From 656d40953c3637b557de9920f7e694aec97bc5ed Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 25 Mar 2024 22:43:06 +0100 Subject: Do DTLS13 and TLS13 connection version check in one macro Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22366) --- ssl/ssl_local.h | 6 +++- ssl/statem/statem.c | 2 +- ssl/statem/statem_clnt.c | 58 ++++++++++++++++++------------------- ssl/statem/statem_lib.c | 40 +++++++++++++------------- ssl/statem/statem_srvr.c | 74 ++++++++++++++++++++++++------------------------ 5 files changed, 92 insertions(+), 88 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index b4a10b7bfa..3b5c87318f 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -268,8 +268,12 @@ && SSL_CONNECTION_GET_SSL(s)->method->version >= TLS1_3_VERSION \ && SSL_CONNECTION_GET_SSL(s)->method->version != TLS_ANY_VERSION) +/* Check if we are using (D)TLSv1.3 */ +# define SSL_CONNECTION_IS_VERSION13(s) \ + (SSL_CONNECTION_IS_DTLS13(s) || SSL_CONNECTION_IS_TLS13(s)) + # define SSL_CONNECTION_TREAT_AS_TLS13(s) \ - ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) \ + (SSL_CONNECTION_IS_VERSION13(s) \ || (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \ || (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \ || (s)->early_data_state == SSL_EARLY_DATA_WRITING \ diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 5fd05235b4..1a1012e40d 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -398,7 +398,7 @@ static int state_machine(SSL_CONNECTION *s, int server) s->server = server; if (cb != NULL) { - if (SSL_IS_FIRST_HANDSHAKE(s) || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) + if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_VERSION13(s)) cb(ssl, SSL_CB_HANDSHAKE_START, 1); } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 7509b69f7d..66656aca0d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -235,7 +235,7 @@ int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) * Note that after writing the first ClientHello we don't know what version * we are going to negotiate yet, so we don't take this branch until later. */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ossl_statem_client13_read_transition(s, mt)) goto err; return 1; @@ -547,7 +547,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) * version we are going to negotiate yet, so we don't take this branch until * later */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) return ossl_statem_client13_write_transition(s); switch (st->hand_state) { @@ -836,7 +836,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_CW_CHANGE: - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) + if (SSL_CONNECTION_IS_VERSION13(s) || s->hello_retry_request == SSL_HRR_PENDING) break; if (s->early_data_state == SSL_EARLY_DATA_CONNECTING @@ -897,7 +897,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_B; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!tls13_save_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return WORK_ERROR; @@ -1058,7 +1058,7 @@ size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) return CCS_MAX_LENGTH; case TLS_ST_CR_SESSION_TICKET: - return (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 + return SSL_CONNECTION_IS_VERSION13(s) ? SESSION_TICKET_MAX_LENGTH_TLS13 : SESSION_TICKET_MAX_LENGTH_TLS12; case TLS_ST_CR_FINISHED: @@ -1408,7 +1408,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s, return 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.new_cipher != NULL + if (SSL_CONNECTION_IS_VERSION13(s) && s->s3.tmp.new_cipher != NULL && s->s3.tmp.new_cipher->id != c->id) { /* ServerHello selected a different ciphersuite to that in the HRR */ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); @@ -1423,7 +1423,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s, if (s->session->cipher != NULL) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { const EVP_MD *md = ssl_md(sctx, c->algorithm2); if (!ossl_assert(s->session->cipher != NULL)) { @@ -1548,7 +1548,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) } } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || hrr) { + if (SSL_CONNECTION_IS_VERSION13(s) || hrr) { if (compression != 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_COMPRESSION_ALGORITHM); @@ -1576,7 +1576,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * Now we have chosen the version we need to check again that the extensions * are appropriate for this version. */ - context = (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SSL_EXT_TLS1_3_SERVER_HELLO + context = SSL_CONNECTION_IS_VERSION13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO; if (!tls_validate_all_contexts(s, context, extensions)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); @@ -1585,7 +1585,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) s->hit = 0; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * In TLSv1.3 a ServerHello message signals a key change so the end of * the message must be on a record boundary. @@ -1678,7 +1678,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * echo of what we originally sent in the ClientHello and should not be * used for resumption. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { s->session->session_id_length = session_id_len; /* session_id_len could be 0 */ if (session_id_len > 0) @@ -1785,7 +1785,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * In TLSv1.3 we have some post-processing to change cipher state, otherwise * we're done with this message */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ssl->method->ssl3_enc->setup_key_block(s) || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) { @@ -1936,7 +1936,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, * skip check since TLS 1.3 ciphersuites can be used with any certificate * type. */ - if (!(SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) { + if (!SSL_CONNECTION_IS_VERSION13(sc)) { if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) { SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE); return WORK_ERROR; @@ -1951,7 +1951,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, sc->session->verify_result = sc->verify_result; /* Save the current hash state for when we receive the CertificateVerify */ - if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_handshake_hash(sc, sc->cert_verify_hash, sizeof(sc->cert_verify_hash), &sc->cert_verify_hash_len)) { @@ -1986,7 +1986,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, goto err; } - if (((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !PACKET_get_1(pkt, &context)) + if ((SSL_CONNECTION_IS_VERSION13(s) && !PACKET_get_1(pkt, &context)) || context != 0 || !PACKET_get_net_3(pkt, &cert_list_len) || PACKET_remaining(pkt) != cert_list_len @@ -2018,7 +2018,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, goto err; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; @@ -2122,7 +2122,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, * skip check since TLS 1.3 ciphersuites can be used with any certificate * type. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); return WORK_ERROR; @@ -2138,7 +2138,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, s->session->peer_rpk = NULL; /* Save the current hash state for when we receive the CertificateVerify */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !ssl_handshake_hash(s, s->cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -2572,7 +2572,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, if (s->s3.tmp.valid_flags == NULL) return 0; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { PACKET reqctx, extensions; RAW_EXTENSION *rawexts = NULL; @@ -2677,7 +2677,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, * SSL_get1_peer_certificate() returns something sensible in * client_cert_cb. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) return MSG_PROCESS_CONTINUE_READING; @@ -2698,11 +2698,11 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, PACKET_null_init(&nonce); if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) - || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + || (SSL_CONNECTION_IS_VERSION13(s) && (!PACKET_get_net_4(pkt, &age_add) || !PACKET_get_length_prefixed_1(pkt, &nonce))) || !PACKET_get_net_2(pkt, &ticklen) - || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? (ticklen == 0 + || (SSL_CONNECTION_IS_VERSION13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) : PACKET_remaining(pkt) != ticklen)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); @@ -2725,7 +2725,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, * post-handshake and the session may have already gone into the session * cache. */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || s->session->session_id_length > 0) { + if (SSL_CONNECTION_IS_VERSION13(s) || s->session->session_id_length > 0) { SSL_SESSION *new_sess; /* @@ -2738,7 +2738,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, } if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 - && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + && !SSL_CONNECTION_IS_VERSION13(s)) { /* * In TLSv1.2 and below the arrival of a new tickets signals that * any old ticket we were using is now out of date, so we remove the @@ -2772,7 +2772,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session->ext.tick_age_add = age_add; s->session->ext.ticklen = ticklen; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { PACKET extpkt; if (!PACKET_as_length_prefixed_2(pkt, &extpkt) @@ -2825,7 +2825,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session->not_resumable = 0; /* This is a standalone message in TLSv1.3, so there is no more to read */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { const EVP_MD *md = ssl_handshake_md(s); int hashleni = EVP_MD_get_size(md); size_t hashlen; @@ -3741,7 +3741,7 @@ WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) } } - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; @@ -3761,7 +3761,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, CERT_PKEY *cpk = NULL; SSL *ssl = SSL_CONNECTION_GET_SSL(s); - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (s->pha_context == NULL) { /* no context available, add 0-length context */ if (!WPACKET_put_bytes_u8(pkt, 0)) { @@ -3798,7 +3798,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, * then we deferred changing the handshake write keys to the last possible * moment. We need to do it now. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && SSL_IS_FIRST_HANDSHAKE(s) && (s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 0938788384..5711e7f954 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -261,7 +261,7 @@ static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs, static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69" "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { size_t hashlen; /* Set the first 64 bytes of to-be-signed data to octet 32 */ @@ -587,7 +587,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) * want to make sure that SSL_get1_peer_certificate() will return the actual * server certificate from the client_cert_cb callback. */ - if (!s->server && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.cert_req == 1) + if (!s->server && SSL_CONNECTION_IS_VERSION13(s) && s->s3.tmp.cert_req == 1) ret = MSG_PROCESS_CONTINUE_PROCESSING; else ret = MSG_PROCESS_CONTINUE_READING; @@ -618,7 +618,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) * moment. If we didn't already do this when we sent the client certificate * then we need to do it now. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !s->server && (s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) @@ -656,7 +656,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) * Log the master secret, if logging is enabled. We don't log it for * (D)TLSv1.3: there's a different key schedule for that. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, s->session->master_key_length)) { /* SSLfatal() already called */ @@ -844,7 +844,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); if (s->post_handshake_auth != SSL_PHA_REQUESTED) s->statem.cleanuphand = 1; - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !tls13_save_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR; @@ -855,14 +855,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) * In TLSv1.3 a Finished message signals a key change so the end of the * message must be on a record boundary. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); return MSG_PROCESS_ERROR; } /* If this occurs, we have missed a message */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->s3.change_cipher_spec) { + if (!SSL_CONNECTION_IS_VERSION13(s) && !s->s3.change_cipher_spec) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); return MSG_PROCESS_ERROR; } @@ -910,7 +910,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) * In TLS1.3 we also have to change cipher state and do any final processing * of the initial server flight (if we are a client) */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (s->server) { if (s->post_handshake_auth != SSL_PHA_REQUESTED && !ssl->method->ssl3_enc->change_cipher_state(s, @@ -981,7 +981,7 @@ static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt, return 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || for_comp) + if ((SSL_CONNECTION_IS_VERSION13(s) || for_comp) && !tls_construct_extensions(s, pkt, context, x, chain)) { /* SSLfatal() already called */ return 0; @@ -1187,7 +1187,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) * must match the value recorded in the certificate request in the client * to server direction. */ - if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (!PACKET_get_length_prefixed_1(pkt, &context)) { SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); goto err; @@ -1229,7 +1229,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) if (cert_len == 0) return 1; - if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { /* * With TLS 1.3, a non-empty explicit-length RPK octet-string followed * by a possibly empty extension block. @@ -1264,7 +1264,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) } /* Process the Extensions block */ - if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) { SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); goto err; @@ -1341,7 +1341,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) * TLSv1.2 is _just_ the raw public key * TLSv1.3 includes extensions, so there's a length wrapper */ - if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (!WPACKET_start_sub_packet_u24(pkt)) { SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -1353,7 +1353,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) goto err; } - if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { /* * Only send extensions relevant to raw public keys. Until such * extensions are defined, this will be an empty set of extensions. @@ -1437,7 +1437,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, s->init_num = 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->server + if (SSL_CONNECTION_IS_VERSION13(s) && !s->server && s->post_handshake_auth == SSL_PHA_REQUESTED) s->post_handshake_auth = SSL_PHA_EXT_SENT; @@ -1459,14 +1459,14 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, * In TLSv1.3 we update the cache as part of constructing the * NewSessionTicket */ - if (!(SSL_CONNECTION_IS_TLS13(s))|| SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s)) ssl_update_cache(s, SSL_SESS_CACHE_SERVER); /* N.B. s->ctx may not equal s->session_ctx */ ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; } else { - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We encourage applications to only use TLSv1.3 tickets once, * so we remove this one from the cache. @@ -1509,7 +1509,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, if (cb != NULL) { if (cleanuphand - || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + || !SSL_CONNECTION_IS_VERSION13(s) || SSL_IS_FIRST_HANDSHAKE(s)) cb(ssl, SSL_CB_HANDSHAKE_DONE, 1); } @@ -1690,7 +1690,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len) */ #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) /* KeyUpdate and NewSessionTicket do not need to be added */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO @@ -2156,7 +2156,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, switch (server_version) { default: - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { if (ssl_version_cmp(s, client_version, s->version) < 0) return SSL_R_WRONG_SSL_VERSION; *dgrd = DOWNGRADE_NONE; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 5dc1e1dbcc..57927271db 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -180,7 +180,7 @@ int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) { OSSL_STATEM *st = &s->statem; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ossl_statem_server13_read_transition(s, mt)) goto err; return 1; @@ -415,7 +415,7 @@ int send_certificate_request(SSL_CONNECTION *s) * don't request if post-handshake-only unless doing * post-handshake in TLSv1.3: */ - && (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + && (!SSL_CONNECTION_IS_VERSION13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) /* @@ -609,7 +609,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) * to negotiate yet, so we don't take this branch until later */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) return ossl_statem_server13_write_transition(s); switch (st->hand_state) { @@ -785,7 +785,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->sent_tickets == 0 + if (SSL_CONNECTION_IS_VERSION13(s) && s->sent_tickets == 0 && s->ext.extra_tickets_expected == 0) { /* * Actually this is the end of the handshake, but we're going @@ -806,7 +806,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_SW_CHANGE: - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) break; /* Writes to s->session are only safe for initial handshakes */ if (s->session->cipher == NULL) { @@ -905,7 +905,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && s->hello_retry_request == SSL_HRR_PENDING) { if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 && statem_flush(s) != 1) @@ -942,7 +942,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) sizeof(sctpauthkey), sctpauthkey); } #endif - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 && s->hello_retry_request != SSL_HRR_COMPLETE)) break; @@ -955,7 +955,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ssl->method->ssl3_enc->setup_key_block(s) || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { @@ -1014,7 +1014,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) 0, NULL); } #endif - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* (D)TLS 1.3 gets the secret size from the handshake md */ size_t dummy; if (!ssl->method->ssl3_enc->generate_master_secret(s, @@ -1032,7 +1032,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_A; } else { - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } @@ -1040,7 +1040,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_ENCRYPTED_EXTENSIONS: if (!s->hit && !send_certificate_request(s)) { - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } @@ -1057,7 +1057,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_SESSION_TICKET: clear_sys_error(); - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && statem_flush(s) != 1) { + if (SSL_CONNECTION_IS_VERSION13(s) && statem_flush(s) != 1) { if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL && conn_is_closed()) { /* @@ -1474,7 +1474,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) /* Check if this is actually an unexpected renegotiation ClientHello */ if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { - if (!ossl_assert(!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) { + if (!ossl_assert(!SSL_CONNECTION_IS_VERSION13(s))) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1745,7 +1745,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); goto err; @@ -1813,7 +1813,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (SSL_CONNECTION_IS_VERSION13(s)) { const SSL_CIPHER *cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); @@ -1882,7 +1882,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (SSL_CONNECTION_IS_VERSION13(s)) { memcpy(s->tmp_session_id, s->clienthello->session_id, s->clienthello->session_id_len); s->tmp_session_id_len = s->clienthello->session_id_len; @@ -1892,7 +1892,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check * ciphersuite compatibility with the session as part of resumption. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->hit) { + if (!SSL_CONNECTION_IS_VERSION13(s) && s->hit) { j = 0; id = s->session->cipher->id; @@ -1961,7 +1961,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (!s->hit && ssl_version_cmp(s, s->version, SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION : TLS1_VERSION) >= 0 - && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + && !SSL_CONNECTION_IS_VERSION13(s) && s->ext.session_secret_cb != NULL) { const SSL_CIPHER *pref_cipher = NULL; /* @@ -2006,7 +2006,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * algorithms from the client, starting at q. */ s->s3.tmp.new_compression = NULL; - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We already checked above that the NULL compression method appears in * the list. Now we check there aren't any others (which is illegal in @@ -2093,7 +2093,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher */ - if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) { sk_SSL_CIPHER_free(s->peer_ciphers); s->peer_ciphers = ciphers; if (ciphers == NULL) { @@ -2280,7 +2280,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) wst = WORK_MORE_B; } if (wst == WORK_MORE_B) { - if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) { /* Let cert callback update server certificates if required */ if (!s->hit && s->cert->cert_cb != NULL) { int rv = s->cert->cert_cb(ssl, s->cert->cert_cb_arg); @@ -2296,7 +2296,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) } /* In TLSv1.3 we selected the ciphersuite before resumption */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { cipher = ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(ssl)); @@ -2354,7 +2354,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) * we already did this because cipher negotiation happens earlier, and * we must handle ALPN before we decide whether to accept early_data. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !tls_handle_alpn(s)) { + if (!SSL_CONNECTION_IS_VERSION13(s) && !tls_handle_alpn(s)) { /* SSLfatal() already called */ goto err; } @@ -2471,7 +2471,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) if (!tls_construct_extensions(s, pkt, s->hello_retry_request == SSL_HRR_PENDING ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST - : ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + : (SSL_CONNECTION_IS_VERSION13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO), NULL, 0)) { @@ -2827,7 +2827,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) { - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* Send random context when doing post-handshake auth */ if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { OPENSSL_free(s->pha_context); @@ -3573,7 +3573,7 @@ MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt) * Freeze the handshake buffer. For pha_context == NULL && PACKET_remaining(&context) != 0) || (s->pha_context != NULL @@ -3672,7 +3672,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, goto err; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; @@ -3767,7 +3767,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, * Freeze the handshake buffer. For cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -3826,7 +3826,7 @@ CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt * In TLSv1.3 the certificate chain is always preceded by a 0 length context * for the server Certificate message */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !WPACKET_put_bytes_u8(pkt, 0)) { + if (SSL_CONNECTION_IS_VERSION13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -3891,7 +3891,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, */ #define ONE_WEEK_SEC (7 * 24 * 60 * 60) - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (ossl_time_compare(s->session->timeout, ossl_seconds2time(ONE_WEEK_SEC)) > 0) timeout = ONE_WEEK_SEC; @@ -3903,7 +3903,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, return 0; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!WPACKET_put_bytes_u32(pkt, age_add) || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -4030,7 +4030,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, * length ticket is not allowed so we abort construction of the * ticket */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { ok = CON_FUNC_DONT_SEND; goto err; } @@ -4173,7 +4173,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt age_add_u.age_add = 0; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { size_t i, hashlen; uint64_t nonce; static const unsigned char nonce_label[] = "resumption"; @@ -4260,7 +4260,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there * is no point in using full stateless tickets. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && ((s->options & SSL_OP_NO_TICKET) != 0 || (s->max_early_data > 0 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { @@ -4285,7 +4285,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt } } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_NEW_SESSION_TICKET, NULL, 0)) { -- cgit v1.2.3