Fix SCTP todo
authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Mon, 10 Jun 2024 18:46:17 +0000 (20:46 +0200)
committerTomas Mraz <tomas@openssl.org>
Thu, 9 Jan 2025 17:05:42 +0000 (18:05 +0100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24605)

ssl/statem/statem_clnt.c
ssl/statem/statem_srvr.c
test/dtls_mtu_test.c

index 994f5f239e69d9604a6f7d05563b0d4e944a4bd1..f64df4bd546db49a395d9e962fa3e195cca000e5 100644 (file)
@@ -1762,7 +1762,12 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
     }
 
 #ifndef OPENSSL_NO_SCTP
-    if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
+    /*
+     * Before exporting the SCTP auth key we check if DTLSv1.3 has been negotiated
+     * which is not supported.
+     * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+     */
+    if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s) && s->hit) {
         unsigned char sctpauthkey[64];
         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
         size_t labellen;
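Review bot: The new `!SSL_CONNECTION_IS_DTLS13(s)` term turns the SCTP auth key export into a silent no-op when DTLSv1.3 is negotiated, whereas the removed test comment shows the old code failed the handshake with an internal error from ossl_statem_export_allowed(); as far as this hunk shows, nothing else rejects or logs the DTLSv1.3-over-SCTP combination, so the handshake apparently completes without any DTLS-derived SCTP-AUTH key being handed to the BIO. Since the draft cited in the comment does not cover DTLSv1.3, a fail-closed choice — refusing the handshake, or not offering DTLSv1.3 when the SCTP BIO is in use — looks safer than letting application data flow on an association whose auth key was not refreshed by this session; if skipping is intended, the comment should state the consequence, e.g. `* DTLSv1.3 over SCTP is not supported (draft-tuexen-tsvwg-rfc6083-bis-04), so the SCTP-AUTH key is intentionally not exported or activated here.` The same point applies to the other three sites in this commit: tls_client_key_exchange_post_work, ossl_statem_server_post_work and tls_post_process_client_key_exchange. tls_process_server_hello starts and ends outside the hunk.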
@@ -3623,7 +3628,12 @@ int tls_client_key_exchange_post_work(SSL_CONNECTION *s)
     pmslen = 0;
 
 #ifndef OPENSSL_NO_SCTP
-    if (SSL_CONNECTION_IS_DTLS(s)) {
+    /*
+     * Before exporting the SCTP auth key we check if DTLSv1.3 has been negotiated
+     * which is not supported.
+     * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+     */
+    if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s)) {
         unsigned char sctpauthkey[64];
         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
         size_t labellen;
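Review bot: The guard `SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s)` and its four-line rationale comment are now copied verbatim into four places across statem_clnt.c and statem_srvr.c (this hunk, tls_process_server_hello, ossl_statem_server_post_work and tls_post_process_client_key_exchange). A single shared predicate such as `static inline int sctp_auth_key_export_allowed(const SSL_CONNECTION *s) { return SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s); }` in a statem-local header, carrying the draft reference once, would reduce each call site to one line and keep the four copies from drifting apart. tls_client_key_exchange_post_work starts and ends outside the hunk.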
index 6479c88f6946e71fa84c1adad96248ff6f659e71..0e3feea21542cbb7da13e9269d3d50cbdccbd1a9 100644 (file)
@@ -916,7 +916,12 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
             break;
         }
 #ifndef OPENSSL_NO_SCTP
-        if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
+        /*
+        * Before exporting the SCTP auth key we check if DTLSv1.3 has been negotiated
+        * which is not supported.
+        * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+        */
+        if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s) && s->hit) {
             unsigned char sctpauthkey[64];
             char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
             size_t labellen;
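Review bot: The continuation lines of the new comment here (`* Before exporting ...`, `* which is ...`, `* Refer to ...` and the closing `*/`) are indented to the same column as the opening `/*` rather than one column further, unlike the other three copies in this commit, so the asterisks do not line up; they should read ` * Before exporting ...` and so on. The first comment line also runs well past 80 columns here and in both statem_clnt.c hunks, whereas the tls_post_process_client_key_exchange copy wraps after `has been`; reflowing the other three the same way would make all four consistent with OpenSSL's 80-column convention. ossl_statem_server_post_work starts and ends outside the hunk.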
@@ -3469,7 +3474,12 @@ WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s,
 {
 #ifndef OPENSSL_NO_SCTP
     if (wst == WORK_MORE_A) {
-        if (SSL_CONNECTION_IS_DTLS(s)) {
+        /*
+         * Before exporting the SCTP auth key we check if DTLSv1.3 has been
+         * negotiated which is not supported.
+         * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+         */
+        if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s)) {
             unsigned char sctpauthkey[64];
             char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
             size_t labellen;
index a960a7382af3aec164fc3e0c3fb5553034317aad..a68c72f411ed4431c8772e0727b805236f587043 100644 (file)
@@ -66,18 +66,6 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm)
     if (no_etm)
         SSL_set_options(srvr_ssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
 
-#ifndef OPENSSL_NO_SCTP
-    /**
-     * TODO(DTLSv1.3): Fix SCTP support
-     * This test is failing on exporting the sctp auth key on server and client
-     * because ossl_statem_export_allowed() fails.
-     * ossl_statem_server_post_work:internal error:ssl/statem/statem_srvr.c:937:
-     * and
-     * tls_process_server_hello:internal error:ssl/statem/statem_clnt.c:1763:
-     */
-    OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1);
-#endif
-
     if (!TEST_true(SSL_set_cipher_list(srvr_ssl, cs))
             || !TEST_true(SSL_set_cipher_list(clnt_ssl, cs))
             || !TEST_ptr(sc_bio = SSL_get_rbio(srvr_ssl))