grpc 1.41.0 → 1.41.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of grpc might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Makefile +4 -3
- data/etc/roots.pem +335 -326
- data/src/ruby/ext/grpc/extconf.rb +1 -1
- data/src/ruby/lib/grpc/version.rb +1 -1
- data/third_party/boringssl-with-bazel/err_data.c +278 -272
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_bool.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_d2i_fp.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_gentm.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_mbstr.c +15 -22
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_object.c +13 -7
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_print.c +19 -29
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/a_strex.c +268 -271
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_strnid.c +6 -43
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_time.c +2 -2
- data/third_party/boringssl-with-bazel/src/crypto/asn1/a_utctm.c +0 -39
- data/third_party/boringssl-with-bazel/src/crypto/asn1/asn1_par.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/{x509 → asn1}/charmap.h +0 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/internal.h +25 -0
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_dec.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_enc.c +289 -198
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_fre.c +8 -8
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_new.c +9 -13
- data/third_party/boringssl-with-bazel/src/crypto/asn1/tasn_utl.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/base64/base64.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/bio/bio_mem.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/connect.c +1 -5
- data/third_party/boringssl-with-bazel/src/crypto/bio/fd.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/bio/file.c +1 -7
- data/third_party/boringssl-with-bazel/src/crypto/bio/pair.c +1 -6
- data/third_party/boringssl-with-bazel/src/crypto/bio/socket.c +3 -17
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbb.c +9 -0
- data/third_party/boringssl-with-bazel/src/crypto/bytestring/cbs.c +8 -0
- data/third_party/boringssl-with-bazel/src/crypto/cipher_extra/cipher_extra.c +45 -65
- data/third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/div.c +21 -3
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/gcd_extra.c +3 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/bn/internal.h +5 -2
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/cipher/e_aes.c +10 -0
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/md4/md4.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/modes/gcm_nohw.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rand/rand.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa.c +24 -9
- data/third_party/boringssl-with-bazel/src/crypto/fipsmodule/rsa/rsa_impl.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/mem.c +12 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_all.c +0 -9
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_info.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_lib.c +0 -8
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pk8.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/pem/pem_pkey.c +0 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/internal.h +16 -7
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7.c +9 -4
- data/third_party/boringssl-with-bazel/src/crypto/pkcs7/pkcs7_x509.c +151 -12
- data/third_party/boringssl-with-bazel/src/crypto/pkcs8/pkcs8_x509.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/by_file.c +2 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/internal.h +181 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/name_print.c +246 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/rsa_pss.c +11 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_crl.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509.c +0 -179
- data/third_party/boringssl-with-bazel/src/crypto/x509/t_x509a.c +4 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_lu.c +0 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_obj.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vfy.c +11 -50
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509_vpm.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509/x509name.c +2 -4
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_all.c +0 -16
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_name.c +22 -18
- data/third_party/boringssl-with-bazel/src/crypto/x509/x_x509.c +11 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/internal.h +16 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_cache.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_data.c +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_int.h +1 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_map.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/pcy_tree.c +4 -3
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_akey.c +24 -5
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_alt.c +17 -8
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_bitst.c +3 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_cpols.c +6 -6
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_crld.c +4 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_enum.c +5 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_ncons.c +112 -55
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c +2 -1
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c +0 -2
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c +1 -0
- data/third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c +71 -26
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1.h +304 -192
- data/third_party/boringssl-with-bazel/src/include/openssl/asn1t.h +2 -9
- data/third_party/boringssl-with-bazel/src/include/openssl/base.h +5 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bio.h +3 -1
- data/third_party/boringssl-with-bazel/src/include/openssl/bn.h +3 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/bytestring.h +9 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/cipher.h +8 -2
- data/third_party/boringssl-with-bazel/src/include/openssl/hkdf.h +4 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/mem.h +9 -3
- data/third_party/boringssl-with-bazel/src/include/openssl/pem.h +0 -20
- data/third_party/boringssl-with-bazel/src/include/openssl/pkcs7.h +12 -5
- data/third_party/boringssl-with-bazel/src/include/openssl/rsa.h +5 -0
- data/third_party/boringssl-with-bazel/src/include/openssl/span.h +37 -15
- data/third_party/boringssl-with-bazel/src/include/openssl/ssl.h +26 -12
- data/third_party/boringssl-with-bazel/src/include/openssl/tls1.h +31 -32
- data/third_party/boringssl-with-bazel/src/include/openssl/x509.h +50 -76
- data/third_party/boringssl-with-bazel/src/include/openssl/x509_vfy.h +0 -131
- data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h +48 -8
- data/third_party/boringssl-with-bazel/src/ssl/encrypted_client_hello.cc +266 -357
- data/third_party/boringssl-with-bazel/src/ssl/extensions.cc +90 -152
- data/third_party/boringssl-with-bazel/src/ssl/handshake.cc +15 -13
- data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc +75 -79
- data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc +96 -97
- data/third_party/boringssl-with-bazel/src/ssl/internal.h +63 -43
- data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc +2 -2
- data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc +6 -12
- data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc +14 -16
- data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc +14 -27
- data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc +203 -203
- data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc +30 -41
- data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc +47 -33
- metadata +39 -38
|
@@ -101,6 +101,73 @@ static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
|
|
|
101
101
|
return true;
|
|
102
102
|
}
|
|
103
103
|
|
|
104
|
+
static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,
|
|
105
|
+
ParsedServerHello *out, uint8_t *out_alert,
|
|
106
|
+
const SSLMessage &msg) {
|
|
107
|
+
if (!ssl_parse_server_hello(out, out_alert, msg)) {
|
|
108
|
+
return false;
|
|
109
|
+
}
|
|
110
|
+
// The RFC8446 version of the structure fixes some legacy values.
|
|
111
|
+
// Additionally, the session ID must echo the original one.
|
|
112
|
+
if (out->legacy_version != TLS1_2_VERSION ||
|
|
113
|
+
out->compression_method != 0 ||
|
|
114
|
+
!CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len) ||
|
|
115
|
+
CBS_len(&out->extensions) == 0) {
|
|
116
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
117
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
118
|
+
return false;
|
|
119
|
+
}
|
|
120
|
+
return true;
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
static bool is_hello_retry_request(const ParsedServerHello &server_hello) {
|
|
124
|
+
return Span<const uint8_t>(server_hello.random) == kHelloRetryRequest;
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
static bool check_ech_confirmation(const SSL_HANDSHAKE *hs, bool *out_accepted,
|
|
128
|
+
uint8_t *out_alert,
|
|
129
|
+
const ParsedServerHello &server_hello) {
|
|
130
|
+
const bool is_hrr = is_hello_retry_request(server_hello);
|
|
131
|
+
size_t offset;
|
|
132
|
+
if (is_hrr) {
|
|
133
|
+
// We check for an unsolicited extension when parsing all of them.
|
|
134
|
+
SSLExtension ech(TLSEXT_TYPE_encrypted_client_hello);
|
|
135
|
+
if (!ssl_parse_extensions(&server_hello.extensions, out_alert, {&ech},
|
|
136
|
+
/*ignore_unknown=*/true)) {
|
|
137
|
+
return false;
|
|
138
|
+
}
|
|
139
|
+
if (!ech.present) {
|
|
140
|
+
*out_accepted = false;
|
|
141
|
+
return true;
|
|
142
|
+
}
|
|
143
|
+
if (CBS_len(&ech.data) != ECH_CONFIRMATION_SIGNAL_LEN) {
|
|
144
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
145
|
+
*out_alert = SSL_AD_DECODE_ERROR;
|
|
146
|
+
return false;
|
|
147
|
+
}
|
|
148
|
+
offset = CBS_data(&ech.data) - CBS_data(&server_hello.raw);
|
|
149
|
+
} else {
|
|
150
|
+
offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
if (!hs->selected_ech_config) {
|
|
154
|
+
*out_accepted = false;
|
|
155
|
+
return true;
|
|
156
|
+
}
|
|
157
|
+
|
|
158
|
+
uint8_t expected[ECH_CONFIRMATION_SIGNAL_LEN];
|
|
159
|
+
if (!ssl_ech_accept_confirmation(hs, expected, hs->inner_client_random,
|
|
160
|
+
hs->inner_transcript, is_hrr,
|
|
161
|
+
server_hello.raw, offset)) {
|
|
162
|
+
*out_alert = SSL_AD_INTERNAL_ERROR;
|
|
163
|
+
return false;
|
|
164
|
+
}
|
|
165
|
+
|
|
166
|
+
*out_accepted = CRYPTO_memcmp(CBS_data(&server_hello.raw) + offset, expected,
|
|
167
|
+
sizeof(expected)) == 0;
|
|
168
|
+
return true;
|
|
169
|
+
}
|
|
170
|
+
|
|
104
171
|
static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
105
172
|
SSL *const ssl = hs->ssl;
|
|
106
173
|
assert(ssl->s3->have_version);
|
|
@@ -117,36 +184,17 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
|
117
184
|
return ssl_hs_error;
|
|
118
185
|
}
|
|
119
186
|
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
CBS body = msg.body, extensions, server_random, session_id;
|
|
125
|
-
uint16_t server_version, cipher_suite;
|
|
126
|
-
uint8_t compression_method;
|
|
127
|
-
if (!CBS_get_u16(&body, &server_version) ||
|
|
128
|
-
!CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
|
|
129
|
-
!CBS_get_u8_length_prefixed(&body, &session_id) ||
|
|
130
|
-
!CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
|
|
131
|
-
!CBS_get_u16(&body, &cipher_suite) ||
|
|
132
|
-
!CBS_get_u8(&body, &compression_method) ||
|
|
133
|
-
compression_method != 0 ||
|
|
134
|
-
!CBS_get_u16_length_prefixed(&body, &extensions) ||
|
|
135
|
-
CBS_len(&extensions) == 0 ||
|
|
136
|
-
CBS_len(&body) != 0) {
|
|
137
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
138
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
187
|
+
ParsedServerHello server_hello;
|
|
188
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
189
|
+
if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
|
|
190
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
139
191
|
return ssl_hs_error;
|
|
140
192
|
}
|
|
141
193
|
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
|
|
148
|
-
// Check if the cipher is a TLS 1.3 cipher.
|
|
149
|
-
if (cipher == NULL ||
|
|
194
|
+
// The cipher suite must be one we offered. We currently offer all supported
|
|
195
|
+
// TLS 1.3 ciphers, so check the version.
|
|
196
|
+
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
|
|
197
|
+
if (cipher == nullptr ||
|
|
150
198
|
SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
|
|
151
199
|
SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
|
|
152
200
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
|
|
@@ -156,32 +204,60 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
|
156
204
|
|
|
157
205
|
hs->new_cipher = cipher;
|
|
158
206
|
|
|
159
|
-
bool
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
207
|
+
const bool is_hrr = is_hello_retry_request(server_hello);
|
|
208
|
+
if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
|
|
209
|
+
(is_hrr && !hs->transcript.UpdateForHelloRetryRequest())) {
|
|
210
|
+
return ssl_hs_error;
|
|
211
|
+
}
|
|
212
|
+
if (hs->selected_ech_config) {
|
|
213
|
+
if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
|
|
214
|
+
hs->new_cipher) ||
|
|
215
|
+
(is_hrr && !hs->inner_transcript.UpdateForHelloRetryRequest())) {
|
|
216
|
+
return ssl_hs_error;
|
|
217
|
+
}
|
|
218
|
+
}
|
|
167
219
|
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
220
|
+
// Determine which ClientHello the server is responding to. Run
|
|
221
|
+
// |check_ech_confirmation| unconditionally, so we validate the extension
|
|
222
|
+
// contents.
|
|
223
|
+
bool ech_accepted;
|
|
224
|
+
if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
|
|
225
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
226
|
+
return ssl_hs_error;
|
|
227
|
+
}
|
|
228
|
+
if (hs->selected_ech_config) {
|
|
229
|
+
ssl->s3->ech_status = ech_accepted ? ssl_ech_accepted : ssl_ech_rejected;
|
|
230
|
+
}
|
|
231
|
+
|
|
232
|
+
if (!is_hrr) {
|
|
233
|
+
hs->tls13_state = state_read_server_hello;
|
|
234
|
+
return ssl_hs_ok;
|
|
235
|
+
}
|
|
236
|
+
|
|
237
|
+
// The ECH extension, if present, was already parsed by
|
|
238
|
+
// |check_ech_confirmation|.
|
|
239
|
+
SSLExtension cookie(TLSEXT_TYPE_cookie), key_share(TLSEXT_TYPE_key_share),
|
|
240
|
+
supported_versions(TLSEXT_TYPE_supported_versions),
|
|
241
|
+
ech_unused(TLSEXT_TYPE_encrypted_client_hello,
|
|
242
|
+
hs->selected_ech_config || hs->config->ech_grease_enabled);
|
|
243
|
+
if (!ssl_parse_extensions(
|
|
244
|
+
&server_hello.extensions, &alert,
|
|
245
|
+
{&cookie, &key_share, &supported_versions, &ech_unused},
|
|
246
|
+
/*ignore_unknown=*/false)) {
|
|
171
247
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
172
248
|
return ssl_hs_error;
|
|
173
249
|
}
|
|
174
250
|
|
|
175
|
-
if (!
|
|
251
|
+
if (!cookie.present && !key_share.present) {
|
|
176
252
|
OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
|
|
177
253
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
178
254
|
return ssl_hs_error;
|
|
179
255
|
}
|
|
180
|
-
if (
|
|
256
|
+
if (cookie.present) {
|
|
181
257
|
CBS cookie_value;
|
|
182
|
-
if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
|
|
258
|
+
if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) ||
|
|
183
259
|
CBS_len(&cookie_value) == 0 ||
|
|
184
|
-
CBS_len(&cookie) != 0) {
|
|
260
|
+
CBS_len(&cookie.data) != 0) {
|
|
185
261
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
186
262
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
187
263
|
return ssl_hs_error;
|
|
@@ -192,9 +268,10 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
|
192
268
|
}
|
|
193
269
|
}
|
|
194
270
|
|
|
195
|
-
if (
|
|
271
|
+
if (key_share.present) {
|
|
196
272
|
uint16_t group_id;
|
|
197
|
-
if (!CBS_get_u16(&key_share, &group_id) ||
|
|
273
|
+
if (!CBS_get_u16(&key_share.data, &group_id) ||
|
|
274
|
+
CBS_len(&key_share.data) != 0) {
|
|
198
275
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
199
276
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
200
277
|
return ssl_hs_error;
|
|
@@ -221,23 +298,16 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
|
221
298
|
}
|
|
222
299
|
}
|
|
223
300
|
|
|
224
|
-
//
|
|
225
|
-
//
|
|
226
|
-
//
|
|
227
|
-
//
|
|
228
|
-
|
|
229
|
-
if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
|
|
230
|
-
!hs->transcript.UpdateForHelloRetryRequest() ||
|
|
231
|
-
!ssl_hash_message(hs, msg)) {
|
|
301
|
+
// Although we now know whether ClientHelloInner was used, we currently
|
|
302
|
+
// maintain both transcripts up to ServerHello. We could swap transcripts
|
|
303
|
+
// early, but then ClientHello construction and |check_ech_confirmation|
|
|
304
|
+
// become more complex.
|
|
305
|
+
if (!ssl_hash_message(hs, msg)) {
|
|
232
306
|
return ssl_hs_error;
|
|
233
307
|
}
|
|
234
|
-
if (
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
!hs->inner_transcript.UpdateForHelloRetryRequest() ||
|
|
238
|
-
!hs->inner_transcript.Update(msg.raw)) {
|
|
239
|
-
return ssl_hs_error;
|
|
240
|
-
}
|
|
308
|
+
if (ssl->s3->ech_status == ssl_ech_accepted &&
|
|
309
|
+
!hs->inner_transcript.Update(msg.raw)) {
|
|
310
|
+
return ssl_hs_error;
|
|
241
311
|
}
|
|
242
312
|
|
|
243
313
|
// HelloRetryRequest should be the end of the flight.
|
|
@@ -267,7 +337,8 @@ static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
267
337
|
|
|
268
338
|
// Build the second ClientHelloInner, if applicable. The second ClientHello
|
|
269
339
|
// uses an empty string for |enc|.
|
|
270
|
-
if (hs->
|
|
340
|
+
if (hs->ssl->s3->ech_status == ssl_ech_accepted &&
|
|
341
|
+
!ssl_encrypt_client_hello(hs, {})) {
|
|
271
342
|
return ssl_hs_error;
|
|
272
343
|
}
|
|
273
344
|
|
|
@@ -286,83 +357,70 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
286
357
|
if (!ssl->method->get_message(ssl, &msg)) {
|
|
287
358
|
return ssl_hs_read_message;
|
|
288
359
|
}
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
CBS body = msg.body, server_random, session_id, extensions;
|
|
294
|
-
uint16_t server_version;
|
|
295
|
-
uint16_t cipher_suite;
|
|
296
|
-
uint8_t compression_method;
|
|
297
|
-
if (!CBS_get_u16(&body, &server_version) ||
|
|
298
|
-
!CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
|
|
299
|
-
!CBS_get_u8_length_prefixed(&body, &session_id) ||
|
|
300
|
-
!CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
|
|
301
|
-
!CBS_get_u16(&body, &cipher_suite) ||
|
|
302
|
-
!CBS_get_u8(&body, &compression_method) ||
|
|
303
|
-
compression_method != 0 ||
|
|
304
|
-
!CBS_get_u16_length_prefixed(&body, &extensions) ||
|
|
305
|
-
CBS_len(&body) != 0) {
|
|
306
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
307
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
308
|
-
return ssl_hs_error;
|
|
309
|
-
}
|
|
310
|
-
|
|
311
|
-
if (server_version != TLS1_2_VERSION) {
|
|
312
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
313
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
|
|
360
|
+
ParsedServerHello server_hello;
|
|
361
|
+
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
362
|
+
if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
|
|
363
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
314
364
|
return ssl_hs_error;
|
|
315
365
|
}
|
|
316
366
|
|
|
317
367
|
// Forbid a second HelloRetryRequest.
|
|
318
|
-
if (
|
|
368
|
+
if (is_hello_retry_request(server_hello)) {
|
|
319
369
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
|
|
320
370
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
|
|
321
371
|
return ssl_hs_error;
|
|
322
372
|
}
|
|
323
373
|
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
// Check if the cipher is a TLS 1.3 cipher.
|
|
328
|
-
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
|
|
329
|
-
if (cipher == nullptr ||
|
|
330
|
-
SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
|
|
331
|
-
SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
|
|
374
|
+
// Check the cipher suite, in case this is after HelloRetryRequest.
|
|
375
|
+
if (SSL_CIPHER_get_value(hs->new_cipher) != server_hello.cipher_suite) {
|
|
332
376
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
|
|
333
377
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
334
378
|
return ssl_hs_error;
|
|
335
379
|
}
|
|
336
380
|
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
381
|
+
if (ssl->s3->ech_status == ssl_ech_accepted) {
|
|
382
|
+
if (ssl->s3->used_hello_retry_request) {
|
|
383
|
+
// HelloRetryRequest and ServerHello must accept ECH consistently.
|
|
384
|
+
bool ech_accepted;
|
|
385
|
+
if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
|
|
386
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
387
|
+
return ssl_hs_error;
|
|
388
|
+
}
|
|
389
|
+
if (!ech_accepted) {
|
|
390
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_ECH_NEGOTIATION);
|
|
391
|
+
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
392
|
+
return ssl_hs_error;
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
|
|
396
|
+
hs->transcript = std::move(hs->inner_transcript);
|
|
397
|
+
hs->extensions.sent = hs->inner_extensions_sent;
|
|
398
|
+
// Report the inner random value through |SSL_get_client_random|.
|
|
399
|
+
OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
|
|
400
|
+
SSL3_RANDOM_SIZE);
|
|
342
401
|
}
|
|
343
402
|
|
|
344
|
-
|
|
345
|
-
|
|
346
|
-
have_supported_versions = false;
|
|
347
|
-
CBS key_share, pre_shared_key, supported_versions;
|
|
348
|
-
SSL_EXTENSION_TYPE ext_types[] = {
|
|
349
|
-
{TLSEXT_TYPE_key_share, &have_key_share, &key_share},
|
|
350
|
-
{TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
|
|
351
|
-
{TLSEXT_TYPE_supported_versions, &have_supported_versions,
|
|
352
|
-
&supported_versions},
|
|
353
|
-
};
|
|
403
|
+
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
|
|
404
|
+
SSL3_RANDOM_SIZE);
|
|
354
405
|
|
|
355
|
-
|
|
356
|
-
|
|
406
|
+
// When offering ECH, |ssl->session| is only offered in ClientHelloInner.
|
|
407
|
+
const bool pre_shared_key_allowed =
|
|
408
|
+
ssl->session != nullptr && ssl->s3->ech_status != ssl_ech_rejected;
|
|
409
|
+
SSLExtension key_share(TLSEXT_TYPE_key_share),
|
|
410
|
+
pre_shared_key(TLSEXT_TYPE_pre_shared_key, pre_shared_key_allowed),
|
|
411
|
+
supported_versions(TLSEXT_TYPE_supported_versions);
|
|
412
|
+
if (!ssl_parse_extensions(&server_hello.extensions, &alert,
|
|
413
|
+
{&key_share, &pre_shared_key, &supported_versions},
|
|
357
414
|
/*ignore_unknown=*/false)) {
|
|
358
415
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
359
416
|
return ssl_hs_error;
|
|
360
417
|
}
|
|
361
418
|
|
|
362
|
-
// Recheck supported_versions, in case this is
|
|
419
|
+
// Recheck supported_versions, in case this is after HelloRetryRequest.
|
|
363
420
|
uint16_t version;
|
|
364
|
-
if (!
|
|
365
|
-
!CBS_get_u16(&supported_versions, &version) ||
|
|
421
|
+
if (!supported_versions.present ||
|
|
422
|
+
!CBS_get_u16(&supported_versions.data, &version) ||
|
|
423
|
+
CBS_len(&supported_versions.data) != 0 ||
|
|
366
424
|
version != ssl->version) {
|
|
367
425
|
OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
|
|
368
426
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
@@ -370,15 +428,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
370
428
|
}
|
|
371
429
|
|
|
372
430
|
alert = SSL_AD_DECODE_ERROR;
|
|
373
|
-
if (
|
|
374
|
-
if (ssl->session == NULL) {
|
|
375
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
376
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
|
377
|
-
return ssl_hs_error;
|
|
378
|
-
}
|
|
379
|
-
|
|
431
|
+
if (pre_shared_key.present) {
|
|
380
432
|
if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
|
|
381
|
-
&pre_shared_key)) {
|
|
433
|
+
&pre_shared_key.data)) {
|
|
382
434
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
383
435
|
return ssl_hs_error;
|
|
384
436
|
}
|
|
@@ -389,7 +441,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
389
441
|
return ssl_hs_error;
|
|
390
442
|
}
|
|
391
443
|
|
|
392
|
-
if (ssl->session->cipher->algorithm_prf !=
|
|
444
|
+
if (ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
|
|
393
445
|
OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
|
|
394
446
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
395
447
|
return ssl_hs_error;
|
|
@@ -422,13 +474,11 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
422
474
|
return ssl_hs_error;
|
|
423
475
|
}
|
|
424
476
|
|
|
425
|
-
hs->new_session->cipher =
|
|
426
|
-
hs->new_cipher = cipher;
|
|
427
|
-
|
|
428
|
-
size_t hash_len =
|
|
429
|
-
EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
|
|
477
|
+
hs->new_session->cipher = hs->new_cipher;
|
|
430
478
|
|
|
431
479
|
// Set up the key schedule and incorporate the PSK into the running secret.
|
|
480
|
+
size_t hash_len = EVP_MD_size(
|
|
481
|
+
ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
|
|
432
482
|
if (!tls13_init_key_schedule(
|
|
433
483
|
hs, ssl->s3->session_reused
|
|
434
484
|
? MakeConstSpan(hs->new_session->secret,
|
|
@@ -437,7 +487,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
437
487
|
return ssl_hs_error;
|
|
438
488
|
}
|
|
439
489
|
|
|
440
|
-
if (!
|
|
490
|
+
if (!key_share.present) {
|
|
441
491
|
// We do not support psk_ke and thus always require a key share.
|
|
442
492
|
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
|
|
443
493
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
|
|
@@ -448,53 +498,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
448
498
|
Array<uint8_t> dhe_secret;
|
|
449
499
|
alert = SSL_AD_DECODE_ERROR;
|
|
450
500
|
if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
|
|
451
|
-
&key_share)) {
|
|
501
|
+
&key_share.data)) {
|
|
452
502
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
453
503
|
return ssl_hs_error;
|
|
454
504
|
}
|
|
455
505
|
|
|
456
|
-
if (!tls13_advance_key_schedule(hs, dhe_secret)
|
|
457
|
-
|
|
458
|
-
}
|
|
459
|
-
|
|
460
|
-
// Determine whether the server accepted ECH.
|
|
461
|
-
//
|
|
462
|
-
// TODO(https://crbug.com/boringssl/275): This is a bit late in the process of
|
|
463
|
-
// parsing ServerHello. |ssl->session| is only valid for ClientHelloInner, so
|
|
464
|
-
// the decisions made based on PSK need to be double-checked. draft-11 will
|
|
465
|
-
// fix this, at which point this logic can be moved before any processing.
|
|
466
|
-
if (hs->selected_ech_config) {
|
|
467
|
-
uint8_t ech_confirmation[ECH_CONFIRMATION_SIGNAL_LEN];
|
|
468
|
-
if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
|
|
469
|
-
hs->new_cipher) ||
|
|
470
|
-
!ssl_ech_accept_confirmation(hs, ech_confirmation, hs->inner_transcript,
|
|
471
|
-
msg.raw)) {
|
|
472
|
-
return ssl_hs_error;
|
|
473
|
-
}
|
|
474
|
-
|
|
475
|
-
if (CRYPTO_memcmp(ech_confirmation,
|
|
476
|
-
ssl->s3->server_random + sizeof(ssl->s3->server_random) -
|
|
477
|
-
sizeof(ech_confirmation),
|
|
478
|
-
sizeof(ech_confirmation)) == 0) {
|
|
479
|
-
ssl->s3->ech_status = ssl_ech_accepted;
|
|
480
|
-
hs->transcript = std::move(hs->inner_transcript);
|
|
481
|
-
hs->extensions.sent = hs->inner_extensions_sent;
|
|
482
|
-
// Report the inner random value through |SSL_get_client_random|.
|
|
483
|
-
OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
|
|
484
|
-
SSL3_RANDOM_SIZE);
|
|
485
|
-
} else {
|
|
486
|
-
// Resuming against the ClientHelloOuter was an unsolicited extension.
|
|
487
|
-
if (have_pre_shared_key) {
|
|
488
|
-
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
|
489
|
-
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
|
|
490
|
-
return ssl_hs_error;
|
|
491
|
-
}
|
|
492
|
-
ssl->s3->ech_status = ssl_ech_rejected;
|
|
493
|
-
}
|
|
494
|
-
}
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
if (!ssl_hash_message(hs, msg) ||
|
|
506
|
+
if (!tls13_advance_key_schedule(hs, dhe_secret) ||
|
|
507
|
+
!ssl_hash_message(hs, msg) ||
|
|
498
508
|
!tls13_derive_handshake_secrets(hs)) {
|
|
499
509
|
return ssl_hs_error;
|
|
500
510
|
}
|
|
@@ -532,17 +542,19 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
|
|
|
532
542
|
return ssl_hs_error;
|
|
533
543
|
}
|
|
534
544
|
|
|
535
|
-
CBS body = msg.body;
|
|
536
|
-
if (!
|
|
537
|
-
|
|
538
|
-
return ssl_hs_error;
|
|
539
|
-
}
|
|
540
|
-
if (CBS_len(&body) != 0) {
|
|
545
|
+
CBS body = msg.body, extensions;
|
|
546
|
+
if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
|
|
547
|
+
CBS_len(&body) != 0) {
|
|
541
548
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
542
549
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
543
550
|
return ssl_hs_error;
|
|
544
551
|
}
|
|
545
552
|
|
|
553
|
+
if (!ssl_parse_serverhello_tlsext(hs, &extensions)) {
|
|
554
|
+
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
|
|
555
|
+
return ssl_hs_error;
|
|
556
|
+
}
|
|
557
|
+
|
|
546
558
|
if (ssl->s3->early_data_accepted) {
|
|
547
559
|
// The extension parser checks the server resumed the session.
|
|
548
560
|
assert(ssl->s3->session_reused);
|
|
@@ -626,25 +638,19 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
|
|
|
626
638
|
}
|
|
627
639
|
|
|
628
640
|
|
|
629
|
-
|
|
630
|
-
|
|
631
|
-
const SSL_EXTENSION_TYPE ext_types[] = {
|
|
632
|
-
{TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},
|
|
633
|
-
{TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},
|
|
634
|
-
};
|
|
635
|
-
|
|
641
|
+
SSLExtension sigalgs(TLSEXT_TYPE_signature_algorithms),
|
|
642
|
+
ca(TLSEXT_TYPE_certificate_authorities);
|
|
636
643
|
CBS body = msg.body, context, extensions, supported_signature_algorithms;
|
|
637
644
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
638
645
|
if (!CBS_get_u8_length_prefixed(&body, &context) ||
|
|
639
646
|
// The request context is always empty during the handshake.
|
|
640
647
|
CBS_len(&context) != 0 ||
|
|
641
|
-
!CBS_get_u16_length_prefixed(&body, &extensions) ||
|
|
648
|
+
!CBS_get_u16_length_prefixed(&body, &extensions) || //
|
|
642
649
|
CBS_len(&body) != 0 ||
|
|
643
|
-
!ssl_parse_extensions(&extensions, &alert,
|
|
650
|
+
!ssl_parse_extensions(&extensions, &alert, {&sigalgs, &ca},
|
|
644
651
|
/*ignore_unknown=*/true) ||
|
|
645
|
-
|
|
646
|
-
!
|
|
647
|
-
!CBS_get_u16_length_prefixed(&sigalgs,
|
|
652
|
+
!sigalgs.present ||
|
|
653
|
+
!CBS_get_u16_length_prefixed(&sigalgs.data,
|
|
648
654
|
&supported_signature_algorithms) ||
|
|
649
655
|
!tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
|
|
650
656
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
@@ -652,8 +658,8 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
|
|
|
652
658
|
return ssl_hs_error;
|
|
653
659
|
}
|
|
654
660
|
|
|
655
|
-
if (
|
|
656
|
-
hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);
|
|
661
|
+
if (ca.present) {
|
|
662
|
+
hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca.data);
|
|
657
663
|
if (!hs->ca_names) {
|
|
658
664
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
659
665
|
return ssl_hs_error;
|
|
@@ -1076,23 +1082,17 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
|
|
|
1076
1082
|
return nullptr;
|
|
1077
1083
|
}
|
|
1078
1084
|
|
|
1079
|
-
|
|
1080
|
-
bool have_early_data = false;
|
|
1081
|
-
CBS early_data;
|
|
1082
|
-
const SSL_EXTENSION_TYPE ext_types[] = {
|
|
1083
|
-
{TLSEXT_TYPE_early_data, &have_early_data, &early_data},
|
|
1084
|
-
};
|
|
1085
|
-
|
|
1085
|
+
SSLExtension early_data(TLSEXT_TYPE_early_data);
|
|
1086
1086
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
|
1087
|
-
if (!ssl_parse_extensions(&extensions, &alert,
|
|
1087
|
+
if (!ssl_parse_extensions(&extensions, &alert, {&early_data},
|
|
1088
1088
|
/*ignore_unknown=*/true)) {
|
|
1089
1089
|
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
1090
1090
|
return nullptr;
|
|
1091
1091
|
}
|
|
1092
1092
|
|
|
1093
|
-
if (
|
|
1094
|
-
if (!CBS_get_u32(&early_data, &session->ticket_max_early_data) ||
|
|
1095
|
-
CBS_len(&early_data) != 0) {
|
|
1093
|
+
if (early_data.present) {
|
|
1094
|
+
if (!CBS_get_u32(&early_data.data, &session->ticket_max_early_data) ||
|
|
1095
|
+
CBS_len(&early_data.data) != 0) {
|
|
1096
1096
|
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
1097
1097
|
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
|
|
1098
1098
|
return nullptr;
|