Update ServerHello to new draft-22 format (88050dd1) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

crypto/err/openssl.txt

+3 −0

Original line number	Diff line number	Diff line
		@@ -1292,6 +1292,8 @@ SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET:460:tls_construct_stoc_session_ticket
		SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST:461:tls_construct_stoc_status_request
		SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS:544:\
		tls_construct_stoc_supported_groups
		SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS:608:\
		tls_construct_stoc_supported_versions
		SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP:462:tls_construct_stoc_use_srtp
		SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO:521:\
		tls_early_post_process_client_hello
		@@ -1332,6 +1334,7 @@ SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct
		SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name
		SSL_F_TLS_PARSE_STOC_SESSION_TICKET:584:tls_parse_stoc_session_ticket
		SSL_F_TLS_PARSE_STOC_STATUS_REQUEST:585:tls_parse_stoc_status_request
		SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS:609:tls_parse_stoc_supported_versions
		SSL_F_TLS_PARSE_STOC_USE_SRTP:446:tls_parse_stoc_use_srtp
		SSL_F_TLS_POST_PROCESS_CLIENT_HELLO:378:tls_post_process_client_hello
		SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE:384:\

include/openssl/sslerr.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -340,6 +340,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET 460
		# define SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST 461
		# define SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS 544
		# define SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS 608
		# define SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP 462
		# define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO 521
		# define SSL_F_TLS_FINISH_HANDSHAKE 597
		@@ -379,6 +380,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_F_TLS_PARSE_STOC_SERVER_NAME 583
		# define SSL_F_TLS_PARSE_STOC_SESSION_TICKET 584
		# define SSL_F_TLS_PARSE_STOC_STATUS_REQUEST 585
		# define SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS 609
		# define SSL_F_TLS_PARSE_STOC_USE_SRTP 446
		# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378
		# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384

ssl/ssl_err.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -524,6 +524,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
		"tls_construct_stoc_status_request"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, 0),
		"tls_construct_stoc_supported_groups"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS, 0),
		"tls_construct_stoc_supported_versions"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, 0),
		"tls_construct_stoc_use_srtp"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, 0),
		@@ -593,6 +595,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
		"tls_parse_stoc_session_ticket"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, 0),
		"tls_parse_stoc_status_request"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, 0),
		"tls_parse_stoc_supported_versions"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_USE_SRTP, 0),
		"tls_parse_stoc_use_srtp"},
		{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, 0),

ssl/ssl_locl.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -2266,7 +2266,8 @@ __owur int ssl_check_version_downgrade(SSL *s);
		__owur int ssl_set_version_bound(int method_version, int version, int *bound);
		__owur int ssl_choose_server_version(SSL s, CLIENTHELLO_MSG hello,
		DOWNGRADE *dgrd);
		__owur int ssl_choose_client_version(SSL *s, int version, int checkdgrd);
		__owur int ssl_choose_client_version(SSL *s, int version,
		RAW_EXTENSION *extensions);
		int ssl_get_min_max_version(const SSL s, int min_version, int *max_version);

		__owur long tls1_default_timeout(void);

ssl/statem/extensions.c

+44 −3

Original line number	Diff line number	Diff line
		@@ -9,6 +9,7 @@

		#include <string.h>
		#include "internal/nelem.h"
		#include "internal/cryptlib.h"
		#include "../ssl_locl.h"
		#include "statem_locl.h"

		@@ -261,11 +262,13 @@ static const EXTENSION_DEFINITION ext_defs[] = {
		},
		{
		TLSEXT_TYPE_supported_versions,
		SSL_EXT_CLIENT_HELLO \| SSL_EXT_TLS_IMPLEMENTATION_ONLY
		\| SSL_EXT_TLS1_3_ONLY,
		SSL_EXT_CLIENT_HELLO \| SSL_EXT_TLS1_2_SERVER_HELLO
		\| SSL_EXT_TLS1_3_SERVER_HELLO \| SSL_EXT_TLS_IMPLEMENTATION_ONLY,
		NULL,
		/* Processed inline as part of version selection */
		NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
		NULL, tls_parse_stoc_supported_versions,
		tls_construct_stoc_supported_versions,
		tls_construct_ctos_supported_versions, NULL
		},
		{
		TLSEXT_TYPE_psk_kex_modes,
		@@ -357,6 +360,44 @@ static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
		return 1;
		}

		int tls_validate_all_contexts(SSL s, unsigned int thisctx, RAW_EXTENSION exts)
		{
		size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
		RAW_EXTENSION *thisext;
		unsigned int context;
		ENDPOINT role = ENDPOINT_BOTH;

		if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
		role = ENDPOINT_SERVER;
		else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
		role = ENDPOINT_CLIENT;

		/* Calculate the number of extensions in the extensions list */
		num_exts = builtin_num + s->cert->custext.meths_count;

		for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
		if (!thisext->present)
		continue;

		if (i < builtin_num) {
		context = ext_defs[i].context;
		} else {
		custom_ext_method *meth = NULL;

		meth = custom_ext_find(&s->cert->custext, role, thisext->type,
		&offset);
		if (!ossl_assert(meth != NULL))
		return 0;
		context = meth->context;
		}

		if (!validate_context(s, context, thisctx))
		return 0;
		}

		return 1;
		}

		/*
		* Verify whether we are allowed to use the extension \|type\| in the current
		* \|context\|. Returns 1 to indicate the extension is allowed or unknown or 0 to