s->server = server;
if (cb != NULL) {
- if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s))
+ if (SSL_IS_FIRST_HANDSHAKE(s) || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))
cb(ussl, SSL_CB_HANDSHAKE_START, 1);
}
* Note that after writing the first ClientHello we don't know what version
* we are going to negotiate yet, so we don't take this branch until later.
*/
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!ossl_statem_client13_read_transition(s, mt))
goto err;
return 1;
* version we are going to negotiate yet, so we don't take this branch until
* later
*/
- if (SSL_CONNECTION_IS_TLS13(s))
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
return ossl_statem_client13_write_transition(s);
switch (st->hand_state) {
case TLS_ST_CW_CLNT_HELLO:
if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
/*
- * We are assuming this is a TLSv1.3 connection, although we haven't
+ * We are assuming this is a (D)TLSv1.3 connection, although we haven't
* actually selected a version yet.
*/
if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
case TLS_ST_CR_SRVR_HELLO:
/*
- * We only get here in TLSv1.3. We just received an HRR, so issue a
+ * We only get here in (D)TLSv1.3. We just received an HRR, so issue a
* CCS unless middlebox compat mode is off, or we already issued one
* because we did early data.
*/
if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
&& s->max_early_data > 0) {
/*
- * We haven't selected TLSv1.3 yet so we don't call the change
+ * We haven't selected (D)TLSv1.3 yet so we don't call the change
* cipher state function associated with the SSL_METHOD. Instead
* we call tls13_change_cipher_state() directly.
*/
break;
case TLS_ST_CW_CHANGE:
- if (SSL_CONNECTION_IS_TLS13(s)
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)
|| s->hello_retry_request == SSL_HRR_PENDING)
break;
if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
&& s->max_early_data > 0) {
/*
- * We haven't selected TLSv1.3 yet so we don't call the change
+ * We haven't selected (D)TLSv1.3 yet so we don't call the change
* cipher state function associated with the SSL_METHOD. Instead
* we call tls13_change_cipher_state() directly.
*/
if (statem_flush(s) != 1)
return WORK_MORE_B;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!tls13_save_handshake_digest_for_pha(s)) {
/* SSLfatal() already called */
return WORK_ERROR;
return CCS_MAX_LENGTH;
case TLS_ST_CR_SESSION_TICKET:
- return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
+ return (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
: SESSION_TICKET_MAX_LENGTH_TLS12;
case TLS_ST_CR_FINISHED:
int i, protverr;
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
+ int comp_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION
+ : TLS1_3_VERSION;
#endif
SSL_SESSION *sess = s->session;
unsigned char *session_id;
/* Session ID */
session_id = s->session->session_id;
- if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
- if (s->version == TLS1_3_VERSION
+ if (s->new_session || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) {
+ if ((s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION)
&& (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
sess_id_len = sizeof(s->tmp_session_id);
s->tmp_session_id_len = sess_id_len;
} else {
assert(s->session->session_id_length <= sizeof(s->session->session_id));
sess_id_len = s->session->session_id_length;
- if (s->version == TLS1_3_VERSION) {
+ if (s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION) {
s->tmp_session_id_len = sess_id_len;
memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
}
#ifndef OPENSSL_NO_COMP
if (ssl_allow_compression(s)
&& sctx->comp_methods
- && (SSL_CONNECTION_IS_DTLS(s)
- || s->s3.tmp.max_ver < TLS1_3_VERSION)) {
+ && ssl_version_cmp(s, s->s3.tmp.max_ver, comp_version_limit) < 0) {
int compnum = sk_SSL_COMP_num(sctx->comp_methods);
for (i = 0; i < compnum; i++) {
comp = sk_SSL_COMP_value(sctx->comp_methods, i);
return 0;
}
- if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.new_cipher != NULL
&& s->s3.tmp.new_cipher->id != c->id) {
/* ServerHello selected a different ciphersuite to that in the HRR */
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
if (s->session->cipher != NULL)
s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != c->id)) {
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
const EVP_MD *md = ssl_md(sctx, c->algorithm2);
if (!ossl_assert(s->session->cipher != NULL)) {
}
/* load the server random */
- if (s->version == TLS1_3_VERSION
- && sversion == TLS1_2_VERSION
+ if (((s->version == TLS1_3_VERSION && sversion == TLS1_2_VERSION)
+ || (s->version == DTLS1_3_VERSION && sversion == DTLS1_2_VERSION))
&& PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
&& memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
if (s->hello_retry_request != SSL_HRR_NONE) {
}
}
- if (SSL_CONNECTION_IS_TLS13(s) || hrr) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || hrr) {
if (compression != 0) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INVALID_COMPRESSION_ALGORITHM);
* Now we have chosen the version we need to check again that the extensions
* are appropriate for this version.
*/
- context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
+ context = (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SSL_EXT_TLS1_3_SERVER_HELLO
: SSL_EXT_TLS1_2_SERVER_HELLO;
if (!tls_validate_all_contexts(s, context, extensions)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
s->hit = 0;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
/*
* In TLSv1.3 a ServerHello message signals a key change so the end of
* the message must be on a record boundary.
* echo of what we originally sent in the ClientHello and should not be
* used for resumption.
*/
- if (!SSL_CONNECTION_IS_TLS13(s)) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
s->session->session_id_length = session_id_len;
/* session_id_len could be 0 */
if (session_id_len > 0)
* In TLSv1.3 we have some post-processing to change cipher state, otherwise
* we're done with this message
*/
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!ssl->method->ssl3_enc->setup_key_block(s)
|| !ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
PACKET *extpkt)
{
RAW_EXTENSION *extensions = NULL;
+ const int isdtls = SSL_CONNECTION_IS_DTLS(s);
/*
* If we were sending early_data then any alerts should not be sent using
*/
if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
&& !ssl_set_new_record_layer(s,
- TLS_ANY_VERSION,
+ isdtls ? DTLS_ANY_VERSION : TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
goto err;
}
/* We are definitely going to be using TLSv1.3 */
- s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION);
+ s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, isdtls ? DTLS1_3_VERSION : TLS1_3_VERSION);
if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
&extensions, NULL, 1)
* skip check since TLS 1.3 ciphersuites can be used with any certificate
* type.
*/
- if (!SSL_CONNECTION_IS_TLS13(sc)) {
+ if (!(SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) {
if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) {
SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE);
return WORK_ERROR;
sc->session->verify_result = sc->verify_result;
/* Save the current hash state for when we receive the CertificateVerify */
- if (SSL_CONNECTION_IS_TLS13(sc)
+ if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))
&& !ssl_handshake_hash(sc, sc->cert_verify_hash,
sizeof(sc->cert_verify_hash),
&sc->cert_verify_hash_len)) {
goto err;
}
- if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
+ if (((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !PACKET_get_1(pkt, &context))
|| context != 0
|| !PACKET_get_net_3(pkt, &cert_list_len)
|| PACKET_remaining(pkt) != cert_list_len
goto err;
}
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
RAW_EXTENSION *rawexts = NULL;
PACKET extensions;
* skip check since TLS 1.3 ciphersuites can be used with any certificate
* type.
*/
- if (!SSL_CONNECTION_IS_TLS13(s)) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE);
return WORK_ERROR;
s->session->peer_rpk = NULL;
/* Save the current hash state for when we receive the CertificateVerify */
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !ssl_handshake_hash(s, s->cert_verify_hash,
sizeof(s->cert_verify_hash),
&s->cert_verify_hash_len)) {
if (s->s3.tmp.valid_flags == NULL)
return 0;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
PACKET reqctx, extensions;
RAW_EXTENSION *rawexts = NULL;
* SSL_get1_peer_certificate() returns something sensible in
* client_cert_cb.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& s->post_handshake_auth != SSL_PHA_REQUESTED)
return MSG_PROCESS_CONTINUE_READING;
PACKET_null_init(&nonce);
if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
- || (SSL_CONNECTION_IS_TLS13(s)
+ || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& (!PACKET_get_net_4(pkt, &age_add)
|| !PACKET_get_length_prefixed_1(pkt, &nonce)))
|| !PACKET_get_net_2(pkt, &ticklen)
- || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0
+ || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? (ticklen == 0
|| PACKET_remaining(pkt) < ticklen)
: PACKET_remaining(pkt) != ticklen)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
* post-handshake and the session may have already gone into the session
* cache.
*/
- if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || s->session->session_id_length > 0) {
SSL_SESSION *new_sess;
/*
}
if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
- && !SSL_CONNECTION_IS_TLS13(s)) {
+ && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
/*
* In TLSv1.2 and below the arrival of a new tickets signals that
* any old ticket we were using is now out of date, so we remove the
s->session->ext.tick_age_add = age_add;
s->session->ext.ticklen = ticklen;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
PACKET extpkt;
if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
s->session->not_resumable = 0;
/* This is a standalone message in TLSv1.3, so there is no more to read */
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
const EVP_MD *md = ssl_handshake_md(s);
int hashleni = EVP_MD_get_size(md);
size_t hashlen;
}
}
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
CERT_PKEY *cpk = NULL;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (s->pha_context == NULL) {
/* no context available, add 0-length context */
if (!WPACKET_put_bytes_u8(pkt, 0)) {
* then we deferred changing the handshake write keys to the last possible
* moment. We need to do it now.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& SSL_IS_FIRST_HANDSHAKE(s)
&& (s->early_data_state != SSL_EARLY_DATA_NONE
|| (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69"
"\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79";
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
size_t hashlen;
/* Set the first 64 bytes of to-be-signed data to octet 32 */
}
/*
- * In TLSv1.3 on the client side we make sure we prepare the client
+ * In (D)TLSv1.3 on the client side we make sure we prepare the client
* certificate after the CertVerify instead of when we get the
- * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
- * comes *before* the Certificate message. In TLSv1.2 it comes after. We
+ * CertificateRequest. This is because in (D)TLSv1.3 the CertificateRequest
+ * comes *before* the Certificate message. In (D)TLSv1.2 it comes after. We
* want to make sure that SSL_get1_peer_certificate() will return the actual
* server certificate from the client_cert_cb callback.
*/
- if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
+ if (!s->server && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.cert_req == 1)
ret = MSG_PROCESS_CONTINUE_PROCESSING;
else
ret = MSG_PROCESS_CONTINUE_READING;
* moment. If we didn't already do this when we sent the client certificate
* then we need to do it now.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !s->server
&& (s->early_data_state != SSL_EARLY_DATA_NONE
|| (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
/*
* Log the master secret, if logging is enabled. We don't log it for
- * TLSv1.3: there's a different key schedule for that.
+ * (D)TLSv1.3: there's a different key schedule for that.
*/
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key,
s->session->master_key_length)) {
/* SSLfatal() already called */
/*
* To get this far we must have read encrypted data from the client. We
* no longer tolerate unencrypted alerts. This is ignored if less than
- * TLSv1.3
+ * (D)TLSv1.3
*/
if (s->rlayer.rrlmethod->set_plain_alerts != NULL)
s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0);
if (s->post_handshake_auth != SSL_PHA_REQUESTED)
s->statem.cleanuphand = 1;
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& !tls13_save_handshake_digest_for_pha(s)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
* In TLSv1.3 a Finished message signals a key change so the end of the
* message must be on a record boundary.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& RECORD_LAYER_processed_read_pending(&s->rlayer)) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
return MSG_PROCESS_ERROR;
}
/* If this occurs, we have missed a message */
- if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->s3.change_cipher_spec) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
return MSG_PROCESS_ERROR;
}
* In TLS1.3 we also have to change cipher state and do any final processing
* of the initial server flight (if we are a client)
*/
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (s->server) {
if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
!ssl->method->ssl3_enc->change_cipher_state(s,
return MSG_PROCESS_ERROR;
}
} else {
- /* TLS 1.3 gets the secret size from the handshake md */
+ /* (D)TLS 1.3 gets the secret size from the handshake md */
size_t dummy;
if (!ssl->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
return 0;
}
- if ((SSL_CONNECTION_IS_TLS13(s) || for_comp)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || for_comp)
&& !tls_construct_extensions(s, pkt, context, x, chain)) {
/* SSLfatal() already called */
return 0;
/*-
* ----------------------------
- * TLS 1.3 Certificate message:
+ * (D)TLS 1.3 Certificate message:
* ----------------------------
* https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2
*
* -------------
* Consequently:
* -------------
- * After the (TLS 1.3 only) context octet string (1 byte length + data) the
+ * After the ((D)TLS 1.3 only) context octet string (1 byte length + data) the
* Certificate message has a 3-byte length that is zero in the client to
* server message when the client has no RPK to send. In that case, there
- * are no (TLS 1.3 only) per-certificate extensions either, because the
+ * are no ((D)TLS 1.3 only) per-certificate extensions either, because the
* [CertificateEntry] list is empty.
*
* In the server to client direction, or when the client had an RPK to send,
- * the TLS 1.3 message just prepends the length of the RPK+extensions,
+ * the (D)TLS 1.3 message just prepends the length of the RPK+extensions,
* while TLS <= 1.2 sends just the RPK (octet-string).
*
* The context must be zero-length in the server to client direction, and
* must match the value recorded in the certificate request in the client
* to server direction.
*/
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
if (!PACKET_get_length_prefixed_1(pkt, &context)) {
SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT);
goto err;
if (cert_len == 0)
return 1;
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
/*
* With TLS 1.3, a non-empty explicit-length RPK octet-string followed
* by a possibly empty extension block.
}
/* Process the Extensions block */
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) {
SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
goto err;
* TLSv1.2 is _just_ the raw public key
* TLSv1.3 includes extensions, so there's a length wrapper
*/
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) {
if (!WPACKET_start_sub_packet_u24(pkt)) {
SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
goto err;
}
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) {
/*
* Only send extensions relevant to raw public keys. Until such
* extensions are defined, this will be an empty set of extensions.
s->init_num = 0;
}
- if (SSL_CONNECTION_IS_TLS13(s) && !s->server
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->server
&& s->post_handshake_auth == SSL_PHA_REQUESTED)
s->post_handshake_auth = SSL_PHA_EXT_SENT;
* In TLSv1.3 we update the cache as part of constructing the
* NewSessionTicket
*/
- if (!SSL_CONNECTION_IS_TLS13(s))
+ if (!(SSL_CONNECTION_IS_TLS13(s))|| SSL_CONNECTION_IS_DTLS13(s))
ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
/* N.B. s->ctx may not equal s->session_ctx */
ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good);
s->handshake_func = ossl_statem_accept;
} else {
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
/*
* We encourage applications to only use TLSv1.3 tickets once,
* so we remove this one from the cache.
if (cb != NULL) {
if (cleanuphand
- || !SSL_CONNECTION_IS_TLS13(s)
+ || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| SSL_IS_FIRST_HANDSHAKE(s))
cb(ssl, SSL_CB_HANDSHAKE_DONE, 1);
}
*/
#define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2)
/* KeyUpdate and NewSessionTicket do not need to be added */
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
&& s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
&& ssl_version_cmp(s, version, vent->version) == 0
&& ssl_method_error(s, thismeth()) == 0
&& (!s->server
- || version != TLS1_3_VERSION
+ || (version != TLS1_3_VERSION && version != DTLS1_3_VERSION)
|| is_tls13_capable(s))) {
if (meth != NULL)
*meth = thismeth();
const version_info *table;
int disabled = 0;
RAW_EXTENSION *suppversions;
+ const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION
+ : TLS1_3_VERSION;
s->client_version = client_version;
switch (server_version) {
default:
- if (!SSL_CONNECTION_IS_TLS13(s)) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
if (ssl_version_cmp(s, client_version, s->version) < 0)
return SSL_R_WRONG_SSL_VERSION;
*dgrd = DOWNGRADE_NONE;
if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
return SSL_R_UNSUPPORTED_PROTOCOL;
- if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) {
+ if (suppversions->present) {
unsigned int candidate_vers = 0;
- unsigned int best_vers = 0;
+ const unsigned int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? UINT_MAX
+ : 0;
+ unsigned int best_vers = best_vers_init;
const SSL_METHOD *best_method = NULL;
PACKET versionslist;
return SSL_R_LENGTH_MISMATCH;
}
- if (best_vers > 0) {
+ /* Did best_vers change from the initial value? */
+ if (best_vers != best_vers_init) {
if (s->hello_retry_request != SSL_HRR_NONE) {
/*
* This is after a HelloRetryRequest so we better check that we
- * negotiated TLSv1.3
+ * negotiated (D)TLSv1.3
*/
- if (best_vers != TLS1_3_VERSION)
+ if (best_vers != TLS1_3_VERSION && best_vers != DTLS1_3_VERSION)
return SSL_R_UNSUPPORTED_PROTOCOL;
return 0;
}
/*
* If the supported versions extension isn't present, then the highest
- * version we can negotiate is TLSv1.2
+ * version we can negotiate is (D)TLSv1.2
*/
- if (ssl_version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
- client_version = TLS1_2_VERSION;
+ if (ssl_version_cmp(s, client_version, version1_3) >= 0)
+ client_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION
+ : TLS1_2_VERSION;
/*
* No supported versions extension, so we just use the version supplied in
}
if (s->hello_retry_request != SSL_HRR_NONE
- && s->version != TLS1_3_VERSION) {
+ && (s->version != TLS1_3_VERSION && s->version != DTLS1_3_VERSION)) {
s->version = origv;
SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
return 0;
{
OSSL_STATEM *st = &s->statem;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!ossl_statem_server13_read_transition(s, mt))
goto err;
return 1;
* don't request if post-handshake-only unless doing
* post-handshake in TLSv1.3:
*/
- && (!SSL_CONNECTION_IS_TLS13(s)
+ && (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
|| s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
/*
* to negotiate yet, so we don't take this branch until later
*/
- if (SSL_CONNECTION_IS_TLS13(s))
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
return ossl_statem_server13_write_transition(s);
switch (st->hand_state) {
return WRITE_TRAN_CONTINUE;
case TLS_ST_SR_CLNT_HELLO:
- if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified
+ if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s) && !s->d1->cookie_verified
&& (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) {
st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
} else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
return WORK_FINISHED_CONTINUE;
case TLS_ST_SW_SESSION_TICKET:
- if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->sent_tickets == 0
&& s->ext.extra_tickets_expected == 0) {
/*
* Actually this is the end of the handshake, but we're going
break;
case TLS_ST_SW_CHANGE:
- if (SSL_CONNECTION_IS_TLS13(s))
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
break;
/* Writes to s->session are only safe for initial handshakes */
if (s->session->cipher == NULL) {
break;
case TLS_ST_SW_SRVR_HELLO:
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& s->hello_retry_request == SSL_HRR_PENDING) {
if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
&& statem_flush(s) != 1)
sizeof(sctpauthkey), sctpauthkey);
}
#endif
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
&& s->hello_retry_request != SSL_HRR_COMPLETE))
break;
break;
}
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!ssl->method->ssl3_enc->setup_key_block(s)
|| !ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
0, NULL);
}
#endif
- if (SSL_CONNECTION_IS_TLS13(s)) {
- /* TLS 1.3 gets the secret size from the handshake md */
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
+ /* (D)TLS 1.3 gets the secret size from the handshake md */
size_t dummy;
if (!ssl->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
if (statem_flush(s) != 1)
return WORK_MORE_A;
} else {
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
}
case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
if (!s->hit && !send_certificate_request(s)) {
- if (!SSL_CONNECTION_IS_TLS13(s)
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
|| (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none;
}
case TLS_ST_SW_SESSION_TICKET:
clear_sys_error();
- if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) {
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && statem_flush(s) != 1) {
if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL
&& conn_is_closed()) {
/*
/* Check if this is actually an unexpected renegotiation ClientHello */
if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
- if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) {
+ if (!ossl_assert(!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
}
/* TLSv1.3 specifies that a ClientHello must end on a record boundary */
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& RECORD_LAYER_processed_read_pending(&s->rlayer)) {
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
goto err;
}
/* For TLSv1.3 we must select the ciphersuite *before* session resumption */
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
const SSL_CIPHER *cipher =
ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl));
}
}
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
memcpy(s->tmp_session_id, s->clienthello->session_id,
s->clienthello->session_id_len);
s->tmp_session_id_len = s->clienthello->session_id_len;
* If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
* ciphersuite compatibility with the session as part of resumption.
*/
- if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->hit) {
j = 0;
id = s->session->cipher->id;
}
if (!s->hit
- && s->version >= TLS1_VERSION
- && !SSL_CONNECTION_IS_TLS13(s)
- && !SSL_CONNECTION_IS_DTLS(s)
+ && ssl_version_cmp(s, s->version, SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION : TLS1_VERSION) >= 0
+ && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& s->ext.session_secret_cb != NULL) {
const SSL_CIPHER *pref_cipher = NULL;
/*
* algorithms from the client, starting at q.
*/
s->s3.tmp.new_compression = NULL;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
/*
* We already checked above that the NULL compression method appears in
* the list. Now we check there aren't any others (which is illegal in
* Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher
*/
- if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
+ if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
sk_SSL_CIPHER_free(s->peer_ciphers);
s->peer_ciphers = ciphers;
if (ciphers == NULL) {
wst = WORK_MORE_B;
}
if (wst == WORK_MORE_B) {
- if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
+ if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
/* Let cert callback update server certificates if required */
if (!s->hit && s->cert->cert_cb != NULL) {
int rv = s->cert->cert_cb(ussl, s->cert->cert_cb_arg);
}
/* In TLSv1.3 we selected the ciphersuite before resumption */
- if (!SSL_CONNECTION_IS_TLS13(s)) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
cipher =
ssl3_choose_cipher(s, s->peer_ciphers,
SSL_get_ciphers(ssl));
* we already did this because cipher negotiation happens earlier, and
* we must handle ALPN before we decide whether to accept early_data.
*/
- if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) {
+ if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !tls_handle_alpn(s)) {
/* SSLfatal() already called */
goto err;
}
unsigned char *session_id;
int usetls13 = SSL_CONNECTION_IS_TLS13(s)
|| s->hello_retry_request == SSL_HRR_PENDING;
+ int usedtls13 = SSL_CONNECTION_IS_DTLS13(s)
+ || s->hello_retry_request == SSL_HRR_PENDING;
- version = usetls13 ? TLS1_2_VERSION : s->version;
+ version = usetls13 ? TLS1_2_VERSION : (usedtls13 ? DTLS1_2_VERSION : s->version);
if (!WPACKET_put_bytes_u16(pkt, version)
/*
* Random stuff. Filling of the server_random takes place in
&& !s->hit)
s->session->session_id_length = 0;
- if (usetls13) {
+ if (usetls13 || usedtls13) {
sl = s->tmp_session_id_len;
session_id = s->tmp_session_id;
} else {
#ifdef OPENSSL_NO_COMP
compm = 0;
#else
- if (usetls13 || s->s3.tmp.new_compression == NULL)
+ if (usetls13 || usedtls13 || s->s3.tmp.new_compression == NULL)
compm = 0;
else
compm = s->s3.tmp.new_compression->id;
if (!tls_construct_extensions(s, pkt,
s->hello_retry_request == SSL_HRR_PENDING
? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
- : (SSL_CONNECTION_IS_TLS13(s)
+ : ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
? SSL_EXT_TLS1_3_SERVER_HELLO
: SSL_EXT_TLS1_2_SERVER_HELLO),
NULL, 0)) {
CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s,
WPACKET *pkt)
{
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
/* Send random context when doing post-handshake auth */
if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
OPENSSL_free(s->pha_context);
* Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
* message
*/
- if (SSL_CONNECTION_IS_TLS13(sc)) {
+ if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) {
if (!ssl3_digest_cached_records(sc, 1)) {
/* SSLfatal() already called */
goto err;
goto err;
}
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& (!PACKET_get_length_prefixed_1(pkt, &context)
|| (s->pha_context == NULL && PACKET_remaining(&context) != 0)
|| (s->pha_context != NULL
goto err;
}
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
RAW_EXTENSION *rawexts = NULL;
PACKET extensions;
* Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
* message
*/
- if (SSL_CONNECTION_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !ssl3_digest_cached_records(s, 1)) {
/* SSLfatal() already called */
goto err;
}
*/
/* Save the current hash state for when we receive the CertificateVerify */
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!ssl_handshake_hash(s, s->cert_verify_hash,
sizeof(s->cert_verify_hash),
&s->cert_verify_hash_len)) {
* In TLSv1.3 the certificate chain is always preceded by a 0 length context
* for the server Certificate message
*/
- if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !WPACKET_put_bytes_u8(pkt, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return CON_FUNC_ERROR;
}
*/
#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (ossl_time_compare(s->session->timeout,
ossl_seconds2time(ONE_WEEK_SEC)) > 0)
timeout = ONE_WEEK_SEC;
return 0;
}
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!WPACKET_put_bytes_u32(pkt, age_add)
|| !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
* length ticket is not allowed so we abort construction of the
* ticket
*/
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
ok = CON_FUNC_DONT_SEND;
goto err;
}
age_add_u.age_add = 0;
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
size_t i, hashlen;
uint64_t nonce;
static const unsigned char nonce_label[] = "resumption";
* SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
* is no point in using full stateless tickets.
*/
- if (SSL_CONNECTION_IS_TLS13(s)
+ if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& ((s->options & SSL_OP_NO_TICKET) != 0
|| (s->max_early_data > 0
&& (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) {
}
}
- if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
if (!tls_construct_extensions(s, pkt,
SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, 0)) {
projects / thirdparty / openssl.git / commitdiff
