Modify sigalgs extension processing for TLS 1.3.

- Make a separate sigalgs list for TLS 1.3 including only modern algorithm choices which we use when the handshake will not negotiate TLS 1.2 - Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2 ok jsing@ tb@
author: beck <> 2019-01-23 16:46:04 +0000
committer: beck <> 2019-01-23 16:46:04 +0000
commit: eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df (patch)
tree: b41a9c3ad5801c2f161aede880a9a198b66706f7 /src/lib/libssl/ssl_tlsext.c
parent: 07abe74fde5f23d3df46cb653258762e05b4d846 (diff)
download: openbsd-eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df.tar.gz
openbsd-eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df.tar.bz2
openbsd-eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df.zip
1 files changed, 326 insertions, 22 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6eec807f56..06105f976d 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.31 2019/01/20 02:53:56 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,9 +536,26 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                return 0;
-        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+        switch (TLS1_get_client_version(s)) {
-                return 0;
+        case TLS1_2_VERSION:
+                if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+                        return 0;
+                break;
+        case TLS1_3_VERSION: 
+                if  (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
+                        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
+                            tls12_sigalgs_len))
+                                return 0;
+                } else {
+                        if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
+                            tls13_sigalgs_len))
+                                return 0;               }
+                break;
+        default:
+                /* Should not happen */
+                return 0;
+        }
        if (!CBB_flush(cbb))
                return 0;
@@ -553,7 +570,17 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
        if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
                return 0;
-        return tls1_process_sigalgs(s, &sigalgs);
+        switch (s->version) {
+        case TLS1_3_VERSION:
+                return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
+                    tls13_sigalgs_len);
+        case TLS1_2_VERSION:
+                return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+                    tls12_sigalgs_len);
+        default:
+                /* Fail if we get a version > what we recognize */
+                return 0;
+        }
 }
 int
@@ -1243,7 +1270,7 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
        return 1;
-err:
+ err:
        freezero(public_key, X25519_KEY_LENGTH);
        freezero(private_key, X25519_KEY_LENGTH);
@@ -1253,24 +1280,100 @@ err:
 int
 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
 {
-        /* XXX we accept this but currently ignore it */
+        CBS client_shares;
-        if (!CBS_skip(cbs, CBS_len(cbs))) {
+        CBS key_exchange;
-                *alert = TLS1_AD_INTERNAL_ERROR;
+        uint16_t group;
-                return 0;
+        size_t out_len;
+        int ret = 0;
+        if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
+                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
+        while (CBS_len(&client_shares) > 0) {
+                /* Unpack client share. */
+                if (!CBS_get_u16(&client_shares, &group))
+                        goto err;
+                if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
+                        goto err;
+                /*
+                 * Skip this client share if not X25519
+                 * XXX support other groups later.
+                 */
+                if (ret || group != tls1_ec_nid2curve_id(NID_X25519))
+                        continue;
+                if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
+                        goto err;
+                if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
+                    &out_len))
+                        goto err;
+                ret = 1;
        }
-        return 1;
+        return ret;
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
 }
 int
 tlsext_keyshare_server_needs(SSL *s)
 {
-        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
+        size_t idx;
+        if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)
+                return 0;
+        if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
+                return 0;
+        return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
 }
 int
 tlsext_keyshare_server_build(SSL *s, CBB *cbb)
 {
+        uint8_t *public_key = NULL, *private_key = NULL;
+        CBB key_exchange;
+        /* X25519 */
+        if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
+                return 0;
+        /* Generate X25519 key pair. */
+        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        X25519_keypair(public_key, private_key);
+        /* Add the group and serialize the public key. */
+        if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
+                goto err;
+        if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
+                goto err;
+        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
+                goto err;
+        if (!CBB_flush(cbb))
+                goto err;
+        S3I(s)->hs_tls13.x25519_public = public_key;
+        S3I(s)->hs_tls13.x25519_private = private_key;
+        return 1;
+ err:
+        freezero(public_key, X25519_KEY_LENGTH);
+        freezero(private_key, X25519_KEY_LENGTH);
        return 0;
 }
@@ -1291,6 +1394,10 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
        if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
                goto err;
        if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1313,8 +1420,9 @@ tlsext_versions_client_needs(SSL *s)
        /* XXX once this gets initialized when we get tls13_client.c */
        if (S3I(s)->hs_tls13.max_version == 0)
                return 0;
-        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
+        if (SSL_IS_DTLS(s))
-            TLS1_3_VERSION);
+                return 0;
+        return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
 }
 int
@@ -1348,13 +1456,41 @@ tlsext_versions_client_build(SSL *s, CBB *cbb)
 int
 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
 {
-        /* XXX we accept this but currently ignore it */
+        CBS versions;
-        if (!CBS_skip(cbs, CBS_len(cbs))) {
+        uint16_t version;
-                *alert = TLS1_AD_INTERNAL_ERROR;
+        uint16_t max, min;
-                return 0;
+        uint16_t matched_version = 0;
+        max = S3I(s)->hs_tls13.max_version;
+        min = S3I(s)->hs_tls13.min_version;
+        if (!CBS_get_u8_length_prefixed(cbs, &versions))
+                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
+        if (CBS_len(&versions) < 2)
+                goto err;
+        while(CBS_len(&versions) > 0) {
+                if (!CBS_get_u16(&versions, &version))
+                        goto err;
+                /*
+                 * XXX What is below implements client preference, and
+                 * ignores any server preference entirely.
+                 */
+                if (matched_version == 0 && version >= min && version <= max)
+                        matched_version = version;
        }
+        if (matched_version != 0)
+                s->version = matched_version;
        return 1;
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
 }
 int
@@ -1366,7 +1502,11 @@ tlsext_versions_server_needs(SSL *s)
 int
 tlsext_versions_server_build(SSL *s, CBB *cbb)
 {
-        return 0;
+        if (!CBB_add_u16(cbb, TLS1_3_VERSION))
+                return 0;
+        /* XXX set 1.2 in legacy version?  */
+        return 1;
 }
 int
@@ -1379,12 +1519,161 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
                return 0;
        }
+        if (CBS_len(cbs) != 0) {
+                *alert = SSL_AD_DECODE_ERROR;
+                return 0;
+        }
+        if (selected_version < TLS1_3_VERSION) {
+                *alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
+        }
        /* XXX test between min and max once initialization code goes in */
        S3I(s)->hs_tls13.server_version = selected_version;
        return 1;
 }
+/*
+ * Cookie - RFC 8446 section 4.2.2.
+ */
+int
+tlsext_cookie_client_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        if (SSL_IS_DTLS(s))
+                return 0;
+        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
+                return 0;
+        return ((S3I(s)->hs_tls13.cookie_len > 0) &&
+            (S3I(s)->hs_tls13.cookie != NULL));
+}
+int
+tlsext_cookie_client_build(SSL *s, CBB *cbb)
+{
+        CBB cookie;
+        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
+                return 0;
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
+            S3I(s)->hs_tls13.cookie_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+int
+tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS cookie;
+        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
+                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
+        if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
+                goto err;
+        /*
+         * Check provided cookie value against what server previously
+         * sent - client *MUST* send the same cookie with new CR after
+         * a cookie is sent by the server with an HRR
+         */
+        if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
+            S3I(s)->hs_tls13.cookie_len) != 0) {
+                /* XXX special cookie mismatch alert? */
+                *alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
+        }
+        return 1;
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
+}
+int
+tlsext_cookie_server_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        if (SSL_IS_DTLS(s))
+                return 0;
+        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
+                return 0;
+        /*
+         * Server needs to set cookie value in tls13 handshake
+         * in order to send one, should only be sent with HRR.
+         */
+        return ((S3I(s)->hs_tls13.cookie_len > 0) &&
+            (S3I(s)->hs_tls13.cookie != NULL));
+}
+int
+tlsext_cookie_server_build(SSL *s, CBB *cbb)
+{
+        CBB cookie;
+        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
+                return 0;
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
+            S3I(s)->hs_tls13.cookie_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+int
+tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS cookie;
+        /*
+         * XXX This currently assumes we will not get a second
+         * HRR from a server with a cookie to process after accepting
+         * one from the server in the same handshake
+         */
+        if ((S3I(s)->hs_tls13.cookie != NULL) ||
+            S3I(s)->hs_tls13.cookie_len != 0) {
+                *alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
+        }
+        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
+                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
+        if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
+                goto err;
+        memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
+        S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
+        return 1;
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
+}
 struct tls_extension_funcs {
        int (*needs)(SSL *s);
        int (*build)(SSL *s, CBB *cbb);
@@ -1542,6 +1831,20 @@ static struct tls_extension tls_extensions[] = {
                        .parse = tlsext_alpn_client_parse,
                },
        },
+        {
+                .type = TLSEXT_TYPE_cookie,
+                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
+                .client = {
+                        .needs = tlsext_cookie_client_needs,
+                        .build = tlsext_cookie_client_build,
+                        .parse = tlsext_cookie_server_parse,
+                },
+                .server = {
+                        .needs = tlsext_cookie_server_needs,
+                        .build = tlsext_cookie_server_build,
+                        .parse = tlsext_cookie_client_parse,
+                },
+        },
 #ifndef OPENSSL_NO_SRTP
        {
                .type = TLSEXT_TYPE_use_srtp,
@@ -1565,7 +1868,7 @@ static struct tls_extension tls_extensions[] = {
 /* Ensure that extensions fit in a uint32_t bitmask. */
 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
-static struct tls_extension *
+struct tls_extension *
 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
 {
        size_t i;
@@ -1645,11 +1948,12 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
        struct tls_extension_funcs *ext;
        struct tls_extension *tlsext;
        CBS extensions, extension_data;
-        uint32_t extensions_seen = 0;
        uint16_t type;
        size_t idx;
        uint16_t version;
+        S3I(s)->hs.extensions_seen = 0;
        if (is_server)
                version = s->version;
        else
@@ -1688,9 +1992,9 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
                }
                /* Check for duplicate known extensions. */
-                if ((extensions_seen & (1 << idx)) != 0)
+                if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
                        return 0;
-                extensions_seen |= (1 << idx);
+                S3I(s)->hs.extensions_seen |= (1 << idx);
                ext = tlsext_funcs(tlsext, is_server);
                if (!ext->parse(s, &extension_data, alert))
author	beck <>	2019-01-23 16:46:04 +0000
committer	beck <>	2019-01-23 16:46:04 +0000
commit	eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df (patch)
tree	b41a9c3ad5801c2f161aede880a9a198b66706f7 /src/lib/libssl/ssl_tlsext.c
parent	07abe74fde5f23d3df46cb653258762e05b4d846 (diff)
download	openbsd-eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df.tar.gz openbsd-eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df.tar.bz2 openbsd-eb8cfbe6972b8b99de20acf4ed8e9b7ffc9b22df.zip

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 6eec807f56..06105f976d 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.31 2019/01/20 02:53:56 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,9 +536,26 @@ tlsext_sigalgs_client_build(SSL s, CBB cbb)
536	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))	536	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
537	return 0;	537	return 0;
538		538
539	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))	539	switch (TLS1_get_client_version(s)) {
540	return 0;	540	case TLS1_2_VERSION:
		541	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
		542	return 0;
		543	break;
		544	case TLS1_3_VERSION:
		545	if (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
		546	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
		547	tls12_sigalgs_len))
		548	return 0;
		549	} else {
		550	if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
		551	tls13_sigalgs_len))
		552	return 0; }
541		553
		554	break;
		555	default:
		556	/* Should not happen */
		557	return 0;
		558	}
542	if (!CBB_flush(cbb))	559	if (!CBB_flush(cbb))
543	return 0;	560	return 0;
544		561
@@ -553,7 +570,17 @@ tlsext_sigalgs_server_parse(SSL s, CBS cbs, int *alert)
553	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))	570	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
554	return 0;	571	return 0;
555		572
556	return tls1_process_sigalgs(s, &sigalgs);	573	switch (s->version) {
		574	case TLS1_3_VERSION:
		575	return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
		576	tls13_sigalgs_len);
		577	case TLS1_2_VERSION:
		578	return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
		579	tls12_sigalgs_len);
		580	default:
		581	/* Fail if we get a version > what we recognize */
		582	return 0;
		583	}
557	}	584	}
558		585
559	int	586	int
@@ -1243,7 +1270,7 @@ tlsext_keyshare_client_build(SSL s, CBB cbb)
1243		1270
1244	return 1;	1271	return 1;
1245		1272
1246	err:	1273	err:
1247	freezero(public_key, X25519_KEY_LENGTH);	1274	freezero(public_key, X25519_KEY_LENGTH);
1248	freezero(private_key, X25519_KEY_LENGTH);	1275	freezero(private_key, X25519_KEY_LENGTH);
1249		1276
@@ -1253,24 +1280,100 @@ err:
1253	int	1280	int
1254	tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert)	1281	tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert)
1255	{	1282	{
1256	/* XXX we accept this but currently ignore it */	1283	CBS client_shares;
1257	if (!CBS_skip(cbs, CBS_len(cbs))) {	1284	CBS key_exchange;
1258	*alert = TLS1_AD_INTERNAL_ERROR;	1285	uint16_t group;
1259	return 0;	1286	size_t out_len;
		1287	int ret = 0;
		1288
		1289	if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
		1290	goto err;
		1291
		1292	if (CBS_len(cbs) != 0)
		1293	goto err;
		1294
		1295	while (CBS_len(&client_shares) > 0) {
		1296
		1297	/* Unpack client share. */
		1298	if (!CBS_get_u16(&client_shares, &group))
		1299	goto err;
		1300
		1301	if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
		1302	goto err;
		1303
		1304	/*
		1305	* Skip this client share if not X25519
		1306	* XXX support other groups later.
		1307	*/
		1308	if (ret \|\| group != tls1_ec_nid2curve_id(NID_X25519))
		1309	continue;
		1310
		1311	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
		1312	goto err;
		1313
		1314	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
		1315	&out_len))
		1316	goto err;
		1317
		1318	ret = 1;
1260	}	1319	}
1261		1320
1262	return 1;	1321	return ret;
		1322
		1323	err:
		1324	*alert = SSL_AD_DECODE_ERROR;
		1325	return 0;
1263	}	1326	}
1264		1327
1265	int	1328	int
1266	tlsext_keyshare_server_needs(SSL *s)	1329	tlsext_keyshare_server_needs(SSL *s)
1267	{	1330	{
1268	return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);	1331	size_t idx;
		1332
		1333	if (SSL_IS_DTLS(s) \|\| s->version < TLS1_3_VERSION)
		1334	return 0;
		1335	if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
		1336	return 0;
		1337	return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1269	}	1338	}
1270		1339
1271	int	1340	int
1272	tlsext_keyshare_server_build(SSL s, CBB cbb)	1341	tlsext_keyshare_server_build(SSL s, CBB cbb)
1273	{	1342	{
		1343	uint8_t public_key = NULL, private_key = NULL;
		1344	CBB key_exchange;
		1345
		1346	/* X25519 */
		1347	if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
		1348	return 0;
		1349
		1350	/* Generate X25519 key pair. */
		1351	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
		1352	goto err;
		1353	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
		1354	goto err;
		1355	X25519_keypair(public_key, private_key);
		1356
		1357	/* Add the group and serialize the public key. */
		1358	if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
		1359	goto err;
		1360	if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
		1361	goto err;
		1362	if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
		1363	goto err;
		1364
		1365	if (!CBB_flush(cbb))
		1366	goto err;
		1367
		1368	S3I(s)->hs_tls13.x25519_public = public_key;
		1369	S3I(s)->hs_tls13.x25519_private = private_key;
		1370
		1371	return 1;
		1372
		1373	err:
		1374	freezero(public_key, X25519_KEY_LENGTH);
		1375	freezero(private_key, X25519_KEY_LENGTH);
		1376
1274	return 0;	1377	return 0;
1275	}	1378	}
1276		1379
@@ -1291,6 +1394,10 @@ tlsext_keyshare_client_parse(SSL s, CBS cbs, int *alert)
1291		1394
1292	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))	1395	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1293	goto err;	1396	goto err;
		1397
		1398	if (CBS_len(cbs) != 0)
		1399	goto err;
		1400
1294	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)	1401	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1295	goto err;	1402	goto err;
1296	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,	1403	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1313,8 +1420,9 @@ tlsext_versions_client_needs(SSL *s)
1313	/* XXX once this gets initialized when we get tls13_client.c */	1420	/* XXX once this gets initialized when we get tls13_client.c */
1314	if (S3I(s)->hs_tls13.max_version == 0)	1421	if (S3I(s)->hs_tls13.max_version == 0)
1315	return 0;	1422	return 0;
1316	return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=	1423	if (SSL_IS_DTLS(s))
1317	TLS1_3_VERSION);	1424	return 0;
		1425	return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1318	}	1426	}
1319		1427
1320	int	1428	int
@@ -1348,13 +1456,41 @@ tlsext_versions_client_build(SSL s, CBB cbb)
1348	int	1456	int
1349	tlsext_versions_server_parse(SSL s, CBS cbs, int *alert)	1457	tlsext_versions_server_parse(SSL s, CBS cbs, int *alert)
1350	{	1458	{
1351	/* XXX we accept this but currently ignore it */	1459	CBS versions;
1352	if (!CBS_skip(cbs, CBS_len(cbs))) {	1460	uint16_t version;
1353	*alert = TLS1_AD_INTERNAL_ERROR;	1461	uint16_t max, min;
1354	return 0;	1462	uint16_t matched_version = 0;
		1463
		1464	max = S3I(s)->hs_tls13.max_version;
		1465	min = S3I(s)->hs_tls13.min_version;
		1466
		1467	if (!CBS_get_u8_length_prefixed(cbs, &versions))
		1468	goto err;
		1469
		1470	if (CBS_len(cbs) != 0)
		1471	goto err;
		1472
		1473	if (CBS_len(&versions) < 2)
		1474	goto err;
		1475
		1476	while(CBS_len(&versions) > 0) {
		1477	if (!CBS_get_u16(&versions, &version))
		1478	goto err;
		1479	/*
		1480	* XXX What is below implements client preference, and
		1481	* ignores any server preference entirely.
		1482	*/
		1483	if (matched_version == 0 && version >= min && version <= max)
		1484	matched_version = version;
1355	}	1485	}
		1486	if (matched_version != 0)
		1487	s->version = matched_version;
1356		1488
1357	return 1;	1489	return 1;
		1490
		1491	err:
		1492	*alert = SSL_AD_DECODE_ERROR;
		1493	return 0;
1358	}	1494	}
1359		1495
1360	int	1496	int
@@ -1366,7 +1502,11 @@ tlsext_versions_server_needs(SSL *s)
1366	int	1502	int
1367	tlsext_versions_server_build(SSL s, CBB cbb)	1503	tlsext_versions_server_build(SSL s, CBB cbb)
1368	{	1504	{
1369	return 0;	1505	if (!CBB_add_u16(cbb, TLS1_3_VERSION))
		1506	return 0;
		1507	/* XXX set 1.2 in legacy version? */
		1508
		1509	return 1;
1370	}	1510	}
1371		1511
1372	int	1512	int
@@ -1379,12 +1519,161 @@ tlsext_versions_client_parse(SSL s, CBS cbs, int *alert)
1379	return 0;	1519	return 0;
1380	}	1520	}
1381		1521
		1522	if (CBS_len(cbs) != 0) {
		1523	*alert = SSL_AD_DECODE_ERROR;
		1524	return 0;
		1525	}
		1526
		1527	if (selected_version < TLS1_3_VERSION) {
		1528	*alert = SSL_AD_ILLEGAL_PARAMETER;
		1529	return 0;
		1530	}
		1531
1382	/* XXX test between min and max once initialization code goes in */	1532	/* XXX test between min and max once initialization code goes in */
1383	S3I(s)->hs_tls13.server_version = selected_version;	1533	S3I(s)->hs_tls13.server_version = selected_version;
1384		1534
1385	return 1;	1535	return 1;
1386	}	1536	}
1387		1537
		1538
		1539	/*
		1540	* Cookie - RFC 8446 section 4.2.2.
		1541	*/
		1542
		1543	int
		1544	tlsext_cookie_client_needs(SSL *s)
		1545	{
		1546	/* XXX once this gets initialized when we get tls13_client.c */
		1547	if (S3I(s)->hs_tls13.max_version == 0)
		1548	return 0;
		1549	if (SSL_IS_DTLS(s))
		1550	return 0;
		1551	if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
		1552	return 0;
		1553	return ((S3I(s)->hs_tls13.cookie_len > 0) &&
		1554	(S3I(s)->hs_tls13.cookie != NULL));
		1555	}
		1556
		1557	int
		1558	tlsext_cookie_client_build(SSL s, CBB cbb)
		1559	{
		1560	CBB cookie;
		1561
		1562	if (!CBB_add_u16_length_prefixed(cbb, &cookie))
		1563	return 0;
		1564
		1565	if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
		1566	S3I(s)->hs_tls13.cookie_len))
		1567	return 0;
		1568
		1569	if (!CBB_flush(cbb))
		1570	return 0;
		1571
		1572	return 1;
		1573	}
		1574
		1575	int
		1576	tlsext_cookie_server_parse(SSL s, CBS cbs, int *alert)
		1577	{
		1578	CBS cookie;
		1579
		1580	if (!CBS_get_u16_length_prefixed(cbs, &cookie))
		1581	goto err;
		1582
		1583	if (CBS_len(cbs) != 0)
		1584	goto err;
		1585
		1586	if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
		1587	goto err;
		1588
		1589	/*
		1590	* Check provided cookie value against what server previously
		1591	* sent - client MUST send the same cookie with new CR after
		1592	* a cookie is sent by the server with an HRR
		1593	*/
		1594	if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
		1595	S3I(s)->hs_tls13.cookie_len) != 0) {
		1596	/* XXX special cookie mismatch alert? */
		1597	*alert = SSL_AD_ILLEGAL_PARAMETER;
		1598	return 0;
		1599	}
		1600
		1601	return 1;
		1602
		1603	err:
		1604	*alert = SSL_AD_DECODE_ERROR;
		1605	return 0;
		1606	}
		1607
		1608	int
		1609	tlsext_cookie_server_needs(SSL *s)
		1610	{
		1611	/* XXX once this gets initialized when we get tls13_client.c */
		1612	if (S3I(s)->hs_tls13.max_version == 0)
		1613	return 0;
		1614	if (SSL_IS_DTLS(s))
		1615	return 0;
		1616	if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
		1617	return 0;
		1618	/*
		1619	* Server needs to set cookie value in tls13 handshake
		1620	* in order to send one, should only be sent with HRR.
		1621	*/
		1622	return ((S3I(s)->hs_tls13.cookie_len > 0) &&
		1623	(S3I(s)->hs_tls13.cookie != NULL));
		1624	}
		1625
		1626	int
		1627	tlsext_cookie_server_build(SSL s, CBB cbb)
		1628	{
		1629	CBB cookie;
		1630
		1631	if (!CBB_add_u16_length_prefixed(cbb, &cookie))
		1632	return 0;
		1633	if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
		1634	S3I(s)->hs_tls13.cookie_len))
		1635	return 0;
		1636	if (!CBB_flush(cbb))
		1637	return 0;
		1638
		1639	return 1;
		1640	}
		1641
		1642	int
		1643	tlsext_cookie_client_parse(SSL s, CBS cbs, int *alert)
		1644	{
		1645	CBS cookie;
		1646
		1647	/*
		1648	* XXX This currently assumes we will not get a second
		1649	* HRR from a server with a cookie to process after accepting
		1650	* one from the server in the same handshake
		1651	*/
		1652	if ((S3I(s)->hs_tls13.cookie != NULL) \|\|
		1653	S3I(s)->hs_tls13.cookie_len != 0) {
		1654	*alert = SSL_AD_ILLEGAL_PARAMETER;
		1655	return 0;
		1656	}
		1657
		1658	if (!CBS_get_u16_length_prefixed(cbs, &cookie))
		1659	goto err;
		1660
		1661	if (CBS_len(cbs) != 0)
		1662	goto err;
		1663
		1664	if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
		1665	goto err;
		1666
		1667	memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
		1668	S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
		1669
		1670	return 1;
		1671
		1672	err:
		1673	*alert = SSL_AD_DECODE_ERROR;
		1674	return 0;
		1675	}
		1676
1388	struct tls_extension_funcs {	1677	struct tls_extension_funcs {
1389	int (needs)(SSL s);	1678	int (needs)(SSL s);
1390	int (build)(SSL s, CBB *cbb);	1679	int (build)(SSL s, CBB *cbb);
@@ -1542,6 +1831,20 @@ static struct tls_extension tls_extensions[] = {
1542	.parse = tlsext_alpn_client_parse,	1831	.parse = tlsext_alpn_client_parse,
1543	},	1832	},
1544	},	1833	},
		1834	{
		1835	.type = TLSEXT_TYPE_cookie,
		1836	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_HRR,
		1837	.client = {
		1838	.needs = tlsext_cookie_client_needs,
		1839	.build = tlsext_cookie_client_build,
		1840	.parse = tlsext_cookie_server_parse,
		1841	},
		1842	.server = {
		1843	.needs = tlsext_cookie_server_needs,
		1844	.build = tlsext_cookie_server_build,
		1845	.parse = tlsext_cookie_client_parse,
		1846	},
		1847	},
1545	#ifndef OPENSSL_NO_SRTP	1848	#ifndef OPENSSL_NO_SRTP
1546	{	1849	{
1547	.type = TLSEXT_TYPE_use_srtp,	1850	.type = TLSEXT_TYPE_use_srtp,
@@ -1565,7 +1868,7 @@ static struct tls_extension tls_extensions[] = {
1565	/* Ensure that extensions fit in a uint32_t bitmask. */	1868	/* Ensure that extensions fit in a uint32_t bitmask. */
1566	CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));	1869	CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1567		1870
1568	static struct tls_extension *	1871	struct tls_extension *
1569	tls_extension_find(uint16_t type, size_t *tls_extensions_idx)	1872	tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1570	{	1873	{
1571	size_t i;	1874	size_t i;
@@ -1645,11 +1948,12 @@ tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
1645	struct tls_extension_funcs *ext;	1948	struct tls_extension_funcs *ext;
1646	struct tls_extension *tlsext;	1949	struct tls_extension *tlsext;
1647	CBS extensions, extension_data;	1950	CBS extensions, extension_data;
1648	uint32_t extensions_seen = 0;
1649	uint16_t type;	1951	uint16_t type;
1650	size_t idx;	1952	size_t idx;
1651	uint16_t version;	1953	uint16_t version;
1652		1954
		1955	S3I(s)->hs.extensions_seen = 0;
		1956
1653	if (is_server)	1957	if (is_server)
1654	version = s->version;	1958	version = s->version;
1655	else	1959	else
@@ -1688,9 +1992,9 @@ tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
1688	}	1992	}
1689		1993
1690	/* Check for duplicate known extensions. */	1994	/* Check for duplicate known extensions. */
1691	if ((extensions_seen & (1 << idx)) != 0)	1995	if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
1692	return 0;	1996	return 0;
1693	extensions_seen \|= (1 << idx);	1997	S3I(s)->hs.extensions_seen \|= (1 << idx);
1694		1998
1695	ext = tlsext_funcs(tlsext, is_server);	1999	ext = tlsext_funcs(tlsext, is_server);
1696	if (!ext->parse(s, &extension_data, alert))	2000	if (!ext->parse(s, &extension_data, alert))