*/
#include <openssl/ocsp.h>
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
#include "internal/cryptlib.h"
#define COOKIE_STATE_FORMAT_VERSION 0
return 0;
}
+ /*
+ * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
+ * we always use the SNI value from the handshake.
+ */
if (!s->hit || SSL_IS_TLS13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
}
s->servername_done = 1;
- }
- if (s->hit) {
+ } else {
+ /*
+ * In TLSv1.2 and below we should check if the SNI is consistent between
+ * the initial handshake and the resumption. In TLSv1.3 SNI is not
+ * associated with the session.
+ */
/*
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
s->servername_done = (s->session->ext.hostname != NULL)
&& PACKET_equal(&hostname, s->session->ext.hostname,
strlen(s->session->ext.hostname));
-
- if (!s->servername_done && s->session->ext.hostname != NULL)
- s->ext.early_data_ok = 0;
}
return 1;
if (!s->hit) {
if (!PACKET_memdup(&ec_point_format_list,
- &s->session->ext.ecpointformats,
- &s->session->ext.ecpointformats_len)) {
+ &s->ext.peer_ecpointformats,
+ &s->ext.peer_ecpointformats_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0;
return 1;
}
-#ifndef OPENSSL_NO_EC
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
}
if (!s->hit || SSL_IS_TLS13(s)) {
- OPENSSL_free(s->session->ext.supportedgroups);
- s->session->ext.supportedgroups = NULL;
- s->session->ext.supportedgroups_len = 0;
+ OPENSSL_free(s->ext.peer_supportedgroups);
+ s->ext.peer_supportedgroups = NULL;
+ s->ext.peer_supportedgroups_len = 0;
if (!tls1_save_u16(&supported_groups_list,
- &s->session->ext.supportedgroups,
- &s->session->ext.supportedgroups_len)) {
+ &s->ext.peer_supportedgroups,
+ &s->ext.peer_supportedgroups_len)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
}
}
- md = ssl_md(sess->cipher->algorithm2);
- if (md != ssl_md(s->s3.tmp.new_cipher->algorithm2)) {
+ md = ssl_md(s->ctx, sess->cipher->algorithm2);
+ if (!EVP_MD_is_a(md,
+ EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
/* The ciphersuite is not compatible with this session. */
SSL_SESSION_free(sess);
sess = NULL;
unsigned int context, X509 *x,
size_t chainidx)
{
- if (s->hit || s->servername_done != 1
- || s->ext.hostname == NULL)
+ if (s->servername_done != 1)
+ return EXT_RETURN_NOT_SENT;
+
+ /*
+ * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
+ * We just use the servername from the initial handshake.
+ */
+ if (s->hit && !SSL_IS_TLS13(s))
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
- && (s->session->ext.ecpointformats != NULL);
+ && (s->ext.peer_ecpointformats != NULL);
const unsigned char *plist;
size_t plistlen;
}
#endif
-#ifndef OPENSSL_NO_EC
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
for (i = 0; i < numgroups; i++) {
uint16_t group = groups[i];
- if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
+ if (tls_valid_group(s, group, SSL_version(s))
+ && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
if (first) {
/*
* Check if the client is already using our preferred group. If
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;
return EXT_RETURN_FAIL;
}
- skey = ssl_generate_pkey(ckey);
+ skey = ssl_generate_pkey(s, ckey);
if (skey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);