authortb <>2020-08-10 18:59:47 +0000
committertb <>2020-08-10 18:59:47 +0000
commit5a715e5d56517275cd64092796fb2595209eb962 (patch)
treee71b2891b8ce65ccefec5a7582a532ae6f33f7f4 /src/lib
parenta91baa573ac5ab1cbde7a2761d1d1da9501f45ec (diff)
LibreSSL 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
* Improve client certificate selection to allow EC certificates instead of only RSA certificates. * Do not error out if a TLSv1.3 server requests an OCSP response as part of a certificate request. * Fix SSL_shutdown behavior to match the legacy stack. The previous behaviour could cause a hang. * Fix a memory leak and add a missing error check in the handling of the key update message. * Fix a memory leak in tls13_record_layer_set_traffic_key. * Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes. * Ensure that only PSS may be used with RSA in TLSv1.3 in order to avoid using PKCS1-based signatures. * Add the P-521 curve to the list of curves supported by default in the client. This is errata/6.7/019_libssl.patch.sig
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/ssl_locl.h18
-rw-r--r--src/lib/libssl/ssl_sigalgs.c8
-rw-r--r--src/lib/libssl/ssl_tlsext.c49
-rw-r--r--src/lib/libssl/t1_lib.c23
-rw-r--r--src/lib/libssl/tls13_client.c90
-rw-r--r--src/lib/libssl/tls13_legacy.c41
-rw-r--r--src/lib/libssl/tls13_lib.c7
-rw-r--r--src/lib/libssl/tls13_record_layer.c19
8 files changed, 189 insertions, 66 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 0212166678..8ebdab279f 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.272 2020/04/18 14:07:56 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.272.4.1 2020/08/10 18:59:47 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -433,6 +433,12 @@ typedef struct ssl_handshake_st {
433 uint8_t *sigalgs; 433 uint8_t *sigalgs;
434} SSL_HANDSHAKE; 434} SSL_HANDSHAKE;
435 435
436typedef struct cert_pkey_st {
437 X509 *x509;
438 EVP_PKEY *privatekey;
439 STACK_OF(X509) *chain;
440} CERT_PKEY;
441
436typedef struct ssl_handshake_tls13_st { 442typedef struct ssl_handshake_tls13_st {
437 uint16_t min_version; 443 uint16_t min_version;
438 uint16_t max_version; 444 uint16_t max_version;
@@ -441,6 +447,10 @@ typedef struct ssl_handshake_tls13_st {
441 int use_legacy; 447 int use_legacy;
442 int hrr; 448 int hrr;
443 449
450 /* Certificate and sigalg selected for use (static pointers) */
451 const CERT_PKEY *cpk;
452 const struct ssl_sigalg *sigalg;
453
444 /* Version proposed by peer server. */ 454 /* Version proposed by peer server. */
445 uint16_t server_version; 455 uint16_t server_version;
446 456
@@ -988,12 +998,6 @@ typedef struct dtls1_state_internal_st {
988} DTLS1_STATE_INTERNAL; 998} DTLS1_STATE_INTERNAL;
989#define D1I(s) (s->d1->internal) 999#define D1I(s) (s->d1->internal)
990 1000
991typedef struct cert_pkey_st {
992 X509 *x509;
993 EVP_PKEY *privatekey;
994 STACK_OF(X509) *chain;
995} CERT_PKEY;
996
997typedef struct cert_st { 1001typedef struct cert_st {
998 /* Current active set */ 1002 /* Current active set */
999 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array 1003 CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
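Review bot: The comment on the new `cpk`/`sigalg` members at new lines 450-452 says "(static pointers)", which does not tell a reader who owns the pointees or how long they remain valid; the selection code in tls13_client.c stores `&s->cert->pkeys[...]` and an `ssl_sigalg_select()` result here, so these are borrowed pointers that must never be freed through `hs` and are only valid while `s->cert` is. I would write it as `/* Certificate and sigalg selected for use: borrowed pointers into s->cert->pkeys and the (presumably static) sigalgs table, not owned by the handshake state. */` in the house two-line style. The relocation of `CERT_PKEY` ahead of `SSL_HANDSHAKE_TLS13` is needed only to make the type visible to the new members and is worth one sentence in the commit message.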
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 37fdcfa73f..374ba3cef2 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.20 2019/04/01 02:09:21 beck Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.20.8.1 2020/08/10 18:59:47 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -322,6 +322,12 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
322 tls_sigalgs_len)) == NULL) 322 tls_sigalgs_len)) == NULL)
323 continue; 323 continue;
324 324
325 /* RSA cannot be used without PSS in TLSv1.3. */
326 if (TLS1_get_version(s) >= TLS1_3_VERSION &&
327 sigalg->key_type == EVP_PKEY_RSA &&
328 (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
329 continue;
330
325 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve)) 331 if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve))
326 return sigalg; 332 return sigalg;
327 } 333 }
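Review bot: The new filter at new lines 325-329 drops RSASSA-PKCS1-v1_5 from the client's own signing choice, but the comment only restates the code; citing the requirement makes it reviewable: `/* RFC 8446, 4.2.3: RSASSA-PKCS1-v1_5 is only valid for certificate signatures; a TLSv1.3 CertificateVerify must use RSA-PSS. */`. I cannot see from this hunk whether the path that validates the sigalg in a peer's CertificateVerify applies the same rule; if it does not, a TLSv1.3 server signing with a PKCS#1 v1.5 sigalg would still be accepted, which is the mirror of what this change forbids and should be checked. The enclosing loop of `ssl_sigalg_select()` begins and ends outside the hunk.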
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index a0e2f7320b..302211c5e7 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.63 2020/04/21 17:06:16 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.63.4.1 2020/08/10 18:59:47 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -896,12 +896,49 @@ tlsext_ocsp_server_build(SSL *s, CBB *cbb)
896int 896int
897tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) 897tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert)
898{ 898{
899 if (s->tlsext_status_type == -1) { 899 CBS response;
900 *alert = TLS1_AD_UNSUPPORTED_EXTENSION; 900 size_t resp_len;
901 return 0; 901 uint16_t version = TLS1_get_client_version(s);
902 uint8_t status_type;
903
904 if (version >= TLS1_3_VERSION) {
905 /*
906 * RFC 8446, 4.4.2.1 - the server may request an OCSP
907 * response with an empty status_request.
908 */
909 if (CBS_len(cbs) == 0)
910 return 1;
911
912 if (!CBS_get_u8(cbs, &status_type)) {
913 SSLerror(s, SSL_R_LENGTH_MISMATCH);
914 return 0;
915 }
916 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
917 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
918 return 0;
919 }
920 if (!CBS_get_u24_length_prefixed(cbs, &response)) {
921 SSLerror(s, SSL_R_LENGTH_MISMATCH);
922 return 0;
923 }
924 if (CBS_len(&response) > 65536) {
925 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
926 return 0;
927 }
928 if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
929 &resp_len)) {
930 *alert = SSL_AD_INTERNAL_ERROR;
931 return 0;
932 }
933 s->internal->tlsext_ocsp_resplen = (int)resp_len;
934 } else {
935 if (s->tlsext_status_type == -1) {
936 *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
937 return 0;
938 }
939 /* Set flag to expect CertificateStatus message */
940 s->internal->tlsext_status_expected = 1;
902 } 941 }
903 /* Set flag to expect CertificateStatus message */
904 s->internal->tlsext_status_expected = 1;
905 return 1; 942 return 1;
906} 943}
907 944
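Review bot: The new TLSv1.3 branch at new line 904 is selected by `TLS1_get_client_version(s)`, the version the client offered, rather than the version actually negotiated; if a TLSv1.3-capable client ends up on TLSv1.2, a server's empty status_request in ServerHello would take this branch, return 1 at line 910 and never set `tlsext_status_expected`, so the following CertificateStatus would be unexpected — unless the legacy fallback rewrites `client_version` first, which I cannot see from here. The guard should be the negotiated version (or the message type), with a comment such as `/* TLSv1.3 carries status_request in CertificateRequest (empty) and in Certificate entries (full response). */`. Also, the legacy branch still rejects the extension when `s->tlsext_status_type == -1`, while the TLSv1.3 branch accepts a full response the client never asked for; if the dispatcher in this file does not already reject extensions the client did not offer, that check belongs in the new branch as well. `tlsext_ocsp_client_parse()` lies entirely within the hunk.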
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b265ea089f..9536b0a078 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.165 2020/03/10 17:02:21 jsing Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.165.4.1 2020/08/10 18:59:47 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -250,7 +250,14 @@ static const uint16_t eccurves_list[] = {
250}; 250};
251#endif 251#endif
252 252
253static const uint16_t eccurves_default[] = { 253static const uint16_t eccurves_client_default[] = {
254 29, /* X25519 (29) */
255 23, /* secp256r1 (23) */
256 24, /* secp384r1 (24) */
257 25, /* secp521r1 (25) */
258};
259
260static const uint16_t eccurves_server_default[] = {
254 29, /* X25519 (29) */ 261 29, /* X25519 (29) */
255 23, /* secp256r1 (23) */ 262 23, /* secp256r1 (23) */
256 24, /* secp384r1 (24) */ 263 24, /* secp384r1 (24) */
@@ -374,9 +381,15 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
374 381
375 *pgroups = s->internal->tlsext_supportedgroups; 382 *pgroups = s->internal->tlsext_supportedgroups;
376 *pgroupslen = s->internal->tlsext_supportedgroups_length; 383 *pgroupslen = s->internal->tlsext_supportedgroups_length;
377 if (*pgroups == NULL) { 384 if (*pgroups != NULL)
378 *pgroups = eccurves_default; 385 return;
379 *pgroupslen = sizeof(eccurves_default) / 2; 386
387 if (!s->server) {
388 *pgroups = eccurves_client_default;
389 *pgroupslen = sizeof(eccurves_client_default) / 2;
390 } else {
391 *pgroups = eccurves_server_default;
392 *pgroupslen = sizeof(eccurves_server_default) / 2;
380 } 393 }
381} 394}
382 395
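Review bot: The length computations at new lines 389 and 392 repeat the hand-written `sizeof(x) / 2` idiom, which silently breaks if the element type of the tables ever changes; `sizeof(eccurves_client_default) / sizeof(eccurves_client_default[0])` says what is meant. The split into `eccurves_client_default` and `eccurves_server_default` at lines 253-260 would also benefit from a sentence on why they differ, e.g. `/* Clients additionally offer secp521r1 for interoperability; the server list keeps the previous default. */` — I am inferring the motivation from the commit message and the hunk, which shows only the first three server entries. The body of `tls1_get_group_list()` begins before the hunk.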
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 24286569b1..67d663c326 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.54.4.2 2020/08/10 18:59:47 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -811,30 +811,92 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
811 return ret; 811 return ret;
812} 812}
813 813
814static int
815tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
816 int *ok, const struct ssl_sigalg **out_sigalg)
817{
818 const struct ssl_sigalg *sigalg;
819 SSL *s = ctx->ssl;
820
821 *ok = 0;
822 *out_sigalg = NULL;
823
824 if (cpk->x509 == NULL || cpk->privatekey == NULL)
825 goto done;
826
827 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
828 goto done;
829
830 *ok = 1;
831 *out_sigalg = sigalg;
832
833 done:
834 return 1;
835}
836
837static int
838tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
839 const struct ssl_sigalg **out_sigalg)
840{
841 SSL *s = ctx->ssl;
842 const struct ssl_sigalg *sigalg;
843 CERT_PKEY *cpk;
844 int cert_ok;
845
846 *out_cpk = NULL;
847 *out_sigalg = NULL;
848
849 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
850 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
851 return 0;
852 if (cert_ok)
853 goto done;
854
855 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
856 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
857 return 0;
858 if (cert_ok)
859 goto done;
860
861 cpk = NULL;
862 sigalg = NULL;
863
864 done:
865 *out_cpk = cpk;
866 *out_sigalg = sigalg;
867
868 return 1;
869}
870
814int 871int
815tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 872tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
816{ 873{
817 SSL *s = ctx->ssl; 874 SSL *s = ctx->ssl;
818 CBB cert_request_context, cert_list; 875 CBB cert_request_context, cert_list;
876 const struct ssl_sigalg *sigalg;
819 STACK_OF(X509) *chain; 877 STACK_OF(X509) *chain;
820 CERT_PKEY *cpk; 878 CERT_PKEY *cpk;
821 X509 *cert; 879 X509 *cert;
822 int i, ret = 0; 880 int i, ret = 0;
823 881
824 /* XXX - Need to revisit certificate selection. */ 882 if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
825 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 883 goto err;
826 884
827 if ((chain = cpk->chain) == NULL) 885 ctx->hs->cpk = cpk;
828 chain = s->ctx->extra_certs; 886 ctx->hs->sigalg = sigalg;
829 887
830 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 888 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
831 goto err; 889 goto err;
832 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 890 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
833 goto err; 891 goto err;
834 892
835 if (cpk->x509 == NULL) 893 /* No certificate selected. */
894 if (cpk == NULL)
836 goto done; 895 goto done;
837 896
897 if ((chain = cpk->chain) == NULL)
898 chain = s->ctx->extra_certs;
899
838 if (!tls13_cert_add(&cert_list, cpk->x509)) 900 if (!tls13_cert_add(&cert_list, cpk->x509))
839 goto err; 901 goto err;
840 902
@@ -858,27 +920,23 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
858int 920int
859tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 921tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
860{ 922{
861 SSL *s = ctx->ssl; 923 const struct ssl_sigalg *sigalg;
862 const struct ssl_sigalg *sigalg = NULL;
863 uint8_t *sig = NULL, *sig_content = NULL; 924 uint8_t *sig = NULL, *sig_content = NULL;
864 size_t sig_len, sig_content_len; 925 size_t sig_len, sig_content_len;
865 EVP_MD_CTX *mdctx = NULL; 926 EVP_MD_CTX *mdctx = NULL;
866 EVP_PKEY_CTX *pctx; 927 EVP_PKEY_CTX *pctx;
867 EVP_PKEY *pkey; 928 EVP_PKEY *pkey;
868 CERT_PKEY *cpk; 929 const CERT_PKEY *cpk;
869 CBB sig_cbb; 930 CBB sig_cbb;
870 int ret = 0; 931 int ret = 0;
871 932
872 memset(&sig_cbb, 0, sizeof(sig_cbb)); 933 memset(&sig_cbb, 0, sizeof(sig_cbb));
873 934
874 /* XXX - Need to revisit certificate selection. */ 935 if ((cpk = ctx->hs->cpk) == NULL)
875 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
876 pkey = cpk->privatekey;
877
878 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
879 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */
880 goto err; 936 goto err;
881 } 937 if ((sigalg = ctx->hs->sigalg) == NULL)
938 goto err;
939 pkey = cpk->privatekey;
882 940
883 if (!CBB_init(&sig_cbb, 0)) 941 if (!CBB_init(&sig_cbb, 0))
884 goto err; 942 goto err;
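Review bot: `tls13_client_check_certificate()` at new lines 814-835 can only return 1, so the two `return 0` branches in `tls13_client_select_certificate()` (lines 851 and 857) are unreachable and the `goto done` / `done:` pair merely reaches `return 1`; either let the helper return the selected sigalg (NULL meaning "not usable") and drop the `ok` out-parameter, or add a comment stating that the int return is reserved for future failure cases. The selection order is fixed to EC first, then RSA, which is a behaviour change from the old hard-coded RSA choice and deserves a comment at line 849 such as `/* Prefer an EC certificate; fall back to RSA, which ssl_sigalg_select() limits to PSS in TLSv1.3. */`. Storing `cpk` and `sigalg` in `ctx->hs` at lines 885-886 even when `cpk == NULL` is safe only because `tls13_client_certificate_verify_send()` re-checks both for NULL; a comment at line 935 saying that the NULL case means "no client certificate was sent" would make the `goto err` there easier to understand. Both functions in the second hunk continue outside it.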
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index d25674d93b..95e9032634 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_legacy.c,v 1.3.4.1 2020/05/19 20:22:33 tb Exp $ */ 1/* $OpenBSD: tls13_legacy.c,v 1.3.4.2 2020/08/10 18:59:47 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -486,29 +486,30 @@ tls13_legacy_shutdown(SSL *ssl)
486 return 1; 486 return 1;
487 } 487 }
488 488
489 /* Send close notify. */
490 if (!ctx->close_notify_sent) { 489 if (!ctx->close_notify_sent) {
491 ctx->close_notify_sent = 1; 490 /* Enqueue and send close notify. */
492 if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0) 491 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
492 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN;
493 if ((ret = tls13_send_alert(ctx->rl,
494 SSL_AD_CLOSE_NOTIFY)) < 0)
495 return tls13_legacy_return_code(ssl, ret);
496 }
497 if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
498 TLS13_IO_SUCCESS)
493 return tls13_legacy_return_code(ssl, ret); 499 return tls13_legacy_return_code(ssl, ret);
494 } 500 } else if (!ctx->close_notify_recv) {
495
496 /* Ensure close notify has been sent. */
497 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS)
498 return tls13_legacy_return_code(ssl, ret);
499
500 /* Receive close notify. */
501 if (!ctx->close_notify_recv) {
502 /* 501 /*
503 * If there is still application data pending then we have no 502 * If there is no application data pending, attempt to read more
504 * option but to discard it here. The application should have 503 * data in order to receive a close notify. This should trigger
505 * continued to call SSL_read() instead of SSL_shutdown(). 504 * a record to be read from the wire, which may be application
505 * handshake or alert data. Only one attempt is made to match
506 * previous semantics.
506 */ 507 */
507 /* XXX - tls13_drain_application_data()? */ 508 if (tls13_pending_application_data(ctx->rl) == 0) {
508 if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0) 509 if ((ret = tls13_read_application_data(ctx->rl, buf,
509 ret = TLS13_IO_WANT_POLLIN; 510 sizeof(buf))) < 0)
510 if (ret != TLS13_IO_EOF) 511 return tls13_legacy_return_code(ssl, ret);
511 return tls13_legacy_return_code(ssl, ret); 512 }
512 } 513 }
513 514
514 if (ctx->close_notify_recv) 515 if (ctx->close_notify_recv)
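Review bot: At new lines 491-495 `SSL_SENT_SHUTDOWN` is set before `tls13_send_alert()` runs and the old `ctx->close_notify_sent = 1` is gone, so nothing in this hunk records that the alert was actually handed to the record layer; presumably the record layer's alert-sent callback sets `close_notify_sent`, and a comment saying so would spare the next reader the search. If `tls13_send_alert()` fails hard (a failure rather than a WANT_POLLOUT, both of which satisfy `ret < 0`), the flag stays set and no later `SSL_shutdown()` call will attempt the alert again; if that is intended because the connection is unusable anyway, say so: `/* Flag first so that a WANT_POLLOUT retry does not queue a second alert. */`. The read branch at lines 508-512 deliberately does nothing while application data is pending, leaving it to the application to SSL_read() it; the comment above should state that case explicitly instead of only describing the empty-buffer case. The function continues past the hunk.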
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 199f43ca16..4373e769dc 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_lib.c,v 1.36 2020/04/28 20:30:41 jsing Exp $ */ 1/* $OpenBSD: tls13_lib.c,v 1.36.4.1 2020/08/10 18:59:47 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -227,8 +227,9 @@ tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
227 CBB cbb; 227 CBB cbb;
228 CBS cbs; /* XXX */ 228 CBS cbs; /* XXX */
229 229
230 free(ctx->hs_msg); 230 tls13_handshake_msg_free(ctx->hs_msg);
231 ctx->hs_msg = tls13_handshake_msg_new(); 231 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
232 goto err;
232 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, TLS13_MT_KEY_UPDATE)) 233 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, TLS13_MT_KEY_UPDATE))
233 goto err; 234 goto err;
234 if (!CBB_add_u8(&cbb, 0)) 235 if (!CBB_add_u8(&cbb, 0))
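Review bot: After the new `goto err` at new line 232, `ctx->hs_msg` is NULL; the `err:` label is outside the hunk, so whatever it does with `hs_msg` must tolerate that, and the replacement of `free()` by `tls13_handshake_msg_free()` at line 230 likewise assumes the helper accepts whatever `hs_msg` holds at that point — worth a comment at line 231 if the err path frees it: `/* hs_msg is NULL on failure; the err path must cope. */`. Unrelated to the fix, if these declarations are inside `tls13_key_update_recv()` as the hunk header suggests, the local `CBS cbs; /* XXX */` at line 228 shadows the `cbs` parameter; the XXX acknowledges it, but renaming the local would remove the -Wshadow warning and the risk of using the wrong one. The function begins and ends outside the hunk.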
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 5c2c2116c0..bf605012b3 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_record_layer.c,v 1.33 2020/05/03 15:57:25 jsing Exp $ */ 1/* $OpenBSD: tls13_record_layer.c,v 1.33.4.1 2020/08/10 18:59:47 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -435,6 +435,8 @@ tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx,
435 struct tls13_secret key = { .data = NULL, .len = 0 }; 435 struct tls13_secret key = { .data = NULL, .len = 0 };
436 int ret = 0; 436 int ret = 0;
437 437
438 EVP_AEAD_CTX_cleanup(aead_ctx);
439
438 freezero(iv->data, iv->len); 440 freezero(iv->data, iv->len);
439 iv->data = NULL; 441 iv->data = NULL;
440 iv->len = 0; 442 iv->len = 0;
@@ -523,8 +525,9 @@ static int
523tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) 525tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
524{ 526{
525 CBS header, enc_record; 527 CBS header, enc_record;
528 ssize_t inner_len;
526 uint8_t *content = NULL; 529 uint8_t *content = NULL;
527 ssize_t content_len = 0; 530 size_t content_len = 0;
528 uint8_t content_type; 531 uint8_t content_type;
529 size_t out_len; 532 size_t out_len;
530 533
@@ -560,18 +563,18 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
560 * Time to hunt for that elusive content type! 563 * Time to hunt for that elusive content type!
561 */ 564 */
562 /* XXX - CBS from end? CBS_get_end_u8()? */ 565 /* XXX - CBS from end? CBS_get_end_u8()? */
563 content_len = out_len - 1; 566 inner_len = out_len - 1;
564 while (content_len >= 0 && content[content_len] == 0) 567 while (inner_len >= 0 && content[inner_len] == 0)
565 content_len--; 568 inner_len--;
566 if (content_len < 0) 569 if (inner_len < 0)
567 goto err; 570 goto err;
568 content_type = content[content_len]; 571 content_type = content[inner_len];
569 572
570 tls13_record_layer_rbuf_free(rl); 573 tls13_record_layer_rbuf_free(rl);
571 574
572 rl->rbuf_content_type = content_type; 575 rl->rbuf_content_type = content_type;
573 rl->rbuf = content; 576 rl->rbuf = content;
574 rl->rbuf_len = content_len; 577 rl->rbuf_len = inner_len;
575 578
576 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); 579 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
577 580
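Review bot: `inner_len = out_len - 1;` at new line 566 relies on `out_len == 0` wrapping to `SIZE_MAX` and then converting to `-1` when stored in the `ssize_t`; that conversion is implementation-defined in C, so an explicit `if (out_len == 0) goto err;` before the scan would make the empty/all-zero record rejection not depend on it. The padding scan at lines 567-570 is what RFC 8446, 5.4 requires (a plaintext with no non-zero octet is a protocol error), and the fix for the negative `freezero()` size looks sound as far as this hunk shows, since `content_len` is now `size_t` and `inner_len` is only copied into `rl->rbuf_len` after the `< 0` check; I cannot see how `content_len` is assigned or used on the `err:` path. In the first hunk, `EVP_AEAD_CTX_cleanup(aead_ctx)` at line 438 assumes `aead_ctx` was zero-initialised or previously set up before the first call; a comment stating that precondition would make the leak fix self-explanatory. `tls13_record_layer_open_record_protected()` continues beyond the hunk.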