diff options
| author | jsing <> | 2020-05-29 17:47:30 +0000 |
|---|---|---|
| committer | jsing <> | 2020-05-29 17:47:30 +0000 |
| commit | 574d6f0d7739a1810b9aad1f62716ceadbe58540 (patch) | |
| tree | 87f4d432f87e6b391e38fa5c2e73bbef1e8dd87d | |
| parent | ff2fa7afa324d94c7698c829a723c0673f95c345 (diff) | |
| download | openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.tar.gz openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.tar.bz2 openbsd-574d6f0d7739a1810b9aad1f62716ceadbe58540.zip | |
Wire up the servername callback in the TLSv1.3 server.
This makes SNI work correctly with TLSv1.3.
Found the hard way by danj@, gonzalo@ and others.
ok beck@ inoguchi@ tb@
| -rw-r--r-- | src/lib/libssl/tls13_internal.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_legacy.c | 28 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 17 |
3 files changed, 45 insertions, 3 deletions
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 770c18d6ad..96ed981959 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_internal.h,v 1.82 2020/05/23 11:57:41 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_internal.h,v 1.83 2020/05/29 17:47:30 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> |
| 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> | 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> |
| @@ -311,6 +311,7 @@ int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, | |||
| 311 | int peek); | 311 | int peek); |
| 312 | int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); | 312 | int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); |
| 313 | int tls13_legacy_shutdown(SSL *ssl); | 313 | int tls13_legacy_shutdown(SSL *ssl); |
| 314 | int tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert); | ||
| 314 | 315 | ||
| 315 | /* | 316 | /* |
| 316 | * Message Types - RFC 8446, Section B.3. | 317 | * Message Types - RFC 8446, Section B.3. |
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c index be89e9aa24..4d68287141 100644 --- a/src/lib/libssl/tls13_legacy.c +++ b/src/lib/libssl/tls13_legacy.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_legacy.c,v 1.7 2020/05/16 14:42:35 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_legacy.c,v 1.8 2020/05/29 17:47:30 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -519,3 +519,29 @@ tls13_legacy_shutdown(SSL *ssl) | |||
| 519 | 519 | ||
| 520 | return 0; | 520 | return 0; |
| 521 | } | 521 | } |
| 522 | |||
| 523 | int | ||
| 524 | tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) | ||
| 525 | { | ||
| 526 | int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; | ||
| 527 | int ret = SSL_TLSEXT_ERR_NOACK; | ||
| 528 | SSL_CTX *ssl_ctx = ctx->ssl->ctx; | ||
| 529 | SSL *ssl = ctx->ssl; | ||
| 530 | |||
| 531 | if (ssl_ctx->internal->tlsext_servername_callback == NULL) | ||
| 532 | ssl_ctx = ssl->initial_ctx; | ||
| 533 | if (ssl_ctx->internal->tlsext_servername_callback == NULL) | ||
| 534 | return 1; | ||
| 535 | |||
| 536 | ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, | ||
| 537 | ssl_ctx->internal->tlsext_servername_arg); | ||
| 538 | |||
| 539 | if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || | ||
| 540 | ret == SSL_TLSEXT_ERR_ALERT_WARNING) { | ||
| 541 | if (legacy_alert >= 0 && legacy_alert <= 255) | ||
| 542 | *alert = legacy_alert; | ||
| 543 | return 0; | ||
| 544 | } | ||
| 545 | |||
| 546 | return 1; | ||
| 547 | } | ||
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 621e51d501..181ba583a0 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.53 2020/05/23 11:58:46 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.54 2020/05/29 17:47:30 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -373,6 +373,19 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 373 | return 1; | 373 | return 1; |
| 374 | } | 374 | } |
| 375 | 375 | ||
| 376 | static int | ||
| 377 | tls13_servername_process(struct tls13_ctx *ctx) | ||
| 378 | { | ||
| 379 | uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; | ||
| 380 | |||
| 381 | if (!tls13_legacy_servername_process(ctx, &alert)) { | ||
| 382 | ctx->alert = alert; | ||
| 383 | return 0; | ||
| 384 | } | ||
| 385 | |||
| 386 | return 1; | ||
| 387 | } | ||
| 388 | |||
| 376 | int | 389 | int |
| 377 | tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) | 390 | tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) |
| 378 | { | 391 | { |
| @@ -380,6 +393,8 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 380 | return 0; | 393 | return 0; |
| 381 | if (!tls13_key_share_generate(ctx->hs->key_share)) | 394 | if (!tls13_key_share_generate(ctx->hs->key_share)) |
| 382 | return 0; | 395 | return 0; |
| 396 | if (!tls13_servername_process(ctx)) | ||
| 397 | return 0; | ||
| 383 | 398 | ||
| 384 | ctx->hs->server_group = 0; | 399 | ctx->hs->server_group = 0; |
| 385 | 400 | ||