if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
|| (alg_a & SSL_aECDSA)
|| c->min_tls >= TLS1_3_VERSION)
- break;
+ return 1;
}
- return i < end;
+ return 0;
}
int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
* Add TLS extension supported_groups to the ClientHello message
*/
/* TODO(TLS1.3): Add support for DHE groups */
- pcurves = s->ext.supportedgroups;
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
}
/*
- * TODO(TLS1.3): There is some discussion on the TLS list as to wheter
+ * TODO(TLS1.3): There is some discussion on the TLS list as to whether
* we should include versions <TLS1.2. For the moment we do. To be
* reviewed later.
*/
return 0;
}
- pcurves = s->ext.supportedgroups;
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
ret = 1;
end:
OPENSSL_free(s->ext.tls13_cookie);
+ s->ext.tls13_cookie = NULL;
s->ext.tls13_cookie_len = 0;
return ret;
#define F5_WORKAROUND_MIN_MSG_LEN 0xff
#define F5_WORKAROUND_MAX_MSG_LEN 0x200
+/*
+ * PSK pre binder overhead =
+ * 2 bytes for TLSEXT_TYPE_psk
+ * 2 bytes for extension length
+ * 2 bytes for identities list length
+ * 2 bytes for identity length
+ * 4 bytes for obfuscated_ticket_age
+ * 2 bytes for binder list length
+ * 1 byte for binder length
+ * The above excludes the number of bytes for the identity itself and the
+ * subsequent binder bytes
+ */
+#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
+
int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al)
{
return 1;
/*
- * Add padding to workaround bugs in F5 terminators. See
- * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
- * code calculates the length of all existing extensions it MUST always
- * appear last.
+ * Add padding to workaround bugs in F5 terminators. See RFC7685.
+ * This code calculates the length of all extensions added so far but
+ * excludes the PSK extension (because that MUST be written last). Therefore
+ * this extension MUST always appear second to last.
*/
if (!WPACKET_get_total_written(pkt, &hlen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
return 0;
}
+ /*
+ * If we're going to send a PSK then that will be written out after this
+ * extension, so we need to calculate how long it is going to be.
+ */
+ if (s->session->ssl_version == TLS1_3_VERSION
+ && s->session->ext.ticklen != 0
+ && s->session->cipher != NULL) {
+ const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
+
+ if (md != NULL) {
+ /*
+ * Add the fixed PSK overhead, the identity length and the binder
+ * length.
+ */
+ hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
+ + EVP_MD_size(md);
+ }
+ }
+
if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
- /* Calculate the amond of padding we need to add */
+ /* Calculate the amount of padding we need to add */
hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
/*
s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
+ /*
+ * Note: At this stage of the code we only support adding a single
+ * resumption PSK. If we add support for multiple PSKs then the length
+ * calculations in the padding extension will need to be adjusted.
+ */
+
/*
* If this is an incompatible or new session then we have nothing to resume
* so don't add this extension.
md = ssl_md(s->session->cipher->algorithm2);
if (md == NULL) {
- /* Don't recognise this cipher so we can't use the session. Ignore it */
+ /* Don't recognize this cipher so we can't use the session. Ignore it */
+ return 1;
+ }
+
+ if (s->hello_retry_request && md != ssl_handshake_md(s)) {
+ /*
+ * Selected ciphersuite hash does not match the hash for the session so
+ * we can't use it.
+ */
return 1;
}
return 1;
}
-int tls_parse_stoc_early_data_info(SSL *s, PACKET *pkt, unsigned int context,
- X509 *x, size_t chainidx, int *al)
-{
- unsigned long max_early_data;
-
- if (!PACKET_get_net_4(pkt, &max_early_data)
- || PACKET_remaining(pkt) != 0) {
- SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO,
- SSL_R_INVALID_MAX_EARLY_DATA);
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- s->session->ext.max_early_data = max_early_data;
-
- return 1;
-}
-
#ifndef OPENSSL_NO_EC
int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al)
* MUST only be sent if we've requested a status
* request message. In TLS <= 1.2 it must also be empty.
*/
- if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
+ if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
|| (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
*al = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
if (SSL_IS_TLS13(s)) {
/* We only know how to handle this if it's for the first Certificate in
- * the chain. We ignore any other repsonses.
+ * the chain. We ignore any other responses.
*/
if (chainidx != 0)
return 1;
}
/* Validate the selected group is one we support */
- pcurves = s->ext.supportedgroups;
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al)
{
+ if (context == EXT_TLS1_3_NEW_SESSION_TICKET) {
+ unsigned long max_early_data;
+
+ if (!PACKET_get_net_4(pkt, &max_early_data)
+ || PACKET_remaining(pkt) != 0) {
+ SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA,
+ SSL_R_INVALID_MAX_EARLY_DATA);
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ s->session->ext.max_early_data = max_early_data;
+
+ return 1;
+ }
+
if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR;
return 0;