From 6c75a12d876a9099759eec3892e6d8849c519a2f Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Mon, 10 Jun 2024 20:46:17 +0200
Subject: [PATCH] Fix SCTP todo

Reviewed-by: Tomas Mraz
Reviewed-by: Viktor Dukhovni
(Merged from https://github.com/openssl/openssl/pull/24605)
---
ssl/statem/statem_clnt.c | 14 ++++++++++++--
ssl/statem/statem_srvr.c | 14 ++++++++++++--
test/dtls_mtu_test.c | 12 ------------
3 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 994f5f239e6..f64df4bd546 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1762,7 +1762,12 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
 }
 #ifndef OPENSSL_NO_SCTP
- if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
+ /*
+ * Before exporting the SCTP auth key we check if DTLSv1.3 has been negotiated
+ * which is not supported.
+ * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+ */
+ if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s) && s->hit) {
 unsigned char sctpauthkey[64];
 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
 size_t labellen;
@@ -3623,7 +3628,12 @@ int tls_client_key_exchange_post_work(SSL_CONNECTION *s)
 pmslen = 0;
 #ifndef OPENSSL_NO_SCTP
- if (SSL_CONNECTION_IS_DTLS(s)) {
+ /*
+ * Before exporting the SCTP auth key we check if DTLSv1.3 has been negotiated
+ * which is not supported.
+ * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+ */
+ if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s)) {
 unsigned char sctpauthkey[64];
 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
 size_t labellen;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 6479c88f694..0e3feea2154 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
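Review bot: The new `!SSL_CONNECTION_IS_DTLS13(s)` guard makes a DTLSv1.3 handshake over SCTP skip the auth-key export silently: nothing fails, logs or records that no key was derived, so an SCTP transport that expects the DTLS-derived SCTP-AUTH key (the draft-tuexen-tsvwg-rfc6083-bis-04 reference in the comment) keeps running with whatever key it already had. Since the comment itself says DTLSv1.3 is not supported here, it would be safer to make that explicit rather than skip, either by refusing the combination when the transport is an SCTP BIO (BIO_dgram_is_sctp() exists for that, if it is usable at this point) or at least by stating the consequence: `/* DTLSv1.3 over SCTP is not supported: no SCTP-AUTH key is exported here, the transport keeps its current key. */`. The same guard is repeated in the second hunk of this file and in both hunks of statem_srvr.c; a small static helper such as `ossl_statem_sctp_export_needed(s)` would keep the four copies from diverging. If I read the test/dtls_mtu_test.c hunk right, dropping the DTLS1_2_VERSION cap means that test now takes this skip path whenever SCTP is enabled, so the export branch is no longer exercised by it. The export block that follows the `if` continues outside the hunk.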
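Review bot: The new comment reads awkwardly and is wrapped differently from its twin in the tls_post_process_client_key_exchange hunk of statem_srvr.c, where the first line breaks before "negotiated" instead of after it; "which is not supported" also attaches to "negotiated" rather than to DTLSv1.3. One wording in all four places would be clearer, e.g. `/* Skip the SCTP auth key export when DTLSv1.3 was negotiated: the export is not supported for DTLSv1.3 (see draft-tuexen-tsvwg-rfc6083-bis-04). */`, wrapped so that no line exceeds 80 columns, which the longer first line presumably does at this indentation (the indentation is not visible here).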
@@ -916,7 +916,12 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst)
 break;
 }
 #ifndef OPENSSL_NO_SCTP
- if (SSL_CONNECTION_IS_DTLS(s) && s->hit) {
+ /*
+ * Before exporting the SCTP auth key we check if DTLSv1.3 has been negotiated
+ * which is not supported.
+ * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+ */
+ if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s) && s->hit) {
 unsigned char sctpauthkey[64];
 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
 size_t labellen;
@@ -3469,7 +3474,12 @@ WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s,
 {
 #ifndef OPENSSL_NO_SCTP
 if (wst == WORK_MORE_A) {
- if (SSL_CONNECTION_IS_DTLS(s)) {
+ /*
+ * Before exporting the SCTP auth key we check if DTLSv1.3 has been
+ * negotiated which is not supported.
+ * Refer to draft-tuexen-tsvwg-rfc6083-bis-04 for more info.
+ */
+ if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s)) {
 unsigned char sctpauthkey[64];
 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
 size_t labellen;
diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c
index a960a7382af..a68c72f411e 100644
--- a/test/dtls_mtu_test.c
+++ b/test/dtls_mtu_test.c
@@ -66,18 +66,6 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm)
 if (no_etm)
 SSL_set_options(srvr_ssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
-#ifndef OPENSSL_NO_SCTP
- /**
- * TODO(DTLSv1.3): Fix SCTP support
- * This test is failing on exporting the sctp auth key on server and client
- * because ossl_statem_export_allowed() fails.
- * ossl_statem_server_post_work:internal error:ssl/statem/statem_srvr.c:937:
- * and
- * tls_process_server_hello:internal error:ssl/statem/statem_clnt.c:1763:
- */
- OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1);
-#endif
 if (!TEST_true(SSL_set_cipher_list(srvr_ssl, cs))
 || !TEST_true(SSL_set_cipher_list(clnt_ssl, cs))
 || !TEST_ptr(sc_bio = SSL_get_rbio(srvr_ssl))
-- 
2.47.2