*/
#include <string.h>
+#include "internal/nelem.h"
#include "../ssl_locl.h"
#include "statem_locl.h"
static int init_npn(SSL *s, unsigned int context);
#endif
static int init_alpn(SSL *s, unsigned int context);
+static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
static int init_sig_algs(SSL *s, unsigned int context);
static int init_certificate_authorities(SSL *s, unsigned int context);
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
#endif
static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al);
static int final_early_data(SSL *s, unsigned int context, int sent, int *al);
+static int final_maxfragmentlen(SSL *s, unsigned int context, int sent, int *al);
/* Structure to define a built-in extension */
typedef struct extensions_definition_st {
tls_construct_stoc_server_name, tls_construct_ctos_server_name,
final_server_name
},
+ {
+ TLSEXT_TYPE_max_fragment_length,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+ NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
+ tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
+ final_maxfragmentlen
+ },
#ifndef OPENSSL_NO_SRP
{
TLSEXT_TYPE_srp,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
- tls_construct_stoc_alpn, tls_construct_ctos_alpn, NULL
+ tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
},
#ifndef OPENSSL_NO_SRTP
{
*/
int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
{
+ int is_tls13;
+
+ /*
+ * For HRR we haven't selected the version yet but we know it will be
+ * TLSv1.3
+ */
+ if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
+ is_tls13 = 1;
+ else
+ is_tls13 = SSL_IS_TLS13(s);
+
if ((SSL_IS_DTLS(s)
&& (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
|| (s->version == SSL3_VERSION
&& (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
- || (SSL_IS_TLS13(s)
- && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
- || (!SSL_IS_TLS13(s) && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
+ || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
+ || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
|| (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
return 0;
if (!WPACKET_start_sub_packet_u16(pkt)
/*
* If extensions are of zero length then we don't even add the
- * extensions length bytes to a ClientHello/ServerHello in SSLv3
+ * extensions length bytes to a ClientHello/ServerHello
+ * (for non-TLSv1.3).
*/
|| ((context &
(SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
- && s->version == SSL3_VERSION
&& !WPACKET_set_flags(pkt,
WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
static int final_server_name(SSL *s, unsigned int context, int sent,
int *al)
{
- int ret = SSL_TLSEXT_ERR_NOACK;
+ int ret = SSL_TLSEXT_ERR_NOACK, discard;
int altmp = SSL_AD_UNRECOGNIZED_NAME;
+ int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
ret = s->ctx->ext.servername_cb(s, &altmp,
ret = s->session_ctx->ext.servername_cb(s, &altmp,
s->session_ctx->ext.servername_arg);
+ if (!sent) {
+ OPENSSL_free(s->session->ext.hostname);
+ s->session->ext.hostname = NULL;
+ }
+
+ /*
+ * If we switched contexts (whether here or in the client_hello callback),
+ * move the sess_accept increment from the session_ctx to the new
+ * context, to avoid the confusing situation of having sess_accept_good
+ * exceed sess_accept (zero) for the new context.
+ */
+ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
+ CRYPTO_atomic_add(&s->ctx->stats.sess_accept, 1, &discard,
+ s->ctx->lock);
+ CRYPTO_atomic_add(&s->session_ctx->stats.sess_accept, -1, &discard,
+ s->session_ctx->lock);
+ }
+
+ /*
+ * If we're expecting to send a ticket, and tickets were previously enabled,
+ * and now tickets are disabled, then turn off expected ticket.
+ * Also, if this is not a resumption, create a new session ID
+ */
+ if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
+ && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
+ s->ext.ticket_expected = 0;
+ if (!s->hit) {
+ SSL_SESSION* ss = SSL_get_session(s);
+
+ if (ss != NULL) {
+ OPENSSL_free(ss->ext.tick);
+ ss->ext.tick = NULL;
+ ss->ext.ticklen = 0;
+ ss->ext.tick_lifetime_hint = 0;
+ ss->ext.tick_age_add = 0;
+ ss->ext.tick_identity = 0;
+ if (!ssl_generate_session_id(s, ss)) {
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ altmp = SSL_AD_INTERNAL_ERROR;
+ }
+ } else {
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ altmp = SSL_AD_INTERNAL_ERROR;
+ }
+ }
+ }
+
switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL:
*al = altmp;
return 1;
}
+static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
+{
+ if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
+ s->ext.early_data_ok = 0;
+
+ if (!s->server || !SSL_IS_TLS13(s))
+ return 1;
+
+ /*
+ * Call alpn_select callback if needed. Has to be done after SNI and
+ * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
+ * we also have to do this before we decide whether to accept early_data.
+ * In TLSv1.3 we've already negotiated our cipher so we do this call now.
+ * For < TLSv1.3 we defer it until after cipher negotiation.
+ */
+ return tls_handle_alpn(s, al);
+}
+
static int init_sig_algs(SSL *s, unsigned int context)
{
/* Clear any signature algorithms extension received */
&& (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
!= 0)) {
- const unsigned char *pcurves, *pcurvestmp, *clntcurves;
- size_t num_curves, clnt_num_curves, i;
+ const uint16_t *pgroups, *clntgroups;
+ size_t num_groups, clnt_num_groups, i;
unsigned int group_id = 0;
/* Check if a shared group exists */
/* Get the clients list of supported groups. */
- if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
- *al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
- /* Get our list of available groups */
- if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
- *al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
- return 0;
- }
+ tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
+ tls1_get_supported_groups(s, &pgroups, &num_groups);
/* Find the first group we allow that is also in client's list */
- for (i = 0, pcurvestmp = pcurves; i < num_curves;
- i++, pcurvestmp += 2) {
- group_id = bytestogroup(pcurvestmp);
+ for (i = 0; i < num_groups; i++) {
+ group_id = pgroups[i];
- if (check_in_list(s, group_id, clntcurves, clnt_num_curves, 1))
+ if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1))
break;
}
- if (i < num_curves) {
+ if (i < num_groups) {
/* A shared group exists so send a HelloRetryRequest */
s->s3->group_id = group_id;
s->hello_retry_request = 1;
const char *label;
size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
int ret = -1;
+ int usepskfored = 0;
+
+ if (external
+ && s->early_data_state == SSL_EARLY_DATA_CONNECTING
+ && s->session->ext.max_early_data == 0
+ && sess->ext.max_early_data > 0)
+ usepskfored = 1;
if (external) {
label = external_label;
/*
* Generate the early_secret. On the server side we've selected a PSK to
* resume with (internal or external) so we always do this. On the client
- * side we do this for a non-external (i.e. resumption) PSK so that it
- * is in place for sending early data. For client side external PSK we
+ * side we do this for a non-external (i.e. resumption) PSK or external PSK
+ * that will be used for early_data so that it is in place for sending early
+ * data. For client side external PSK not being used for early_data we
* generate it but store it away for later use.
*/
- if (s->server || !external)
+ if (s->server || !external || usepskfored)
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
static int final_early_data(SSL *s, unsigned int context, int sent, int *al)
{
- if (!s->server || !sent)
+ if (!sent)
+ return 1;
+
+ if (!s->server) {
+ if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ && sent
+ && !s->ext.early_data_ok) {
+ /*
+ * If we get here then the server accepted our early_data but we
+ * later realised that it shouldn't have done (e.g. inconsistent
+ * ALPN)
+ */
+ *al = SSL_AD_ILLEGAL_PARAMETER;
+ return 0;
+ }
+
return 1;
+ }
if (s->max_early_data == 0
|| !s->hit
|| s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
- || s->hello_retry_request
- || s->s3->alpn_selected_len != s->session->ext.alpn_selected_len
- || (s->s3->alpn_selected_len > 0
- && memcmp(s->s3->alpn_selected, s->session->ext.alpn_selected,
- s->s3->alpn_selected_len) != 0)) {
+ || s->hello_retry_request) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
return 1;
}
+
+static int final_maxfragmentlen(SSL *ssl, unsigned int context, int sent, int *al)
+{
+ /*
+ * Session resumption on server-side with MFL extension active
+ * BUT MFL extension packet was not resent (i.e. sent == 0)
+ */
+ if (ssl->server && ssl->hit && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)
+ && !sent ) {
+ *al = SSL_AD_MISSING_EXTENSION;
+ return 0;
+ }
+
+ /* Current SSL buffer is lower than requested MFL */
+ if (ssl->session && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session)
+ && ssl->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(ssl->session))
+ /* trigger a larger buffer reallocation */
+ if (!ssl3_setup_buffers(ssl))
+ return 0;
+
+ return 1;
+}
projects / openssl.git / blobdiff