Implement a rolling hash of the ClientHello message, Enforce RFC 8446

section 4.1.2 to ensure subsequent ClientHello messages after a HelloRetryRequest messages must be unchanged from the initial ClientHello. ok tb@ jsing@
author: beck <> 2020-06-06 01:40:09 +0000
committer: beck <> 2020-06-06 01:40:09 +0000
commit: 2d835ca8318d9ce502e9fd2dced3ef440decb39d (patch)
tree: 921562c039b5a27a1e18f71fe397784a1d3435d3 /src/lib/libssl/ssl_tlsext.c
parent: f599916be5b15add90651fc8802c4f96fc257310 (diff)
download: openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.gz
openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.bz2
openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.zip
1 files changed, 35 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index cf54fc4d2c..f6943c83ae 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.74 2020/05/29 17:39:42 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.75 2020/06/06 01:40:09 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2059,6 +2059,33 @@ tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type)
        return 1;
 }
+int
+tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
+{
+        /*
+         * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
+         * cookie may be added, padding may be removed.
+         */
+        struct tls13_ctx *ctx = s->internal->tls13;
+        if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
+            type == TLSEXT_TYPE_padding)
+                return 1;
+        if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
+            sizeof(type)))
+                return 0;
+        /*
+         * key_share data may be changed, and pre_shared_key data may
+         * be changed
+         */
+        if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
+                return 1;
+        if (!tls13_clienthello_hash_update(ctx, cbs))
+                return 0;
+        return 1;
+}
 static int
 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
 {
@@ -2098,6 +2125,13 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
                            CBS_len(&extension_data),
                            s->internal->tlsext_debug_arg);
+                if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server &&
+                    msg_type == SSL_TLSEXT_MSG_CH) {
+                        if (!tlsext_clienthello_hash_extension(s, type,
+                            &extension_data))
+                                goto err;
+                }
                /* Unknown extensions are ignored. */
                if ((tlsext = tls_extension_find(type, &idx)) == NULL)
                        continue;
author	beck <>	2020-06-06 01:40:09 +0000
committer	beck <>	2020-06-06 01:40:09 +0000
commit	2d835ca8318d9ce502e9fd2dced3ef440decb39d (patch)
tree	921562c039b5a27a1e18f71fe397784a1d3435d3 /src/lib/libssl/ssl_tlsext.c
parent	f599916be5b15add90651fc8802c4f96fc257310 (diff)
download	openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.gz openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.bz2 openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.zip

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index cf54fc4d2c..f6943c83ae 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.74 2020/05/29 17:39:42 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.75 2020/06/06 01:40:09 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2059,6 +2059,33 @@ tlsext_build(SSL s, CBB cbb, int is_server, uint16_t msg_type)
2059	return 1;	2059	return 1;
2060	}	2060	}
2061		2061
		2062	int
		2063	tlsext_clienthello_hash_extension(SSL s, uint16_t type, CBS cbs)
		2064	{
		2065	/*
		2066	* RFC 8446 4.1.2. For subsequent CH, early data will be removed,
		2067	* cookie may be added, padding may be removed.
		2068	*/
		2069	struct tls13_ctx *ctx = s->internal->tls13;
		2070
		2071	if (type == TLSEXT_TYPE_early_data \|\| type == TLSEXT_TYPE_cookie \|\|
		2072	type == TLSEXT_TYPE_padding)
		2073	return 1;
		2074	if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
		2075	sizeof(type)))
		2076	return 0;
		2077	/*
		2078	* key_share data may be changed, and pre_shared_key data may
		2079	* be changed
		2080	*/
		2081	if (type == TLSEXT_TYPE_pre_shared_key \|\| type == TLSEXT_TYPE_key_share)
		2082	return 1;
		2083	if (!tls13_clienthello_hash_update(ctx, cbs))
		2084	return 0;
		2085
		2086	return 1;
		2087	}
		2088
2062	static int	2089	static int
2063	tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)	2090	tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
2064	{	2091	{
@@ -2098,6 +2125,13 @@ tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
2098	CBS_len(&extension_data),	2125	CBS_len(&extension_data),
2099	s->internal->tlsext_debug_arg);	2126	s->internal->tlsext_debug_arg);
2100		2127
		2128	if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server &&
		2129	msg_type == SSL_TLSEXT_MSG_CH) {
		2130	if (!tlsext_clienthello_hash_extension(s, type,
		2131	&extension_data))
		2132	goto err;
		2133	}
		2134
2101	/* Unknown extensions are ignored. */	2135	/* Unknown extensions are ignored. */
2102	if ((tlsext = tls_extension_find(type, &idx)) == NULL)	2136	if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2103	continue;	2137	continue;