author | Matt Caswell <matt@openssl.org> | 2017-05-09 13:44:25 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-05-17 15:23:49 +0100 |
commit | b186a592833ea4efd8e18d053955abde179e1b3d (patch) | |
tree | ea7935b44e5e67c352c2e52486f501b449e9c3ea /ssl/statem/statem_locl.h | |
parent | 7a94f5b0f7c878b1056a08f659ce23aa97bfa3ad (diff) | |
Fail if we receive a response to an extension that we didn't request
We already did this on an ad-hoc, per-extension basis for some extensions.
This centralises it and makes sure we do it for all extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3418)
Diffstat (limited to 'ssl/statem/statem_locl.h')
-rw-r--r-- | ssl/statem/statem_locl.h | 168 |
1 files changed, 93 insertions, 75 deletions
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h index 49a5ed5..13fe5bf 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_locl.h @@ -156,6 +156,12 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt); /* Extension processing */ +typedef enum { + EXT_RETURN_FAIL, + EXT_RETURN_SENT, + EXT_RETURN_NOT_SENT +} EXT_RETURN; + __owur int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx); __owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, 
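Review bot: The new `EXT_RETURN` typedef is introduced with no comment saying what the three values mean for the constructor callbacks that now return it, and this header is where every implementer of a new extension will look. I would put a block comment above the typedef along the lines of: "Return value of the tls_construct_* extension callbacks: EXT_RETURN_FAIL on error (the callback presumably sets *al), EXT_RETURN_SENT if the extension was written to pkt, EXT_RETURN_NOT_SENT if the callback chose to write nothing." It is worth spelling out that EXT_RETURN_FAIL is the zero enumerator, so any `if (!ret)` check left over from the old int contract still catches failure but treats NOT_SENT as success, and that a constructor must return NOT_SENT rather than SENT whenever it emits nothing, since the commit message implies the centralised rejection of unsolicited responses is keyed on what was actually sent (that logic is not visible in this hunk).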
@@ -223,113 +229,125 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); -int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #ifndef OPENSSL_NO_EC -int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #endif -int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); -int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #ifndef OPENSSL_NO_OCSP -int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); 
#endif #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #endif -int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_SRTP -int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, +EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); #endif -int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); -int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); -int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); /* * Not in public headers as this is not an official extension. Only used when * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. 
*/ #define TLSEXT_TYPE_cryptopro_bug 0xfde8 -int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); /* Client Extension processing */ -int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context, +EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context, +EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_SRP -int tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, +EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); #endif #ifndef OPENSSL_NO_EC -int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #endif -int tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); -int tls_construct_ctos_sig_algs(SSL 
*s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #ifndef OPENSSL_NO_OCSP -int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); #endif #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #endif -int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_SRTP -int tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #endif -int tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #ifndef OPENSSL_NO_CT -int tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); #endif -int 
tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); -int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, - unsigned int context, X509 *x, - size_t chainidx, int *al); -int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, unsigned int context, +EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx, int *al); -int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, - size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, + unsigned int context, X509 *x, + size_t chainidx, int *al); +EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx, int *al); int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al); int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, |
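Review bot: Several of the retyped prototypes in this hunk change only the first line of a two-line declaration, so the unchanged `X509 *x, size_t chainidx, int *al);` continuation stays aligned to the old `int` paren column and the first line now runs past 80 characters; this applies to `tls_construct_ctos_renegotiate`, `tls_construct_ctos_server_name`, `tls_construct_ctos_srp`, `tls_construct_stoc_use_srtp` and `tls_construct_ctos_use_srtp`. Re-wrap them into the three-line form the rest of the hunk uses, e.g. `EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,` / `unsigned int context, X509 *x,` / `size_t chainidx, int *al);` with the continuations aligned under the opening paren. Separately, `extension_is_relevant` and `tls_collect_extensions` in this same header carry `__owur`, but none of the constructors that now return `EXT_RETURN` do; since an ignored result now drops `EXT_RETURN_FAIL` as well as the SENT/NOT_SENT distinction, consider marking these prototypes `__owur` too.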