Add an indicator that an extension has been processed.

ok jsing@

diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index b4d093b..2266d5e 100644 (file)
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.13 2024/02/03 15:58:34 beck Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.14 2024/03/26 03:44:11 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -599,6 +599,9 @@ typedef struct ssl_handshake_st {
        /* Extensions seen in this handshake. */
        uint32_t extensions_seen;
 
+       /* Extensions processed in this handshake. */
+       uint32_t extensions_processed;
+
        /* Signature algorithms selected for use (static pointers). */
        const struct ssl_sigalg *our_sigalg;
        const struct ssl_sigalg *peer_sigalg;

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 3883aa6..e1506e5 100644 (file)
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.142 2024/03/26 01:21:34 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.143 2024/03/26 03:44:11 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2253,6 +2253,16 @@ tlsext_extension_seen(SSL *s, uint16_t type)
        return ((s->s3->hs.extensions_seen & (1 << idx)) != 0);
 }
 
+int
+tlsext_extension_processed(SSL *s, uint16_t type)
+{
+       size_t idx;
+
+       if (tls_extension_find(type, &idx) == NULL)
+               return 0;
+       return ((s->s3->hs.extensions_processed & (1 << idx)) != 0);
+}
+
 const struct tls_extension_funcs *
 tlsext_funcs(const struct tls_extension *tlsext, int is_server)
 {
@@ -2490,6 +2500,8 @@ tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
 
        alert_desc = SSL_AD_DECODE_ERROR;
 
+       s->s3->hs.extensions_processed = 0;
+
        /* Run processing for present TLS extensions, in a defined order. */
        for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
                tlsext = &tls_extensions[idx];
@@ -2503,6 +2515,8 @@ tlsext_process(SSL *s, struct tlsext_data *td, int is_server, uint16_t msg_type,
 
                if (CBS_len(&td->extensions[idx]) != 0)
                        goto err;
+
+               s->s3->hs.extensions_processed |= (1 << idx);
        }
 
        return 1;

diff --git a/lib/libssl/ssl_tlsext.h b/lib/libssl/ssl_tlsext.h
index da14f7f..4fd2ec0 100644 (file)
--- a/lib/libssl/ssl_tlsext.h
+++ b/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.h,v 1.33 2023/04/23 18:51:53 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.h,v 1.34 2024/03/26 03:44:11 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -41,6 +41,7 @@ int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb);
 int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
 
 int tlsext_extension_seen(SSL *s, uint16_t);
+int tlsext_extension_processed(SSL *s, uint16_t);
 int tlsext_randomize_build_order(SSL *s);
 
 __END_HIDDEN_DECLS