-/* $OpenBSD: tlsexttest.c,v 1.83 2023/12/13 06:00:28 tb Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.84 2024/03/25 04:06:41 jsing Exp $ */
/*
* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
#include "bytestring.h"
#include "ssl_tlsext.h"
+struct tlsext_data {
+ CBS alpn;
+};
+
struct tls_extension_funcs {
int (*needs)(SSL *s, uint16_t msg_type);
int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
- int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
+ int (*parse)(SSL *s, struct tlsext_data *td, uint16_t msg_type,
+ CBS *cbs, int *alert);
+ int (*process)(SSL *s, struct tlsext_data *td, uint16_t msg_type,
+ int *alert);
};
uint16_t tls_extension_type(const struct tls_extension *);
return 1;
}
+static int
+tls_extension_parse(const struct tls_extension_funcs *tlsext_funcs, SSL *ssl,
+ uint16_t msg_type, CBS *cbs, int *alert)
+{
+ struct tlsext_data td;
+
+ memset(&td, 0, sizeof(td));
+
+ if (!tlsext_funcs->parse(ssl, &td, msg_type, cbs, alert))
+ return 0;
+
+ if (tlsext_funcs->process != NULL) {
+ if (!tlsext_funcs->process(ssl, &td, msg_type, alert))
+ return 0;
+ }
+
+ return 1;
+}
+
static void
hexdump(const unsigned char *buf, size_t len)
{
CBS_init(&cbs, tlsext_alpn_single_proto,
sizeof(tlsext_alpn_single_proto));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse ALPN\n");
goto err;
}
CBS_init(&cbs, tlsext_alpn_multiple_protos,
sizeof(tlsext_alpn_multiple_protos));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse ALPN\n");
goto err;
}
sizeof(tlsext_alpn_single_proto));
/* Shouldn't be able to parse without requesting */
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("Should only parse server if we requested it\n");
goto err;
}
FAIL("should be able to set ALPN to http/1.1\n");
goto err;
}
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("Should be able to parse server when we request it\n");
goto err;
}
CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1,
sizeof(tlsext_supportedgroups_client_secp384r1));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client Ellipticcurves\n");
goto err;
}
CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224,
sizeof(tlsext_supportedgroups_client_nistp192and224));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client Ellipticcurves\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_uncompressed,
sizeof(tlsext_ecpf_hello_uncompressed));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
sizeof(tlsext_ecpf_hello_prefer_order));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_prime,
sizeof(tlsext_ecpf_hello_prime));
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("must include uncompressed in server ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
sizeof(tlsext_ecpf_hello_prefer_order));
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse server ECPointFormats\n");
goto err;
}
}
CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client RI\n");
goto err;
}
ssl->s3->renegotiate_seen = 0;
CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
- if (server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("parsed invalid client RI\n");
goto err;
}
}
CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse server RI\n");
goto err;
}
ssl->s3->renegotiate_seen = 0;
CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("parsed invalid server RI\n");
goto err;
}
}
CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client SNI\n");
goto done;
}
errx(1, "failed to finish CBB");
CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("server should not parse sigalgs\n");
goto done;
}
ssl->hit = 0;
CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client SNI\n");
goto err;
}
}
CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
- if (server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("parsed client with mismatched SNI\n");
goto err;
}
ssl->session->tlsext_hostname = NULL;
CBS_init(&cbs, tlsext_sni_server, tlsext_sni_server_len);
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse server SNI\n");
goto err;
}
CBS_init(&cbs, tlsext_quic_transport_data,
sizeof(tlsext_quic_transport_data));
-
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("server_parse of QUIC from server failed\n");
goto err;
}
ssl->quic_method = NULL;
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_EE, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_EE,
+ &cbs, &alert)) {
FAIL("QUIC parse should have failed!\n");
goto err;
}
ssl->quic_method = &quic_method;
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("client_parse of QUIC from server failed\n");
goto err;
}
}
CBS_init(&cbs, tls_ocsp_client_default,
sizeof(tls_ocsp_client_default));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse TLSEXT_TYPE_status_request client\n");
goto err;
}
}
CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple,
sizeof(tlsext_srtp_multiple));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple_one_valid,
sizeof(tlsext_srtp_multiple_one_valid));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple_invalid,
sizeof(tlsext_srtp_multiple_invalid));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("should be able to fall back to negotiated\n");
goto err;
}
}
CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple,
sizeof(tlsext_srtp_multiple));
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("should not find multiple entries from the server\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_single_invalid,
sizeof(tlsext_srtp_single_invalid));
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("should not be able to parse this\n");
goto err;
}
}
CBS_init(&cbs, data, dlen);
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client versions\n");
goto done;
}
}
CBS_init(&cbs, data, dlen);
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse client versions\n");
goto done;
}
(ssl)->version = TLS1_3_VERSION;
CBS_init(&cbs, data, dlen);
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client keyshare\n");
goto done;
}
CBS_init(&cbs, data, dlen);
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse server keyshare\n");
goto done;
}
CBS_init(&cbs, data, dlen);
/* Checks cookie against what's in the hs.tls13 */
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse client cookie\n");
goto done;
}
CBS_init(&cbs, data, dlen);
- if (client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("client should not have parsed server cookie\n");
goto done;
}
ssl->s3->hs.tls13.cookie = NULL;
ssl->s3->hs.tls13.cookie_len = 0;
- if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_parse(client_funcs, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("failed to parse server cookie\n");
goto done;
}
CBS_init(&cbs, tlsext_default_psk_modes,
sizeof(tlsext_default_psk_modes));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse psk kex modes\n");
goto err;
}
ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
CBS_init(&cbs, tlsext_psk_only_mode, sizeof(tlsext_psk_only_mode));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse psk kex modes\n");
goto err;
}
ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
CBS_init(&cbs, tlsext_psk_both_modes, sizeof(tlsext_psk_both_modes));
- if (!server_funcs->parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_parse(server_funcs, ssl, SSL_TLSEXT_MSG_CH,
+ &cbs, &alert)) {
FAIL("failed to parse psk kex modes\n");
goto err;
}
projects / openbsd / commitdiff