提交 fe874d27 编写于 作者: M Matt Caswell

Move the extensions context codes into the public API

This move prepares for the later addition of the new custom extensions
API. The context codes have an additional "SSL_" added to their name to
ensure we don't have name clashes with other applications.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
上级 b443c845
...@@ -250,6 +250,29 @@ typedef int (*tls_session_secret_cb_fn) (SSL *s, void *secret, ...@@ -250,6 +250,29 @@ typedef int (*tls_session_secret_cb_fn) (SSL *s, void *secret,
STACK_OF(SSL_CIPHER) *peer_ciphers, STACK_OF(SSL_CIPHER) *peer_ciphers,
const SSL_CIPHER **cipher, void *arg); const SSL_CIPHER **cipher, void *arg);
/* Extension context codes */
/* This extension is only allowed in TLS */
#define SSL_EXT_TLS_ONLY 0x0001
/* This extension is only allowed in DTLS */
#define SSL_EXT_DTLS_ONLY 0x0002
/* Some extensions may be allowed in DTLS but we don't implement them for it */
#define SSL_EXT_TLS_IMPLEMENTATION_ONLY 0x0004
/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
#define SSL_EXT_SSL3_ALLOWED 0x0008
/* Extension is only defined for TLS1.2 and above */
#define SSL_EXT_TLS1_2_AND_BELOW_ONLY 0x0010
/* Extension is only defined for TLS1.3 and above */
#define SSL_EXT_TLS1_3_ONLY 0x0020
#define SSL_EXT_CLIENT_HELLO 0x0040
/* Really means TLS1.2 or below */
#define SSL_EXT_TLS1_2_SERVER_HELLO 0x0080
#define SSL_EXT_TLS1_3_SERVER_HELLO 0x0100
#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x0200
#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 0x0400
#define SSL_EXT_TLS1_3_CERTIFICATE 0x0800
#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET 0x1000
#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 0x2000
/* Typedefs for handling custom extensions */ /* Typedefs for handling custom extensions */
typedef int (*custom_ext_add_cb) (SSL *s, unsigned int ext_type, typedef int (*custom_ext_add_cb) (SSL *s, unsigned int ext_type,
......
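Review bot: The comment above `SSL_EXT_TLS1_2_AND_BELOW_ONLY` reads "Extension is only defined for TLS1.2 and above", which contradicts both the macro name and the way extension_is_relevant uses the bit (it rejects the extension when SSL_IS_TLS13(s) is true); the inversion already existed in the private ssl/statem/statem_locl.h copy being deleted, but this commit promotes it into a public header that applications selecting contexts for custom extensions will read. Suggest `/* Extension is only defined for TLS1.2 and below */`. The comment on `SSL_EXT_SSL3_ALLOWED` also refers to `EXT_TYPE_renegotiate`, which does not match the `TLSEXT_TYPE_renegotiate` identifier ext_defs[] actually uses. Since these bit values are now part of the public API, a one-line note that the assignments are ABI and must not be renumbered would also be worth adding.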
...@@ -468,9 +468,10 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) ...@@ -468,9 +468,10 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
TICKET_RETURN r; TICKET_RETURN r;
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, EXT_CLIENT_HELLO, if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,
hello->pre_proc_exts, NULL, 0, al) SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,
|| !tls_parse_extension(s, TLSEXT_IDX_psk, EXT_CLIENT_HELLO, NULL, 0, al)
|| !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,
hello->pre_proc_exts, NULL, 0, al)) hello->pre_proc_exts, NULL, 0, al))
return -1; return -1;
......
...@@ -114,16 +114,16 @@ typedef struct extensions_definition_st { ...@@ -114,16 +114,16 @@ typedef struct extensions_definition_st {
static const EXTENSION_DEFINITION ext_defs[] = { static const EXTENSION_DEFINITION ext_defs[] = {
{ {
TLSEXT_TYPE_renegotiate, TLSEXT_TYPE_renegotiate,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| EXT_TLS1_2_AND_BELOW_ONLY, | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
final_renegotiate final_renegotiate
}, },
{ {
TLSEXT_TYPE_server_name, TLSEXT_TYPE_server_name,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_server_name, init_server_name,
tls_parse_ctos_server_name, tls_parse_stoc_server_name, tls_parse_ctos_server_name, tls_parse_stoc_server_name,
tls_construct_stoc_server_name, tls_construct_ctos_server_name, tls_construct_stoc_server_name, tls_construct_ctos_server_name,
...@@ -132,7 +132,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -132,7 +132,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
{ {
TLSEXT_TYPE_srp, TLSEXT_TYPE_srp,
EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
}, },
#else #else
...@@ -141,14 +141,15 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -141,14 +141,15 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
{ {
TLSEXT_TYPE_ec_point_formats, TLSEXT_TYPE_ec_point_formats,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats final_ec_pt_formats
}, },
{ {
TLSEXT_TYPE_supported_groups, TLSEXT_TYPE_supported_groups,
EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, tls_parse_ctos_supported_groups, NULL, NULL, tls_parse_ctos_supported_groups, NULL,
NULL /* TODO(TLS1.3): Need to add this */, NULL /* TODO(TLS1.3): Need to add this */,
tls_construct_ctos_supported_groups, NULL tls_construct_ctos_supported_groups, NULL
...@@ -159,14 +160,15 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -159,14 +160,15 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#endif #endif
{ {
TLSEXT_TYPE_session_ticket, TLSEXT_TYPE_session_ticket,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_session_ticket, tls_parse_ctos_session_ticket, init_session_ticket, tls_parse_ctos_session_ticket,
tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
tls_construct_ctos_session_ticket, NULL tls_construct_ctos_session_ticket, NULL
}, },
{ {
TLSEXT_TYPE_signature_algorithms, TLSEXT_TYPE_signature_algorithms,
EXT_CLIENT_HELLO | EXT_TLS1_3_CERTIFICATE_REQUEST, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
init_sig_algs, tls_parse_ctos_sig_algs, init_sig_algs, tls_parse_ctos_sig_algs,
tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs, tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
tls_construct_ctos_sig_algs, final_sig_algs tls_construct_ctos_sig_algs, final_sig_algs
...@@ -174,8 +176,8 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -174,8 +176,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
{ {
TLSEXT_TYPE_status_request, TLSEXT_TYPE_status_request,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| EXT_TLS1_3_CERTIFICATE, | SSL_EXT_TLS1_3_CERTIFICATE,
init_status_request, tls_parse_ctos_status_request, init_status_request, tls_parse_ctos_status_request,
tls_parse_stoc_status_request, tls_construct_stoc_status_request, tls_parse_stoc_status_request, tls_construct_stoc_status_request,
tls_construct_ctos_status_request, NULL tls_construct_ctos_status_request, NULL
...@@ -186,7 +188,8 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -186,7 +188,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
{ {
TLSEXT_TYPE_next_proto_neg, TLSEXT_TYPE_next_proto_neg,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
}, },
...@@ -199,16 +202,16 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -199,16 +202,16 @@ static const EXTENSION_DEFINITION ext_defs[] = {
* happens after server_name callbacks * happens after server_name callbacks
*/ */
TLSEXT_TYPE_application_layer_protocol_negotiation, TLSEXT_TYPE_application_layer_protocol_negotiation,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
}, },
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
{ {
TLSEXT_TYPE_use_srtp, TLSEXT_TYPE_use_srtp,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY, | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
}, },
...@@ -217,15 +220,16 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -217,15 +220,16 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#endif #endif
{ {
TLSEXT_TYPE_encrypt_then_mac, TLSEXT_TYPE_encrypt_then_mac,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY | EXT_SSL3_ALLOWED, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
tls_construct_stoc_etm, tls_construct_ctos_etm, NULL tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
}, },
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
{ {
TLSEXT_TYPE_signed_certificate_timestamp, TLSEXT_TYPE_signed_certificate_timestamp,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| EXT_TLS1_3_CERTIFICATE, | SSL_EXT_TLS1_3_CERTIFICATE,
NULL, NULL,
/* /*
* No server side support for this, but can be provided by a custom * No server side support for this, but can be provided by a custom
...@@ -239,20 +243,23 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -239,20 +243,23 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#endif #endif
{ {
TLSEXT_TYPE_extended_master_secret, TLSEXT_TYPE_extended_master_secret,
EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
}, },
{ {
TLSEXT_TYPE_supported_versions, TLSEXT_TYPE_supported_versions,
EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
| SSL_EXT_TLS1_3_ONLY,
NULL, NULL,
/* Processed inline as part of version selection */ /* Processed inline as part of version selection */
NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
}, },
{ {
TLSEXT_TYPE_psk_kex_modes, TLSEXT_TYPE_psk_kex_modes,
EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
| SSL_EXT_TLS1_3_ONLY,
init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
tls_construct_ctos_psk_kex_modes, NULL tls_construct_ctos_psk_kex_modes, NULL
}, },
...@@ -263,9 +270,9 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -263,9 +270,9 @@ static const EXTENSION_DEFINITION ext_defs[] = {
* been parsed before we do this one. * been parsed before we do this one.
*/ */
TLSEXT_TYPE_key_share, TLSEXT_TYPE_key_share,
EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
| EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
| EXT_TLS1_3_ONLY, | SSL_EXT_TLS1_3_ONLY,
NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
tls_construct_stoc_key_share, tls_construct_ctos_key_share, tls_construct_stoc_key_share, tls_construct_ctos_key_share,
final_key_share final_key_share
...@@ -273,8 +280,8 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -273,8 +280,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#endif #endif
{ {
TLSEXT_TYPE_cookie, TLSEXT_TYPE_cookie,
EXT_CLIENT_HELLO | EXT_TLS1_3_HELLO_RETRY_REQUEST SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
| EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
NULL, NULL, tls_parse_stoc_cookie, NULL, tls_construct_ctos_cookie, NULL, NULL, tls_parse_stoc_cookie, NULL, tls_construct_ctos_cookie,
NULL NULL
}, },
...@@ -284,20 +291,21 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -284,20 +291,21 @@ static const EXTENSION_DEFINITION ext_defs[] = {
* SSL_OP_CRYPTOPRO_TLSEXT_BUG is set * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
*/ */
TLSEXT_TYPE_cryptopro_bug, TLSEXT_TYPE_cryptopro_bug,
EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
}, },
{ {
TLSEXT_TYPE_early_data, TLSEXT_TYPE_early_data,
EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
| EXT_TLS1_3_NEW_SESSION_TICKET, | SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data, NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
tls_construct_stoc_early_data, tls_construct_ctos_early_data, tls_construct_stoc_early_data, tls_construct_ctos_early_data,
final_early_data final_early_data
}, },
{ {
TLSEXT_TYPE_certificate_authorities, TLSEXT_TYPE_certificate_authorities,
EXT_CLIENT_HELLO | EXT_TLS1_3_CERTIFICATE_REQUEST | EXT_TLS1_3_ONLY, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
| SSL_EXT_TLS1_3_ONLY,
init_certificate_authorities, init_certificate_authorities,
tls_parse_certificate_authorities, tls_parse_certificate_authorities, tls_parse_certificate_authorities, tls_parse_certificate_authorities,
tls_construct_certificate_authorities, tls_construct_certificate_authorities,
...@@ -306,7 +314,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -306,7 +314,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
{ {
/* Must be immediately before pre_shared_key */ /* Must be immediately before pre_shared_key */
TLSEXT_TYPE_padding, TLSEXT_TYPE_padding,
EXT_CLIENT_HELLO, SSL_EXT_CLIENT_HELLO,
NULL, NULL,
/* We send this, but don't read it */ /* We send this, but don't read it */
NULL, NULL, NULL, tls_construct_ctos_padding, NULL NULL, NULL, NULL, tls_construct_ctos_padding, NULL
...@@ -314,8 +322,8 @@ static const EXTENSION_DEFINITION ext_defs[] = { ...@@ -314,8 +322,8 @@ static const EXTENSION_DEFINITION ext_defs[] = {
{ {
/* Required by the TLSv1.3 spec to always be the last extension */ /* Required by the TLSv1.3 spec to always be the last extension */
TLSEXT_TYPE_psk, TLSEXT_TYPE_psk,
EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | EXT_TLS_IMPLEMENTATION_ONLY SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
| EXT_TLS1_3_ONLY, | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
tls_construct_ctos_psk, NULL tls_construct_ctos_psk, NULL
} }
...@@ -342,9 +350,9 @@ static int verify_extension(SSL *s, unsigned int context, unsigned int type, ...@@ -342,9 +350,9 @@ static int verify_extension(SSL *s, unsigned int context, unsigned int type,
return 0; return 0;
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
if ((thisext->context & EXT_TLS_ONLY) != 0) if ((thisext->context & SSL_EXT_TLS_ONLY) != 0)
return 0; return 0;
} else if ((thisext->context & EXT_DTLS_ONLY) != 0) { } else if ((thisext->context & SSL_EXT_DTLS_ONLY) != 0) {
return 0; return 0;
} }
...@@ -353,7 +361,7 @@ static int verify_extension(SSL *s, unsigned int context, unsigned int type, ...@@ -353,7 +361,7 @@ static int verify_extension(SSL *s, unsigned int context, unsigned int type,
} }
} }
if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) { if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) == 0) {
/* /*
* Custom extensions only apply to <=TLS1.2. This extension is unknown * Custom extensions only apply to <=TLS1.2. This extension is unknown
* in this context - we allow it * in this context - we allow it
...@@ -386,12 +394,12 @@ static int extension_is_relevant(SSL *s, unsigned int extctx, ...@@ -386,12 +394,12 @@ static int extension_is_relevant(SSL *s, unsigned int extctx,
unsigned int thisctx) unsigned int thisctx)
{ {
if ((SSL_IS_DTLS(s) if ((SSL_IS_DTLS(s)
&& (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
|| (s->version == SSL3_VERSION || (s->version == SSL3_VERSION
&& (extctx & EXT_SSL3_ALLOWED) == 0) && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
|| (SSL_IS_TLS13(s) || (SSL_IS_TLS13(s)
&& (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0) && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
|| (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0)) || (!SSL_IS_TLS13(s) && (extctx & SSL_EXT_TLS1_3_ONLY) != 0))
return 0; return 0;
return 1; return 1;
...@@ -429,10 +437,10 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -429,10 +437,10 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
* Initialise server side custom extensions. Client side is done during * Initialise server side custom extensions. Client side is done during
* construction of extensions for the ClientHello. * construction of extensions for the ClientHello.
*/ */
if ((context & EXT_CLIENT_HELLO) != 0) { if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
exts = &s->cert->srv_ext; exts = &s->cert->srv_ext;
custom_ext_init(&s->cert->srv_ext); custom_ext_init(&s->cert->srv_ext);
} else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {
exts = &s->cert->cli_ext; exts = &s->cert->cli_ext;
} }
...@@ -463,7 +471,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -463,7 +471,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
|| (thisex != NULL && thisex->present == 1) || (thisex != NULL && thisex->present == 1)
|| (type == TLSEXT_TYPE_psk || (type == TLSEXT_TYPE_psk
&& (context & EXT_CLIENT_HELLO) != 0 && (context & SSL_EXT_CLIENT_HELLO) != 0
&& PACKET_remaining(&extensions) != 0)) { && PACKET_remaining(&extensions) != 0)) {
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
*al = SSL_AD_ILLEGAL_PARAMETER; *al = SSL_AD_ILLEGAL_PARAMETER;
...@@ -562,7 +570,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, ...@@ -562,7 +570,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
*/ */
if ((!s->hit || !s->server) if ((!s->hit || !s->server)
&& (context && (context
& (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
&& custom_ext_parse(s, s->server, currext->type, && custom_ext_parse(s, s->server, currext->type,
PACKET_data(&currext->data), PACKET_data(&currext->data),
PACKET_remaining(&currext->data), PACKET_remaining(&currext->data),
...@@ -587,9 +595,9 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, ...@@ -587,9 +595,9 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
const EXTENSION_DEFINITION *thisexd; const EXTENSION_DEFINITION *thisexd;
/* Calculate the number of extensions in the extensions list */ /* Calculate the number of extensions in the extensions list */
if ((context & EXT_CLIENT_HELLO) != 0) { if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
numexts += s->cert->srv_ext.meths_count; numexts += s->cert->srv_ext.meths_count;
} else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {
numexts += s->cert->cli_ext.meths_count; numexts += s->cert->cli_ext.meths_count;
} }
...@@ -640,15 +648,16 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -640,15 +648,16 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
* If extensions are of zero length then we don't even add the * If extensions are of zero length then we don't even add the
* extensions length bytes to a ClientHello/ServerHello in SSLv3 * extensions length bytes to a ClientHello/ServerHello in SSLv3
*/ */
|| ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 || ((context &
&& s->version == SSL3_VERSION (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
&& !WPACKET_set_flags(pkt, && s->version == SSL3_VERSION
&& !WPACKET_set_flags(pkt,
WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
if ((context & EXT_CLIENT_HELLO) != 0) { if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
reason = ssl_get_client_min_max_version(s, &min_version, &max_version); reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
if (reason != 0) { if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
...@@ -657,10 +666,10 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -657,10 +666,10 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
} }
/* Add custom extensions first */ /* Add custom extensions first */
if ((context & EXT_CLIENT_HELLO) != 0) { if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
custom_ext_init(&s->cert->cli_ext); custom_ext_init(&s->cert->cli_ext);
addcustom = 1; addcustom = 1;
} else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {
/* /*
* We already initialised the custom extensions during ClientHello * We already initialised the custom extensions during ClientHello
* parsing. * parsing.
...@@ -690,18 +699,18 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -690,18 +699,18 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
/* Check if this extension is defined for our protocol. If not, skip */ /* Check if this extension is defined for our protocol. If not, skip */
if ((SSL_IS_DTLS(s) if ((SSL_IS_DTLS(s)
&& (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY) && (thisexd->context & SSL_EXT_TLS_IMPLEMENTATION_ONLY)
!= 0) != 0)
|| (s->version == SSL3_VERSION || (s->version == SSL3_VERSION
&& (thisexd->context & EXT_SSL3_ALLOWED) == 0) && (thisexd->context & SSL_EXT_SSL3_ALLOWED) == 0)
|| (SSL_IS_TLS13(s) || (SSL_IS_TLS13(s)
&& (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY) && (thisexd->context & SSL_EXT_TLS1_2_AND_BELOW_ONLY)
!= 0) != 0)
|| (!SSL_IS_TLS13(s) || (!SSL_IS_TLS13(s)
&& (thisexd->context & EXT_TLS1_3_ONLY) != 0 && (thisexd->context & SSL_EXT_TLS1_3_ONLY) != 0
&& (context & EXT_CLIENT_HELLO) == 0) && (context & SSL_EXT_CLIENT_HELLO) == 0)
|| ((thisexd->context & EXT_TLS1_3_ONLY) != 0 || ((thisexd->context & SSL_EXT_TLS1_3_ONLY) != 0
&& (context & EXT_CLIENT_HELLO) != 0 && (context & SSL_EXT_CLIENT_HELLO) != 0
&& (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
|| construct == NULL) || construct == NULL)
continue; continue;
......
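Review bot: The `TLSEXT_TYPE_encrypt_then_mac` entry in ext_defs[] loses a flag in what the commit message describes as a naming-only change: the old side of that line carries `EXT_SSL3_ALLOWED`, but the new side reads `SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY` with no `SSL_EXT_SSL3_ALLOWED`. Per extension_is_relevant and the skip test in tls_construct_extensions, an entry without that bit is neither parsed nor constructed when s->version == SSL3_VERSION, so an SSLv3 peer that could previously negotiate encrypt-then-MAC would now quietly end up with MAC-then-encrypt CBC. If withdrawing EtM from SSLv3 is intended it should be stated in the commit message (and ideally covered by a test) rather than hidden inside a mechanical rename; if not, restore `| SSL_EXT_SSL3_ALLOWED` on that line. ext_defs[] is only partially visible here, so entries outside the shown hunks were not checked for the same slip.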
...@@ -1307,7 +1307,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1307,7 +1307,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0; return 0;
} }
if ((context & EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
unsigned const char *pcurves = NULL; unsigned const char *pcurves = NULL;
size_t i, num_curves; size_t i, num_curves;
...@@ -1411,7 +1411,7 @@ int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1411,7 +1411,7 @@ int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx, int *al)
{ {
if (context == EXT_TLS1_3_NEW_SESSION_TICKET) { if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
unsigned long max_early_data; unsigned long max_early_data;
if (!PACKET_get_net_4(pkt, &max_early_data) if (!PACKET_get_net_4(pkt, &max_early_data)
......
...@@ -1133,7 +1133,7 @@ int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1133,7 +1133,7 @@ int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context, int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx, int *al)
{ {
if (context == EXT_TLS1_3_NEW_SESSION_TICKET) { if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
if (s->max_early_data == 0) if (s->max_early_data == 0)
return 1; return 1;
......
...@@ -1200,7 +1200,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1200,7 +1200,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
} }
/* TLS extensions */ /* TLS extensions */
if (!tls_construct_extensions(s, pkt, EXT_CLIENT_HELLO, NULL, 0, &al)) { if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al); ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return 0; return 0;
...@@ -1390,8 +1390,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1390,8 +1390,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
goto f_err; goto f_err;
} }
context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
: EXT_TLS1_2_SERVER_HELLO; : SSL_EXT_TLS1_2_SERVER_HELLO;
if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL)) if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL))
goto f_err; goto f_err;
...@@ -1400,7 +1400,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1400,7 +1400,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
/* This will set s->hit if we are resuming */ /* This will set s->hit if we are resuming */
if (!tls_parse_extension(s, TLSEXT_IDX_psk, if (!tls_parse_extension(s, TLSEXT_IDX_psk,
EXT_TLS1_3_SERVER_HELLO, SSL_EXT_TLS1_3_SERVER_HELLO,
extensions, NULL, 0, &al)) extensions, NULL, 0, &al))
goto f_err; goto f_err;
} else { } else {
...@@ -1634,9 +1634,9 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1634,9 +1634,9 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
goto f_err; goto f_err;
} }
if (!tls_collect_extensions(s, &extpkt, EXT_TLS1_3_HELLO_RETRY_REQUEST, if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
&extensions, &al, NULL) &extensions, &al, NULL)
|| !tls_parse_all_extensions(s, EXT_TLS1_3_HELLO_RETRY_REQUEST, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
extensions, NULL, 0, &al)) extensions, NULL, 0, &al))
goto f_err; goto f_err;
...@@ -1728,9 +1728,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1728,9 +1728,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH); SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH);
goto f_err; goto f_err;
} }
if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE, if (!tls_collect_extensions(s, &extensions,
&rawexts, &al, NULL) SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
|| !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE, &al, NULL)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al)) { rawexts, x, chainidx, &al)) {
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
goto f_err; goto f_err;
...@@ -2357,9 +2358,9 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) ...@@ -2357,9 +2358,9 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
goto err; goto err;
} }
if (!tls_collect_extensions(s, &extensions, if (!tls_collect_extensions(s, &extensions,
EXT_TLS1_3_CERTIFICATE_REQUEST, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
&rawexts, &al, NULL) &rawexts, &al, NULL)
|| !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE_REQUEST, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
rawexts, NULL, 0, &al)) { rawexts, NULL, 0, &al)) {
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
goto err; goto err;
...@@ -2511,9 +2512,10 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2511,9 +2512,10 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
if (!PACKET_as_length_prefixed_2(pkt, &extpkt) if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
|| !tls_collect_extensions(s, &extpkt, || !tls_collect_extensions(s, &extpkt,
EXT_TLS1_3_NEW_SESSION_TICKET, SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
&exts, &al, NULL) &exts, &al, NULL)
|| !tls_parse_all_extensions(s, EXT_TLS1_3_NEW_SESSION_TICKET, || !tls_parse_all_extensions(s,
SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
exts, NULL, 0, &al)) { exts, NULL, 0, &al)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION); SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION);
goto f_err; goto f_err;
...@@ -3479,9 +3481,10 @@ static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) ...@@ -3479,9 +3481,10 @@ static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
goto err; goto err;
} }
if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, if (!tls_collect_extensions(s, &extensions,
&rawexts, &al, NULL) SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
|| !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &al, NULL)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
rawexts, NULL, 0, &al)) rawexts, NULL, 0, &al))
goto err; goto err;
......
...@@ -801,7 +801,7 @@ static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain, ...@@ -801,7 +801,7 @@ static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain,
} }
if (SSL_IS_TLS13(s) if (SSL_IS_TLS13(s)
&& !tls_construct_extensions(s, pkt, EXT_TLS1_3_CERTIFICATE, x, && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
chain, al)) chain, al))
return 0; return 0;
......
...@@ -32,29 +32,6 @@ ...@@ -32,29 +32,6 @@
/* The maximum number of incoming KeyUpdate messages we will accept */ /* The maximum number of incoming KeyUpdate messages we will accept */
#define MAX_KEY_UPDATE_MESSAGES 32 #define MAX_KEY_UPDATE_MESSAGES 32
/* Extension context codes */
/* This extension is only allowed in TLS */
#define EXT_TLS_ONLY 0x0001
/* This extension is only allowed in DTLS */
#define EXT_DTLS_ONLY 0x0002
/* Some extensions may be allowed in DTLS but we don't implement them for it */
#define EXT_TLS_IMPLEMENTATION_ONLY 0x0004
/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
#define EXT_SSL3_ALLOWED 0x0008
/* Extension is only defined for TLS1.2 and above */
#define EXT_TLS1_2_AND_BELOW_ONLY 0x0010
/* Extension is only defined for TLS1.3 and above */
#define EXT_TLS1_3_ONLY 0x0020
#define EXT_CLIENT_HELLO 0x0040
/* Really means TLS1.2 or below */
#define EXT_TLS1_2_SERVER_HELLO 0x0080
#define EXT_TLS1_3_SERVER_HELLO 0x0100
#define EXT_TLS1_3_ENCRYPTED_EXTENSIONS 0x0200
#define EXT_TLS1_3_HELLO_RETRY_REQUEST 0x0400
#define EXT_TLS1_3_CERTIFICATE 0x0800
#define EXT_TLS1_3_NEW_SESSION_TICKET 0x1000
#define EXT_TLS1_3_CERTIFICATE_REQUEST 0x2000
/* Dummy message type */ /* Dummy message type */
#define SSL3_MT_DUMMY -1 #define SSL3_MT_DUMMY -1
......
...@@ -1442,7 +1442,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1442,7 +1442,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
/* Preserve the raw extensions PACKET for later use */ /* Preserve the raw extensions PACKET for later use */
extensions = clienthello->extensions; extensions = clienthello->extensions;
if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO, if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
&clienthello->pre_proc_exts, &al, &clienthello->pre_proc_exts, &al,
&clienthello->pre_proc_exts_len)) { &clienthello->pre_proc_exts_len)) {
/* SSLerr already been called */ /* SSLerr already been called */
...@@ -1580,7 +1580,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) ...@@ -1580,7 +1580,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
/* We need to do this before getting the session */ /* We need to do this before getting the session */
if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
EXT_CLIENT_HELLO, SSL_EXT_CLIENT_HELLO,
clienthello->pre_proc_exts, NULL, 0, al)) { clienthello->pre_proc_exts, NULL, 0, al)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
goto err; goto err;
...@@ -1708,7 +1708,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al) ...@@ -1708,7 +1708,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
#endif /* !OPENSSL_NO_EC */ #endif /* !OPENSSL_NO_EC */
/* TLS extensions */ /* TLS extensions */
if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO, if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
clienthello->pre_proc_exts, NULL, 0, al)) { clienthello->pre_proc_exts, NULL, 0, al)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
goto err; goto err;
...@@ -2127,8 +2127,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) ...@@ -2127,8 +2127,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
&& !WPACKET_put_bytes_u8(pkt, compm)) && !WPACKET_put_bytes_u8(pkt, compm))
|| !tls_construct_extensions(s, pkt, || !tls_construct_extensions(s, pkt,
SSL_IS_TLS13(s) SSL_IS_TLS13(s)
? EXT_TLS1_3_SERVER_HELLO ? SSL_EXT_TLS1_3_SERVER_HELLO
: EXT_TLS1_2_SERVER_HELLO, : SSL_EXT_TLS1_2_SERVER_HELLO,
NULL, 0, &al)) { NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err; goto err;
...@@ -2510,8 +2510,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) ...@@ -2510,8 +2510,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
goto err; goto err;
} }
if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_CERTIFICATE_REQUEST, if (!tls_construct_extensions(s, pkt,
NULL, 0, &al)) { SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
...@@ -3251,9 +3252,10 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3251,9 +3252,10 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH); SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
goto f_err; goto f_err;
} }
if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE, if (!tls_collect_extensions(s, &extensions,
&rawexts, &al, NULL) SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
|| !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE, &al, NULL)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al)) { rawexts, x, chainidx, &al)) {
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
goto f_err; goto f_err;
...@@ -3550,7 +3552,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3550,7 +3552,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| (SSL_IS_TLS13(s) || (SSL_IS_TLS13(s)
&& !tls_construct_extensions(s, pkt, && !tls_construct_extensions(s, pkt,
EXT_TLS1_3_NEW_SESSION_TICKET, SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, 0, &al))) { NULL, 0, &al))) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err; goto err;
...@@ -3637,7 +3639,7 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) ...@@ -3637,7 +3639,7 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{ {
int al; int al;
if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS, if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, 0, &al)) { NULL, 0, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al); ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
...@@ -3659,7 +3661,8 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) ...@@ -3659,7 +3661,8 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
*/ */
if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
|| !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
|| !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST, || !tls_construct_extensions(s, pkt,
SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
NULL, 0, &al)) { NULL, 0, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
goto err; goto err;
......