summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2024-03-25 10:18:13 +0000
committerjsing <>2024-03-25 10:18:13 +0000
commit46e5c6478e8fb8c6d88de2eb807245309502fa4c (patch)
tree2e2ac4bb1dd60d08faf8e08f97c74583ac636475 /src
parentdf00900d0be92b7888abdf97dbe45c5bc07da576 (diff)
downloadopenbsd-46e5c6478e8fb8c6d88de2eb807245309502fa4c.tar.gz
openbsd-46e5c6478e8fb8c6d88de2eb807245309502fa4c.tar.bz2
openbsd-46e5c6478e8fb8c6d88de2eb807245309502fa4c.zip
Simplify TLS extension parsing and processing.
Rather than having a separate parse and process step for each TLS extension, do a first pass that parses all of the TLS outer extensions and retains the extension data, before running a second pass that calls the TLS extension processing code. ok beck@ tb@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_tlsext.c253
1 files changed, 98 insertions, 155 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index ff138084e8..26bd0c5f3e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.140 2024/03/25 05:48:39 tb Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.141 2024/03/25 10:18:13 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -34,22 +34,6 @@
34 34
35#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation 35#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation
36 36
37struct tlsext_data {
38 CBS alpn;
39};
40
41static struct tlsext_data *
42tlsext_data_new(void)
43{
44 return calloc(1, sizeof(struct tlsext_data));
45}
46
47static void
48tlsext_data_free(struct tlsext_data *td)
49{
50 freezero(td, sizeof(*td));
51}
52
53/* 37/*
54 * Supported Application-Layer Protocol Negotiation - RFC 7301 38 * Supported Application-Layer Protocol Negotiation - RFC 7301
55 */ 39 */
@@ -102,31 +86,16 @@ tlsext_alpn_check_format(CBS *cbs)
102} 86}
103 87
104static int 88static int
105tlsext_alpn_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 89tlsext_alpn_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
106 CBS *cbs, int *alert)
107{
108 CBS alpn;
109
110 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
111 return 0;
112 if (!tlsext_alpn_check_format(&alpn))
113 return 0;
114
115 CBS_dup(&alpn, &td->alpn);
116
117 return 1;
118}
119
120static int
121tlsext_alpn_server_process(SSL *s, struct tlsext_data *td, uint16_t msg_type,
122 int *alert)
123{ 90{
124 CBS selected_cbs; 91 CBS alpn, selected_cbs;
125 const unsigned char *selected; 92 const unsigned char *selected;
126 unsigned char selected_len; 93 unsigned char selected_len;
127 int r; 94 int r;
128 95
129 if (CBS_data(&td->alpn) == NULL) 96 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
97 return 0;
98 if (!tlsext_alpn_check_format(&alpn))
130 return 0; 99 return 0;
131 100
132 if (s->ctx->alpn_select_cb == NULL) 101 if (s->ctx->alpn_select_cb == NULL)
@@ -139,8 +108,7 @@ tlsext_alpn_server_process(SSL *s, struct tlsext_data *td, uint16_t msg_type,
139 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. 108 * 3. TLSv1.2 and earlier: ensure that SNI has already been processed.
140 */ 109 */
141 r = s->ctx->alpn_select_cb(s, &selected, &selected_len, 110 r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
142 CBS_data(&td->alpn), CBS_len(&td->alpn), 111 CBS_data(&alpn), CBS_len(&alpn), s->ctx->alpn_select_cb_arg);
143 s->ctx->alpn_select_cb_arg);
144 112
145 if (r == SSL_TLSEXT_ERR_OK) { 113 if (r == SSL_TLSEXT_ERR_OK) {
146 CBS_init(&selected_cbs, selected, selected_len); 114 CBS_init(&selected_cbs, selected, selected_len);
@@ -192,8 +160,7 @@ tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
192} 160}
193 161
194static int 162static int
195tlsext_alpn_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 163tlsext_alpn_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
196 CBS *cbs, int *alert)
197{ 164{
198 CBS list, proto; 165 CBS list, proto;
199 166
@@ -213,18 +180,7 @@ tlsext_alpn_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type,
213 if (CBS_len(&proto) == 0) 180 if (CBS_len(&proto) == 0)
214 return 0; 181 return 0;
215 182
216 CBS_dup(&proto, &td->alpn); 183 if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
217
218 return 1;
219}
220
221static int
222tlsext_alpn_client_process(SSL *s, struct tlsext_data *td, uint16_t msg_type,
223 int *alert)
224{
225 if (CBS_data(&td->alpn) == NULL)
226 return 0;
227 if (!CBS_stow(&td->alpn, &s->s3->alpn_selected, &s->s3->alpn_selected_len))
228 return 0; 184 return 0;
229 185
230 return 1; 186 return 1;
@@ -271,8 +227,8 @@ tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
271} 227}
272 228
273static int 229static int
274tlsext_supportedgroups_server_parse(SSL *s, struct tlsext_data *td, 230tlsext_supportedgroups_server_process(SSL *s, uint16_t msg_type, CBS *cbs,
275 uint16_t msg_type, CBS *cbs, int *alert) 231 int *alert)
276{ 232{
277 CBS grouplist; 233 CBS grouplist;
278 uint16_t *groups; 234 uint16_t *groups;
@@ -344,8 +300,8 @@ tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
344} 300}
345 301
346static int 302static int
347tlsext_supportedgroups_client_parse(SSL *s, struct tlsext_data *td, 303tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
348 uint16_t msg_type, CBS *cbs, int *alert) 304 int *alert)
349{ 305{
350 /* 306 /*
351 * Servers should not send this extension per the RFC. 307 * Servers should not send this extension per the RFC.
@@ -393,8 +349,7 @@ tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb)
393} 349}
394 350
395static int 351static int
396tlsext_ecpf_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, CBS *cbs, 352tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
397 int *alert)
398{ 353{
399 CBS ecpf; 354 CBS ecpf;
400 355
@@ -434,10 +389,9 @@ tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
434} 389}
435 390
436static int 391static int
437tlsext_ecpf_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 392tlsext_ecpf_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
438 CBS *cbs, int *alert)
439{ 393{
440 return tlsext_ecpf_parse(s, td, msg_type, cbs, alert); 394 return tlsext_ecpf_process(s, msg_type, cbs, alert);
441} 395}
442 396
443static int 397static int
@@ -453,10 +407,9 @@ tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
453} 407}
454 408
455static int 409static int
456tlsext_ecpf_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 410tlsext_ecpf_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
457 CBS *cbs, int *alert)
458{ 411{
459 return tlsext_ecpf_parse(s, td, msg_type, cbs, alert); 412 return tlsext_ecpf_process(s, msg_type, cbs, alert);
460} 413}
461 414
462/* 415/*
@@ -485,8 +438,7 @@ tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
485} 438}
486 439
487static int 440static int
488tlsext_ri_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 441tlsext_ri_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
489 CBS *cbs, int *alert)
490{ 442{
491 CBS reneg; 443 CBS reneg;
492 444
@@ -535,8 +487,7 @@ tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
535} 487}
536 488
537static int 489static int
538tlsext_ri_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 490tlsext_ri_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
539 CBS *cbs, int *alert)
540{ 491{
541 CBS reneg, prev_client, prev_server; 492 CBS reneg, prev_client, prev_server;
542 493
@@ -619,8 +570,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
619} 570}
620 571
621static int 572static int
622tlsext_sigalgs_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 573tlsext_sigalgs_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
623 CBS *cbs, int *alert)
624{ 574{
625 CBS sigalgs; 575 CBS sigalgs;
626 576
@@ -657,8 +607,7 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
657} 607}
658 608
659static int 609static int
660tlsext_sigalgs_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 610tlsext_sigalgs_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
661 CBS *cbs, int *alert)
662{ 611{
663 CBS sigalgs; 612 CBS sigalgs;
664 613
@@ -785,8 +734,7 @@ tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip)
785} 734}
786 735
787static int 736static int
788tlsext_sni_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 737tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
789 CBS *cbs, int *alert)
790{ 738{
791 CBS server_name_list, host_name; 739 CBS server_name_list, host_name;
792 uint8_t name_type; 740 uint8_t name_type;
@@ -882,8 +830,7 @@ tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
882} 830}
883 831
884static int 832static int
885tlsext_sni_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 833tlsext_sni_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
886 CBS *cbs, int *alert)
887{ 834{
888 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { 835 if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
889 *alert = SSL_AD_UNRECOGNIZED_NAME; 836 *alert = SSL_AD_UNRECOGNIZED_NAME;
@@ -971,8 +918,7 @@ tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
971} 918}
972 919
973static int 920static int
974tlsext_ocsp_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 921tlsext_ocsp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
975 CBS *cbs, int *alert)
976{ 922{
977 int alert_desc = SSL_AD_DECODE_ERROR; 923 int alert_desc = SSL_AD_DECODE_ERROR;
978 CBS respid_list, respid, exts; 924 CBS respid_list, respid, exts;
@@ -1080,8 +1026,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1080} 1026}
1081 1027
1082static int 1028static int
1083tlsext_ocsp_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1029tlsext_ocsp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1084 CBS *cbs, int *alert)
1085{ 1030{
1086 uint8_t status_type; 1031 uint8_t status_type;
1087 CBS response; 1032 CBS response;
@@ -1201,8 +1146,8 @@ tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1201} 1146}
1202 1147
1203static int 1148static int
1204tlsext_sessionticket_server_parse(SSL *s, struct tlsext_data *td, 1149tlsext_sessionticket_server_process(SSL *s, uint16_t msg_type, CBS *cbs,
1205 uint16_t msg_type, CBS *cbs, int *alert) 1150 int *alert)
1206{ 1151{
1207 if (s->tls_session_ticket_ext_cb) { 1152 if (s->tls_session_ticket_ext_cb) {
1208 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1153 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
@@ -1238,8 +1183,8 @@ tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1238} 1183}
1239 1184
1240static int 1185static int
1241tlsext_sessionticket_client_parse(SSL *s, struct tlsext_data *td, 1186tlsext_sessionticket_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
1242 uint16_t msg_type, CBS *cbs, int *alert) 1187 int *alert)
1243{ 1188{
1244 if (s->tls_session_ticket_ext_cb) { 1189 if (s->tls_session_ticket_ext_cb) {
1245 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), 1190 if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs),
@@ -1310,8 +1255,7 @@ tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1310} 1255}
1311 1256
1312static int 1257static int
1313tlsext_srtp_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1258tlsext_srtp_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1314 CBS *cbs, int *alert)
1315{ 1259{
1316 const SRTP_PROTECTION_PROFILE *cprof, *sprof; 1260 const SRTP_PROTECTION_PROFILE *cprof, *sprof;
1317 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; 1261 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
@@ -1416,8 +1360,7 @@ tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1416} 1360}
1417 1361
1418static int 1362static int
1419tlsext_srtp_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1363tlsext_srtp_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1420 CBS *cbs, int *alert)
1421{ 1364{
1422 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1365 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1423 const SRTP_PROTECTION_PROFILE *prof; 1366 const SRTP_PROTECTION_PROFILE *prof;
@@ -1498,8 +1441,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1498} 1441}
1499 1442
1500static int 1443static int
1501tlsext_keyshare_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1444tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1502 CBS *cbs, int *alert)
1503{ 1445{
1504 CBS client_shares, key_exchange; 1446 CBS client_shares, key_exchange;
1505 int decode_error; 1447 int decode_error;
@@ -1586,8 +1528,7 @@ tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1586} 1528}
1587 1529
1588static int 1530static int
1589tlsext_keyshare_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1531tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1590 CBS *cbs, int *alert)
1591{ 1532{
1592 CBS key_exchange; 1533 CBS key_exchange;
1593 int decode_error; 1534 int decode_error;
@@ -1662,8 +1603,7 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1662} 1603}
1663 1604
1664static int 1605static int
1665tlsext_versions_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1606tlsext_versions_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1666 CBS *cbs, int *alert)
1667{ 1607{
1668 CBS versions; 1608 CBS versions;
1669 uint16_t version; 1609 uint16_t version;
@@ -1710,8 +1650,7 @@ tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1710} 1650}
1711 1651
1712static int 1652static int
1713tlsext_versions_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1653tlsext_versions_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1714 CBS *cbs, int *alert)
1715{ 1654{
1716 uint16_t selected_version; 1655 uint16_t selected_version;
1717 1656
@@ -1761,8 +1700,7 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1761} 1700}
1762 1701
1763static int 1702static int
1764tlsext_cookie_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1703tlsext_cookie_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1765 CBS *cbs, int *alert)
1766{ 1704{
1767 CBS cookie; 1705 CBS cookie;
1768 1706
@@ -1819,8 +1757,7 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1819} 1757}
1820 1758
1821static int 1759static int
1822tlsext_cookie_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1760tlsext_cookie_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1823 CBS *cbs, int *alert)
1824{ 1761{
1825 CBS cookie; 1762 CBS cookie;
1826 1763
@@ -1875,8 +1812,8 @@ tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1875} 1812}
1876 1813
1877static int 1814static int
1878tlsext_psk_kex_modes_server_parse(SSL *s, struct tlsext_data *td, 1815tlsext_psk_kex_modes_server_process(SSL *s, uint16_t msg_type, CBS *cbs,
1879 uint16_t msg_type, CBS *cbs, int *alert) 1816 int *alert)
1880{ 1817{
1881 CBS ke_modes; 1818 CBS ke_modes;
1882 uint8_t ke_mode; 1819 uint8_t ke_mode;
@@ -1909,8 +1846,8 @@ tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1909} 1846}
1910 1847
1911static int 1848static int
1912tlsext_psk_kex_modes_client_parse(SSL *s, struct tlsext_data *td, 1849tlsext_psk_kex_modes_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
1913 uint16_t msg_type, CBS *cbs, int *alert) 1850 int *alert)
1914{ 1851{
1915 return 0; 1852 return 0;
1916} 1853}
@@ -1932,8 +1869,7 @@ tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1932} 1869}
1933 1870
1934static int 1871static int
1935tlsext_psk_client_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1872tlsext_psk_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1936 CBS *cbs, int *alert)
1937{ 1873{
1938 return CBS_skip(cbs, CBS_len(cbs)); 1874 return CBS_skip(cbs, CBS_len(cbs));
1939} 1875}
@@ -1951,8 +1887,7 @@ tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1951} 1887}
1952 1888
1953static int 1889static int
1954tlsext_psk_server_parse(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1890tlsext_psk_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1955 CBS *cbs, int *alert)
1956{ 1891{
1957 return CBS_skip(cbs, CBS_len(cbs)); 1892 return CBS_skip(cbs, CBS_len(cbs));
1958} 1893}
@@ -1979,8 +1914,8 @@ tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type,
1979} 1914}
1980 1915
1981static int 1916static int
1982tlsext_quic_transport_parameters_client_parse(SSL *s, struct tlsext_data *td, 1917tlsext_quic_transport_parameters_client_process(SSL *s, uint16_t msg_type,
1983 uint16_t msg_type, CBS *cbs, int *alert) 1918 CBS *cbs, int *alert)
1984{ 1919{
1985 if (!SSL_is_quic(s)) { 1920 if (!SSL_is_quic(s)) {
1986 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1921 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
@@ -2014,8 +1949,8 @@ tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t msg_type,
2014} 1949}
2015 1950
2016static int 1951static int
2017tlsext_quic_transport_parameters_server_parse(SSL *s, struct tlsext_data *td, 1952tlsext_quic_transport_parameters_server_process(SSL *s, uint16_t msg_type,
2018 uint16_t msg_type, CBS *cbs, int *alert) 1953 CBS *cbs, int *alert)
2019{ 1954{
2020 if (!SSL_is_quic(s)) { 1955 if (!SSL_is_quic(s)) {
2021 *alert = SSL_AD_UNSUPPORTED_EXTENSION; 1956 *alert = SSL_AD_UNSUPPORTED_EXTENSION;
@@ -2034,10 +1969,7 @@ tlsext_quic_transport_parameters_server_parse(SSL *s, struct tlsext_data *td,
2034struct tls_extension_funcs { 1969struct tls_extension_funcs {
2035 int (*needs)(SSL *s, uint16_t msg_type); 1970 int (*needs)(SSL *s, uint16_t msg_type);
2036 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); 1971 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
2037 int (*parse)(SSL *s, struct tlsext_data *td, uint16_t msg_type, 1972 int (*process)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
2038 CBS *cbs, int *alert);
2039 int (*process)(SSL *s, struct tlsext_data *td, uint16_t msg_type,
2040 int *alert);
2041}; 1973};
2042 1974
2043struct tls_extension { 1975struct tls_extension {
@@ -2058,12 +1990,12 @@ static const struct tls_extension tls_extensions[] = {
2058 .client = { 1990 .client = {
2059 .needs = tlsext_versions_client_needs, 1991 .needs = tlsext_versions_client_needs,
2060 .build = tlsext_versions_client_build, 1992 .build = tlsext_versions_client_build,
2061 .parse = tlsext_versions_client_parse, 1993 .process = tlsext_versions_client_process,
2062 }, 1994 },
2063 .server = { 1995 .server = {
2064 .needs = tlsext_versions_server_needs, 1996 .needs = tlsext_versions_server_needs,
2065 .build = tlsext_versions_server_build, 1997 .build = tlsext_versions_server_build,
2066 .parse = tlsext_versions_server_parse, 1998 .process = tlsext_versions_server_process,
2067 }, 1999 },
2068 }, 2000 },
2069 { 2001 {
@@ -2073,12 +2005,12 @@ static const struct tls_extension tls_extensions[] = {
2073 .client = { 2005 .client = {
2074 .needs = tlsext_keyshare_client_needs, 2006 .needs = tlsext_keyshare_client_needs,
2075 .build = tlsext_keyshare_client_build, 2007 .build = tlsext_keyshare_client_build,
2076 .parse = tlsext_keyshare_client_parse, 2008 .process = tlsext_keyshare_client_process,
2077 }, 2009 },
2078 .server = { 2010 .server = {
2079 .needs = tlsext_keyshare_server_needs, 2011 .needs = tlsext_keyshare_server_needs,
2080 .build = tlsext_keyshare_server_build, 2012 .build = tlsext_keyshare_server_build,
2081 .parse = tlsext_keyshare_server_parse, 2013 .process = tlsext_keyshare_server_process,
2082 }, 2014 },
2083 }, 2015 },
2084 { 2016 {
@@ -2087,12 +2019,12 @@ static const struct tls_extension tls_extensions[] = {
2087 .client = { 2019 .client = {
2088 .needs = tlsext_sni_client_needs, 2020 .needs = tlsext_sni_client_needs,
2089 .build = tlsext_sni_client_build, 2021 .build = tlsext_sni_client_build,
2090 .parse = tlsext_sni_client_parse, 2022 .process = tlsext_sni_client_process,
2091 }, 2023 },
2092 .server = { 2024 .server = {
2093 .needs = tlsext_sni_server_needs, 2025 .needs = tlsext_sni_server_needs,
2094 .build = tlsext_sni_server_build, 2026 .build = tlsext_sni_server_build,
2095 .parse = tlsext_sni_server_parse, 2027 .process = tlsext_sni_server_process,
2096 }, 2028 },
2097 }, 2029 },
2098 { 2030 {
@@ -2101,12 +2033,12 @@ static const struct tls_extension tls_extensions[] = {
2101 .client = { 2033 .client = {
2102 .needs = tlsext_ri_client_needs, 2034 .needs = tlsext_ri_client_needs,
2103 .build = tlsext_ri_client_build, 2035 .build = tlsext_ri_client_build,
2104 .parse = tlsext_ri_client_parse, 2036 .process = tlsext_ri_client_process,
2105 }, 2037 },
2106 .server = { 2038 .server = {
2107 .needs = tlsext_ri_server_needs, 2039 .needs = tlsext_ri_server_needs,
2108 .build = tlsext_ri_server_build, 2040 .build = tlsext_ri_server_build,
2109 .parse = tlsext_ri_server_parse, 2041 .process = tlsext_ri_server_process,
2110 }, 2042 },
2111 }, 2043 },
2112 { 2044 {
@@ -2116,12 +2048,12 @@ static const struct tls_extension tls_extensions[] = {
2116 .client = { 2048 .client = {
2117 .needs = tlsext_ocsp_client_needs, 2049 .needs = tlsext_ocsp_client_needs,
2118 .build = tlsext_ocsp_client_build, 2050 .build = tlsext_ocsp_client_build,
2119 .parse = tlsext_ocsp_client_parse, 2051 .process = tlsext_ocsp_client_process,
2120 }, 2052 },
2121 .server = { 2053 .server = {
2122 .needs = tlsext_ocsp_server_needs, 2054 .needs = tlsext_ocsp_server_needs,
2123 .build = tlsext_ocsp_server_build, 2055 .build = tlsext_ocsp_server_build,
2124 .parse = tlsext_ocsp_server_parse, 2056 .process = tlsext_ocsp_server_process,
2125 }, 2057 },
2126 }, 2058 },
2127 { 2059 {
@@ -2130,12 +2062,12 @@ static const struct tls_extension tls_extensions[] = {
2130 .client = { 2062 .client = {
2131 .needs = tlsext_ecpf_client_needs, 2063 .needs = tlsext_ecpf_client_needs,
2132 .build = tlsext_ecpf_client_build, 2064 .build = tlsext_ecpf_client_build,
2133 .parse = tlsext_ecpf_client_parse, 2065 .process = tlsext_ecpf_client_process,
2134 }, 2066 },
2135 .server = { 2067 .server = {
2136 .needs = tlsext_ecpf_server_needs, 2068 .needs = tlsext_ecpf_server_needs,
2137 .build = tlsext_ecpf_server_build, 2069 .build = tlsext_ecpf_server_build,
2138 .parse = tlsext_ecpf_server_parse, 2070 .process = tlsext_ecpf_server_process,
2139 }, 2071 },
2140 }, 2072 },
2141 { 2073 {
@@ -2144,12 +2076,12 @@ static const struct tls_extension tls_extensions[] = {
2144 .client = { 2076 .client = {
2145 .needs = tlsext_supportedgroups_client_needs, 2077 .needs = tlsext_supportedgroups_client_needs,
2146 .build = tlsext_supportedgroups_client_build, 2078 .build = tlsext_supportedgroups_client_build,
2147 .parse = tlsext_supportedgroups_client_parse, 2079 .process = tlsext_supportedgroups_client_process,
2148 }, 2080 },
2149 .server = { 2081 .server = {
2150 .needs = tlsext_supportedgroups_server_needs, 2082 .needs = tlsext_supportedgroups_server_needs,
2151 .build = tlsext_supportedgroups_server_build, 2083 .build = tlsext_supportedgroups_server_build,
2152 .parse = tlsext_supportedgroups_server_parse, 2084 .process = tlsext_supportedgroups_server_process,
2153 }, 2085 },
2154 }, 2086 },
2155 { 2087 {
@@ -2158,12 +2090,12 @@ static const struct tls_extension tls_extensions[] = {
2158 .client = { 2090 .client = {
2159 .needs = tlsext_sessionticket_client_needs, 2091 .needs = tlsext_sessionticket_client_needs,
2160 .build = tlsext_sessionticket_client_build, 2092 .build = tlsext_sessionticket_client_build,
2161 .parse = tlsext_sessionticket_client_parse, 2093 .process = tlsext_sessionticket_client_process,
2162 }, 2094 },
2163 .server = { 2095 .server = {
2164 .needs = tlsext_sessionticket_server_needs, 2096 .needs = tlsext_sessionticket_server_needs,
2165 .build = tlsext_sessionticket_server_build, 2097 .build = tlsext_sessionticket_server_build,
2166 .parse = tlsext_sessionticket_server_parse, 2098 .process = tlsext_sessionticket_server_process,
2167 }, 2099 },
2168 }, 2100 },
2169 { 2101 {
@@ -2172,12 +2104,12 @@ static const struct tls_extension tls_extensions[] = {
2172 .client = { 2104 .client = {
2173 .needs = tlsext_sigalgs_client_needs, 2105 .needs = tlsext_sigalgs_client_needs,
2174 .build = tlsext_sigalgs_client_build, 2106 .build = tlsext_sigalgs_client_build,
2175 .parse = tlsext_sigalgs_client_parse, 2107 .process = tlsext_sigalgs_client_process,
2176 }, 2108 },
2177 .server = { 2109 .server = {
2178 .needs = tlsext_sigalgs_server_needs, 2110 .needs = tlsext_sigalgs_server_needs,
2179 .build = tlsext_sigalgs_server_build, 2111 .build = tlsext_sigalgs_server_build,
2180 .parse = tlsext_sigalgs_server_parse, 2112 .process = tlsext_sigalgs_server_process,
2181 }, 2113 },
2182 }, 2114 },
2183 { 2115 {
@@ -2186,13 +2118,11 @@ static const struct tls_extension tls_extensions[] = {
2186 .client = { 2118 .client = {
2187 .needs = tlsext_alpn_client_needs, 2119 .needs = tlsext_alpn_client_needs,
2188 .build = tlsext_alpn_client_build, 2120 .build = tlsext_alpn_client_build,
2189 .parse = tlsext_alpn_client_parse,
2190 .process = tlsext_alpn_client_process, 2121 .process = tlsext_alpn_client_process,
2191 }, 2122 },
2192 .server = { 2123 .server = {
2193 .needs = tlsext_alpn_server_needs, 2124 .needs = tlsext_alpn_server_needs,
2194 .build = tlsext_alpn_server_build, 2125 .build = tlsext_alpn_server_build,
2195 .parse = tlsext_alpn_server_parse,
2196 .process = tlsext_alpn_server_process, 2126 .process = tlsext_alpn_server_process,
2197 }, 2127 },
2198 }, 2128 },
@@ -2202,12 +2132,12 @@ static const struct tls_extension tls_extensions[] = {
2202 .client = { 2132 .client = {
2203 .needs = tlsext_cookie_client_needs, 2133 .needs = tlsext_cookie_client_needs,
2204 .build = tlsext_cookie_client_build, 2134 .build = tlsext_cookie_client_build,
2205 .parse = tlsext_cookie_client_parse, 2135 .process = tlsext_cookie_client_process,
2206 }, 2136 },
2207 .server = { 2137 .server = {
2208 .needs = tlsext_cookie_server_needs, 2138 .needs = tlsext_cookie_server_needs,
2209 .build = tlsext_cookie_server_build, 2139 .build = tlsext_cookie_server_build,
2210 .parse = tlsext_cookie_server_parse, 2140 .process = tlsext_cookie_server_process,
2211 }, 2141 },
2212 }, 2142 },
2213#ifndef OPENSSL_NO_SRTP 2143#ifndef OPENSSL_NO_SRTP
@@ -2218,12 +2148,12 @@ static const struct tls_extension tls_extensions[] = {
2218 .client = { 2148 .client = {
2219 .needs = tlsext_srtp_client_needs, 2149 .needs = tlsext_srtp_client_needs,
2220 .build = tlsext_srtp_client_build, 2150 .build = tlsext_srtp_client_build,
2221 .parse = tlsext_srtp_client_parse, 2151 .process = tlsext_srtp_client_process,
2222 }, 2152 },
2223 .server = { 2153 .server = {
2224 .needs = tlsext_srtp_server_needs, 2154 .needs = tlsext_srtp_server_needs,
2225 .build = tlsext_srtp_server_build, 2155 .build = tlsext_srtp_server_build,
2226 .parse = tlsext_srtp_server_parse, 2156 .process = tlsext_srtp_server_process,
2227 }, 2157 },
2228 }, 2158 },
2229#endif /* OPENSSL_NO_SRTP */ 2159#endif /* OPENSSL_NO_SRTP */
@@ -2233,12 +2163,12 @@ static const struct tls_extension tls_extensions[] = {
2233 .client = { 2163 .client = {
2234 .needs = tlsext_quic_transport_parameters_client_needs, 2164 .needs = tlsext_quic_transport_parameters_client_needs,
2235 .build = tlsext_quic_transport_parameters_client_build, 2165 .build = tlsext_quic_transport_parameters_client_build,
2236 .parse = tlsext_quic_transport_parameters_client_parse, 2166 .process = tlsext_quic_transport_parameters_client_process,
2237 }, 2167 },
2238 .server = { 2168 .server = {
2239 .needs = tlsext_quic_transport_parameters_server_needs, 2169 .needs = tlsext_quic_transport_parameters_server_needs,
2240 .build = tlsext_quic_transport_parameters_server_build, 2170 .build = tlsext_quic_transport_parameters_server_build,
2241 .parse = tlsext_quic_transport_parameters_server_parse, 2171 .process = tlsext_quic_transport_parameters_server_process,
2242 }, 2172 },
2243 }, 2173 },
2244 { 2174 {
@@ -2247,12 +2177,12 @@ static const struct tls_extension tls_extensions[] = {
2247 .client = { 2177 .client = {
2248 .needs = tlsext_psk_kex_modes_client_needs, 2178 .needs = tlsext_psk_kex_modes_client_needs,
2249 .build = tlsext_psk_kex_modes_client_build, 2179 .build = tlsext_psk_kex_modes_client_build,
2250 .parse = tlsext_psk_kex_modes_client_parse, 2180 .process = tlsext_psk_kex_modes_client_process,
2251 }, 2181 },
2252 .server = { 2182 .server = {
2253 .needs = tlsext_psk_kex_modes_server_needs, 2183 .needs = tlsext_psk_kex_modes_server_needs,
2254 .build = tlsext_psk_kex_modes_server_build, 2184 .build = tlsext_psk_kex_modes_server_build,
2255 .parse = tlsext_psk_kex_modes_server_parse, 2185 .process = tlsext_psk_kex_modes_server_process,
2256 }, 2186 },
2257 }, 2187 },
2258 { 2188 {
@@ -2261,12 +2191,12 @@ static const struct tls_extension tls_extensions[] = {
2261 .client = { 2191 .client = {
2262 .needs = tlsext_psk_client_needs, 2192 .needs = tlsext_psk_client_needs,
2263 .build = tlsext_psk_client_build, 2193 .build = tlsext_psk_client_build,
2264 .parse = tlsext_psk_client_parse, 2194 .process = tlsext_psk_client_process,
2265 }, 2195 },
2266 .server = { 2196 .server = {
2267 .needs = tlsext_psk_server_needs, 2197 .needs = tlsext_psk_server_needs,
2268 .build = tlsext_psk_server_build, 2198 .build = tlsext_psk_server_build,
2269 .parse = tlsext_psk_server_parse, 2199 .process = tlsext_psk_server_process,
2270 }, 2200 },
2271 }, 2201 },
2272}; 2202};
@@ -2276,6 +2206,22 @@ static const struct tls_extension tls_extensions[] = {
2276/* Ensure that extensions fit in a uint32_t bitmask. */ 2206/* Ensure that extensions fit in a uint32_t bitmask. */
2277CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 2207CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
2278 2208
2209struct tlsext_data {
2210 CBS extensions[N_TLS_EXTENSIONS];
2211};
2212
2213static struct tlsext_data *
2214tlsext_data_new(void)
2215{
2216 return calloc(1, sizeof(struct tlsext_data));
2217}
2218
2219static void
2220tlsext_data_free(struct tlsext_data *td)
2221{
2222 freezero(td, sizeof(*td));
2223}
2224
2279uint16_t 2225uint16_t
2280tls_extension_type(const struct tls_extension *extension) 2226tls_extension_type(const struct tls_extension *extension)
2281{ 2227{
@@ -2467,7 +2413,6 @@ static int
2467tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type, 2413tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
2468 CBS *cbs, int *alert) 2414 CBS *cbs, int *alert)
2469{ 2415{
2470 const struct tls_extension_funcs *ext;
2471 const struct tls_extension *tlsext; 2416 const struct tls_extension *tlsext;
2472 CBS extensions, extension_data; 2417 CBS extensions, extension_data;
2473 uint16_t type; 2418 uint16_t type;
@@ -2523,12 +2468,7 @@ tlsext_parse(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
2523 goto err; 2468 goto err;
2524 s->s3->hs.extensions_seen |= (1 << idx); 2469 s->s3->hs.extensions_seen |= (1 << idx);
2525 2470
2526 ext = tlsext_funcs(tlsext, is_server); 2471 CBS_dup(&extension_data, &td->extensions[idx]);
2527 if (!ext->parse(s, td, msg_type, &extension_data, &alert_desc))
2528 goto err;
2529
2530 if (CBS_len(&extension_data) != 0)
2531 goto err;
2532 } 2472 }
2533 2473
2534 return 1; 2474 return 1;
@@ -2558,7 +2498,10 @@ tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
2558 ext = tlsext_funcs(tlsext, is_server); 2498 ext = tlsext_funcs(tlsext, is_server);
2559 if (ext->process == NULL) 2499 if (ext->process == NULL)
2560 continue; 2500 continue;
2561 if (!ext->process(s, td, msg_type, &alert_desc)) 2501 if (!ext->process(s, msg_type, &td->extensions[idx], &alert_desc))
2502 goto err;
2503
2504 if (CBS_len(&td->extensions[idx]) != 0)
2562 goto err; 2505 goto err;
2563 } 2506 }
2564 2507
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-28 18:24:40 +0000