int i, al = SSL_AD_INTERNAL_ERROR;
unsigned int compression;
unsigned int sversion;
+ unsigned int context;
int protverr;
RAW_EXTENSION *extensions = NULL;
#ifndef OPENSSL_NO_COMP
goto f_err;
}
- /*
- * TODO(TLS1.3): We give multiple contexts for now until we're ready to
- * give something more specific
- */
-
- if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_SERVER_HELLO
- | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
- | EXT_TLS1_3_CERTIFICATE,
- &extensions, &al))
- goto f_err;
-
-
- if (!tls_parse_all_extensions(s, EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_SERVER_HELLO
- | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
- | EXT_TLS1_3_CERTIFICATE,
- extensions, &al))
+ context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO
+ : EXT_TLS1_2_SERVER_HELLO;
+ if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al)
+ || !tls_parse_all_extensions(s, context, extensions, &al))
goto f_err;
#ifndef OPENSSL_NO_SCTP
{
int al = SSL_AD_INTERNAL_ERROR;
PACKET extensions;
+ RAW_EXTENSION *rawexts = NULL;
- /* TODO(TLS1.3): We need to process these extensions. For now ignore them */
if (!PACKET_as_length_prefixed_2(pkt, &extensions)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
goto err;
}
+ /*
+ * TODO(TLS1.3): For now we are processing Encrypted Extensions and
+ * Certificate extensions as part of this one message. Later we need to
+ * split out the Certificate extensions into the Certificate message
+ */
+ if (!tls_collect_extensions(s, &extensions,
+ EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | EXT_TLS1_3_CERTIFICATE, &rawexts, &al)
+ || !tls_parse_all_extensions(s,
+ EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | EXT_TLS1_3_CERTIFICATE,
+ rawexts, &al))
+ goto err;
+
return MSG_PROCESS_CONTINUE_READING;
err:
|| !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
|| (!SSL_IS_TLS13(s)
&& !WPACKET_put_bytes_u8(pkt, compm))
- /*
- * TODO(TLS1.3): For now we add all 1.2 and 1.3 extensions. Later
- * we will do this based on the actual protocol
- */
|| !tls_construct_extensions(s, pkt,
- EXT_TLS1_2_SERVER_HELLO
- | EXT_TLS1_3_SERVER_HELLO
- | EXT_TLS1_3_ENCRYPTED_EXTENSIONS
- | EXT_TLS1_3_CERTIFICATE, &al)) {
+ SSL_IS_TLS13(s)
+ ? EXT_TLS1_3_SERVER_HELLO
+ : EXT_TLS1_2_SERVER_HELLO, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
- /* TODO(TLS1.3): Zero length encrypted extensions message for now */
- if (!WPACKET_put_bytes_u16(pkt, 0)) {
+ int al;
+
+ /*
+ * TODO(TLS1.3): For now we send certificate extensions in with the
+ * encrypted extensions. Later we need to move these to the certificate
+ * message.
+ */
+ if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | EXT_TLS1_3_CERTIFICATE, &al)) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
}
#Test 1: Sending a status_request extension in both ClientHello and
#ServerHello but then omitting the CertificateStatus message is valid
-$proxy->clientflags("-status");
+#TODO(TLS1.3): Temporarily disabling this test in TLS1.3 until we've completed
+#the move the status request extension to the Certificate message.
+$proxy->clientflags("-status -no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1;
ok(TLSProxy::Message->success, "Missing CertificateStatus message");
projects / oweals / openssl.git / commitdiff