{
size_t pcurveslen = 0;
if (sess) {
- *pcurves = s->session->tlsext_ellipticcurvelist;
- pcurveslen = s->session->tlsext_ellipticcurvelist_length;
+ *pcurves = s->session->tlsext_supportedgroupslist;
+ pcurveslen = s->session->tlsext_supportedgroupslist_length;
} else {
/* For Suite B mode only include P-256, P-384 */
switch (tls1_suiteb(s)) {
pcurveslen = 2;
break;
default:
- *pcurves = s->tlsext_ellipticcurvelist;
- pcurveslen = s->tlsext_ellipticcurvelist_length;
+ *pcurves = s->tlsext_supportedgroupslist;
+ pcurveslen = s->tlsext_supportedgroupslist_length;
}
if (!*pcurves) {
*pcurves = eccurves_default;
}
/*-
- * For nmatch >= 0, return the NID of the |nmatch|th shared curve or NID_undef
+ * For nmatch >= 0, return the NID of the |nmatch|th shared group or NID_undef
* if there is no match.
* For nmatch == -1, return number of matches
- * For nmatch == -2, return the NID of the curve to use for
+ * For nmatch == -2, return the NID of the group to use for
* an EC tmp key, or NID_undef if there is no match.
*/
-int tls1_shared_curve(SSL *s, int nmatch)
+int tls1_shared_group(SSL *s, int nmatch)
{
const unsigned char *pref, *supp;
size_t num_pref, num_supp, i, j;
return NID_undef;
}
-int tls1_set_curves(unsigned char **pext, size_t *pextlen,
- int *curves, size_t ncurves)
+int tls1_set_groups(unsigned char **pext, size_t *pextlen,
+ int *groups, size_t ngroups)
{
- unsigned char *clist, *p;
+ unsigned char *glist, *p;
size_t i;
/*
- * Bitmap of curves included to detect duplicates: only works while curve
+ * Bitmap of groups included to detect duplicates: only works while group
* ids < 32
*/
unsigned long dup_list = 0;
- clist = OPENSSL_malloc(ncurves * 2);
- if (clist == NULL)
+ glist = OPENSSL_malloc(ngroups * 2);
+ if (glist == NULL)
return 0;
- for (i = 0, p = clist; i < ncurves; i++) {
+ for (i = 0, p = glist; i < ngroups; i++) {
unsigned long idmask;
int id;
- id = tls1_ec_nid2curve_id(curves[i]);
+ /* TODO(TLS1.3): Convert for DH groups */
+ id = tls1_ec_nid2curve_id(groups[i]);
idmask = 1L << id;
if (!id || (dup_list & idmask)) {
- OPENSSL_free(clist);
+ OPENSSL_free(glist);
return 0;
}
dup_list |= idmask;
s2n(id, p);
}
OPENSSL_free(*pext);
- *pext = clist;
- *pextlen = ncurves * 2;
+ *pext = glist;
+ *pextlen = ngroups * 2;
return 1;
}
return 1;
}
-/* Set curves based on a colon separate list */
-int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
+/* Set groups based on a colon separate list */
+int tls1_set_groups_list(unsigned char **pext, size_t *pextlen, const char *str)
{
nid_cb_st ncb;
ncb.nidcnt = 0;
return 0;
if (pext == NULL)
return 1;
- return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
+ return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
}
/* For an EC key set TLS id and required compression based on parameters */
return 1;
}
/* Need a shared curve */
- if (tls1_shared_curve(s, 0))
+ if (tls1_shared_group(s, 0))
return 1;
return 0;
}
}
/*
- * Add TLS extension EllipticCurves to the ClientHello message
+ * Add TLS extension supported_groups to the ClientHello message
*/
- pcurves = s->tlsext_ellipticcurvelist;
+ /* TODO(TLS1.3): Add support for DHE groups */
+ pcurves = s->tlsext_supportedgroupslist;
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return 0;
}
- if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_elliptic_curves)
- /* Sub-packet for curves extension */
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
+ /* Sub-packet for supported_groups extension */
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return 0;
}
+ if (SSL_IS_TLS13(s)) {
+ int min_version, max_version, reason, currv;
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_start_sub_packet_u8(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
+ if (reason != 0) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, reason);
+ return 0;
+ }
+ /*
+ * TODO(TLS1.3): There is some discussion on the TLS list as to wheter
+ * we should include versions <TLS1.2. For the moment we do. To be
+ * reviewed later.
+ */
+ for (currv = max_version; currv >= min_version; currv--) {
+ /* TODO(TLS1.3): Remove this first if clause prior to release!! */
+ if (currv == TLS1_3_VERSION) {
+ if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+
/*
* Add padding to workaround bugs in F5 terminators. See
* https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
#ifndef OPENSSL_NO_EC
/*-
* ssl_check_for_safari attempts to fingerprint Safari using OS X
- * SecureTransport using the TLS extension block in |pkt|.
+ * SecureTransport using the TLS extension block in |hello|.
* Safari, since 10.6, sends exactly these extensions, in this order:
* SNI,
* elliptic_curves
* Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
* 10.8..10.8.3 (which don't work).
*/
-static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
+static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
{
unsigned int type;
PACKET sni, tmppkt;
/* Length of the common prefix (first two extensions). */
static const size_t kSafariCommonExtensionsLength = 18;
- tmppkt = *pkt;
+ tmppkt = hello->extensions;
if (!PACKET_forward(&tmppkt, 2)
|| !PACKET_get_net_2(&tmppkt, &type)
#endif /* !OPENSSL_NO_EC */
/*
- * Parse ClientHello extensions and stash extension info in various parts of
- * the SSL object. Verify that there are no duplicate extensions.
+ * Loop through all remaining ClientHello extensions that we collected earlier
+ * and haven't already processed. For each one parse it and update the SSL
+ * object as required.
*
* Behaviour upon resumption is extension-specific. If the extension has no
* effect during resumption, it is parsed (to verify its format) but otherwise
* ignored.
*
- * Consumes the entire packet in |pkt|. Returns 1 on success and 0 on failure.
+ * Returns 1 on success and 0 on failure.
* Upon failure, sets |al| to the appropriate alert.
*/
-static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
+static int ssl_scan_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello, int *al)
{
- unsigned int type;
+ size_t loop;
int renegotiate_seen = 0;
- PACKET extensions;
*al = SSL_AD_DECODE_ERROR;
s->servername_done = 0;
#ifndef OPENSSL_NO_EC
if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
- ssl_check_for_safari(s, pkt);
+ ssl_check_for_safari(s, hello);
#endif /* !OPENSSL_NO_EC */
/* Clear any signature algorithms extension received */
s->srtp_profile = NULL;
- if (PACKET_remaining(pkt) == 0)
- goto ri_check;
-
- if (!PACKET_as_length_prefixed_2(pkt, &extensions))
- return 0;
-
- if (!tls1_check_duplicate_extensions(&extensions))
- return 0;
-
/*
* We parse all extensions to ensure the ClientHello is well-formed but,
* unless an extension specifies otherwise, we ignore extensions upon
* resumption.
*/
- while (PACKET_get_net_2(&extensions, &type)) {
- PACKET extension;
- if (!PACKET_get_length_prefixed_2(&extensions, &extension))
- return 0;
+ for (loop = 0; loop < hello->num_extensions; loop++) {
+ RAW_EXTENSION *currext = &hello->pre_proc_exts[loop];
if (s->tlsext_debug_cb)
- s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
- (int)PACKET_remaining(&extension),
+ s->tlsext_debug_cb(s, 0, currext->type,
+ PACKET_data(&currext->data),
+ PACKET_remaining(&currext->data),
s->tlsext_debug_arg);
- if (type == TLSEXT_TYPE_renegotiate) {
- if (!ssl_parse_clienthello_renegotiate_ext(s, &extension, al))
+ if (currext->type == TLSEXT_TYPE_renegotiate) {
+ if (!ssl_parse_clienthello_renegotiate_ext(s,
+ &currext->data, al))
return 0;
renegotiate_seen = 1;
} else if (s->version == SSL3_VERSION) {
*
*/
- else if (type == TLSEXT_TYPE_server_name) {
+ else if (currext->type == TLSEXT_TYPE_server_name) {
unsigned int servname_type;
PACKET sni, hostname;
- if (!PACKET_as_length_prefixed_2(&extension, &sni)
+ if (!PACKET_as_length_prefixed_2(&currext->data, &sni)
/* ServerNameList must be at least 1 byte long. */
|| PACKET_remaining(&sni) == 0) {
return 0;
}
}
#ifndef OPENSSL_NO_SRP
- else if (type == TLSEXT_TYPE_srp) {
+ else if (currext->type == TLSEXT_TYPE_srp) {
PACKET srp_I;
- if (!PACKET_as_length_prefixed_1(&extension, &srp_I))
+ if (!PACKET_as_length_prefixed_1(&currext->data, &srp_I))
return 0;
if (PACKET_contains_zero_byte(&srp_I))
#endif
#ifndef OPENSSL_NO_EC
- else if (type == TLSEXT_TYPE_ec_point_formats) {
+ else if (currext->type == TLSEXT_TYPE_ec_point_formats) {
PACKET ec_point_format_list;
- if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
+ if (!PACKET_as_length_prefixed_1(&currext->data,
+ &ec_point_format_list)
|| PACKET_remaining(&ec_point_format_list) == 0) {
return 0;
}
return 0;
}
}
- } else if (type == TLSEXT_TYPE_elliptic_curves) {
- PACKET elliptic_curve_list;
-
- /* Each NamedCurve is 2 bytes and we must have at least 1. */
- if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
- || PACKET_remaining(&elliptic_curve_list) == 0
- || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
+ } else if (currext->type == TLSEXT_TYPE_supported_groups) {
+ PACKET supported_groups_list;
+
+ /* Each group is 2 bytes and we must have at least 1. */
+ if (!PACKET_as_length_prefixed_2(&currext->data,
+ &supported_groups_list)
+ || PACKET_remaining(&supported_groups_list) == 0
+ || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
return 0;
}
if (!s->hit) {
- if (!PACKET_memdup(&elliptic_curve_list,
- &s->session->tlsext_ellipticcurvelist,
+ if (!PACKET_memdup(&supported_groups_list,
+ &s->session->tlsext_supportedgroupslist,
&s->
- session->tlsext_ellipticcurvelist_length)) {
+ session->tlsext_supportedgroupslist_length)) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
}
}
#endif /* OPENSSL_NO_EC */
- else if (type == TLSEXT_TYPE_session_ticket) {
+ else if (currext->type == TLSEXT_TYPE_session_ticket) {
if (s->tls_session_ticket_ext_cb &&
- !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
- (int)PACKET_remaining(&extension),
- s->tls_session_ticket_ext_cb_arg))
- {
+ !s->tls_session_ticket_ext_cb(s,
+ PACKET_data(&currext->data),
+ PACKET_remaining(&currext->data),
+ s->tls_session_ticket_ext_cb_arg)) {
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
- } else if (type == TLSEXT_TYPE_signature_algorithms) {
+ } else if (currext->type == TLSEXT_TYPE_signature_algorithms) {
PACKET supported_sig_algs;
- if (!PACKET_as_length_prefixed_2(&extension, &supported_sig_algs)
+ if (!PACKET_as_length_prefixed_2(&currext->data,
+ &supported_sig_algs)
|| (PACKET_remaining(&supported_sig_algs) % 2) != 0
|| PACKET_remaining(&supported_sig_algs) == 0) {
return 0;
return 0;
}
}
- } else if (type == TLSEXT_TYPE_status_request) {
- if (!PACKET_get_1(&extension,
+ } else if (currext->type == TLSEXT_TYPE_status_request) {
+ if (!PACKET_get_1(&currext->data,
(unsigned int *)&s->tlsext_status_type)) {
return 0;
}
const unsigned char *ext_data;
PACKET responder_id_list, exts;
if (!PACKET_get_length_prefixed_2
- (&extension, &responder_id_list))
+ (&currext->data, &responder_id_list))
return 0;
/*
}
/* Read in request_extensions */
- if (!PACKET_as_length_prefixed_2(&extension, &exts))
+ if (!PACKET_as_length_prefixed_2(
+ &currext->data, &exts))
return 0;
if (PACKET_remaining(&exts) > 0) {
}
}
#ifndef OPENSSL_NO_HEARTBEATS
- else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_heartbeat) {
+ else if (SSL_IS_DTLS(s) && currext->type == TLSEXT_TYPE_heartbeat) {
unsigned int hbtype;
- if (!PACKET_get_1(&extension, &hbtype)
- || PACKET_remaining(&extension)) {
+ if (!PACKET_get_1(&currext->data, &hbtype)
+ || PACKET_remaining(&currext->data)) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
- else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0) {
+ else if (currext->type == TLSEXT_TYPE_next_proto_neg
+ && s->s3->tmp.finish_md_len == 0) {
/*-
* We shouldn't accept this extension on a
* renegotiation.
}
#endif
- else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
- s->s3->tmp.finish_md_len == 0) {
- if (!tls1_alpn_handle_client_hello(s, &extension, al))
+ else if (currext->type
+ == TLSEXT_TYPE_application_layer_protocol_negotiation
+ && s->s3->tmp.finish_md_len == 0) {
+ if (!tls1_alpn_handle_client_hello(s,
+ &currext->data, al))
return 0;
}
/* session ticket processed earlier */
#ifndef OPENSSL_NO_SRTP
else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
- && type == TLSEXT_TYPE_use_srtp) {
- if (ssl_parse_clienthello_use_srtp_ext(s, &extension, al))
+ && currext->type == TLSEXT_TYPE_use_srtp) {
+ if (ssl_parse_clienthello_use_srtp_ext(s,
+ &currext->data, al))
return 0;
}
#endif
- else if (type == TLSEXT_TYPE_encrypt_then_mac &&
- !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
+ else if (currext->type == TLSEXT_TYPE_encrypt_then_mac
+ && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
/*
* Note: extended master secret extension handled in
- * tls_check_serverhello_tlsext_early()
+ * tls_check_client_ems_support()
*/
/*
* ServerHello may be later returned.
*/
else if (!s->hit) {
- if (custom_ext_parse(s, 1, type, PACKET_data(&extension),
- PACKET_remaining(&extension), al) <= 0)
+ if (custom_ext_parse(s, 1, currext->type,
+ PACKET_data(&currext->data),
+ PACKET_remaining(&currext->data), al) <= 0)
return 0;
}
}
- if (PACKET_remaining(pkt) != 0) {
- /*
- * tls1_check_duplicate_extensions should ensure this never happens.
- */
- *al = SSL_AD_INTERNAL_ERROR;
- return 0;
- }
-
- ri_check:
-
/* Need RI if renegotiating */
if (!renegotiate_seen && s->renegotiate &&
return 1;
}
-int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
+int ssl_parse_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello)
{
int al = -1;
custom_ext_init(&s->cert->srv_ext);
- if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
+ if (ssl_scan_clienthello_tlsext(s, hello, &al) <= 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
}
return 1;
}
-/*-
- * Since the server cache lookup is done early on in the processing of the
- * ClientHello and other operations depend on the result some extensions
- * need to be handled at the same time.
+/*
+ * Given a list of extensions that we collected earlier, find one of a given
+ * type and return it.
*
- * Two extensions are currently handled, session ticket and extended master
- * secret.
+ * |exts| is the set of extensions previously collected.
+ * |numexts| is the number of extensions that we have.
+ * |type| the type of the extension that we are looking for.
*
- * session_id: ClientHello session ID.
- * ext: ClientHello extensions (including length prefix)
+ * Returns a pointer to the found RAW_EXTENSION data, or NULL if not found.
+ */
+RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
+ unsigned int type)
+{
+ size_t loop;
+
+ for (loop = 0; loop < numexts; loop++) {
+ if (exts[loop].type == type)
+ return &exts[loop];
+ }
+
+ return NULL;
+}
+
+/*-
+ * Gets the ticket information supplied by the client if any.
+ *
+ * hello: The parsed ClientHello data
* ret: (output) on return, if a ticket was decrypted, then this is set to
* point to the resulting session.
*
* a session ticket or we couldn't use the one it gave us, or if
* s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
* Otherwise, s->tlsext_ticket_expected is set to 0.
- *
- * For extended master secret flag is set if the extension is present.
- *
*/
-int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
- const PACKET *session_id,
- SSL_SESSION **ret)
+int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
+ SSL_SESSION **ret)
{
- unsigned int i;
- PACKET local_ext = *ext;
- int retv = -1;
-
- int have_ticket = 0;
- int use_ticket = tls_use_ticket(s);
+ int retv;
+ const unsigned char *etick;
+ size_t size;
+ RAW_EXTENSION *ticketext;
*ret = NULL;
s->tlsext_ticket_expected = 0;
- s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
/*
* If tickets disabled behave as if no ticket present to permit stateful
* resumption.
*/
- if ((s->version <= SSL3_VERSION))
+ if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
return 0;
- if (!PACKET_get_net_2(&local_ext, &i)) {
- retv = 0;
- goto end;
+ ticketext = tls_get_extension_by_type(hello->pre_proc_exts,
+ hello->num_extensions,
+ TLSEXT_TYPE_session_ticket);
+ if (ticketext == NULL)
+ return 0;
+
+ size = PACKET_remaining(&ticketext->data);
+ if (size == 0) {
+ /*
+ * The client will accept a ticket but doesn't currently have
+ * one.
+ */
+ s->tlsext_ticket_expected = 1;
+ return 1;
+ }
+ if (s->tls_session_secret_cb) {
+ /*
+ * Indicate that the ticket couldn't be decrypted rather than
+ * generating the session from ticket now, trigger
+ * abbreviated handshake based on external mechanism to
+ * calculate the master secret later.
+ */
+ return 2;
+ }
+ if (!PACKET_get_bytes(&ticketext->data, &etick, size)) {
+ /* Shouldn't ever happen */
+ return -1;
}
- while (PACKET_remaining(&local_ext) >= 4) {
- unsigned int type, size;
+ retv = tls_decrypt_ticket(s, etick, size, hello->session_id,
+ hello->session_id_len, ret);
+ switch (retv) {
+ case 2: /* ticket couldn't be decrypted */
+ s->tlsext_ticket_expected = 1;
+ return 2;
- if (!PACKET_get_net_2(&local_ext, &type)
- || !PACKET_get_net_2(&local_ext, &size)) {
- /* Shouldn't ever happen */
- retv = -1;
- goto end;
- }
- if (PACKET_remaining(&local_ext) < size) {
- retv = 0;
- goto end;
- }
- if (type == TLSEXT_TYPE_session_ticket && use_ticket) {
- int r;
- const unsigned char *etick;
+ case 3: /* ticket was decrypted */
+ return 3;
- /* Duplicate extension */
- if (have_ticket != 0) {
- retv = -1;
- goto end;
- }
- have_ticket = 1;
+ case 4: /* ticket decrypted but need to renew */
+ s->tlsext_ticket_expected = 1;
+ return 3;
- if (size == 0) {
- /*
- * The client will accept a ticket but doesn't currently have
- * one.
- */
- s->tlsext_ticket_expected = 1;
- retv = 1;
- continue;
- }
- if (s->tls_session_secret_cb) {
- /*
- * Indicate that the ticket couldn't be decrypted rather than
- * generating the session from ticket now, trigger
- * abbreviated handshake based on external mechanism to
- * calculate the master secret later.
- */
- retv = 2;
- continue;
- }
- if (!PACKET_get_bytes(&local_ext, &etick, size)) {
- /* Shouldn't ever happen */
- retv = -1;
- goto end;
- }
- r = tls_decrypt_ticket(s, etick, size, PACKET_data(session_id),
- PACKET_remaining(session_id), ret);
- switch (r) {
- case 2: /* ticket couldn't be decrypted */
- s->tlsext_ticket_expected = 1;
- retv = 2;
- break;
- case 3: /* ticket was decrypted */
- retv = r;
- break;
- case 4: /* ticket decrypted but need to renew */
- s->tlsext_ticket_expected = 1;
- retv = 3;
- break;
- default: /* fatal error */
- retv = -1;
- break;
- }
- continue;
- } else {
- if (type == TLSEXT_TYPE_extended_master_secret)
- s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
- if (!PACKET_forward(&local_ext, size)) {
- retv = -1;
- goto end;
- }
- }
+ default: /* fatal error */
+ return -1;
}
- if (have_ticket == 0)
- retv = 0;
- end:
- return retv;
+}
+
+/*
+ * Sets the extended master secret flag if the extension is present in the
+ * ClientHello
+ * Returns:
+ * 1 on success
+ * 0 on error
+ */
+int tls_check_client_ems_support(SSL *s, const CLIENTHELLO_MSG *hello)
+{
+ RAW_EXTENSION *emsext;
+
+ s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+
+ if (s->version <= SSL3_VERSION)
+ return 1;
+
+ emsext = tls_get_extension_by_type(hello->pre_proc_exts,
+ hello->num_extensions,
+ TLSEXT_TYPE_extended_master_secret);
+
+ /*
+ * No extensions is a success - we have successfully discovered that the
+ * client doesn't support EMS.
+ */
+ if (emsext == NULL)
+ return 1;
+
+ /* The extensions must always be empty */
+ if (PACKET_remaining(&emsext->data) != 0)
+ return 0;
+
+ s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
+
+ return 1;
}
/*-