authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-03 08:39:58 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-11-14 15:00:33 +0100
commitbf4f76933e57fdcf844a3a174367bb3ecd5e48d1 (patch)
tree7967339b65de712df5f6f7623e59dbb234d0c789
parentefac43affc750bb634adaecee8a6ad85b35db323 (diff)
extensions: allow receiving and sending extensions which were not advertised by client side
This is needed because of the special treatment of the cookie extension, which is sent by the server in HRR even if it was not advertised by the client. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/ext/cookie.c2
-rw-r--r--lib/hello_ext.c6
-rw-r--r--lib/includes/gnutls/gnutls.h.in4
3 files changed, 8 insertions, 4 deletions
diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c
index c21e5c1c9d..eff4f1890d 100644
--- a/lib/ext/cookie.c
+++ b/lib/ext/cookie.c
@@ -39,7 +39,7 @@ const hello_ext_entry_st ext_mod_cookie = {
.name = "Cookie",
.tls_id = 44,
.gid = GNUTLS_EXTENSION_COOKIE,
- .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR,
+ .validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR|GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST,
.parse_type = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
.recv_func = cookie_recv_params,
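Review bot: The added `.validity` line stacks three flags without saying why the cookie extension needs the exception, so a short trailing comment would help the next reader: `.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO|GNUTLS_EXT_FLAG_HRR|GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST, /* server sends cookie in HRR unsolicited, RFC 8446 4.2.2 */`. With this flag the client-side "unexpected extension" rejection in hello_ext_parse no longer applies to cookie, so cookie_recv_params (not shown here) becomes reachable from an HRR the client did not solicit; it is worth confirming that its length and state checks do not rely on that earlier gate. The ext_mod_cookie initializer continues outside the hunk.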
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index c582aecc95..5bafa97f6c 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -213,7 +213,8 @@ int hello_ext_parse(void *_ctx, uint16_t tls_id, const uint8_t *data, int data_s
}
if (session->security_parameters.entity == GNUTLS_CLIENT) {
- if (!_gnutls_hello_ext_is_present(session, ext->gid)) {
+ if (!(ext->validity & GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST) &&
+ !_gnutls_hello_ext_is_present(session, ext->gid)) {
_gnutls_debug_log("EXT[%p]: Received unexpected extension '%s/%d'\n", session,
ext->name, (int)tls_id);
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
@@ -301,7 +302,8 @@ int hello_ext_send(void *_ctx, gnutls_buffer_st *buf)
ret = _gnutls_hello_ext_is_present(session, p->gid);
if (session->security_parameters.entity == GNUTLS_SERVER) {
- if (ret == 0) /* not advertised */
+ /* if client didn't advertise and the override flag is not present */
+ if (!(p->validity & GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST) && ret == 0)
return 0;
} else {
if (ret != 0) /* already sent */
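Review bot: The new client-side condition in hello_ext_parse (the `!(ext->validity & GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST)` test) carries no comment, unlike its counterpart in hello_ext_send, so the intent that a flagged extension may arrive unsolicited is only recoverable from the flag name; a comment such as `/* flagged extensions (e.g. cookie in HRR) may arrive without the client having requested them */` above the `if` would make the two sites read alike. Since this bypasses the only check visible in this hunk against unsolicited server extensions, the message-type validity check that I assume precedes it should still apply to these extensions; that check is outside the hunk, so I cannot confirm it here. Both hello_ext_parse and hello_ext_send start and end outside their hunks.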
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7cf3d769c9..0a9fbe07bd 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2674,6 +2674,7 @@ typedef enum {
* @GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO: This extension can be present in a TLS1.3 server hello
* @GNUTLS_EXT_FLAG_EE: This extension can be present in encrypted extensions message
* @GNUTLS_EXT_FLAG_HRR: This extension can be present in hello retry request message
+ * @GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST: When flag is present, this extension will be send even if the server didn't advertise it. An extension of this type is the Cookie TLS1.3 extension.
*
* Enumeration of different TLS extension registration flags.
*/
@@ -2683,7 +2684,8 @@ typedef enum {
GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO = (1<<2),
GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO = (1<<3),
GNUTLS_EXT_FLAG_EE = (1<<4), /* ENCRYPTED */
- GNUTLS_EXT_FLAG_HRR = (1<<5)
+ GNUTLS_EXT_FLAG_HRR = (1<<5),
+ GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST = (1<<6)
} gnutls_ext_flags_t;
/* Register a custom tls extension
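Review bot: The documentation added for GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST in the first hunk names the wrong party and has a typo: the server sends the extension, it is the client that did not advertise it, and "send" should be "sent". The hello_ext.c side of this commit also makes the client accept such an extension unsolicited, which the text does not mention. I would write it as ` * @GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST: When this flag is set, the server sends this extension even if the client did not advertise it, and the client accepts it unsolicited. The TLS1.3 Cookie extension is of this type.` The enum in the second hunk closes inside the hunk, but the doc-comment block starts outside it.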