Skip to content

O
openssl

btwise / openssl

通知 1
Star 0
Fork 0
O
openssl

体验新版 GitCode,发现更多精彩内容 >>

提交 426dfc9f 编写于 作者: M Matt Caswell
浏览文件
操作

Send supported_versions in an HRR 

Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
上级 e7dd763e
隐藏空白更改
内联 并排
Showing with 27 addition and 4 deletion
crypto/err/openssl.txt
浏览文件 @ 426dfc9f
...@@ -2361,6 +2361,7 @@ SSL_R_BAD_EXTENSION:110:bad extension ...@@ -2361,6 +2361,7 @@ SSL_R_BAD_EXTENSION:110:bad extension
SSL_R_BAD_HANDSHAKE_LENGTH:332:bad handshake length SSL_R_BAD_HANDSHAKE_LENGTH:332:bad handshake length
SSL_R_BAD_HANDSHAKE_STATE:236:bad handshake state SSL_R_BAD_HANDSHAKE_STATE:236:bad handshake state
SSL_R_BAD_HELLO_REQUEST:105:bad hello request SSL_R_BAD_HELLO_REQUEST:105:bad hello request
SSL_R_BAD_HRR_VERSION:263:bad hrr version
SSL_R_BAD_KEY_SHARE:108:bad key share SSL_R_BAD_KEY_SHARE:108:bad key share
SSL_R_BAD_KEY_UPDATE:122:bad key update SSL_R_BAD_KEY_UPDATE:122:bad key update
SSL_R_BAD_LENGTH:271:bad length SSL_R_BAD_LENGTH:271:bad length
......
include/openssl/sslerr.h
浏览文件 @ 426dfc9f
...@@ -444,6 +444,7 @@ int ERR_load_SSL_strings(void); ...@@ -444,6 +444,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_BAD_HANDSHAKE_LENGTH 332 # define SSL_R_BAD_HANDSHAKE_LENGTH 332
# define SSL_R_BAD_HANDSHAKE_STATE 236 # define SSL_R_BAD_HANDSHAKE_STATE 236
# define SSL_R_BAD_HELLO_REQUEST 105 # define SSL_R_BAD_HELLO_REQUEST 105
# define SSL_R_BAD_HRR_VERSION 263
# define SSL_R_BAD_KEY_SHARE 108 # define SSL_R_BAD_KEY_SHARE 108
# define SSL_R_BAD_KEY_UPDATE 122 # define SSL_R_BAD_KEY_UPDATE 122
# define SSL_R_BAD_LENGTH 271 # define SSL_R_BAD_LENGTH 271
......
ssl/ssl_err.c
浏览文件 @ 426dfc9f
...@@ -706,6 +706,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -706,6 +706,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_STATE), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_STATE),
"bad handshake state"}, "bad handshake state"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HRR_VERSION), "bad hrr version"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_UPDATE), "bad key update"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_UPDATE), "bad key update"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "bad length"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "bad length"},
......
ssl/statem/extensions_clnt.c
浏览文件 @ 426dfc9f
...@@ -1657,6 +1657,21 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1657,6 +1657,21 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
if (version == TLS1_3_VERSION_DRAFT) if (version == TLS1_3_VERSION_DRAFT)
version = TLS1_3_VERSION; version = TLS1_3_VERSION;
/* We ignore this extension for HRRs except to sanity check it */
if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) {
/*
* The only protocol version we support which has an HRR message is
* TLSv1.3, therefore we shouldn't be getting an HRR for anything else.
*/
if (version != TLS1_3_VERSION) {
*al = SSL_AD_PROTOCOL_VERSION;
SSLerr(SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
SSL_R_BAD_HRR_VERSION);
return 0;
}
return 1;
}
/* We just set it here. We validate it in ssl_choose_client_version */ /* We just set it here. We validate it in ssl_choose_client_version */
s->version = version; s->version = version;
......
ssl/statem/statem_srvr.c
浏览文件 @ 426dfc9f
...@@ -2274,7 +2274,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) ...@@ -2274,7 +2274,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
compm = s->s3->tmp.new_compression->id; compm = s->s3->tmp.new_compression->id;
#endif #endif
if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl) if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
|| !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
|| !WPACKET_put_bytes_u8(pkt, compm) || !WPACKET_put_bytes_u8(pkt, compm)
|| !tls_construct_extensions(s, pkt, || !tls_construct_extensions(s, pkt,
......
test/recipes/70-test_tls13kexmodes.t
浏览文件 @ 426dfc9f
...@@ -90,6 +90,8 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); ...@@ -90,6 +90,8 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
checkhandshake::PSK_CLI_EXTENSION], checkhandshake::PSK_CLI_EXTENSION],
[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
checkhandshake::DEFAULT_EXTENSIONS],
[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
checkhandshake::KEY_SHARE_HRR_EXTENSION], checkhandshake::KEY_SHARE_HRR_EXTENSION],
......
test/recipes/70-test_tls13messages.t
浏览文件 @ 426dfc9f
...@@ -90,6 +90,8 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); ...@@ -90,6 +90,8 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK, [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_PSK,
checkhandshake::PSK_CLI_EXTENSION], checkhandshake::PSK_CLI_EXTENSION],
[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
checkhandshake::DEFAULT_EXTENSIONS],
[TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE, [TLSProxy::Message::MT_SERVER_HELLO, TLSProxy::Message::EXT_KEY_SHARE,
checkhandshake::KEY_SHARE_HRR_EXTENSION], checkhandshake::KEY_SHARE_HRR_EXTENSION],
......
util/perl/TLSProxy/ServerHello.pm
浏览文件 @ 426dfc9f
...@@ -50,6 +50,7 @@ sub parse ...@@ -50,6 +50,7 @@ sub parse
my $self = shift; my $self = shift;
my $ptr = 2; my $ptr = 2;
my ($server_version) = unpack('n', $self->data); my ($server_version) = unpack('n', $self->data);
my $neg_version = $server_version;
my $random = substr($self->data, $ptr, 32); my $random = substr($self->data, $ptr, 32);
$ptr += 32; $ptr += 32;
...@@ -94,15 +95,15 @@ sub parse ...@@ -94,15 +95,15 @@ sub parse
$extension_data = substr($extension_data, 4 + $size); $extension_data = substr($extension_data, 4 + $size);
$extensions{$type} = $extdata; $extensions{$type} = $extdata;
if ($type == TLSProxy::Message::EXT_SUPPORTED_VERSIONS) { if ($type == TLSProxy::Message::EXT_SUPPORTED_VERSIONS) {
$server_version = unpack('n', $extdata); $neg_version = unpack('n', $extdata);
} }
} }
if ($random eq $hrrrandom) { if ($random eq $hrrrandom) {
TLSProxy::Proxy->is_tls13(1); TLSProxy::Proxy->is_tls13(1);
# TODO(TLS1.3): Replace this reference to draft version before release # TODO(TLS1.3): Replace this reference to draft version before release
} elsif ($server_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) { } elsif ($neg_version == TLSProxy::Record::VERS_TLS_1_3_DRAFT) {
$server_version = TLSProxy::Record::VERS_TLS_1_3; $neg_version = TLSProxy::Record::VERS_TLS_1_3;
TLSProxy::Proxy->is_tls13(1); TLSProxy::Proxy->is_tls13(1);
TLSProxy::Record->server_encrypting(1); TLSProxy::Record->server_encrypting(1);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册