GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libssl/ssl_tlsext.c Lines: 411 601 68.4 %
Date: 2017-11-13 Branches: 257 447 57.5 %

Line Branch Exec Source
1
/* $OpenBSD: ssl_tlsext.c,v 1.17 2017/09/25 18:02:27 jsing Exp $ */
2
/*
3
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
5
 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
6
 *
7
 * Permission to use, copy, modify, and distribute this software for any
8
 * purpose with or without fee is hereby granted, provided that the above
9
 * copyright notice and this permission notice appear in all copies.
10
 *
11
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
 */
19
#include <openssl/ocsp.h>
20
21
#include "ssl_locl.h"
22
23
#include "bytestring.h"
24
#include "ssl_tlsext.h"
25
26
/*
27
 * Supported Application-Layer Protocol Negotiation - RFC 7301
28
 */
29
30
int
31
tlsext_alpn_clienthello_needs(SSL *s)
32
{
33
	/* ALPN protos have been specified and this is the initial handshake */
34
47748
	return s->internal->alpn_client_proto_list != NULL &&
35
32
	    S3I(s)->tmp.finish_md_len == 0;
36
}
37
38
int
39
tlsext_alpn_clienthello_build(SSL *s, CBB *cbb)
40
{
41
64
	CBB protolist;
42
43
32
	if (!CBB_add_u16_length_prefixed(cbb, &protolist))
44
		return 0;
45
46
64
	if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list,
47
32
	    s->internal->alpn_client_proto_list_len))
48
		return 0;
49
50
32
	if (!CBB_flush(cbb))
51
		return 0;
52
53
32
	return 1;
54
32
}
55
56
int
57
tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
58
{
59
126
	CBS proto_name_list, alpn;
60
63
	const unsigned char *selected;
61
63
	unsigned char selected_len;
62
	int r;
63
64
63
	if (!CBS_get_u16_length_prefixed(cbs, &alpn))
65
		goto err;
66
54
	if (CBS_len(&alpn) < 2)
67
		goto err;
68
51
	if (CBS_len(cbs) != 0)
69
		goto err;
70
71
48
	CBS_dup(&alpn, &proto_name_list);
72
258
	while (CBS_len(&proto_name_list) > 0) {
73
87
		CBS proto_name;
74
75
87
		if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
76
6
			goto err;
77
81
		if (CBS_len(&proto_name) == 0)
78
			goto err;
79
246
	}
80
81
42
	if (s->ctx->internal->alpn_select_cb == NULL)
82
6
		return 1;
83
84
36
	r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len,
85
36
	    CBS_data(&alpn), CBS_len(&alpn),
86
36
	    s->ctx->internal->alpn_select_cb_arg);
87
36
	if (r == SSL_TLSEXT_ERR_OK) {
88
30
		free(S3I(s)->alpn_selected);
89
30
		if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
90
			*alert = SSL_AD_INTERNAL_ERROR;
91
			return 0;
92
		}
93
30
		memcpy(S3I(s)->alpn_selected, selected, selected_len);
94
30
		S3I(s)->alpn_selected_len = selected_len;
95
30
	}
96
97
36
	return 1;
98
99
 err:
100
21
	*alert = SSL_AD_DECODE_ERROR;
101
21
	return 0;
102
63
}
103
104
int
105
tlsext_alpn_serverhello_needs(SSL *s)
106
{
107
414
	return S3I(s)->alpn_selected != NULL;
108
}
109
110
int
111
tlsext_alpn_serverhello_build(SSL *s, CBB *cbb)
112
{
113
42
	CBB list, selected;
114
115
21
	if (!CBB_add_u16_length_prefixed(cbb, &list))
116
		return 0;
117
118
21
	if (!CBB_add_u8_length_prefixed(&list, &selected))
119
		return 0;
120
121
42
	if (!CBB_add_bytes(&selected, S3I(s)->alpn_selected,
122
21
	    S3I(s)->alpn_selected_len))
123
		return 0;
124
125
21
	if (!CBB_flush(cbb))
126
		return 0;
127
128
21
	return 1;
129
21
}
130
131
int
132
tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert)
133
{
134
118
	CBS list, proto;
135
136
59
	if (s->internal->alpn_client_proto_list == NULL) {
137
3
		*alert = TLS1_AD_UNSUPPORTED_EXTENSION;
138
3
		return 0;
139
	}
140
141
56
	if (!CBS_get_u16_length_prefixed(cbs, &list))
142
		goto err;
143
47
	if (CBS_len(cbs) != 0)
144
		goto err;
145
146
44
	if (!CBS_get_u8_length_prefixed(&list, &proto))
147
		goto err;
148
149
41
	if (CBS_len(&list) != 0)
150
		goto err;
151
29
	if (CBS_len(&proto) == 0)
152
		goto err;
153
154
52
	if (!CBS_stow(&proto, &(S3I(s)->alpn_selected),
155
26
	    &(S3I(s)->alpn_selected_len)))
156
		goto err;
157
158
26
	return 1;
159
160
 err:
161
30
	*alert = TLS1_AD_DECODE_ERROR;
162
30
	return 0;
163
59
}
164
165
/*
166
 * Supported Elliptic Curves - RFC 4492 section 5.1.1
167
 */
168
int
169
tlsext_ec_clienthello_needs(SSL *s)
170
{
171
31838
	return ssl_has_ecc_ciphers(s);
172
}
173
174
int
175
tlsext_ec_clienthello_build(SSL *s, CBB *cbb)
176
{
177
31598
	CBB curvelist;
178
15799
	size_t curves_len;
179
	int i;
180
15799
	const uint16_t *curves;
181
182
15799
	tls1_get_curvelist(s, 0, &curves, &curves_len);
183
184
15799
	if (curves_len == 0) {
185
		SSLerror(s, ERR_R_INTERNAL_ERROR);
186
		return 0;
187
	}
188
189
15799
	if (!CBB_add_u16_length_prefixed(cbb, &curvelist))
190
		return 0;
191
192
126386
	for (i = 0; i < curves_len; i++) {
193
47394
		if (!CBB_add_u16(&curvelist, curves[i]))
194
			return 0;
195
	}
196
197
15799
	if (!CBB_flush(cbb))
198
		return 0;
199
200
15799
	return 1;
201
15799
}
202
203
int
204
tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert)
205
{
206
180
	CBS curvelist;
207
	size_t curves_len;
208
209
90
	if (!CBS_get_u16_length_prefixed(cbs, &curvelist))
210
		goto err;
211
90
	if (CBS_len(cbs) != 0)
212
		goto err;
213
214
90
	curves_len = CBS_len(&curvelist);
215

180
	if (curves_len == 0 || curves_len % 2 != 0)
216
		goto err;
217
90
	curves_len /= 2;
218
219
90
	if (!s->internal->hit) {
220
		int i;
221
		uint16_t *curves;
222
223
90
		if (SSI(s)->tlsext_supportedgroups != NULL)
224
			goto err;
225
226
180
		if ((curves = reallocarray(NULL, curves_len,
227
90
		    sizeof(uint16_t))) == NULL) {
228
			*alert = TLS1_AD_INTERNAL_ERROR;
229
			return 0;
230
		}
231
232
702
		for (i = 0; i < curves_len; i++) {
233
261
			if (!CBS_get_u16(&curvelist, &curves[i])) {
234
				free(curves);
235
				goto err;
236
			}
237
		}
238
239
90
		if (CBS_len(&curvelist) != 0) {
240
			free(curves);
241
			goto err;
242
		}
243
244
90
		SSI(s)->tlsext_supportedgroups = curves;
245
90
		SSI(s)->tlsext_supportedgroups_length = curves_len;
246
90
	}
247
248
90
	return 1;
249
250
 err:
251
	*alert = TLS1_AD_DECODE_ERROR;
252
	return 0;
253
90
}
254
255
/* This extension is never used by the server. */
256
int
257
tlsext_ec_serverhello_needs(SSL *s)
258
{
259
408
	return 0;
260
}
261
262
int
263
tlsext_ec_serverhello_build(SSL *s, CBB *cbb)
264
{
265
	return 0;
266
}
267
268
int
269
tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert)
270
{
271
	/*
272
	 * Servers should not send this extension per the RFC.
273
	 *
274
	 * However, F5 sends it by mistake (case ID 492780) so we need to skip
275
	 * over it.  This bug is from at least 2014 but as of 2017, there
276
	 * are still large sites with this bug in production.
277
	 *
278
	 * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server
279
	 */
280
	if (!CBS_skip(cbs, CBS_len(cbs))) {
281
		*alert = TLS1_AD_INTERNAL_ERROR;
282
		return 0;
283
	}
284
285
	return 1;
286
}
287
288
/*
289
 * Supported Point Formats Extension - RFC 4492 section 5.1.2
290
 */
291
static int
292
tlsext_ecpf_build(SSL *s, CBB *cbb)
293
{
294
31778
	CBB ecpf;
295
15889
	size_t formats_len;
296
15889
	const uint8_t *formats;
297
298
15889
	tls1_get_formatlist(s, 0, &formats, &formats_len);
299
300
15889
	if (formats_len == 0) {
301
		SSLerror(s, ERR_R_INTERNAL_ERROR);
302
		return 0;
303
	}
304
305
15889
	if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
306
		return 0;
307
15889
	if (!CBB_add_bytes(&ecpf, formats, formats_len))
308
		return 0;
309
15889
	if (!CBB_flush(cbb))
310
		return 0;
311
312
15889
	return 1;
313
15889
}
314
315
static int
316
tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert)
317
{
318
2576
	CBS ecpf;
319
320
1288
	if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
321
		goto err;
322
1288
	if (CBS_len(&ecpf) == 0)
323
		goto err;
324
1288
	if (CBS_len(cbs) != 0)
325
		goto err;
326
327
	/* Must contain uncompressed (0) */
328
1288
	if (!CBS_contains_zero_byte(&ecpf)) {
329
3
		SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
330
3
		goto err;
331
	}
332
333
1285
	if (!s->internal->hit) {
334
2570
		if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
335
1285
		    &(SSI(s)->tlsext_ecpointformatlist_length)))
336
			goto err;
337
	}
338
339
1285
	return 1;
340
341
 err:
342
3
	*alert = TLS1_AD_INTERNAL_ERROR;
343
3
	return 0;
344
1288
}
345
346
int
347
tlsext_ecpf_clienthello_needs(SSL *s)
348
{
349
31832
	return ssl_has_ecc_ciphers(s);
350
}
351
352
int
353
tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb)
354
{
355
31598
	return tlsext_ecpf_build(s, cbb);
356
}
357
358
int
359
tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert)
360
{
361
180
	return tlsext_ecpf_parse(s, cbs, alert);
362
}
363
364
int
365
tlsext_ecpf_serverhello_needs(SSL *s)
366
{
367
408
	if (s->version == DTLS1_VERSION)
368
36
		return 0;
369
370
168
	return ssl_using_ecc_cipher(s);
371
204
}
372
373
int
374
tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb)
375
{
376
180
	return tlsext_ecpf_build(s, cbb);
377
}
378
379
int
380
tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert)
381
{
382
2396
	return tlsext_ecpf_parse(s, cbs, alert);
383
}
384
385
/*
386
 * Renegotiation Indication - RFC 5746.
387
 */
388
int
389
tlsext_ri_clienthello_needs(SSL *s)
390
{
391
31820
	return (s->internal->renegotiate);
392
}
393
394
int
395
tlsext_ri_clienthello_build(SSL *s, CBB *cbb)
396
{
397
6
	CBB reneg;
398
399
3
	if (!CBB_add_u8_length_prefixed(cbb, &reneg))
400
		return 0;
401
6
	if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
402
3
	    S3I(s)->previous_client_finished_len))
403
		return 0;
404
3
	if (!CBB_flush(cbb))
405
		return 0;
406
407
3
	return 1;
408
3
}
409
410
int
411
tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert)
412
{
413
12
	CBS reneg;
414
415
6
	if (!CBS_get_u8_length_prefixed(cbs, &reneg))
416
		goto err;
417
6
	if (CBS_len(cbs) != 0)
418
		goto err;
419
420
12
	if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
421
6
	    S3I(s)->previous_client_finished_len)) {
422
3
		SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
423
3
		*alert = SSL_AD_HANDSHAKE_FAILURE;
424
3
		return 0;
425
	}
426
427
3
	S3I(s)->renegotiate_seen = 1;
428
3
	S3I(s)->send_connection_binding = 1;
429
430
3
	return 1;
431
432
 err:
433
	SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
434
	*alert = SSL_AD_DECODE_ERROR;
435
	return 0;
436
6
}
437
438
int
439
tlsext_ri_serverhello_needs(SSL *s)
440
{
441
408
	return (S3I(s)->send_connection_binding);
442
}
443
444
int
445
tlsext_ri_serverhello_build(SSL *s, CBB *cbb)
446
{
447
396
	CBB reneg;
448
449
198
	if (!CBB_add_u8_length_prefixed(cbb, &reneg))
450
		return 0;
451
396
	if (!CBB_add_bytes(&reneg, S3I(s)->previous_client_finished,
452
198
	    S3I(s)->previous_client_finished_len))
453
		return 0;
454
396
	if (!CBB_add_bytes(&reneg, S3I(s)->previous_server_finished,
455
198
	    S3I(s)->previous_server_finished_len))
456
		return 0;
457
198
	if (!CBB_flush(cbb))
458
		return 0;
459
460
198
	return 1;
461
198
}
462
463
int
464
tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert)
465
{
466
31754
	CBS reneg, prev_client, prev_server;
467
468
	/*
469
	 * Ensure that the previous client and server values are both not
470
	 * present, or that they are both present.
471
	 */
472

15883
	if ((S3I(s)->previous_client_finished_len == 0 &&
473
15871
	    S3I(s)->previous_server_finished_len != 0) ||
474
15877
	    (S3I(s)->previous_client_finished_len != 0 &&
475
6
	    S3I(s)->previous_server_finished_len == 0)) {
476
		*alert = TLS1_AD_INTERNAL_ERROR;
477
		return 0;
478
	}
479
480
15877
	if (!CBS_get_u8_length_prefixed(cbs, &reneg))
481
		goto err;
482
15877
	if (!CBS_get_bytes(&reneg, &prev_client,
483
15877
	    S3I(s)->previous_client_finished_len))
484
		goto err;
485
15877
	if (!CBS_get_bytes(&reneg, &prev_server,
486
15877
	    S3I(s)->previous_server_finished_len))
487
		goto err;
488
15877
	if (CBS_len(&reneg) != 0)
489
		goto err;
490
15877
	if (CBS_len(cbs) != 0)
491
		goto err;
492
493
31754
	if (!CBS_mem_equal(&prev_client, S3I(s)->previous_client_finished,
494
15877
	    S3I(s)->previous_client_finished_len)) {
495
3
		SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
496
3
		*alert = SSL_AD_HANDSHAKE_FAILURE;
497
3
		return 0;
498
	}
499
31748
	if (!CBS_mem_equal(&prev_server, S3I(s)->previous_server_finished,
500
15874
	    S3I(s)->previous_server_finished_len)) {
501
		SSLerror(s, SSL_R_RENEGOTIATION_MISMATCH);
502
		*alert = SSL_AD_HANDSHAKE_FAILURE;
503
		return 0;
504
	}
505
506
15874
	S3I(s)->renegotiate_seen = 1;
507
15874
	S3I(s)->send_connection_binding = 1;
508
509
15874
	return 1;
510
511
 err:
512
	SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR);
513
	*alert = SSL_AD_DECODE_ERROR;
514
	return 0;
515
15877
}
516
517
/*
518
 * Signature Algorithms - RFC 5246 section 7.4.1.4.1.
519
 */
520
int
521
tlsext_sigalgs_clienthello_needs(SSL *s)
522
{
523
63601
	return (TLS1_get_client_version(s) >= TLS1_2_VERSION);
524
}
525
526
int
527
tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb)
528
{
529
31592
	unsigned char *sigalgs_data;
530
15796
	size_t sigalgs_len;
531
15796
	CBB sigalgs;
532
533
15796
	tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len);
534
535
15796
	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
536
		return 0;
537
15796
	if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len))
538
		return 0;
539
15796
	if (!CBB_flush(cbb))
540
		return 0;
541
542
15796
	return 1;
543
15796
}
544
545
int
546
tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert)
547
{
548
210
	CBS sigalgs;
549
550
105
	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
551
		return 0;
552
553
105
	return tls1_process_sigalgs(s, &sigalgs);
554
105
}
555
556
int
557
tlsext_sigalgs_serverhello_needs(SSL *s)
558
{
559
402
	return 0;
560
}
561
562
int
563
tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb)
564
{
565
6
	return 0;
566
}
567
568
int
569
tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert)
570
{
571
	/* As per the RFC, servers must not send this extension. */
572
6
	return 0;
573
}
574
575
/*
576
 * Server Name Indication - RFC 6066, section 3.
577
 */
578
int
579
tlsext_sni_clienthello_needs(SSL *s)
580
{
581
31820
	return (s->tlsext_hostname != NULL);
582
}
583
584
int
585
tlsext_sni_clienthello_build(SSL *s, CBB *cbb)
586
{
587
30
	CBB server_name_list, host_name;
588
589
15
	if (!CBB_add_u16_length_prefixed(cbb, &server_name_list))
590
		return 0;
591
15
	if (!CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name))
592
		return 0;
593
15
	if (!CBB_add_u16_length_prefixed(&server_name_list, &host_name))
594
		return 0;
595
30
	if (!CBB_add_bytes(&host_name, (const uint8_t *)s->tlsext_hostname,
596
15
	    strlen(s->tlsext_hostname)))
597
		return 0;
598
15
	if (!CBB_flush(cbb))
599
		return 0;
600
601
15
	return 1;
602
15
}
603
604
int
605
tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert)
606
{
607
36
	CBS server_name_list, host_name;
608
18
	uint8_t name_type;
609
610
18
	if (!CBS_get_u16_length_prefixed(cbs, &server_name_list))
611
		goto err;
612
613
	/*
614
	 * RFC 6066 section 3 forbids multiple host names with the same type.
615
	 * Additionally, only one type (host_name) is specified.
616
	 */
617
18
	if (!CBS_get_u8(&server_name_list, &name_type))
618
		goto err;
619
18
	if (name_type != TLSEXT_NAMETYPE_host_name)
620
		goto err;
621
622
18
	if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name))
623
		goto err;
624

36
	if (CBS_len(&host_name) == 0 ||
625
18
	    CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
626
18
	    CBS_contains_zero_byte(&host_name)) {
627
		*alert = TLS1_AD_UNRECOGNIZED_NAME;
628
		return 0;
629
	}
630
631
18
	if (s->internal->hit) {
632
3
		if (s->session->tlsext_hostname == NULL) {
633
			*alert = TLS1_AD_UNRECOGNIZED_NAME;
634
			return 0;
635
		}
636
3
		if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname,
637
3
		    strlen(s->session->tlsext_hostname))) {
638
3
			*alert = TLS1_AD_UNRECOGNIZED_NAME;
639
3
			return 0;
640
		}
641
	} else {
642
15
		if (s->session->tlsext_hostname != NULL)
643
			goto err;
644
15
		if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) {
645
			*alert = TLS1_AD_INTERNAL_ERROR;
646
			return 0;
647
		}
648
	}
649
650
15
	if (CBS_len(&server_name_list) != 0)
651
		goto err;
652
15
	if (CBS_len(cbs) != 0)
653
		goto err;
654
655
15
	return 1;
656
657
 err:
658
	*alert = SSL_AD_DECODE_ERROR;
659
	return 0;
660
18
}
661
662
int
663
tlsext_sni_serverhello_needs(SSL *s)
664
{
665
408
	return (s->session->tlsext_hostname != NULL);
666
}
667
668
int
669
tlsext_sni_serverhello_build(SSL *s, CBB *cbb)
670
{
671
30
	return 1;
672
}
673
674
int
675
tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert)
676
{
677

45
	if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) {
678
		*alert = TLS1_AD_UNRECOGNIZED_NAME;
679
		return 0;
680
	}
681
682
15
	if (s->internal->hit) {
683
		if (s->session->tlsext_hostname == NULL) {
684
			*alert = TLS1_AD_UNRECOGNIZED_NAME;
685
			return 0;
686
		}
687
		if (strcmp(s->tlsext_hostname,
688
		    s->session->tlsext_hostname) != 0) {
689
			*alert = TLS1_AD_UNRECOGNIZED_NAME;
690
			return 0;
691
		}
692
	} else {
693
15
		if (s->session->tlsext_hostname != NULL) {
694
			*alert = SSL_AD_DECODE_ERROR;
695
			return 0;
696
		}
697
30
		if ((s->session->tlsext_hostname =
698
30
		    strdup(s->tlsext_hostname)) == NULL) {
699
			*alert = TLS1_AD_INTERNAL_ERROR;
700
			return 0;
701
		}
702
	}
703
704
15
	return 1;
705
15
}
706
707
708
/*
709
 *Certificate Status Request - RFC 6066 section 8.
710
 */
711
712
int
713
tlsext_ocsp_clienthello_needs(SSL *s)
714
{
715
47730
	return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
716
15
	    s->version != DTLS1_VERSION);
717
}
718
719
int
720
tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
721
{
722
30
	CBB respid_list, respid, exts;
723
15
	unsigned char *ext_data;
724
	size_t ext_len;
725
	int i;
726
727
15
	if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
728
		return 0;
729
15
	if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
730
		return 0;
731
30
	for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
732
		unsigned char *respid_data;
733
		OCSP_RESPID *id;
734
		size_t id_len;
735
736
		if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids,
737
		    i)) ==  NULL)
738
			return 0;
739
		if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
740
			return 0;
741
		if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
742
			return 0;
743
		if (!CBB_add_space(&respid, &respid_data, id_len))
744
			return 0;
745
		if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
746
			return 0;
747
	}
748
15
	if (!CBB_add_u16_length_prefixed(cbb, &exts))
749
		return 0;
750
30
	if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts,
751
15
	    NULL)) == -1)
752
		return 0;
753
15
	if (!CBB_add_space(&exts, &ext_data, ext_len))
754
		return 0;
755
15
	if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) !=
756
	    ext_len))
757
		return 0;
758
15
	if (!CBB_flush(cbb))
759
		return 0;
760
15
	return 1;
761
15
}
762
763
int
764
tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
765
{
766
	int failure = SSL_AD_DECODE_ERROR;
767
30
	CBS respid_list, respid, exts;
768
15
	const unsigned char *p;
769
15
	uint8_t status_type;
770
	int ret = 0;
771
772
15
	if (!CBS_get_u8(cbs, &status_type))
773
		goto err;
774
15
	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
775
		/* ignore unknown status types */
776
		s->tlsext_status_type = -1;
777
778
		if (!CBS_skip(cbs, CBS_len(cbs))) {
779
			*alert = TLS1_AD_INTERNAL_ERROR;
780
			return 0;
781
		}
782
		return 1;
783
	}
784
15
	s->tlsext_status_type = status_type;
785
15
	if (!CBS_get_u16_length_prefixed(cbs, &respid_list))
786
		goto err;
787
788
	/* XXX */
789
15
	sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free);
790
15
	s->internal->tlsext_ocsp_ids = NULL;
791
15
	if (CBS_len(&respid_list) > 0) {
792
		s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
793
		if (s->internal->tlsext_ocsp_ids == NULL) {
794
			failure = SSL_AD_INTERNAL_ERROR;
795
			goto err;
796
		}
797
	}
798
799
30
	while (CBS_len(&respid_list) > 0) {
800
		OCSP_RESPID *id;
801
802
		if (!CBS_get_u16_length_prefixed(&respid_list, &respid))
803
			goto err;
804
		p = CBS_data(&respid);
805
		if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL)
806
			goto err;
807
		if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) {
808
			failure = SSL_AD_INTERNAL_ERROR;
809
			OCSP_RESPID_free(id);
810
			goto err;
811
		}
812
	}
813
814
	/* Read in request_extensions */
815
15
	if (!CBS_get_u16_length_prefixed(cbs, &exts))
816
		goto err;
817
15
	if (CBS_len(&exts) > 0) {
818
		sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts,
819
		    X509_EXTENSION_free);
820
		p = CBS_data(&exts);
821
		if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL,
822
		    &p, CBS_len(&exts))) == NULL)
823
			goto err;
824
	}
825
826
	/* should be nothing left */
827
15
	if (CBS_len(cbs) > 0)
828
		goto err;
829
830
15
	ret = 1;
831
 err:
832
15
	if (ret == 0)
833
		*alert = failure;
834
15
	return ret;
835
15
}
836
837
int
838
tlsext_ocsp_serverhello_needs(SSL *s)
839
{
840
408
	return s->internal->tlsext_status_expected;
841
}
842
843
int
844
tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb)
845
{
846
6
	return 1;
847
}
848
849
int
850
tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
851
{
852
	if (s->tlsext_status_type == -1) {
853
		*alert = TLS1_AD_UNSUPPORTED_EXTENSION;
854
		return 0;
855
	}
856
	/* Set flag to expect CertificateStatus message */
857
	s->internal->tlsext_status_expected = 1;
858
	return 1;
859
}
860
861
/*
862
 * SessionTicket extension - RFC 5077 section 3.2
863
 */
864
int
865
tlsext_sessionticket_clienthello_needs(SSL *s)
866
{
867
	/*
868
	 * Send session ticket extension when enabled and not overridden.
869
	 *
870
	 * When renegotiating, send an empty session ticket to indicate support.
871
	 */
872
31856
	if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
873
15
		return 0;
874
875
15913
	if (s->internal->new_session)
876
		return 1;
877
878

15919
	if (s->internal->tlsext_session_ticket != NULL &&
879
6
	    s->internal->tlsext_session_ticket->data == NULL)
880
3
		return 0;
881
882
15910
	return 1;
883
15928
}
884
885
int
886
tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb)
887
{
888
	/*
889
	 * Signal that we support session tickets by sending an empty
890
	 * extension when renegotiating or no session found.
891
	 */
892

47712
	if (s->internal->new_session || s->session == NULL)
893
3
		return 1;
894
895
15901
	if (s->session->tlsext_tick != NULL) {
896
		/* Attempt to resume with an existing session ticket */
897
14574
		if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
898
14574
		    s->session->tlsext_ticklen))
899
			return 0;
900
901
1327
	} else if (s->internal->tlsext_session_ticket != NULL) {
902
		/*
903
		 * Attempt to resume with a custom provided session ticket set
904
		 * by SSL_set_session_ticket_ext().
905
		 */
906
3
		if (s->internal->tlsext_session_ticket->length > 0) {
907
3
			size_t ticklen = s->internal->tlsext_session_ticket->length;
908
909
3
			if ((s->session->tlsext_tick = malloc(ticklen)) == NULL)
910
				return 0;
911
6
			memcpy(s->session->tlsext_tick,
912
3
			    s->internal->tlsext_session_ticket->data,
913
			    ticklen);
914
3
			s->session->tlsext_ticklen = ticklen;
915
916
6
			if (!CBB_add_bytes(cbb, s->session->tlsext_tick,
917
3
			    s->session->tlsext_ticklen))
918
				return 0;
919
3
		}
920
	}
921
922
15901
	if (!CBB_flush(cbb))
923
		return 0;
924
925
15901
	return 1;
926
15904
}
927
928
int
929
tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert)
930
{
931
360
	if (s->internal->tls_session_ticket_ext_cb) {
932
		if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
933
		    (int)CBS_len(cbs),
934
		    s->internal->tls_session_ticket_ext_cb_arg)) {
935
			*alert = TLS1_AD_INTERNAL_ERROR;
936
			return 0;
937
		}
938
	}
939
940
	/* We need to signal that this was processed fully */
941
180
	if (!CBS_skip(cbs, CBS_len(cbs))) {
942
		*alert = TLS1_AD_INTERNAL_ERROR;
943
		return 0;
944
	}
945
946
180
	return 1;
947
180
}
948
949
int
950
tlsext_sessionticket_serverhello_needs(SSL *s)
951
{
952
630
	return (s->internal->tlsext_ticket_expected &&
953
183
	    !(SSL_get_options(s) & SSL_OP_NO_TICKET));
954
}
955
956
int
957
tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb)
958
{
959
	/* Empty ticket */
960
961
366
	return 1;
962
}
963
964
int
965
tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert)
966
{
967
2576
	if (s->internal->tls_session_ticket_ext_cb) {
968
		if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs),
969
		    (int)CBS_len(cbs),
970
		    s->internal->tls_session_ticket_ext_cb_arg)) {
971
			*alert = TLS1_AD_INTERNAL_ERROR;
972
			return 0;
973
		}
974
	}
975
976

2576
	if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0 || CBS_len(cbs) > 0) {
977
		*alert = TLS1_AD_UNSUPPORTED_EXTENSION;
978
		return 0;
979
	}
980
981
1288
	s->internal->tlsext_ticket_expected = 1;
982
983
1288
	return 1;
984
1288
}
985
986
/*
987
 * DTLS extension for SRTP key establishment - RFC 5764
988
 */
989
990
#ifndef OPENSSL_NO_SRTP
991
992
int
993
tlsext_srtp_clienthello_needs(SSL *s)
994
{
995
47787
	return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL;
996
}
997
998
int
999
tlsext_srtp_clienthello_build(SSL *s, CBB *cbb)
1000
{
1001
12
	CBB profiles, mki;
1002
	int ct, i;
1003
	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL;
1004
	SRTP_PROTECTION_PROFILE *prof;
1005
1006
6
	if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1007
		SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1008
		return 0;
1009
	}
1010
1011
6
	if ((ct = sk_SRTP_PROTECTION_PROFILE_num(clnt)) < 1) {
1012
		SSLerror(s, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
1013
		return 0;
1014
	}
1015
1016
6
	if (!CBB_add_u16_length_prefixed(cbb, &profiles))
1017
		return 0;
1018
1019
30
	for (i = 0; i < ct; i++) {
1020
9
		if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL)
1021
			return 0;
1022
9
		if (!CBB_add_u16(&profiles, prof->id))
1023
			return 0;
1024
	}
1025
1026
6
	if (!CBB_add_u8_length_prefixed(cbb, &mki))
1027
		return 0;
1028
1029
6
	if (!CBB_flush(cbb))
1030
		return 0;
1031
1032
6
	return 1;
1033
6
}
1034
1035
int
1036
tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
1037
{
1038
24
	SRTP_PROTECTION_PROFILE *cprof, *sprof;
1039
	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr;
1040
	int i, j;
1041
	int ret;
1042
12
	uint16_t id;
1043
12
	CBS profiles, mki;
1044
1045
	ret = 0;
1046
1047
12
	if (!CBS_get_u16_length_prefixed(cbs, &profiles))
1048
		goto err;
1049

24
	if (CBS_len(&profiles) == 0 || CBS_len(&profiles) % 2 != 0)
1050
		goto err;
1051
1052
12
	if ((clnt = sk_SRTP_PROTECTION_PROFILE_new_null()) == NULL)
1053
		goto err;
1054
1055
66
	while (CBS_len(&profiles) > 0) {
1056
21
		if (!CBS_get_u16(&profiles, &id))
1057
			goto err;
1058
1059
21
		if (!srtp_find_profile_by_num(id, &cprof)) {
1060
12
			if (!sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof))
1061
				goto err;
1062
		}
1063
	}
1064
1065

24
	if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1066
		SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1067
		*alert = SSL_AD_DECODE_ERROR;
1068
		goto done;
1069
	}
1070
12
	if (CBS_len(cbs) != 0)
1071
		goto err;
1072
1073
	/*
1074
	 * Per RFC 5764 section 4.1.1
1075
	 *
1076
	 * Find the server preferred profile using the client's list.
1077
	 *
1078
	 * The server MUST send a profile if it sends the use_srtp
1079
	 * extension.  If one is not found, it should fall back to the
1080
	 * negotiated DTLS cipher suite or return a DTLS alert.
1081
	 */
1082
12
	if ((srvr = SSL_get_srtp_profiles(s)) == NULL)
1083
		goto err;
1084
42
	for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
1085
36
		if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i))
1086
18
		    == NULL)
1087
			goto err;
1088
1089
42
		for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
1090
24
			if ((cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j))
1091
12
			    == NULL)
1092
				goto err;
1093
1094
12
			if (cprof->id == sprof->id) {
1095
9
				s->internal->srtp_profile = sprof;
1096
				ret = 1;
1097
9
				goto done;
1098
			}
1099
		}
1100
	}
1101
1102
	/* If we didn't find anything, fall back to the negotiated */
1103
	ret = 1;
1104
3
	goto done;
1105
1106
 err:
1107
	SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1108
	*alert = SSL_AD_DECODE_ERROR;
1109
1110
 done:
1111
12
	sk_SRTP_PROTECTION_PROFILE_free(clnt);
1112
12
	return ret;
1113
12
}
1114
1115
int
1116
tlsext_srtp_serverhello_needs(SSL *s)
1117
{
1118
702
	return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL;
1119
}
1120
1121
int
1122
tlsext_srtp_serverhello_build(SSL *s, CBB *cbb)
1123
{
1124
	SRTP_PROTECTION_PROFILE *profile;
1125
6
	CBB srtp, mki;
1126
1127
3
	if (!CBB_add_u16_length_prefixed(cbb, &srtp))
1128
		return 0;
1129
1130
3
	if ((profile = SSL_get_selected_srtp_profile(s)) == NULL)
1131
		return 0;
1132
1133
3
	if (!CBB_add_u16(&srtp, profile->id))
1134
		return 0;
1135
1136
3
	if (!CBB_add_u8_length_prefixed(cbb, &mki))
1137
		return 0;
1138
1139
3
	if (!CBB_flush(cbb))
1140
		return 0;
1141
1142
3
	return 1;
1143
3
}
1144
1145
int
1146
tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert)
1147
{
1148
	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1149
	SRTP_PROTECTION_PROFILE *prof;
1150
	int i;
1151
18
	uint16_t id;
1152
9
	CBS profile_ids, mki;
1153
1154
9
	if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) {
1155
		SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1156
		goto err;
1157
	}
1158
1159

18
	if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
1160
3
		SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1161
3
		goto err;
1162
	}
1163
1164

12
	if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) {
1165
		SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE);
1166
		*alert = SSL_AD_ILLEGAL_PARAMETER;
1167
		return 0;
1168
	}
1169
1170
6
	if ((clnt = SSL_get_srtp_profiles(s)) == NULL) {
1171
		SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1172
		goto err;
1173
	}
1174
1175
24
	for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1176
18
		if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i))
1177
9
		    == NULL) {
1178
			SSLerror(s, SSL_R_NO_SRTP_PROFILES);
1179
			goto err;
1180
		}
1181
1182
9
		if (prof->id == id) {
1183
3
			s->internal->srtp_profile = prof;
1184
3
			return 1;
1185
		}
1186
	}
1187
1188
3
	SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1189
 err:
1190
6
	*alert = SSL_AD_DECODE_ERROR;
1191
6
	return 0;
1192
9
}
1193
1194
#endif /* OPENSSL_NO_SRTP */
1195
1196
struct tls_extension {
1197
	uint16_t type;
1198
	int (*clienthello_needs)(SSL *s);
1199
	int (*clienthello_build)(SSL *s, CBB *cbb);
1200
	int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert);
1201
	int (*serverhello_needs)(SSL *s);
1202
	int (*serverhello_build)(SSL *s, CBB *cbb);
1203
	int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert);
1204
};
1205
1206
static struct tls_extension tls_extensions[] = {
1207
	{
1208
		.type = TLSEXT_TYPE_server_name,
1209
		.clienthello_needs = tlsext_sni_clienthello_needs,
1210
		.clienthello_build = tlsext_sni_clienthello_build,
1211
		.clienthello_parse = tlsext_sni_clienthello_parse,
1212
		.serverhello_needs = tlsext_sni_serverhello_needs,
1213
		.serverhello_build = tlsext_sni_serverhello_build,
1214
		.serverhello_parse = tlsext_sni_serverhello_parse,
1215
	},
1216
	{
1217
		.type = TLSEXT_TYPE_renegotiate,
1218
		.clienthello_needs = tlsext_ri_clienthello_needs,
1219
		.clienthello_build = tlsext_ri_clienthello_build,
1220
		.clienthello_parse = tlsext_ri_clienthello_parse,
1221
		.serverhello_needs = tlsext_ri_serverhello_needs,
1222
		.serverhello_build = tlsext_ri_serverhello_build,
1223
		.serverhello_parse = tlsext_ri_serverhello_parse,
1224
	},
1225
	{
1226
		.type = TLSEXT_TYPE_status_request,
1227
		.clienthello_needs = tlsext_ocsp_clienthello_needs,
1228
		.clienthello_build = tlsext_ocsp_clienthello_build,
1229
		.clienthello_parse = tlsext_ocsp_clienthello_parse,
1230
		.serverhello_needs = tlsext_ocsp_serverhello_needs,
1231
		.serverhello_build = tlsext_ocsp_serverhello_build,
1232
		.serverhello_parse = tlsext_ocsp_serverhello_parse,
1233
	},
1234
	{
1235
		.type = TLSEXT_TYPE_ec_point_formats,
1236
		.clienthello_needs = tlsext_ecpf_clienthello_needs,
1237
		.clienthello_build = tlsext_ecpf_clienthello_build,
1238
		.clienthello_parse = tlsext_ecpf_clienthello_parse,
1239
		.serverhello_needs = tlsext_ecpf_serverhello_needs,
1240
		.serverhello_build = tlsext_ecpf_serverhello_build,
1241
		.serverhello_parse = tlsext_ecpf_serverhello_parse,
1242
	},
1243
	{
1244
		.type = TLSEXT_TYPE_elliptic_curves,
1245
		.clienthello_needs = tlsext_ec_clienthello_needs,
1246
		.clienthello_build = tlsext_ec_clienthello_build,
1247
		.clienthello_parse = tlsext_ec_clienthello_parse,
1248
		.serverhello_needs = tlsext_ec_serverhello_needs,
1249
		.serverhello_build = tlsext_ec_serverhello_build,
1250
		.serverhello_parse = tlsext_ec_serverhello_parse,
1251
	},
1252
	{
1253
		.type = TLSEXT_TYPE_session_ticket,
1254
		.clienthello_needs = tlsext_sessionticket_clienthello_needs,
1255
		.clienthello_build = tlsext_sessionticket_clienthello_build,
1256
		.clienthello_parse = tlsext_sessionticket_clienthello_parse,
1257
		.serverhello_needs = tlsext_sessionticket_serverhello_needs,
1258
		.serverhello_build = tlsext_sessionticket_serverhello_build,
1259
		.serverhello_parse = tlsext_sessionticket_serverhello_parse,
1260
	},
1261
	{
1262
		.type = TLSEXT_TYPE_signature_algorithms,
1263
		.clienthello_needs = tlsext_sigalgs_clienthello_needs,
1264
		.clienthello_build = tlsext_sigalgs_clienthello_build,
1265
		.clienthello_parse = tlsext_sigalgs_clienthello_parse,
1266
		.serverhello_needs = tlsext_sigalgs_serverhello_needs,
1267
		.serverhello_build = tlsext_sigalgs_serverhello_build,
1268
		.serverhello_parse = tlsext_sigalgs_serverhello_parse,
1269
	},
1270
	{
1271
		.type = TLSEXT_TYPE_application_layer_protocol_negotiation,
1272
		.clienthello_needs = tlsext_alpn_clienthello_needs,
1273
		.clienthello_build = tlsext_alpn_clienthello_build,
1274
		.clienthello_parse = tlsext_alpn_clienthello_parse,
1275
		.serverhello_needs = tlsext_alpn_serverhello_needs,
1276
		.serverhello_build = tlsext_alpn_serverhello_build,
1277
		.serverhello_parse = tlsext_alpn_serverhello_parse,
1278
	},
1279
#ifndef OPENSSL_NO_SRTP
1280
	{
1281
		.type = TLSEXT_TYPE_use_srtp,
1282
		.clienthello_needs = tlsext_srtp_clienthello_needs,
1283
		.clienthello_build = tlsext_srtp_clienthello_build,
1284
		.clienthello_parse = tlsext_srtp_clienthello_parse,
1285
		.serverhello_needs = tlsext_srtp_serverhello_needs,
1286
		.serverhello_build = tlsext_srtp_serverhello_build,
1287
		.serverhello_parse = tlsext_srtp_serverhello_parse,
1288
	}
1289
#endif /* OPENSSL_NO_SRTP */
1290
};
1291
1292
#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))
1293
1294
int
1295
tlsext_clienthello_build(SSL *s, CBB *cbb)
1296
{
1297
31808
	CBB extensions, extension_data;
1298
	struct tls_extension *tlsext;
1299
	size_t i;
1300
1301
15904
	if (!CBB_add_u16_length_prefixed(cbb, &extensions))
1302
		return 0;
1303
1304
318080
	for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1305
143136
		tlsext = &tls_extensions[i];
1306
1307
143136
		if (!tlsext->clienthello_needs(s))
1308
			continue;
1309
1310
63321
		if (!CBB_add_u16(&extensions, tlsext->type))
1311
			return 0;
1312
63321
		if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
1313
			return 0;
1314
63321
		if (!tls_extensions[i].clienthello_build(s, &extension_data))
1315
			return 0;
1316
	}
1317
1318
15904
	if (!CBB_flush(cbb))
1319
		return 0;
1320
1321
15904
	return 1;
1322
15904
}
1323
1324
int
1325
tlsext_clienthello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert)
1326
{
1327
	struct tls_extension *tlsext;
1328
	size_t i;
1329
1330
6639
	for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1331
3054
		tlsext = &tls_extensions[i];
1332
1333
3054
		if (tlsext->type != type)
1334
			continue;
1335
531
		if (!tlsext->clienthello_parse(s, cbs, alert))
1336
21
			return 0;
1337
510
		if (CBS_len(cbs) != 0) {
1338
			*alert = SSL_AD_DECODE_ERROR;
1339
			return 0;
1340
		}
1341
1342
510
		return 1;
1343
	}
1344
1345
	/* Not found. */
1346
	return 2;
1347
531
}
1348
1349
int
1350
tlsext_serverhello_build(SSL *s, CBB *cbb)
1351
{
1352
396
	CBB extensions, extension_data;
1353
	struct tls_extension *tlsext;
1354
	size_t i;
1355
1356
198
	if (!CBB_add_u16_length_prefixed(cbb, &extensions))
1357
		return 0;
1358
1359
3960
	for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1360
1782
		tlsext = &tls_extensions[i];
1361
1362
1782
		if (!tlsext->serverhello_needs(s))
1363
			continue;
1364
1365
489
		if (!CBB_add_u16(&extensions, tlsext->type))
1366
			return 0;
1367
489
		if (!CBB_add_u16_length_prefixed(&extensions, &extension_data))
1368
			return 0;
1369
489
		if (!tlsext->serverhello_build(s, &extension_data))
1370
			return 0;
1371
	}
1372
1373
198
	if (!CBB_flush(cbb))
1374
		return 0;
1375
1376
198
	return 1;
1377
198
}
1378
1379
int
1380
tlsext_serverhello_parse_one(SSL *s, CBS *cbs, uint16_t type, int *alert)
1381
{
1382
	struct tls_extension *tlsext;
1383
	size_t i;
1384
1385
107764
	for (i = 0; i < N_TLS_EXTENSIONS; i++) {
1386
44674
		tlsext = &tls_extensions[i];
1387
1388
44674
		if (tlsext->type != type)
1389
			continue;
1390
18416
		if (!tlsext->serverhello_parse(s, cbs, alert))
1391
30
			return 0;
1392
18386
		if (CBS_len(cbs) != 0) {
1393
			*alert = SSL_AD_DECODE_ERROR;
1394
			return 0;
1395
		}
1396
1397
18386
		return 1;
1398
	}
1399
1400
	/* Not found. */
1401
	return 2;
1402
18416
}