extensions: allow receiving and sending extensions which were not advertised by clien...
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 3 Oct 2017 06:39:58 +0000 (08:39 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 19 Feb 2018 14:29:35 +0000 (15:29 +0100)
That is needed due to the special treatment of the cookie extension,
which is sent by the server in HRR even if it was not advertised by
the client.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/ext/cookie.c
lib/hello_ext.c
lib/includes/gnutls/gnutls.h.in

index c21e5c1c9de7d0234adbebea6e1c25d3f6c7ac26..eff4f1890db818dc5e1e404ecb3cec18bfd64fa0 100644 (file)
@@ -39,7 +39,7 @@ const hello_ext_entry_st ext_mod_cookie = {
        .name = "Cookie",
        .tls_id = 44,
        .gid = GNUTLS_EXTENSION_COOKIE,
-       .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR,
+       .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR|GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST,
        .parse_type = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
 
        .recv_func = cookie_recv_params,
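Review bot: The new GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST bit on ext_mod_cookie.validity is the only registration that carries the override, yet nothing in this entry says why the cookie needs it. An inline comment in the style of the one already on .parse_type would spare the reader a trip to hello_ext.c, e.g. `.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR|GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST, /* server sends the cookie in HRR without the client having offered it */`.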
index c582aecc95e1b2878ea263a7aab2e0f9c67aee40..5bafa97f6c21fce5bfe1fa5a24c95936dc0e8a98 100644 (file)
@@ -213,7 +213,8 @@ int hello_ext_parse(void *_ctx, uint16_t tls_id, const uint8_t *data, int data_s
        }
 
        if (session->security_parameters.entity == GNUTLS_CLIENT) {
-               if (!_gnutls_hello_ext_is_present(session, ext->gid)) {
+               if (!(ext->validity & GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST) &&
+                   !_gnutls_hello_ext_is_present(session, ext->gid)) {
                        _gnutls_debug_log("EXT[%p]: Received unexpected extension '%s/%d'\n", session,
                                        ext->name, (int)tls_id);
                        return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
@@ -301,7 +302,8 @@ int hello_ext_send(void *_ctx, gnutls_buffer_st *buf)
        ret = _gnutls_hello_ext_is_present(session, p->gid);
 
        if (session->security_parameters.entity == GNUTLS_SERVER) {
-               if (ret == 0) /* not advertised */
+               /* if client didn't advertise and the override flag is not present */
+               if (!(p->validity & GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST) && ret == 0)
                        return 0;
        } else {
                if (ret != 0) /* already sent */
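Review bot: The new condition in hello_ext_parse disables the client-side "unexpected extension" rejection for every extension whose registered validity carries GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST, not only the cookie; since the flag is part of the public gnutls_ext_flags_t, a custom extension registered with it opts out of the check that a client otherwise applies to unsolicited extensions. Whether this path also compares the message type against ext->validity is not visible here (hello_ext_parse continues outside the hunk); if it does not, the bypass applies to any message the client parses rather than only the HRR this commit targets, so that should be confirmed. A comment on the new condition would make the intent explicit, e.g. `/* IGNORE_CLIENT_REQUEST (TLS1.3 cookie) may arrive unsolicited; the message-type check is expected to happen elsewhere — confirm */`. The mirrored change in hello_ext_send is consistent with it and already carries a comment.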
index 55678a337aa19f0908f8956c69fa86e4ff98f504..84452a999bf2c9379b6a37000c971b47c02b2daa 100644 (file)
@@ -2677,6 +2677,7 @@ typedef enum {
  * @GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO: This extension can be present in a TLS1.3 server hello
  * @GNUTLS_EXT_FLAG_EE: This extension can be present in encrypted extensions message
  * @GNUTLS_EXT_FLAG_HRR: This extension can be present in hello retry request message
+ * @GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST: When flag is present, this extension will be send even if the server didn't advertise it. An extension of this type is the Cookie TLS1.3 extension.
  *
  * Enumeration of different TLS extension registration flags.
  */
@@ -2686,7 +2687,8 @@ typedef enum {
   GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO = (1<<2),
   GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO = (1<<3),
   GNUTLS_EXT_FLAG_EE = (1<<4), /* ENCRYPTED */
-  GNUTLS_EXT_FLAG_HRR = (1<<5)
+  GNUTLS_EXT_FLAG_HRR = (1<<5),
+  GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST = (1<<6)
 } gnutls_ext_flags_t;
 
 /* Register a custom tls extension
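Review bot: The doc line added for GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST inverts the roles: it says the extension is sent "even if the server didn't advertise it", while the commit title and the hello_ext_send change describe the server sending it when the client did not advertise it; "will be send" should also read "will be sent". Suggested wording: ` * @GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST: When this flag is set, the server may send the extension even if the client did not advertise it, and a client accepts it unsolicited. The TLS1.3 cookie extension is the case that needs this.` Because the enum is public and used for registering custom extensions, the doc should state that the flag relaxes the client's unsolicited-extension check so applications do not set it casually.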