}
/*
- * Although the server_name extension was intended to be
- * extensible to new name types, RFC 4366 defined the
- * syntax inextensibly and OpenSSL 1.0.x parses it as
- * such.
+ * Although the intent was for server_name to be extensible, RFC 4366
+ * was not clear about it; and so OpenSSL among other implementations,
+ * always and only allows a 'host_name' name types.
* RFC 6066 corrected the mistake but adding new name types
* is nevertheless no longer feasible, so act as if no other
* SNI types can exist, to simplify parsing.
while (PACKET_get_1(&psk_kex_modes, &mode)) {
if (mode == TLSEXT_KEX_MODE_KE_DHE)
s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
- else if (mode == TLSEXT_KEX_MODE_KE)
+ else if (mode == TLSEXT_KEX_MODE_KE
+ && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
}
#endif
return 0;
}
- OPENSSL_free(s->session->ext.supportedgroups);
- s->session->ext.supportedgroups = NULL;
- s->session->ext.supportedgroups_len = 0;
- if (!PACKET_memdup(&supported_groups_list,
- &s->session->ext.supportedgroups,
- &s->session->ext.supportedgroups_len)) {
- *al = SSL_AD_INTERNAL_ERROR;
- return 0;
+ if (!s->hit || SSL_IS_TLS13(s)) {
+ OPENSSL_free(s->session->ext.supportedgroups);
+ s->session->ext.supportedgroups = NULL;
+ s->session->ext.supportedgroups_len = 0;
+ if (!PACKET_memdup(&supported_groups_list,
+ &s->session->ext.supportedgroups,
+ &s->session->ext.supportedgroups_len)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
}
return 1;
return 0;
}
+ if (s->hello_retry_request) {
+ *al = SSL_AD_ILLEGAL_PARAMETER;
+ return 0;
+ }
+
return 1;
}
PACKET identities, binders, binder;
size_t binderoffset, hashsize;
SSL_SESSION *sess = NULL;
- unsigned int id, i;
+ unsigned int id, i, ext = 0;
const EVP_MD *md = NULL;
- uint32_t ticket_age = 0, now, agesec, agems;
/*
* If we have no PSK kex mode that we recognise then we can't resume so
for (id = 0; PACKET_remaining(&identities) != 0; id++) {
PACKET identity;
unsigned long ticket_agel;
- int ret;
if (!PACKET_get_length_prefixed_2(&identities, &identity)
|| !PACKET_get_net_4(&identities, &ticket_agel)) {
return 0;
}
- ticket_age = (uint32_t)ticket_agel;
-
- ret = tls_decrypt_ticket(s, PACKET_data(&identity),
- PACKET_remaining(&identity), NULL, 0, &sess);
- if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
+ if (s->psk_find_session_cb != NULL
+ && !s->psk_find_session_cb(s, PACKET_data(&identity),
+ PACKET_remaining(&identity),
+ &sess)) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
- if (ret == TICKET_NO_DECRYPT)
- continue;
- md = ssl_md(sess->cipher->algorithm2);
- if (md == NULL) {
+ if (sess != NULL) {
+ /* We found a PSK */
+ SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
+
+ if (sesstmp == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ SSL_SESSION_free(sess);
+ sess = sesstmp;
+
/*
- * Don't recognise this cipher so we can't use the session.
- * Ignore it
+ * We've just been told to use this session for this context so
+ * make sure the sid_ctx matches up.
*/
+ memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
+ sess->sid_ctx_length = s->sid_ctx_length;
+ ext = 1;
+ s->ext.early_data_ok = 1;
+ } else {
+ uint32_t ticket_age = 0, now, agesec, agems;
+ int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
+ PACKET_remaining(&identity), NULL, 0,
+ &sess);
+
+ if (ret == TICKET_FATAL_ERR_MALLOC
+ || ret == TICKET_FATAL_ERR_OTHER) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ if (ret == TICKET_NO_DECRYPT)
+ continue;
+
+ ticket_age = (uint32_t)ticket_agel;
+ now = (uint32_t)time(NULL);
+ agesec = now - (uint32_t)sess->time;
+ agems = agesec * (uint32_t)1000;
+ ticket_age -= sess->ext.tick_age_add;
+
+ /*
+ * For simplicity we do our age calculations in seconds. If the
+ * client does it in ms then it could appear that their ticket age
+ * is longer than ours (our ticket age calculation should always be
+ * slightly longer than the client's due to the network latency).
+ * Therefore we add 1000ms to our age calculation to adjust for
+ * rounding errors.
+ */
+ if (sess->timeout >= (long)agesec
+ && agems / (uint32_t)1000 == agesec
+ && ticket_age <= agems + 1000
+ && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
+ /*
+ * Ticket age is within tolerance and not expired. We allow it
+ * for early data
+ */
+ s->ext.early_data_ok = 1;
+ }
+ }
+
+ md = ssl_md(sess->cipher->algorithm2);
+ if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
+ /* The ciphersuite is not compatible with this session. */
SSL_SESSION_free(sess);
sess = NULL;
continue;
}
-
- /*
- * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
- * Ignored for now
- */
-
break;
}
|| tls_psk_do_binder(s, md,
(const unsigned char *)s->init_buf->data,
binderoffset, PACKET_data(&binder), NULL,
- sess, 0) != 1) {
+ sess, 0, ext) != 1) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
goto err;
sess->ext.tick_identity = id;
- now = (uint32_t)time(NULL);
- agesec = now - (uint32_t)sess->time;
- agems = agesec * (uint32_t)1000;
- ticket_age -= sess->ext.tick_age_add;
-
-
- /*
- * For simplicity we do our age calculations in seconds. If the client does
- * it in ms then it could appear that their ticket age is longer than ours
- * (our ticket age calculation should always be slightly longer than the
- * client's due to the network latency). Therefore we add 1000ms to our age
- * calculation to adjust for rounding errors.
- */
- if (sess->timeout >= (long)agesec
- && agems / (uint32_t)1000 == agesec
- && ticket_age <= agems + 1000
- && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
- /*
- * Ticket age is within tolerance and not expired. We allow it for early
- * data
- */
- s->ext.early_data_ok = 1;
- }
-
-
SSL_SESSION_free(s->session);
s->session = sess;
return 1;