authorjsing <>2018-11-05 20:29:52 +0000
committerjsing <>2018-11-05 20:29:52 +0000
commit10fbcf441c789825e293dcdf108f5d3a6066e929 (patch)
tree7fb2a12e0d2c50861552be67fd3bbf25deca5569 /src
parentcf97742ffbfc84800478e34a8d383f39db8618e9 (diff)
Rework the TLS extension handling code to improve readability/flexibility,
by moving the needs/build/parse functions into their own struct. ok beck@ tb@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_tlsext.c201
1 files changed, 112 insertions, 89 deletions
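diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index b70be87f3a..1509c7d779 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.22 2018/05/12 17:27:22 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.23 2018/11/05 20:29:52 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1196,98 +1196,136 @@ tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
 
 #endif /* OPENSSL_NO_SRTP */
 
+struct tls_extension_funcs {
+	int (*needs)(SSL *s);
+	int (*build)(SSL *s, CBB *cbb);
+	int (*parse)(SSL *s, CBS *cbs, int *alert);
+};
+
 struct tls_extension {
 	uint16_t type;
-	int (*clienthello_needs)(SSL *s);
-	int (*clienthello_build)(SSL *s, CBB *cbb);
-	int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert);
-	int (*serverhello_needs)(SSL *s);
-	int (*serverhello_build)(SSL *s, CBB *cbb);
-	int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert);
+	struct tls_extension_funcs clienthello;
+	struct tls_extension_funcs serverhello;
 };
 
 static struct tls_extension tls_extensions[] = {
 	{
 		.type = TLSEXT_TYPE_server_name,
-		.clienthello_needs = tlsext_sni_clienthello_needs,
-		.clienthello_build = tlsext_sni_clienthello_build,
-		.clienthello_parse = tlsext_sni_clienthello_parse,
-		.serverhello_needs = tlsext_sni_serverhello_needs,
-		.serverhello_build = tlsext_sni_serverhello_build,
-		.serverhello_parse = tlsext_sni_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_sni_clienthello_needs,
+			.build = tlsext_sni_clienthello_build,
+			.parse = tlsext_sni_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_sni_serverhello_needs,
+			.build = tlsext_sni_serverhello_build,
+			.parse = tlsext_sni_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_renegotiate,
-		.clienthello_needs = tlsext_ri_clienthello_needs,
-		.clienthello_build = tlsext_ri_clienthello_build,
-		.clienthello_parse = tlsext_ri_clienthello_parse,
-		.serverhello_needs = tlsext_ri_serverhello_needs,
-		.serverhello_build = tlsext_ri_serverhello_build,
-		.serverhello_parse = tlsext_ri_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_ri_clienthello_needs,
+			.build = tlsext_ri_clienthello_build,
+			.parse = tlsext_ri_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_ri_serverhello_needs,
+			.build = tlsext_ri_serverhello_build,
+			.parse = tlsext_ri_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_status_request,
-		.clienthello_needs = tlsext_ocsp_clienthello_needs,
-		.clienthello_build = tlsext_ocsp_clienthello_build,
-		.clienthello_parse = tlsext_ocsp_clienthello_parse,
-		.serverhello_needs = tlsext_ocsp_serverhello_needs,
-		.serverhello_build = tlsext_ocsp_serverhello_build,
-		.serverhello_parse = tlsext_ocsp_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_ocsp_clienthello_needs,
+			.build = tlsext_ocsp_clienthello_build,
+			.parse = tlsext_ocsp_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_ocsp_serverhello_needs,
+			.build = tlsext_ocsp_serverhello_build,
+			.parse = tlsext_ocsp_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_ec_point_formats,
-		.clienthello_needs = tlsext_ecpf_clienthello_needs,
-		.clienthello_build = tlsext_ecpf_clienthello_build,
-		.clienthello_parse = tlsext_ecpf_clienthello_parse,
-		.serverhello_needs = tlsext_ecpf_serverhello_needs,
-		.serverhello_build = tlsext_ecpf_serverhello_build,
-		.serverhello_parse = tlsext_ecpf_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_ecpf_clienthello_needs,
+			.build = tlsext_ecpf_clienthello_build,
+			.parse = tlsext_ecpf_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_ecpf_serverhello_needs,
+			.build = tlsext_ecpf_serverhello_build,
+			.parse = tlsext_ecpf_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_elliptic_curves,
-		.clienthello_needs = tlsext_ec_clienthello_needs,
-		.clienthello_build = tlsext_ec_clienthello_build,
-		.clienthello_parse = tlsext_ec_clienthello_parse,
-		.serverhello_needs = tlsext_ec_serverhello_needs,
-		.serverhello_build = tlsext_ec_serverhello_build,
-		.serverhello_parse = tlsext_ec_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_ec_clienthello_needs,
+			.build = tlsext_ec_clienthello_build,
+			.parse = tlsext_ec_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_ec_serverhello_needs,
+			.build = tlsext_ec_serverhello_build,
+			.parse = tlsext_ec_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_session_ticket,
-		.clienthello_needs = tlsext_sessionticket_clienthello_needs,
-		.clienthello_build = tlsext_sessionticket_clienthello_build,
-		.clienthello_parse = tlsext_sessionticket_clienthello_parse,
-		.serverhello_needs = tlsext_sessionticket_serverhello_needs,
-		.serverhello_build = tlsext_sessionticket_serverhello_build,
-		.serverhello_parse = tlsext_sessionticket_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_sessionticket_clienthello_needs,
+			.build = tlsext_sessionticket_clienthello_build,
+			.parse = tlsext_sessionticket_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_sessionticket_serverhello_needs,
+			.build = tlsext_sessionticket_serverhello_build,
+			.parse = tlsext_sessionticket_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_signature_algorithms,
-		.clienthello_needs = tlsext_sigalgs_clienthello_needs,
-		.clienthello_build = tlsext_sigalgs_clienthello_build,
-		.clienthello_parse = tlsext_sigalgs_clienthello_parse,
-		.serverhello_needs = tlsext_sigalgs_serverhello_needs,
-		.serverhello_build = tlsext_sigalgs_serverhello_build,
-		.serverhello_parse = tlsext_sigalgs_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_sigalgs_clienthello_needs,
+			.build = tlsext_sigalgs_clienthello_build,
+			.parse = tlsext_sigalgs_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_sigalgs_serverhello_needs,
+			.build = tlsext_sigalgs_serverhello_build,
+			.parse = tlsext_sigalgs_serverhello_parse,
+		},
 	},
 	{
 		.type = TLSEXT_TYPE_application_layer_protocol_negotiation,
-		.clienthello_needs = tlsext_alpn_clienthello_needs,
-		.clienthello_build = tlsext_alpn_clienthello_build,
-		.clienthello_parse = tlsext_alpn_clienthello_parse,
-		.serverhello_needs = tlsext_alpn_serverhello_needs,
-		.serverhello_build = tlsext_alpn_serverhello_build,
-		.serverhello_parse = tlsext_alpn_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_alpn_clienthello_needs,
+			.build = tlsext_alpn_clienthello_build,
+			.parse = tlsext_alpn_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_alpn_serverhello_needs,
+			.build = tlsext_alpn_serverhello_build,
+			.parse = tlsext_alpn_serverhello_parse,
+		},
 	},
 #ifndef OPENSSL_NO_SRTP
 	{
 		.type = TLSEXT_TYPE_use_srtp,
-		.clienthello_needs = tlsext_srtp_clienthello_needs,
-		.clienthello_build = tlsext_srtp_clienthello_build,
-		.clienthello_parse = tlsext_srtp_clienthello_parse,
-		.serverhello_needs = tlsext_srtp_serverhello_needs,
-		.serverhello_build = tlsext_srtp_serverhello_build,
-		.serverhello_parse = tlsext_srtp_serverhello_parse,
+		.clienthello = {
+			.needs = tlsext_srtp_clienthello_needs,
+			.build = tlsext_srtp_clienthello_build,
+			.parse = tlsext_srtp_clienthello_parse,
+		},
+		.serverhello = {
+			.needs = tlsext_srtp_serverhello_needs,
+			.build = tlsext_srtp_serverhello_build,
+			.parse = tlsext_srtp_serverhello_parse,
+		},
 	}
 #endif /* OPENSSL_NO_SRTP */
 };
@@ -1312,37 +1350,21 @@ tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
 	return NULL;
 }
 
-static int
-tls_extension_needs(struct tls_extension *tlsext, int is_serverhello, SSL *s)
-{
-	if (is_serverhello)
-		return tlsext->serverhello_needs(s);
-	return tlsext->clienthello_needs(s);
-}
-
-static int
-tls_extension_build(struct tls_extension *tlsext, int is_serverhello, SSL *s,
-    CBB *cbb)
+static struct tls_extension_funcs *
+tlsext_funcs(struct tls_extension *tlsext, int is_serverhello)
 {
 	if (is_serverhello)
-		return tlsext->serverhello_build(s, cbb);
-	return tlsext->clienthello_build(s, cbb);
-}
+		return &tlsext->serverhello;
 
-static int
-tls_extension_parse(struct tls_extension *tlsext, int is_serverhello, SSL *s,
-    CBS *cbs, int *alert)
-{
-	if (is_serverhello)
-		return tlsext->serverhello_parse(s, cbs, alert);
-	return tlsext->clienthello_parse(s, cbs, alert);
+	return &tlsext->clienthello;
 }
 
 static int
 tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
 {
-	CBB extensions, extension_data;
+	struct tls_extension_funcs *ext;
 	struct tls_extension *tlsext;
+	CBB extensions, extension_data;
 	int extensions_present = 0;
 	size_t i;
 
@@ -1351,8 +1373,9 @@ tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
 
 	for (i = 0; i < N_TLS_EXTENSIONS; i++) {
 		tlsext = &tls_extensions[i];
+		ext = tlsext_funcs(tlsext, is_serverhello);
 
-		if (!tls_extension_needs(tlsext, is_serverhello, s))
+		if (!ext->needs(s))
 			continue;
 
 		if (!CBB_add_u16(&extensions, tlsext->type))
@@ -1360,8 +1383,7 @@ tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
 		if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
 			return 0;
 
-		if (!tls_extension_build(tlsext, is_serverhello, s,
-		    &extension_data))
+		if (!ext->build(s, &extension_data))
 			return 0;
 
 		extensions_present = 1;
@@ -1379,8 +1401,9 @@ tlsext_build(SSL *s, CBB *cbb, int is_serverhello)
 static int
 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello)
 {
-	CBS extensions, extension_data;
+	struct tls_extension_funcs *ext;
 	struct tls_extension *tlsext;
+	CBS extensions, extension_data;
 	uint32_t extensions_seen = 0;
 	uint16_t type;
 	size_t idx;
@@ -1415,8 +1438,8 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello)
 			return 0;
 		extensions_seen |= (1 << idx);
 
-		if (!tls_extension_parse(tlsext, is_serverhello, s,
-		    &extension_data, alert))
+		ext = tlsext_funcs(tlsext, is_serverhello);
+		if (!ext->parse(s, &extension_data, alert))
 			return 0;
 
 		if (CBS_len(&extension_data) != 0)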
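Review bot: The dispatch table that the new `tlsext_funcs` hands out is writable: `tls_extensions[]` in the second hunk is declared `static struct tls_extension` and `tlsext_funcs` in the third hunk returns a non-const `struct tls_extension_funcs *`, so the needs/build/parse function pointers live in writable data even though nothing in the hunk ever stores through them. Making the table `const` and returning a `const` view (with `const struct tls_extension_funcs *ext;` as the local in tlsext_build and tlsext_parse) lets the linker place the indirect-call table in read-only memory, the usual hardening for function-pointer tables that are only ever read. `tls_extension_find` returns `struct tls_extension *` and lies outside this hunk; it would need the matching `const` on its return type for the change to compile. A one-line comment on the new struct, `/* Per-message (ClientHello/ServerHello) hooks; every table entry must set all three. */`, would also record the assumption that `ext->needs`, `ext->build` and `ext->parse` are invoked without a NULL check.
```c
static const struct tls_extension tls_extensions[] = {
	/* … unchanged: table entries … */
};

static const struct tls_extension_funcs *
tlsext_funcs(const struct tls_extension *tlsext, int is_serverhello)
{
	if (is_serverhello)
		return &tlsext->serverhello;

	return &tlsext->clienthello;
}
```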