Bug#1108958: unblock: openssl (12/16)
From
Sebastian Andrzej Siewior@21:1/5 to
Paul Gevers on Sat Jul 12 19:20:02 2025
- if (!ssl->method->ssl3_enc->change_cipher_state(s,
+ if (!tls13_store_server_finished_hash(s)) {
+ /* SSLfatal() already called */
+ return MSG_PROCESS_ERROR;
+ }
+
+ /*
+ * For non-QUIC we set up the client's app data read keys now, so
+ * that we can go straight into reading 0.5RTT data from the server.
+ * For QUIC we don't do that, and instead defer setting up the keys
+ * until after we have set up the write keys in order to ensure that
+ * write keys are always set up before read keys (so that if we read
+ * a message we have the correct keys in place to ack it)
+ */
+ if (!SSL_IS_QUIC_HANDSHAKE(s)
+ && !ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
@@ -2365,23 +2380,24 @@
real_max = ver_max;
/* Check for downgrades */
- if (s->version == TLS1_2_VERSION && real_max > s->version) {
- if (memcmp(tls12downgrade,
+ /* TODO(DTLSv1.3): Update this code for DTLSv1.3 */
+ if (!SSL_CONNECTION_IS_DTLS(s) && real_max > s->version) {
+ /* Signal applies to all versions */
+ if (memcmp(tls11downgrade,
s->s3.server_random + SSL3_RANDOM_SIZE
- - sizeof(tls12downgrade),
- sizeof(tls12downgrade)) == 0) {
+ - sizeof(tls11downgrade),
+ sizeof(tls11downgrade)) == 0) {
s->version = origv;
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INAPPROPRIATE_FALLBACK);
return 0;
}
- } else if (!SSL_CONNECTION_IS_DTLS(s)
- && s->version < TLS1_2_VERSION
- && real_max > s->version) {
- if (memcmp(tls11downgrade,
+ /* Only when accepting TLS1.3 */
+ if (real_max == TLS1_3_VERSION
+ && memcmp(tls12downgrade,
s->s3.server_random + SSL3_RANDOM_SIZE
- - sizeof(tls11downgrade),
- sizeof(tls11downgrade)) == 0) {
+ - sizeof(tls12downgrade),
+ sizeof(tls12downgrade)) == 0) {
s->version = origv;
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_R_INAPPROPRIATE_FALLBACK);
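Review bot: The comment `/* Signal applies to all versions */` above the first memcmp does not say which rule the restructured check implements, and the two sentinel checks now differ in a way the reader has to reverse-engineer from the conditions. I would expand it to state that the TLS 1.1-and-below sentinel (tls11downgrade) is checked whenever a non-DTLS connection negotiates below the client's maximum, while the TLS 1.2 sentinel (tls12downgrade) is checked only when the client offered TLS 1.3, which is the downgrade-protection rule of RFC 8446 section 4.1.3; the `/* Only when accepting TLS1.3 */` comment then reads as the second half of that rule rather than a separate case. The `TODO(DTLSv1.3)` marker leaves DTLS entirely without a downgrade check, which appears to be unchanged from the removed code but is worth spelling out in the same comment so the gap is not mistaken for an oversight. The enclosing function starts and ends outside the hunk.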
diff -Nru -w openssl-3.5.0/ssl/statem/statem_srvr.c openssl-3.5.1/ssl/statem/statem_srvr.c
--- openssl-3.5.0/ssl/statem/statem_srvr.c 2025-04-08 15:09:06.000000000 +0200
+++ openssl-3.5.1/ssl/statem/statem_srvr.c 2025-07-01 13:52:08.000000000 +0200
@@ -977,6 +977,7 @@
if (SSL_CONNECTION_IS_TLS13(s)) {
if (!ssl->method->ssl3_enc->setup_key_block(s)
+ || !tls13_store_handshake_traffic_hash(s)
|| !ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
/* SSLfatal() already called */
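Review bot: The `/* SSLfatal() already called */` comment on the last line now also covers the failure return of `tls13_store_handshake_traffic_hash(s)` on the added line, and the same holds for `tls13_store_server_finished_hash(s)` added in the next hunk of this file; neither helper's definition is in this diff, so it is worth confirming that both call SSLfatal() on every failure path. If one of them returns 0 without doing so, the handshake is aborted with no alert sent and no reason code set, which is hard to diagnose from the peer side and from error logs. A one-line doc comment on each helper, `/* Returns 1 on success; on failure SSLfatal() has already been called */`, would make that contract explicit at the call sites. The enclosing function starts and ends outside the hunk.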
@@ -1040,6 +1041,7 @@
if (!ssl->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0,
&dummy)
+ || !tls13_store_server_finished_hash(s)
|| !ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
/* SSLfatal() already called */
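Review bot: The `if` whose condition the added line extends has an unbraced body: the condition closes on the preceding line with `))` and no `{`, so the comment and the single statement after it form the body, unlike the braced form (`)) {`) used at the corresponding site earlier in this file. Now that the condition spans five lines with three `||` clauses, I would brace it, `SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {` with a closing `}` after the return, so that a statement added later cannot silently land outside the guarded branch. The statement that forms the body, and the enclosing function, lie outside the hunk.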
diff -Nru -w openssl-3.5.0/ss