*/
#include <string.h>
+#include "internal/nelem.h"
#include "../ssl_locl.h"
#include "statem_locl.h"
static int init_npn(SSL *s, unsigned int context);
#endif
static int init_alpn(SSL *s, unsigned int context);
+static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
static int init_sig_algs(SSL *s, unsigned int context);
static int init_certificate_authorities(SSL *s, unsigned int context);
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
- tls_construct_stoc_alpn, tls_construct_ctos_alpn, NULL
+ tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
},
#ifndef OPENSSL_NO_SRTP
{
case SSL_TLSEXT_ERR_NOACK:
s->servername_done = 0;
+ if (s->server && s->session->ext.hostname != NULL)
+ s->ext.early_data_ok = 0;
return 1;
default:
return 1;
}
+static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
+{
+ if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
+ s->ext.early_data_ok = 0;
+
+ if (!s->server || !SSL_IS_TLS13(s))
+ return 1;
+
+ /*
+ * Call alpn_select callback if needed. Has to be done after SNI and
+ * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
+ * we also have to do this before we decide whether to accept early_data.
+ * In TLSv1.3 we've already negotiated our cipher so we do this call now.
+ * For < TLSv1.3 we defer it until after cipher negotiation.
+ */
+ return tls_handle_alpn(s, al);
+}
+
static int init_sig_algs(SSL *s, unsigned int context)
{
/* Clear any signature algorithms extension received */
const char *label;
size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
int ret = -1;
+ int usepskfored = 0;
+
+ if (external
+ && s->early_data_state == SSL_EARLY_DATA_CONNECTING
+ && s->session->ext.max_early_data == 0
+ && sess->ext.max_early_data > 0)
+ usepskfored = 1;
if (external) {
label = external_label;
/*
* Generate the early_secret. On the server side we've selected a PSK to
* resume with (internal or external) so we always do this. On the client
- * side we do this for a non-external (i.e. resumption) PSK so that it
- * is in place for sending early data. For client side external PSK we
+ * side we do this for a non-external (i.e. resumption) PSK or external PSK
+ * that will be used for early_data so that it is in place for sending early
+ * data. For client side external PSK not being used for early_data we
* generate it but store it away for later use.
*/
- if (s->server || !external)
+ if (s->server || !external || usepskfored)
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
static int final_early_data(SSL *s, unsigned int context, int sent, int *al)
{
- if (!s->server || !sent)
+ if (!sent)
return 1;
+ if (!s->server) {
+ if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ && sent
+ && !s->ext.early_data_ok) {
+ /*
+ * If we get here then the server accepted our early_data but we
+ * later realised that it shouldn't have done (e.g. inconsistent
+ * ALPN)
+ */
+ *al = SSL_AD_ILLEGAL_PARAMETER;
+ return 0;
+ }
+
+ return 1;
+ }
+
if (s->max_early_data == 0
|| !s->hit
|| s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
- || s->hello_retry_request
- || s->s3->alpn_selected_len != s->session->ext.alpn_selected_len
- || (s->s3->alpn_selected_len > 0
- && memcmp(s->s3->alpn_selected, s->session->ext.alpn_selected,
- s->s3->alpn_selected_len) != 0)) {
+ || s->hello_retry_request) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;