;
489 if (CBS_len(&reneg) != 0)
490 goto err;
491 if (CBS_len(cbs) != 0)
492 goto err;
493
494 if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished,
495 S3I(s)->previous_client_finished_len)) {
496 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
497 *alert = SSL_AD_HANDSHAKE_FAILURE;
498 return 0;
499 }
500 if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished,
501 S3I(s)->previous_server_finished_len)) {
502 SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
503 *alert = SSL_AD_HANDSHAKE_FAILURE;
504 return 0;
505 }
506
507 S3I(s)->renegotiate_seen = 1;
508 S3I(s)->send_connection_binding = 1;
509
510 return 1;
511
512 err:
513 SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
514 *alert = SSL_AD_DECODE_ERROR;
515 return 0;
516 }
517
518 /*
519 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
520 */
521 int
522 tlsext_sigalgs_clienthello_needs(SSL *s)
523 {
524 return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
525 }
526
527 int
528 tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
529 {
530 unsigned char *sigalgs_data;
531 size_t sigalgs_len;
532 CBB sigalgs;
533
534 tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
535
536 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
537 return 0;
538 if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len))
539 return 0;
540 if (!CBB_flush(cbb))
541 return 0;
542
543 return 1;
544 }
545
546 int
547 tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert)
548 {
549 CBS sigalgs;
550
551 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
552 return 0;
553
554 return tls1_process_sigalgs(s, &sigalgs);
555 }
556
557 int
558 tlsext_sigalgs_serverhello_needs(SSL *s)
559 {
560 return 0;
561 }
562
563 int
564 tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb)
565 {
566 return 0;
567 }
568
569 int
570 tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert)
571 {
572 /* As per the RFC, servers must not send this extension. */
573 return 0;
574 }
575
576 /*
577 * Server Name Indication - RFC 6066, section 3.
578 */
579 int
580 tlsext_sni_clienthello_needs(SSL *s)
581 {
582 return (s->tlsext_hostname != NULL);
583 }
584
585 int
586 tlsext_sni_clienthello_build(SSL *s, CBB *cbb)
587 {
588 CBB server_name_list, host_name;
589
590 if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
591 return 0;
592 if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
593 return 0;
594 if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
595 return 0;
596 if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
597 strlen(s->tlsext_hostname)))
598 return 0;
599 if (!CBB_flush(cbb))
600 return 0;
601
602 return 1;
603 }
604
605 int
606 tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert)
607 {
608 CBS server_name_list, host_name;
609 uint8_t name_type;
610
611 if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
612 goto err;
613
614 /*
615 * RFC 6066 section 3 forbids multiple host names with the same type.
616 * Additionally, only one type (host_name) is specified.
617 */
618 if (!CBS_get_u8(&server_name_list, &name_type))
619 goto err;
620 if (name_type != TLSEXT_NAMETYPE_host_name)
621 goto err;
622
623 if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
624 goto err;
625 if (CBS_len(&host_name) == 0 ||
626 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
627 CBS_contains_zero_byte(&host_name)) {
628 *alert = TLS1_AD_UNRECOGNIZED_NAME;
629 return 0;
630 }
631
632 if (s->internal->hit) {
633 if (s->session->tlsext_hostname == NULL) {
634 *alert = TLS1_AD_UNRECOGNIZED_NAME;
635 return 0;
636 }
637 if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
638 strlen(s->session->tlsext_hostname))) {
639 *alert = TLS1_AD_UNRECOGNIZED_NAME;
640 return 0;
641 }
642 } else {
643 if (s->session->tlsext_hostname != NULL)
644 goto err;
645 if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
646 *alert = TLS1_AD_INTERNAL_ERROR;
647 return 0;
648 }
649 }
650
651 if (CBS_len(&server_name_list) != 0)
652 goto err;
653 if (CBS_len(cbs) != 0)
654 goto err;
655
656 return 1;
657
658 err:
659 *alert = SSL_AD_DECODE_ERROR;
660 return 0;
661 }
662
663 int
664 tlsext_sni_serverhello_needs(SSL *s)
665 {
666 return (s->session->tlsext_hostname != NULL);
667 }
668
669 int
670 tlsext_sni_serverhello_build(SSL *s, CBB *cbb)
671 {
672 return 1;
673 }
674
675 int
676 tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
677 {
678 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
679 *alert = TLS1_AD_UNRECOGNIZED_NAME;
680 return 0;
681 }
682
683 if (s->internal->hit) {
684 if (s->session->tlsext_hostname == NULL) {
685 *alert = TLS1_AD_UNRECOGNIZED_NAME;
686 return 0;
687 }
688 if (strcmp(s->tlsext_hostname,
689 s->session->tlsext_hostname) != 0) {
690 *alert = TLS1_AD_UNRECOGNIZED_NAME;
691 return 0;
692 }
693 } else {
694 if (s->session->tlsext_hostname != NULL) {
695 *alert = SSL_AD_DECODE_ERROR;
696 return 0;
697 }
698 if ((s->session->tlsext_hostname =
699 strdup(s->tlsext_hostname)) == NULL) {
700 *alert = TLS1_AD_INTERNAL_ERROR;
701 return 0;
702 }
703 }
704
705 return 1;
706 }
707
708
709 /*
710 *Certificate Status Request - RFC 6066 section 8.
711 */
712
713 int
714 tlsext_ocsp_clienthello_needs(SSL *s)
715 {
716 return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
717 s->version != DTLS1_VERSION);
718 }
719
720 int
721 tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
722 {
723 CBB respid_list, respid, exts;
724 unsigned char *ext_data;
725 size_t ext_len;
726 int i;
727
728 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
729 return 0;
730 if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
731 return 0;
732 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
733 unsigned char *respid_data;
734 OCSP_RESPID *id;
735 size_t id_len;
736
737 if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
738 i)) == NULL)
739 return 0;
740 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
741 return 0;
742 if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
743 return 0;
744 if (!CBB_add_space(&respid, &respid_data, id_len))
745 return 0;
746 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
747 return 0;
748 }
749 if (!CBB_add_u16_length_prefixed(cbb, &exts))
750 return 0;
751 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
752 NULL)) == -1)
753 return 0;
754 if (!CBB_add_space(&exts, &ext_data, ext_len))
755 return 0;
756 if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
757 ext_len))
758 return 0;
759 if (!CBB_flush(cbb))
760 return 0;
761 return 1;
762 }
763
764 int
765 tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
766 {
767 int failure = SSL_AD_DECODE_ERROR;
768 CBS respid_list, respid, exts;
769 const unsigned char *p;
770 uint8_t status_type;
771 int ret = 0;
772
773 if (!CBS_get_u8(cbs, &status_type))
774 goto err;
775 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
776 /* ignore unknown status types */
777 s->tlsext_status_type = -1;
778
779 if (!CBS_skip(cbs, CBS_len(cbs))) {
780 *alert = TLS1_AD_INTERNAL_ERROR;
781 return 0;
782 }
783 return 1;
784 }
785 s->tlsext_status_type = status_type;
786 if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
787 goto err;
788
789 /* XXX */
790 sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
791 s->internal->tlsext_ocsp_ids = NULL;
792 if (CBS_len(&respid_list) > 0) {
793 s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
794 if (s->internal->tlsext_ocsp_ids == NULL) {
795 failure = SSL_AD_INTERNAL_ERROR;
796 goto err;
797 }
798 }
799
800 while (CBS_len(&respid_list) > 0) {
801 OCSP_RESPID *id;
802
803 if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
804 goto err;
805 p = CBS_data(&respid);
806 if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
807 goto err;
808 if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
809 failure = SSL_AD_INTERNAL_ERROR;
810 OCSP_RESPID_free(id);
811 goto err;
812 }
813 }
814
815 /* Read in request_extensions */
816 if (!CBS_get_u16_length_prefixed(cbs, &exts))
817 goto err;
818 if (CBS_len(&exts) > 0) {
819 sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
820 X509_EXTENSION_free);
821 p = CBS_data(&exts);
822 if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
823 &p, CBS_len(&exts))) == NULL)
824 goto err;
825 }
826
827 /* should be nothing left */
828 if (CBS_len(cbs) > 0)
829 goto err;
830
831 ret = 1;
832 err:
833 if (ret == 0)
834 *alert = failure;
835 return ret;
836 }
837
838 int
839 tlsext_ocsp_serverhello_needs(SSL *s)
840 {
841 return s->internal->tlsext_status_expected;
842 }
843
844 int
845 tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb)
846 {
847 return 1;
848 }
849
850 int
851 tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
852 {
853 if (s->tlsext_status_type == -1) {
854 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
855 return 0;
856 }
857 /* Set flag to expect CertificateStatus message */
858 s->internal->tlsext_status_expected = 1;
859 return 1;
860 }
861
862 /*
863 * SessionTicket extension - RFC 5077 section 3.2
864 */
865 int
866 tlsext_sessionticket_clienthello_needs(SSL *s)
867 {
868 /*
869 * Send session ticket extension when enabled and not overridden.
870 *
871 * When renegotiating, send an empty session ticket to indicate support.
872 */
873 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
874 return 0;
875
876 if (s->internal->new_session)
877 return 1;
878
879 if (s->internal->tlsext_session_ticket != NULL &&
880 s->internal->tlsext_session_ticket->data == NULL)
881 return 0;
882
883 return 1;
884 }
885
886 int
887 tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb)
888 {
889 /*
890 * Signal that we support session tickets by sending an empty
891 * extension when renegotiating or no session found.
892 */
893 if (s->internal->new_session || s->session == NULL)
894 return 1;
895
896 if (s->session->tlsext_tick != NULL) {
897 /* Attempt to resume with an existing session ticket */
898 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
899 s->session->tlsext_ticklen))
900 return 0;
901
902 } else if (s->internal->tlsext_session_ticket != NULL) {
903 /*
904 * Attempt to resume with a custom provided session ticket set
905 * by SSL_set_session_ticket_ext().
906 */
907 if (s->internal->tlsext_session_ticket->length > 0) {
908 size_t ticklen = s->internal->tlsext_session_ticket->length;
909
910 if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
911 return 0;
912 memcpy(s->session->tlsext_tick,
913 s->internal->tlsext_session_ticket->data,
914 ticklen);
915 s->session->tlsext_ticklen = ticklen;
916
917 if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
918 s->session->tlsext_ticklen))
919 return 0;
920 }
921 }
922
923 if (!CBB_flush(cbb))
924 return 0;
925
926 return 1;
927 }
928
929 int
930 tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert)
931 {
932 if (s->internal->tls_session_ticket_ext_cb) {
933 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
934 (int)CBS_len(cbs),
935 s->internal->tls_session_ticket_ext_cb_arg)) {
936 *alert = TLS1_AD_INTERNAL_ERROR;
937 return 0;
938 }
939 }
940
941 /* We need to signal that this was processed fully */
942 if (!CBS_skip(cbs, CBS_len(cbs))) {
943 *alert = TLS1_AD_INTERNAL_ERROR;
944 return 0;
945 }
946
947 return 1;
948 }
949
950 int
951 tlsext_sessionticket_serverhello_needs(SSL *s)
952 {
953 return (s->internal->tlsext_ticket_expected &&
954 !(SSL_get_options(s) & SSL_OP_NO_TICKET));
955 }
956
957 int
958 tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb)
959 {
960 /* Empty ticket */
961
962 return 1;
963 }
964
965 int
966 tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert)
967 {
968 if (s->internal->tls_session_ticket_ext_cb) {
969 if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
970 (int)CBS_len(cbs),
971 s->internal->tls_session_ticket_ext_cb_arg)) {
972 *alert = TLS1_AD_INTERNAL_ERROR;
973 return 0;
974 }
975 }
976
977 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
978 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
979 return 0;
980 }
981
982 s->internal->tlsext_ticket_expected = 1;
983
984 return 1;
985 }
986
987 /*
988 * DTLS extension for SRTP key establishment - RFC 5764
989 */
990
991 #ifndef OPENSSL_NO_SRTP
992
993 int
994 tlsext_srtp_clienthello_needs(SSL *s)
995 {
996 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL;
997 }
998
999 int
1000 tlsext_srtp_clienthello_build(SSL *s, CBB *cbb)
1001 {
1002 CBB profiles, mki;
1003 int ct, i;
1004 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1005 SRTP_PROTECTION_PROFILE *prof;
1006
1007 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1008 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1009 return 0;
1010 }
1011
1012 if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1013 SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1014 return 0;
1015 }
1016
1017 if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1018 return 0;
1019
1020 for (i = 0; i < ct; i++) {
1021 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1022 return 0;
1023 if (!CBB_add_u16(&profiles, prof->id))
1024 return 0;
1025 }
1026
1027 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1028 return 0;
1029
1030 if (!CBB_flush(cbb))
1031 return 0;
1032
1033 return 1;
1034 }
1035
1036 int
1037 tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1038 {
1039 SRTP_PROTECTION_PROFILE *cprof, *sprof;
1040 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1041 int i, j;
1042 int ret;
1043 uint16_t id;
1044 CBS profiles, mki;
1045
1046 ret = 0;
1047
1048 if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1049 goto err;
1050 if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1051 goto err;
1052
1053 if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1054 goto err;
1055
1056 while (CBS_len(&profiles) > 0) {
1057 if (!CBS_get_u16(&profiles, &id))
1058 goto err;
1059
1060 if (!srtp_find_profile_by_num(id, &cprof)) {
1061 if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1062 goto err;
1063 }
1064 }
1065
1066 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1067 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1068 *alert = SSL_AD_DECODE_ERROR;
1069 goto done;
1070 }
1071 if (CBS_len(cbs) != 0)
1072 goto err;
1073
1074 /*
1075 * Per RFC 5764 section 4.1.1
1076 *
1077 * Find the server preferred profile using the client's list.
1078 *
1079 * The server MUST send a profile if it sends the use_srtp
1080 * extension. If one is not found, it should fall back to the
1081 * negotiated DTLS cipher suite or return a DTLS alert.
1082 */
1083 if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1084 goto err;
1085 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1086 if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1087 == NULL)
1088 goto err;
1089
1090 for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1091 if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1092 == NULL)
1093 goto err;
1094
1095 if (cprof->id == sprof->id) {
1096 s->internal->srtp_profile = sprof;
1097 ret = 1;
1098 goto done;
1099 }
1100 }
1101 }
1102
1103 /* If we didn't find anything, fall back to the negotiated */
1104 ret = 1;
1105 goto done;
1106
1107 err:
1108 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1109 *alert = SSL_AD_DECODE_ERROR;
1110
1111 done:
1112 sk_SRTP_PROTECTION_PROFILE_free(clnt);
1113 return ret;
1114 }
1115
1116 int
1117 tlsext_srtp_serverhello_needs(SSL *s)
1118 {
1119 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL;
1120 }
1121
1122 int
1123 tlsext_srtp_serverhello_build(SSL *s, CBB *cbb)
1124 {
1125 SRTP_PROTECTION_PROFILE *profile;
1126 CBB srtp, mki;
1127
1128 if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1129 return 0;
1130
1131 if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1132 return 0;
1133
1134 if (!CBB_add_u16(&srtp, profile->id))
1135 return 0;
1136
1137 if (!CBB_add_u8_length_prefixed(cbb, &mki))
1138 return 0;
1139
1140 if (!CBB_flush(cbb))
1141 return 0;
1142
1143 return 1;
1144 }
1145
1146 int
1147 tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1148 {
1149 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1150 SRTP_PROTECTION_PROFILE *prof;
1151 int i;
1152 uint16_t id;
1153 CBS profile_ids, mki;
1154
1155 if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1156 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1157 goto err;
1158 }
1159
1160 if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1161 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1162 goto err;
1163 }
1164
1165 if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1166 SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1167 *alert = SSL_AD_ILLEGAL_PARAMETER;
1168 return 0;
1169 }
1170
1171 if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1172 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1173 goto err;
1174 }
1175
1176 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1177 if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1178 == NULL) {
1179 SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1180 goto err;
1181 }
1182
1183 if (prof->id == id) {
1184 s->internal->srtp_profile = prof;
1185 return 1;
1186 }
1187 }
1188
1189 SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1190 err:
1191 *alert = SSL_AD_DECODE_ERROR;
1192 return 0;
1193 }
1194
1195 #endif /* OPENSSL_NO_SRTP */
1196
1197 struct tls_extension {
1198 uint16_t type;
1199 int (*clienthello_needs)(SSL *s);
1200 int (*clienthello_build)(SSL *s, CBB *cbb);
1201 int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert);
1202 int (*serverhello_needs)(SSL *s);
1203 int (*serverhello_build)(SSL *s, CBB *cbb);
1204 int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert);
1205 };
1206
1207 static struct tls_extension tls_extensions[] = {
1208 {
1209 .type = TLSEXT_TYPE_server_name,
1210 .clienthello_needs = tlsext_sni_clienthello_needs,
1211 .clienthello_build = tlsext_sni_clienthello_build,
1212 .clienthello_parse = tlsext_sni_clienthello_parse,
1213 .serverhello_needs = tlsext_sni_serverhello_needs,
1214 .serverhello_build = tlsext_sni_serverhello_build,
1215 .serverhello_parse = tlsext_sni_serverhello_parse,
1216 },
1217 {
1218 .type = TLSEXT_TYPE_renegotiate,
1219 .clienthello_needs = tlsext_ri_clienthello_needs,
1220 .clienthello_build = tlsext_ri_clienthello_build,
1221 .clienthello_parse = tlsext_ri_clienthello_parse,
1222 .serverhello_needs = tlsext_ri_serverhello_needs,
1223 .serverhello_build = tlsext_ri_serverhello_build,
1224 .serverhello_parse = tlsext_ri_serverhello_parse,
1225 },
1226 {
1227 .type = TLSEXT_TYPE_status_request,
1228 .clienthello_needs = tlsext_ocsp_clienthello_needs,
1229 .clienthello_build = tlsext_ocsp_clienthello_build,
1230 .clienthello_parse = tlsext_ocsp_clienthello_parse,
1231 .serverhello_needs = tlsext_ocsp_serverhello_needs,
1232 .serverhello_build = tlsext_ocsp_serverhello_build,
1233 .serverhello_parse = tlsext_ocsp_serverhello_parse,
1234 },
1235 {
1236 .type = TLSEXT_TYPE_ec_point_formats,
1237 .clienthello_needs = tlsext_ecpf_clienthello_needs,
1238 .clienthello_build = tlsext_ecpf_clienthello_build,
1239 .clienthello_parse = tlsext_ecpf_clienthello_parse,
1240 .serverhello_needs = tlsext_ecpf_serverhello_needs,
1241 .serverhello_build = tlsext_ecpf_serverhello_build,
1242 .serverhello_parse = tlsext_ecpf_serverhello_parse,
1243 },
1244 {
1245 .type = TLSEXT_TYPE_elliptic_curves,
1246 .clienthello_needs = tlsext_ec_clienthello_needs,
1247 .clienthello_build = tlsext_ec_clienthello_build,
1248 .clienthello_parse = tlsext_ec_clienthello_parse,
1249 .serverhello_needs = tlsext_ec_serverhello_needs,
1250 .serverhello_build = tlsext_ec_serverhello_build,
1251 .serverhello_parse = tlsext_ec_serverhello_parse,
1252 },
1253 {
1254 .type = TLSEXT_TYPE_session_ticket,
1255 .clienthello_needs = tlsext_sessionticket_clienthello_needs,
1256 .clienthello_build = tlsext_sessionticket_clienthello_build,
1257 .clienthello_parse = tlsext_sessionticket_clienthello_parse,
1258 .serverhello_needs = tlsext_sessionticket_serverhello_needs,
1259 .serverhello_build = tlsext_sessionticket_serverhello_build,
1260 .serverhello_parse = tlsext_sessionticket_serverhello_parse,
1261 },
1262 {
1263 .type = TLSEXT_TYPE_signature_algorithms,
1264 .clienthello_needs = tlsext_sigalgs_clienthello_needs,
1265 .clienthello_build = tlsext_sigalgs_clienthello_build,
1266 .clienthello_parse = tlsext_sigalgs_clienthello_parse,
1267 .serverhello_needs = tlsext_sigalgs_serverhello_needs,
1268 .serverhello_build = tlsext_sigalgs_serverhello_build,
1269 .serverhello_parse = tlsext_sigalgs_serverhello_parse,
1270 },
1271 {
1272 .type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1273 .clienthello_needs = tlsext_alpn_clienthello_needs,
1274 .clienthello_build = tlsext_alpn_clienthello_build,
1275 .clienthello_parse = tlsext_alpn_clienthello_parse,
1276 .serverhello_needs = tlsext_alpn_serverhello_needs,
1277 .serverhello_build = tlsext_alpn_serverhello_build,
1278 .serverhello_parse = tlsext_alpn_serverhello_parse,
1279 },
1280 #ifndef OPENSSL_NO_SRTP
1281 {
1282 .type = TLSEXT_TYPE_use_srtp,
1283 .clienthello_needs = tlsext_srtp_clienthello_needs,
1284 .clienthello_build = tlsext_srtp_clienthello_build,
1285 .clienthello_parse = tlsext_srtp_clienthello_parse,
1286 .serverhello_needs = tlsext_srtp_serverhello_needs,
1287 .serverhello_build = tlsext_srtp_serverhello_build,
1288 .serverhello_parse = tlsext_srtp_serverhello_parse,
1289 }
1290 #endif /* OPENSSL_NO_SRTP */
1291 };
1292
1293 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1294
1295 /* Ensure that extensions fit in a uint32_t bitmask. */
1296 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1297
1298 static struct tls_extension *
1299 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1300 {
1301 size_t i;
1302
1303 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1304 if (tls_extensions[i].type == type) {
1305 *tls_extensions_idx = i;
1306 return &tls_extensions[i];
1307 }
1308 }
1309
1310 return NULL;
1311 }
1312
1313 static int
1314 tls_extension_needs(struct tls_extension *tlsext, int is_serverhello, SSL *s)
1315 {
1316 if (is_serverhello)
1317 return tlsext->serverhello_needs(s);
1318 return tlsext->clienthello_needs(s);
1319 }
1320
1321 static int
1322 tls_extension_build(struct tls_extension *tlsext, int is_serverhello, SSL *s,
1323 CBB *cbb)
1324 {
1325 if (is_serverhello)
1326 return tlsext->serverhello_build(s, cbb);
1327 return tlsext->clienthello_build(s, cbb);
1328 }
1329
1330 static int
1331 tls_extension_parse(struct tls_extension *tlsext, int is_serverhello, SSL *s,
1332 CBS *cbs, int *alert)
1333 {
1334 if (is_serverhello)
1335 return tlsext->serverhello_parse(s, cbs, alert);
1336 return tlsext->clienthello_parse(s, cbs, alert);
1337 }
1338
1339 static int
1340 tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
1341 {
1342 CBB extensions, extension_data;
1343 struct tls_extension *tlsext;
1344 int extensions_present = 0;
1345 size_t i;
1346
1347 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
1348 return 0;
1349
1350 for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1351 tlsext = &tls_extensions[i];
1352
1353 if (!tls_extension_needs(tlsext, is_serverhello, s))
1354 continue;
1355
1356 if (!CBB_add_u16(&extensions, tlsext->type))
1357 return 0;
1358 if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
1359 return 0;
1360
1361 if (!tls_extension_build(tlsext, is_serverhello, s,
1362 &extension_data))
1363 return 0;
1364
1365 extensions_present = 1;
1366 }
1367
1368 if (!extensions_present)
1369 CBB_discard_child(cbb);
1370
1371 if (!CBB_flush(cbb))
1372 return 0;
1373
1374 return 1;
1375 }
1376
1377 static int
1378 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello)
1379 {
1380 CBS extensions, extension_data;
1381 struct tls_extension *tlsext;
1382 uint32_t extensions_seen = 0;
1383 uint16_t type;
1384 size_t idx;
1385
1386 /* An empty extensions block is valid. */
1387 if (CBS_len(cbs) == 0)
1388 return 1;
1389
1390 *alert = SSL_AD_DECODE_ERROR;
1391
1392 if (!CBS_get_u16_length_prefixed(cbs, &extensions))
1393 return 0;
1394
1395 while (CBS_len(&extensions) > 0) {
1396 if (!CBS_get_u16(&extensions, &type))
1397 return 0;
1398 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
1399 return 0;
1400
1401 if (s->internal->tlsext_debug_cb != NULL)
1402 s->internal->tlsext_debug_cb(s, is_serverhello, type,
1403 (unsigned char *)CBS_data(&extension_data),
1404 CBS_len(&extension_data),
1405 s->internal->tlsext_debug_arg);
1406
1407 /* Unknown extensions are ignored. */
1408 if ((tlsext = tls_extension_find(type, &idx)) == NULL)
1409 continue;
1410
1411 /* Check for duplicate known extensions. */
1412 if ((extensions_seen & (1 << idx)) != 0)
1413 return 0;
1414 extensions_seen |= (1 << idx);
1415
1416 if (!tls_extension_parse(tlsext, is_serverhello, s,
1417 &extension_data, alert))
1418 return 0;
1419
1420 if (CBS_len(&extension_data) != 0)
1421 return 0;
1422 }
1423
1424 return 1;
1425 }
1426
1427 static void
1428 tlsext_clienthello_reset_state(SSL *s)
1429 {
1430 s->internal->servername_done = 0;
1431 s->tlsext_status_type = -1;
1432 S3I(s)->renegotiate_seen = 0;
1433 free(S3I(s)->alpn_selected);
1434 S3I(s)->alpn_selected = NULL;
1435 s->internal->srtp_profile = NULL;
1436 }
1437
1438 int
1439 tlsext_clienthello_build(SSL *s, CBB *cbb)
1440 {
1441 return tlsext_build(s, cbb, 0);
1442 }
1443
1444 int
1445 tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1446 {
1447 /* XXX - this possibly should be done by the caller... */
1448 tlsext_clienthello_reset_state(s);
1449
1450 return tlsext_parse(s, cbs, alert, 0);
1451 }
1452
1453 static void
1454 tlsext_serverhello_reset_state(SSL *s)
1455 {
1456 S3I(s)->renegotiate_seen = 0;
1457 free(S3I(s)->alpn_selected);
1458 S3I(s)->alpn_selected = NULL;
1459 }
1460
1461 int
1462 tlsext_serverhello_build(SSL *s, CBB *cbb)
1463 {
1464 return tlsext_build(s, cbb, 1);
1465 }
1466
1467 int
1468 tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1469 {
1470 /* XXX - this possibly should be done by the caller... */
1471 tlsext_serverhello_reset_state(s);
1472
1473 return tlsext_parse(s, cbs, alert, 1);
1474 }
Unleashed OS