size_t chainidx, int *al)
{
if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
- s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 1;
return 1;
}
}
if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ *al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
return 0;
}
return 0;
}
- /*
- * Get the clients list of supported curves.
- * TODO(TLS1.3): We should validate that we actually received
- * supported_groups!
- */
+ /* Get the clients list of supported curves. */
if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
}
+ if (clnt_num_curves == 0) {
+ /*
+ * This can only happen if the supported_groups extension was not sent,
+ * because we verify that the length is non-zero when we process that
+ * extension.
+ */
+ *al = SSL_AD_MISSING_EXTENSION;
+ SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
+ SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
+ return 0;
+ }
while (PACKET_remaining(&key_share_list) > 0) {
if (!PACKET_get_net_2(&key_share_list, &group_id)
|| !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
|| PACKET_remaining(&encoded_pt) == 0) {
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ *al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSL_R_LENGTH_MISMATCH);
return 0;
/* Check if this share is in supported_groups sent from client */
if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ *al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
return 0;
}
return 1;
}
+
+int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx, int *al)
+{
+ if (PACKET_remaining(pkt) != 0) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ return 1;
+}
+
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al)
{
SSL_SESSION *sess = NULL;
unsigned int id, i;
const EVP_MD *md = NULL;
+ uint32_t ticket_age = 0, now, agesec, agems;
/*
* If we have no PSK kex mode that we recognise then we can't resume so
for (id = 0; PACKET_remaining(&identities) != 0; id++) {
PACKET identity;
- unsigned long ticket_age;
+ unsigned long ticket_agel;
int ret;
if (!PACKET_get_length_prefixed_2(&identities, &identity)
- || !PACKET_get_net_4(&identities, &ticket_age)) {
+ || !PACKET_get_net_4(&identities, &ticket_agel)) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
- /* TODO(TLS1.3): Should we validate the ticket age? */
+ ticket_age = (uint32_t)ticket_agel;
ret = tls_decrypt_ticket(s, PACKET_data(&identity),
PACKET_remaining(&identity), NULL, 0, &sess);
}
sess->ext.tick_identity = id;
+
+ now = (uint32_t)time(NULL);
+ agesec = now - (uint32_t)sess->time;
+ agems = agesec * (uint32_t)1000;
+ ticket_age -= sess->ext.tick_age_add;
+
+
+ /*
+ * For simplicity we do our age calculations in seconds. If the client does
+ * it in ms then it could appear that their ticket age is longer than ours
+ * (our ticket age calculation should always be slightly longer than the
+ * client's due to the network latency). Therefore we add 1000ms to our age
+ * calculation to adjust for rounding errors.
+ */
+ if (sess->timeout >= (long)agesec
+ && agems / (uint32_t)1000 == agesec
+ && ticket_age <= agems + 1000
+ && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
+ /*
+ * Ticket age is within tolerance and not expired. We allow it for early
+ * data
+ */
+ s->ext.early_data_ok = 1;
+ }
+
+
SSL_SESSION_free(s->session);
s->session = sess;
return 1;
err:
+ SSL_SESSION_free(sess);
return 0;
}
}
#endif
+#ifndef OPENSSL_NO_EC
+int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx, int *al)
+{
+ const unsigned char *groups;
+ size_t numgroups, i, first = 1;
+
+ /* s->s3->group_id is non zero if we accepted a key_share */
+ if (s->s3->group_id == 0)
+ return 1;
+
+ /* Get our list of supported groups */
+ if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ /* Copy group ID if supported */
+ for (i = 0; i < numgroups; i++, groups += 2) {
+ if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
+ if (first) {
+ /*
+ * Check if the client is already using our preferred group. If
+ * so we don't need to add this extension
+ */
+ if (s->s3->group_id == GET_GROUP_ID(groups, 0))
+ return 1;
+
+ /* Add extension header */
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
+ /* Sub-packet for supported_groups extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ first = 0;
+ }
+ if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ }
+
+ if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+}
+#endif
+
int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx, int *al)
int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al)
{
- if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
+ if (!s->ext.use_etm)
return 1;
/*
|| s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
|| s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
|| s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
- s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 0;
return 1;
}
return 1;
}
+int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx, int *al)
+{
+ if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
+ if (s->max_early_data == 0)
+ return 1;
+
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+ }
+
+ if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
+ return 1;
+
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+}
+
int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al)
{
projects / openssl.git / blobdiff