Google Git
Sign in
boringssl / boringssl.git / 9bb15f58f75e0c831b207d446bc81547bf6576ef / . / ssl / custom_extensions.cc
blob: 85b8a33d7844d771c274801fd344221df8928843 [file] [log] [blame]
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]15#include <openssl/ssl.h>
16
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]17#include <assert.h>
18#include <string.h>
19
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]20#include <openssl/bytestring.h>
21#include <openssl/err.h>
22#include <openssl/mem.h>
23#include <openssl/stack.h>
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]24
25#include "internal.h"
26
27
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]28namespace bssl {
29
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]30void SSL_CUSTOM_EXTENSION_free(SSL_CUSTOM_EXTENSION *custom_extension) {
31 OPENSSL_free(custom_extension);
32}
33
34static const SSL_CUSTOM_EXTENSION *custom_ext_find(
35 STACK_OF(SSL_CUSTOM_EXTENSION) *stack,
36 unsigned *out_index, uint16_t value) {
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]37 for (size_t i = 0; i < sk_SSL_CUSTOM_EXTENSION_num(stack); i++) {
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]38 const SSL_CUSTOM_EXTENSION *ext = sk_SSL_CUSTOM_EXTENSION_value(stack, i);
39 if (ext->value == value) {
40 if (out_index != NULL) {
41 *out_index = i;
42 }
43 return ext;
44 }
45 }
46
47 return NULL;
48}
49
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]50// default_add_callback is used as the |add_callback| when the user doesn't
51// provide one. For servers, it does nothing while, for clients, it causes an
52// empty extension to be included.
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]53static int default_add_callback(SSL *ssl, unsigned extension_value,
54 const uint8_t **out, size_t *out_len,
55 int *out_alert_value, void *add_arg) {
56 if (ssl->server) {
57 return 0;
58 }
59 *out_len = 0;
60 return 1;
61}
62
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]63static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) {
64 SSL *const ssl = hs->ssl;
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]65 STACK_OF(SSL_CUSTOM_EXTENSION) *stack = ssl->ctx->client_custom_extensions;
66 if (ssl->server) {
67 stack = ssl->ctx->server_custom_extensions;
68 }
69
70 if (stack == NULL) {
71 return 1;
72 }
73
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]74 for (size_t i = 0; i < sk_SSL_CUSTOM_EXTENSION_num(stack); i++) {
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]75 const SSL_CUSTOM_EXTENSION *ext = sk_SSL_CUSTOM_EXTENSION_value(stack, i);
76
77 if (ssl->server &&
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]78 !(hs->custom_extensions.received & (1u << i))) {
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]79 // Servers cannot echo extensions that the client didn't send.
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]80 continue;
81 }
82
83 const uint8_t *contents;
84 size_t contents_len;
85 int alert = SSL_AD_DECODE_ERROR;
86 CBB contents_cbb;
87
88 switch (ext->add_callback(ssl, ext->value, &contents, &contents_len, &alert,
89 ext->add_arg)) {
90 case 1:
91 if (!CBB_add_u16(extensions, ext->value) ||
92 !CBB_add_u16_length_prefixed(extensions, &contents_cbb) ||
93 !CBB_add_bytes(&contents_cbb, contents, contents_len) ||
94 !CBB_flush(extensions)) {
95 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
Adam Langleyfbbef122016-11-17 12:55:14 -0800[diff] [blame]96 ERR_add_error_dataf("extension %u", (unsigned) ext->value);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]97 if (ext->free_callback && 0 < contents_len) {
98 ext->free_callback(ssl, ext->value, contents, ext->add_arg);
99 }
100 return 0;
101 }
102
103 if (ext->free_callback && 0 < contents_len) {
104 ext->free_callback(ssl, ext->value, contents, ext->add_arg);
105 }
106
107 if (!ssl->server) {
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]108 assert((hs->custom_extensions.sent & (1u << i)) == 0);
109 hs->custom_extensions.sent |= (1u << i);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]110 }
111 break;
112
113 case 0:
114 break;
115
116 default:
David Benjamind1e3ce12017-10-06 18:31:15 -0400[diff] [blame]117 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]118 OPENSSL_PUT_ERROR(SSL, SSL_R_CUSTOM_EXTENSION_ERROR);
Adam Langleyfbbef122016-11-17 12:55:14 -0800[diff] [blame]119 ERR_add_error_dataf("extension %u", (unsigned) ext->value);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]120 return 0;
121 }
122 }
123
124 return 1;
125}
126
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]127int custom_ext_add_clienthello(SSL_HANDSHAKE *hs, CBB *extensions) {
128 return custom_ext_add_hello(hs, extensions);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]129}
130
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]131int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert,
132 uint16_t value, const CBS *extension) {
133 SSL *const ssl = hs->ssl;
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]134 unsigned index;
135 const SSL_CUSTOM_EXTENSION *ext =
136 custom_ext_find(ssl->ctx->client_custom_extensions, &index, value);
137
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]138 if (// Unknown extensions are not allowed in a ServerHello.
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]139 ext == NULL ||
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]140 // Also, if we didn't send the extension, that's also unacceptable.
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]141 !(hs->custom_extensions.sent & (1u << index))) {
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]142 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
Adam Langleyfbbef122016-11-17 12:55:14 -0800[diff] [blame]143 ERR_add_error_dataf("extension %u", (unsigned)value);
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]144 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]145 return 0;
146 }
147
148 if (ext->parse_callback != NULL &&
149 !ext->parse_callback(ssl, value, CBS_data(extension), CBS_len(extension),
150 out_alert, ext->parse_arg)) {
151 OPENSSL_PUT_ERROR(SSL, SSL_R_CUSTOM_EXTENSION_ERROR);
Adam Langleyfbbef122016-11-17 12:55:14 -0800[diff] [blame]152 ERR_add_error_dataf("extension %u", (unsigned)ext->value);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]153 return 0;
154 }
155
156 return 1;
157}
158
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]159int custom_ext_parse_clienthello(SSL_HANDSHAKE *hs, int *out_alert,
160 uint16_t value, const CBS *extension) {
161 SSL *const ssl = hs->ssl;
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]162 unsigned index;
163 const SSL_CUSTOM_EXTENSION *ext =
164 custom_ext_find(ssl->ctx->server_custom_extensions, &index, value);
165
166 if (ext == NULL) {
167 return 1;
168 }
169
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]170 assert((hs->custom_extensions.received & (1u << index)) == 0);
171 hs->custom_extensions.received |= (1u << index);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]172
173 if (ext->parse_callback &&
174 !ext->parse_callback(ssl, value, CBS_data(extension), CBS_len(extension),
175 out_alert, ext->parse_arg)) {
176 OPENSSL_PUT_ERROR(SSL, SSL_R_CUSTOM_EXTENSION_ERROR);
Adam Langleyfbbef122016-11-17 12:55:14 -0800[diff] [blame]177 ERR_add_error_dataf("extension %u", (unsigned)ext->value);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]178 return 0;
179 }
180
181 return 1;
182}
183
David Benjamin2bd19172016-11-17 16:47:15 +0900[diff] [blame]184int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions) {
185 return custom_ext_add_hello(hs, extensions);
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]186}
187
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]188// MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
189// can be set on an |SSL_CTX|. It's determined by the size of the bitset used
190// to track when an extension has been sent.
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]191#define MAX_NUM_CUSTOM_EXTENSIONS \
David Benjaminf5d2cd02016-10-06 19:39:20 -0400[diff] [blame]192 (sizeof(((SSL_HANDSHAKE *)NULL)->custom_extensions.sent) * 8)
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]193
194static int custom_ext_append(STACK_OF(SSL_CUSTOM_EXTENSION) **stack,
195 unsigned extension_value,
196 SSL_custom_ext_add_cb add_cb,
197 SSL_custom_ext_free_cb free_cb, void *add_arg,
198 SSL_custom_ext_parse_cb parse_cb,
199 void *parse_arg) {
200 if (add_cb == NULL ||
201 0xffff < extension_value ||
202 SSL_extension_supported(extension_value) ||
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]203 // Specifying a free callback without an add callback is nonsensical
204 // and an error.
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]205 (*stack != NULL &&
206 (MAX_NUM_CUSTOM_EXTENSIONS <= sk_SSL_CUSTOM_EXTENSION_num(*stack) ||
207 custom_ext_find(*stack, NULL, extension_value) != NULL))) {
208 return 0;
209 }
210
David Benjamine8703a32017-07-09 16:17:55 -0400[diff] [blame]211 SSL_CUSTOM_EXTENSION *ext =
212 (SSL_CUSTOM_EXTENSION *)OPENSSL_malloc(sizeof(SSL_CUSTOM_EXTENSION));
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]213 if (ext == NULL) {
214 return 0;
215 }
216 ext->add_callback = add_cb;
217 ext->add_arg = add_arg;
218 ext->free_callback = free_cb;
219 ext->parse_callback = parse_cb;
220 ext->parse_arg = parse_arg;
221 ext->value = extension_value;
222
223 if (*stack == NULL) {
224 *stack = sk_SSL_CUSTOM_EXTENSION_new_null();
225 if (*stack == NULL) {
226 SSL_CUSTOM_EXTENSION_free(ext);
227 return 0;
228 }
229 }
230
231 if (!sk_SSL_CUSTOM_EXTENSION_push(*stack, ext)) {
232 SSL_CUSTOM_EXTENSION_free(ext);
233 if (sk_SSL_CUSTOM_EXTENSION_num(*stack) == 0) {
234 sk_SSL_CUSTOM_EXTENSION_free(*stack);
235 *stack = NULL;
236 }
237 return 0;
238 }
239
240 return 1;
241}
242
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]243} // namespace bssl
244
245using namespace bssl;
246
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]247int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned extension_value,
248 SSL_custom_ext_add_cb add_cb,
249 SSL_custom_ext_free_cb free_cb, void *add_arg,
250 SSL_custom_ext_parse_cb parse_cb,
251 void *parse_arg) {
252 return custom_ext_append(&ctx->client_custom_extensions, extension_value,
253 add_cb ? add_cb : default_add_callback, free_cb,
254 add_arg, parse_cb, parse_arg);
255}
256
257int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned extension_value,
258 SSL_custom_ext_add_cb add_cb,
259 SSL_custom_ext_free_cb free_cb, void *add_arg,
260 SSL_custom_ext_parse_cb parse_cb,
261 void *parse_arg) {
262 return custom_ext_append(&ctx->server_custom_extensions, extension_value,
263 add_cb ? add_cb : default_add_callback, free_cb,
264 add_arg, parse_cb, parse_arg);
265}