summaryrefslogtreecommitdiffstats
path: root/ssl/statem/statem_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssl/statem/statem_lib.c')
-rw-r--r--ssl/statem/statem_lib.c86
1 files changed, 46 insertions, 40 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 7ef74b1f69..0938788384 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -261,7 +261,7 @@ static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs,
static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69"
"\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
size_t hashlen;
/* Set the first 64 bytes of to-be-signed data to octet 32 */
@@ -580,14 +580,14 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
}
/*
- * In TLSv1.3 on the client side we make sure we prepare the client
+ * In (D)TLSv1.3 on the client side we make sure we prepare the client
* certificate after the CertVerify instead of when we get the
- * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
- * comes *before* the Certificate message. In TLSv1.2 it comes after. We
+ * CertificateRequest. This is because in (D)TLSv1.3 the CertificateRequest
+ * comes *before* the Certificate message. In (D)TLSv1.2 it comes after. We
* want to make sure that SSL_get1_peer_certificate() will return the actual
* server certificate from the client_cert_cb callback.
*/
- if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
+ if (!s->server && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.cert_req == 1)
ret = MSG_PROCESS_CONTINUE_PROCESSING;
else
ret = MSG_PROCESS_CONTINUE_READING;
@@ -618,7 +618,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
* moment. If we didn't already do this when we sent the client certificate
* then we need to do it now.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !s->server
&& (s->early_data_state != SSL_EARLY_DATA_NONE
|| (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
@@ -654,9 +654,9 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt)
/*
* Log the master secret, if logging is enabled. We don't log it for
- * TLSv1.3: there's a different key schedule for that.
+ * (D)TLSv1.3: there's a different key schedule for that.
*/
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
s->session->master_key_length)) {
/* SSLfatal() already called */
@@ -838,13 +838,13 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
/*
* To get this far we must have read encrypted data from the client. We
* no longer tolerate unencrypted alerts. This is ignored if less than
- * TLSv1.3
+ * (D)TLSv1.3
*/
if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
if (s->post_handshake_auth != SSL_PHA_REQUESTED)
s->statem.cleanuphand = 1;
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !tls13_save_handshake_digest_for_pha(s)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
@@ -855,14 +855,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
* In TLSv1.3 a Finished message signals a key change so the end of the
* message must be on a record boundary.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& RECORD_LAYER_processed_read_pending(&s->rlayer)) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
return MSG_PROCESS_ERROR;
}
/* If this occurs, we have missed a message */
- if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->s3.change_cipher_spec) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
return MSG_PROCESS_ERROR;
}
@@ -910,7 +910,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
* In TLS1.3 we also have to change cipher state and do any final processing
* of the initial server flight (if we are a client)
*/
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (s->server) {
if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
!ssl->method->ssl3_enc->change_cipher_state(s,
@@ -919,7 +919,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt)
return MSG_PROCESS_ERROR;
}
} else {
- /* TLS 1.3 gets the secret size from the handshake md */
+ /* (D)TLS 1.3 gets the secret size from the handshake md */
size_t dummy;
if (!ssl->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
@@ -981,7 +981,7 @@ static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt,
return 0;
}
- if ((SSL_CONNECTION_IS_TLS13(s) || for_comp)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || for_comp)
&& !tls_construct_extensions(s, pkt, context, x, chain)) {
/* SSLfatal() already called */
return 0;
@@ -1113,7 +1113,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
/*-
* ----------------------------
- * TLS 1.3 Certificate message:
+ * (D)TLS 1.3 Certificate message:
* ----------------------------
* https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2
*
@@ -1173,21 +1173,21 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
* -------------
* Consequently:
* -------------
- * After the (TLS 1.3 only) context octet string (1 byte length + data) the
+ * After the ((D)TLS 1.3 only) context octet string (1 byte length + data) the
* Certificate message has a 3-byte length that is zero in the client to
* server message when the client has no RPK to send. In that case, there
- * are no (TLS 1.3 only) per-certificate extensions either, because the
+ * are no ((D)TLS 1.3 only) per-certificate extensions either, because the
* [CertificateEntry] list is empty.
*
* In the server to client direction, or when the client had an RPK to send,
- * the TLS 1.3 message just prepends the length of the RPK+extensions,
+ * the (D)TLS 1.3 message just prepends the length of the RPK+extensions,
* while TLS <= 1.2 sends just the RPK (octet-string).
*
* The context must be zero-length in the server to client direction, and
* must match the value recorded in the certificate request in the client
* to server direction.
*/
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
if (!PACKET_get_length_prefixed_1(pkt, &context)) {
SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
goto err;
@@ -1229,7 +1229,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
if (cert_len == 0)
return 1;
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
/*
* With TLS 1.3, a non-empty explicit-length RPK octet-string followed
* by a possibly empty extension block.
@@ -1264,7 +1264,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk)
}
/* Process the Extensions block */
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) {
SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
goto err;
@@ -1341,7 +1341,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
* TLSv1.2 is _just_ the raw public key
* TLSv1.3 includes extensions, so there's a length wrapper
*/
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) {
if (!WPACKET_start_sub_packet_u24(pkt)) {
SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
@@ -1353,7 +1353,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
goto err;
}
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) {
/*
* Only send extensions relevant to raw public keys. Until such
* extensions are defined, this will be an empty set of extensions.
@@ -1437,7 +1437,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
s->init_num = 0;
}
- if (SSL_CONNECTION_IS_TLS13(s) && !s->server
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->server
&& s->post_handshake_auth == SSL_PHA_REQUESTED)
s->post_handshake_auth = SSL_PHA_EXT_SENT;
@@ -1459,14 +1459,14 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
* In TLSv1.3 we update the cache as part of constructing the
* NewSessionTicket
*/
- if (!SSL_CONNECTION_IS_TLS13(s))
+ if (!(SSL_CONNECTION_IS_TLS13(s))|| SSL_CONNECTION_IS_DTLS13(s))
ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
/* N.B. s->ctx may not equal s->session_ctx */
ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
s->handshake_func = ossl_statem_accept;
} else {
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
/*
* We encourage applications to only use TLSv1.3 tickets once,
* so we remove this one from the cache.
@@ -1509,7 +1509,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst,
if (cb != NULL) {
if (cleanuphand
- || !SSL_CONNECTION_IS_TLS13(s)
+ || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| SSL_IS_FIRST_HANDSHAKE(s))
cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
}
@@ -1690,7 +1690,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len)
*/
#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
/* KeyUpdate and NewSessionTicket do not need to be added */
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
&& s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
@@ -1984,7 +1984,7 @@ int ssl_version_supported(const SSL_CONNECTION *s, int version,
&& ssl_version_cmp(s, version, vent->version) == 0
&& ssl_method_error(s, thismeth()) == 0
&& (!s->server
- || version != TLS1_3_VERSION
+ || (version != TLS1_3_VERSION && version != DTLS1_3_VERSION)
|| is_tls13_capable(s))) {
if (meth != NULL)
*meth = thismeth();
@@ -2149,12 +2149,14 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
const version_info *table;
int disabled = 0;
RAW_EXTENSION *suppversions;
+ const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION
+ : TLS1_3_VERSION;
s->client_version = client_version;
switch (server_version) {
default:
- if (!SSL_CONNECTION_IS_TLS13(s)) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
if (ssl_version_cmp(s, client_version, s->version) < 0)
return SSL_R_WRONG_SSL_VERSION;
*dgrd = DOWNGRADE_NONE;
@@ -2186,9 +2188,11 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
return SSL_R_UNSUPPORTED_PROTOCOL;
- if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
+ if (suppversions->present) {
unsigned int candidate_vers = 0;
- unsigned int best_vers = 0;
+ const unsigned int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? UINT_MAX
+ : 0;
+ unsigned int best_vers = best_vers_init;
const SSL_METHOD *best_method = NULL;
PACKET versionslist;
@@ -2222,13 +2226,14 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
return SSL_R_LENGTH_MISMATCH;
}
- if (best_vers > 0) {
+ /* Did best_vers change from the initial value? */
+ if (best_vers != best_vers_init) {
if (s->hello_retry_request != SSL_HRR_NONE) {
/*
* This is after a HelloRetryRequest so we better check that we
- * negotiated TLSv1.3
+ * negotiated (D)TLSv1.3
*/
- if (best_vers != TLS1_3_VERSION)
+ if (best_vers != TLS1_3_VERSION && best_vers != DTLS1_3_VERSION)
return SSL_R_UNSUPPORTED_PROTOCOL;
return 0;
}
@@ -2245,10 +2250,11 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
/*
* If the supported versions extension isn't present, then the highest
- * version we can negotiate is TLSv1.2
+ * version we can negotiate is (D)TLSv1.2
*/
- if (ssl_version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
- client_version = TLS1_2_VERSION;
+ if (ssl_version_cmp(s, client_version, version1_3) >= 0)
+ client_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION
+ : TLS1_2_VERSION;
/*
* No supported versions extension, so we just use the version supplied in
@@ -2307,7 +2313,7 @@ int ssl_choose_client_version(SSL_CONNECTION *s, int version,
}
if (s->hello_retry_request != SSL_HRR_NONE
- && s->version != TLS1_3_VERSION) {
+ && (s->version != TLS1_3_VERSION && s->version != DTLS1_3_VERSION)) {
s->version = origv;
SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
return 0;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-30 19:45:11 +0000