* be the same as in the inner.
*
* This macro should be called in each _ctos_ function that doesn't explicitly
- * have special ECH handling.
+ * have special ECH handling. There are some _ctos_ functions that are called
+ * from a server, but we don't want to do anything in such cases. We also
+ * screen out cases where the context is not handling the ClientHello.
*
* Note that the placement of this macro needs a bit of thought - it has to go
* after declarations (to keep the ansi-c compile happy) and also after any
* state changes that would affect a possible 2nd call to the constructor.
* Luckily, that's usually not too hard, but it's not mechanical.
*/
-# define ECH_SAME_EXT(s, pkt) \
- if (s->ext.ech.es != NULL && s->ext.ech.grease == 0) { \
+# define ECH_SAME_EXT(s, context, pkt) \
+ if (context == SSL_EXT_CLIENT_HELLO && !s->server \
+ && s->ext.ech.es != NULL && s->ext.ech.grease == 0) { \
int ech_iosame_rv = ossl_ech_same_ext(s, pkt); \
\
if (ech_iosame_rv == OSSL_ECH_SAME_EXT_ERR) \
}
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
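Review bot: The new call `ECH_SAME_EXT(s, context, pkt)` reads like a plain statement, but the macro expands to a block that calls ossl_ech_same_ext() and tests its result against OSSL_ECH_SAME_EXT_ERR, so a reader of the enclosing constructor (which starts and ends outside this hunk) cannot tell from the call site that the function's control flow may be cut short here. A one-line comment at each invocation would make that visible, e.g. `/* ECH: outer ClientHello may reuse the inner's extension; see ECH_SAME_EXT */` — the exact consequence is hedged because the statement after the error test is not in view. The same applies to every other constructor touched by this change, from max_fragment_len through server_cert_type. The added `context` argument is presumably each constructor's own `unsigned int context` parameter; the compiler will catch any constructor that names it differently, but it is worth confirming the macro's `!s->server` test is evaluated against the same connection object the constructor was handed (the client/server cert_type sites pass `sc`, which is consistent).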
}
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
/* Add a complete RI extension if renegotiating */
if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
/* Add Max Fragment Length extension if client enabled it. */
if (s->srp_ctx.login == NULL)
return EXT_RETURN_NOT_SENT;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
if (!use_ecc(s, min_version, max_version))
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
/* Add TLS extension ECPointFormats to the ClientHello message */
&& (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
/*
if (!tls_use_ticket(s))
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
if (!s->new_session && s->session != NULL
}
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
salglen = tls12_get_psigalgs(s, 1, &salg);
if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
return EXT_RETURN_NOT_SENT;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
|| !SSL_IS_FIRST_HANDSHAKE(s))
return EXT_RETURN_NOT_SENT;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
/*
if (clnt == NULL)
return EXT_RETURN_NOT_SENT;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
if (x != NULL)
return EXT_RETURN_NOT_SENT;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
if (max_version < TLS1_3_VERSION)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
size_t valid_keyshare = 0;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
/* key_share extension */
if (s->ext.tls13_cookie_len == 0)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt);
+ ECH_SAME_EXT(s, context, pkt);
#endif
/*
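Review bot: The padding constructor's invocation keeps a trailing semicolon, `ECH_SAME_EXT(s, context, pkt);`, while every other call site in this change is written without one; because the macro's expansion already ends in `}`, the `;` is an empty statement and the two spellings diverge for no reason. Change it to `ECH_SAME_EXT(s, context, pkt)` to match the rest, or, if the macro is later rewritten in `do { ... } while (0)` form, add the semicolon at every site instead. The enclosing function starts and ends outside the hunk.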
if (!s->pha_enabled)
return EXT_RETURN_NOT_SENT;
# ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(s, pkt)
+ ECH_SAME_EXT(s, context, pkt)
# endif
/* construct extension - 0 length, no contents */
if (sc->client_cert_type == NULL)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(sc, pkt)
+ ECH_SAME_EXT(sc, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
if (sc->server_cert_type == NULL)
return EXT_RETURN_NOT_SENT;
#ifndef OPENSSL_NO_ECH
- ECH_SAME_EXT(sc, pkt)
+ ECH_SAME_EXT(sc, context, pkt)
#endif
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)