Modify sigalgs extension processing for TLS 1.3.

- Make a separate sigalgs list for TLS 1.3 including only modern
  algorithm choices which we use when the handshake will not negotiate
  TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
  mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@

8 files changed, 380 insertions, 36 deletions

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 9e4998cb42..53aab7c1e5 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.178 2019/01/21 01:20:11 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.179 2019/01/23 16:46:04 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1569,6 +1569,7 @@ ssl3_free(SSL *s)
         freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
         freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
         freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
+        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
 
         sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
 
@@ -1605,6 +1606,11 @@ ssl3_clear(SSL *s)
         freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
         freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
         freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
+        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
+        S3I(s)->hs_tls13.cookie = NULL;
+        S3I(s)->hs_tls13.cookie_len = 0;
+
+        S3I(s)->hs.extensions_seen = 0;
 
         rp = S3I(s)->rbuf.buf;
         wp = S3I(s)->wbuf.buf;
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index acc48389c0..ee26a200b1 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.52 2019/01/18 00:54:42 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.53 2019/01/23 16:46:04 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1680,7 +1680,8 @@ ssl3_get_certificate_request(SSL *s)
                         SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
                         goto err;
                 }
-                if (!tls1_process_sigalgs(s, &sigalgs)) {
+                if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+                    tls12_sigalgs_len)) {
                         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                         SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
                         goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 7903d84890..e4b1341db5 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.228 2019/01/21 10:28:52 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.229 2019/01/23 16:46:04 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -429,6 +429,9 @@ typedef struct ssl_handshake_st {
         /* key_block is the record-layer key block for TLS 1.2 and earlier. */
         int key_block_len;
         unsigned char *key_block;
+
+        /* Extensions seen in this handshake. */
+        uint32_t extensions_seen;
 } SSL_HANDSHAKE;
 
 typedef struct ssl_handshake_tls13_st {
@@ -445,6 +448,9 @@ typedef struct ssl_handshake_tls13_st {
         uint8_t *x25519_peer_public;
 
         struct tls13_secrets *secrets;
+
+        uint8_t *cookie;
+        size_t cookie_len;
 } SSL_HANDSHAKE_TLS13;
 
 typedef struct ssl_ctx_internal_st {
@@ -1313,7 +1319,7 @@ int tls1_process_ticket(SSL *s, const unsigned char *session_id,
     int session_id_len, CBS *ext_block, SSL_SESSION **ret);
 
 long ssl_get_algorithm2(SSL *s);
-int tls1_process_sigalgs(SSL *s, CBS *cbs);
+int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *, size_t);
 
 int tls1_check_ec_server_key(SSL *s);
 
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index a6b4251d70..23f65f5070 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.11 2018/11/16 02:41:16 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.12 2019/01/23 16:46:04 beck Exp $ */
 /*
- * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -163,13 +163,30 @@ const struct ssl_sigalg sigalgs[] = {
         },
 };
 
+/* Sigalgs for tls 1.3, in preference order, */
+uint16_t tls13_sigalgs[] = {
+        SIGALG_RSA_PSS_RSAE_SHA512,
+        SIGALG_RSA_PKCS1_SHA512,
+        SIGALG_ECDSA_SECP512R1_SHA512,
+        SIGALG_RSA_PSS_RSAE_SHA384,
+        SIGALG_RSA_PKCS1_SHA384,
+        SIGALG_ECDSA_SECP384R1_SHA384,
+        SIGALG_RSA_PSS_RSAE_SHA256,
+        SIGALG_RSA_PKCS1_SHA256,
+        SIGALG_ECDSA_SECP256R1_SHA256,
+};
+size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
+
 /* Sigalgs for tls 1.2, in preference order, */
 uint16_t tls12_sigalgs[] = {
+        SIGALG_RSA_PSS_RSAE_SHA512,
         SIGALG_RSA_PKCS1_SHA512,
         SIGALG_ECDSA_SECP512R1_SHA512,
         SIGALG_GOSTR12_512_STREEBOG_512,
+        SIGALG_RSA_PSS_RSAE_SHA384,
         SIGALG_RSA_PKCS1_SHA384,
         SIGALG_ECDSA_SECP384R1_SHA384,
+        SIGALG_RSA_PSS_RSAE_SHA256,
         SIGALG_RSA_PKCS1_SHA256,
         SIGALG_ECDSA_SECP256R1_SHA256,
         SIGALG_GOSTR12_256_STREEBOG_256,
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 5ae595835b..8ea4df9e31 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.8 2018/11/16 02:41:16 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.9 2019/01/23 16:46:04 beck Exp $ */
 /*
  * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
  *
@@ -71,6 +71,8 @@ struct ssl_sigalg{
 
 extern uint16_t tls12_sigalgs[];
 extern size_t tls12_sigalgs_len;
+extern uint16_t tls13_sigalgs[];
+extern size_t tls13_sigalgs_len;
 
 const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
 const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len);
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6eec807f56..06105f976d 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.31 2019/01/20 02:53:56 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,9 +536,26 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
         if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                 return 0;
 
-        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
-                return 0;
+        switch (TLS1_get_client_version(s)) {
+        case TLS1_2_VERSION:
+                if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+                        return 0;
+                break;
+        case TLS1_3_VERSION: 
+                if  (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
+                        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
+                            tls12_sigalgs_len))
+                                return 0;
+                } else {
+                        if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
+                            tls13_sigalgs_len))
+                                return 0;               }
 
+                break;
+        default:
+                /* Should not happen */
+                return 0;
+        }
         if (!CBB_flush(cbb))
                 return 0;
 
@@ -553,7 +570,17 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
         if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
                 return 0;
 
-        return tls1_process_sigalgs(s, &sigalgs);
+        switch (s->version) {
+        case TLS1_3_VERSION:
+                return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
+                    tls13_sigalgs_len);
+        case TLS1_2_VERSION:
+                return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+                    tls12_sigalgs_len);
+        default:
+                /* Fail if we get a version > what we recognize */
+                return 0;
+        }
 }
 
 int
@@ -1243,7 +1270,7 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
 
         return 1;
 
-err:
+ err:
         freezero(public_key, X25519_KEY_LENGTH);
         freezero(private_key, X25519_KEY_LENGTH);
 
@@ -1253,24 +1280,100 @@ err:
 int
 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
 {
-        /* XXX we accept this but currently ignore it */
-        if (!CBS_skip(cbs, CBS_len(cbs))) {
-                *alert = TLS1_AD_INTERNAL_ERROR;
-                return 0;
+        CBS client_shares;
+        CBS key_exchange;
+        uint16_t group;
+        size_t out_len;
+        int ret = 0;
+
+        if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        while (CBS_len(&client_shares) > 0) {
+
+                /* Unpack client share. */
+                if (!CBS_get_u16(&client_shares, &group))
+                        goto err;
+
+                if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
+                        goto err;
+
+                /*
+                 * Skip this client share if not X25519
+                 * XXX support other groups later.
+                 */
+                if (ret || group != tls1_ec_nid2curve_id(NID_X25519))
+                        continue;
+
+                if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
+                        goto err;
+
+                if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
+                    &out_len))
+                        goto err;
+
+                ret = 1;
         }
 
-        return 1;
+        return ret;
+
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
 }
 
 int
 tlsext_keyshare_server_needs(SSL *s)
 {
-        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
+        size_t idx;
+
+        if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)
+                return 0;
+        if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
+                return 0;
+        return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
 }
 
 int
 tlsext_keyshare_server_build(SSL *s, CBB *cbb)
 {
+        uint8_t *public_key = NULL, *private_key = NULL;
+        CBB key_exchange;
+
+        /* X25519 */
+        if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
+                return 0;
+
+        /* Generate X25519 key pair. */
+        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        X25519_keypair(public_key, private_key);
+
+        /* Add the group and serialize the public key. */
+        if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
+                goto err;
+        if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
+                goto err;
+        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
+                goto err;
+
+        if (!CBB_flush(cbb))
+                goto err;
+
+        S3I(s)->hs_tls13.x25519_public = public_key;
+        S3I(s)->hs_tls13.x25519_private = private_key;
+
+        return 1;
+
+ err:
+        freezero(public_key, X25519_KEY_LENGTH);
+        freezero(private_key, X25519_KEY_LENGTH);
+
         return 0;
 }
 
@@ -1291,6 +1394,10 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
 
         if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
                 goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
         if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
                 goto err;
         if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1313,8 +1420,9 @@ tlsext_versions_client_needs(SSL *s)
         /* XXX once this gets initialized when we get tls13_client.c */
         if (S3I(s)->hs_tls13.max_version == 0)
                 return 0;
-        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
-            TLS1_3_VERSION);
+        if (SSL_IS_DTLS(s))
+                return 0;
+        return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
 }
 
 int
@@ -1348,13 +1456,41 @@ tlsext_versions_client_build(SSL *s, CBB *cbb)
 int
 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
 {
-        /* XXX we accept this but currently ignore it */
-        if (!CBS_skip(cbs, CBS_len(cbs))) {
-                *alert = TLS1_AD_INTERNAL_ERROR;
-                return 0;
+        CBS versions;
+        uint16_t version;
+        uint16_t max, min;
+        uint16_t matched_version = 0;
+
+        max = S3I(s)->hs_tls13.max_version;
+        min = S3I(s)->hs_tls13.min_version;
+
+        if (!CBS_get_u8_length_prefixed(cbs, &versions))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        if (CBS_len(&versions) < 2)
+                goto err;
+
+        while(CBS_len(&versions) > 0) {
+                if (!CBS_get_u16(&versions, &version))
+                        goto err;
+                /*
+                 * XXX What is below implements client preference, and
+                 * ignores any server preference entirely.
+                 */
+                if (matched_version == 0 && version >= min && version <= max)
+                        matched_version = version;
         }
+        if (matched_version != 0)
+                s->version = matched_version;
 
         return 1;
+
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
 }
 
 int
@@ -1366,7 +1502,11 @@ tlsext_versions_server_needs(SSL *s)
 int
 tlsext_versions_server_build(SSL *s, CBB *cbb)
 {
-        return 0;
+        if (!CBB_add_u16(cbb, TLS1_3_VERSION))
+                return 0;
+        /* XXX set 1.2 in legacy version?  */
+
+        return 1;
 }
 
 int
@@ -1379,12 +1519,161 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
                 return 0;
         }
 
+        if (CBS_len(cbs) != 0) {
+                *alert = SSL_AD_DECODE_ERROR;
+                return 0;
+        }
+
+        if (selected_version < TLS1_3_VERSION) {
+                *alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
+        }
+
         /* XXX test between min and max once initialization code goes in */
         S3I(s)->hs_tls13.server_version = selected_version;
 
         return 1;
 }
 
+
+/*
+ * Cookie - RFC 8446 section 4.2.2.
+ */
+
+int
+tlsext_cookie_client_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        if (SSL_IS_DTLS(s))
+                return 0;
+        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
+                return 0;
+        return ((S3I(s)->hs_tls13.cookie_len > 0) &&
+            (S3I(s)->hs_tls13.cookie != NULL));
+}
+
+int
+tlsext_cookie_client_build(SSL *s, CBB *cbb)
+{
+        CBB cookie;
+
+        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
+                return 0;
+
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
+            S3I(s)->hs_tls13.cookie_len))
+                return 0;
+
+        if (!CBB_flush(cbb))
+                return 0;
+
+        return 1;
+}
+
+int
+tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS cookie;
+
+        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
+                goto err;
+
+        /*
+         * Check provided cookie value against what server previously
+         * sent - client *MUST* send the same cookie with new CR after
+         * a cookie is sent by the server with an HRR
+         */
+        if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
+            S3I(s)->hs_tls13.cookie_len) != 0) {
+                /* XXX special cookie mismatch alert? */
+                *alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
+        }
+
+        return 1;
+
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
+}
+
+int
+tlsext_cookie_server_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        if (SSL_IS_DTLS(s))
+                return 0;
+        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
+                return 0;
+        /*
+         * Server needs to set cookie value in tls13 handshake
+         * in order to send one, should only be sent with HRR.
+         */
+        return ((S3I(s)->hs_tls13.cookie_len > 0) &&
+            (S3I(s)->hs_tls13.cookie != NULL));
+}
+
+int
+tlsext_cookie_server_build(SSL *s, CBB *cbb)
+{
+        CBB cookie;
+
+        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
+                return 0;
+        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
+            S3I(s)->hs_tls13.cookie_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+
+        return 1;
+}
+
+int
+tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS cookie;
+
+        /*
+         * XXX This currently assumes we will not get a second
+         * HRR from a server with a cookie to process after accepting
+         * one from the server in the same handshake
+         */
+        if ((S3I(s)->hs_tls13.cookie != NULL) ||
+            S3I(s)->hs_tls13.cookie_len != 0) {
+                *alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
+        }
+
+        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
+                goto err;
+
+        memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
+        S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
+
+        return 1;
+
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
+}
+
 struct tls_extension_funcs {
         int (*needs)(SSL *s);
         int (*build)(SSL *s, CBB *cbb);
@@ -1542,6 +1831,20 @@ static struct tls_extension tls_extensions[] = {
                         .parse = tlsext_alpn_client_parse,
                 },
         },
+        {
+                .type = TLSEXT_TYPE_cookie,
+                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
+                .client = {
+                        .needs = tlsext_cookie_client_needs,
+                        .build = tlsext_cookie_client_build,
+                        .parse = tlsext_cookie_server_parse,
+                },
+                .server = {
+                        .needs = tlsext_cookie_server_needs,
+                        .build = tlsext_cookie_server_build,
+                        .parse = tlsext_cookie_client_parse,
+                },
+        },
 #ifndef OPENSSL_NO_SRTP
         {
                 .type = TLSEXT_TYPE_use_srtp,
@@ -1565,7 +1868,7 @@ static struct tls_extension tls_extensions[] = {
 /* Ensure that extensions fit in a uint32_t bitmask. */
 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
 
-static struct tls_extension *
+struct tls_extension *
 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
 {
         size_t i;
@@ -1645,11 +1948,12 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
         struct tls_extension_funcs *ext;
         struct tls_extension *tlsext;
         CBS extensions, extension_data;
-        uint32_t extensions_seen = 0;
         uint16_t type;
         size_t idx;
         uint16_t version;
 
+        S3I(s)->hs.extensions_seen = 0;
+
         if (is_server)
                 version = s->version;
         else
@@ -1688,9 +1992,9 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
                 }
 
                 /* Check for duplicate known extensions. */
-                if ((extensions_seen & (1 << idx)) != 0)
+                if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
                         return 0;
-                extensions_seen |= (1 << idx);
+                S3I(s)->hs.extensions_seen |= (1 << idx);
 
                 ext = tlsext_funcs(tlsext, is_server);
                 if (!ext->parse(s, &extension_data, alert))
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index 940366b7d8..8472a8058b 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.h,v 1.17 2019/01/18 12:18:10 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.h,v 1.18 2019/01/23 16:46:04 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -101,6 +101,13 @@ int tlsext_keyshare_server_needs(SSL *s);
 int tlsext_keyshare_server_build(SSL *s, CBB *cbb);
 int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert);
 
+int tlsext_cookie_client_needs(SSL *s);
+int tlsext_cookie_client_build(SSL *s, CBB *cbb);
+int tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert);
+int tlsext_cookie_server_needs(SSL *s);
+int tlsext_cookie_server_build(SSL *s, CBB *cbb);
+int tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert);
+
 #ifndef OPENSSL_NO_SRTP
 int tlsext_srtp_client_needs(SSL *s);
 int tlsext_srtp_client_build(SSL *s, CBB *cbb);
@@ -116,6 +123,7 @@ int tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
 int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type);
 int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
 
+struct tls_extension *tls_extension_find(uint16_t, size_t *);
 __END_HIDDEN_DECLS
 
 #endif
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 1402996e42..567b3e48e0 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.150 2018/11/10 01:19:09 beck Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.151 2019/01/23 16:46:04 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1002,11 +1002,12 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 
 /* Set preferred digest for each key type */
 int
-tls1_process_sigalgs(SSL *s, CBS *cbs)
+tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len)
 {
         CERT *c = s->cert;
 
         /* Extension ignored for inappropriate versions */
+        /* XXX get rid of this? */
         if (!SSL_USE_SIGALGS(s))
                 return 1;
 
@@ -1023,9 +1024,8 @@ tls1_process_sigalgs(SSL *s, CBS *cbs)
                 if (!CBS_get_u16(cbs, &sig_alg))
                         return 0;
 
-                if ((sigalg = ssl_sigalg(sig_alg, tls12_sigalgs,
-                    tls12_sigalgs_len)) != NULL &&
-                    c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
+                if ((sigalg = ssl_sigalg(sig_alg, sigalgs, sigalgs_len)) !=
+                    NULL && c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
                         c->pkeys[sigalg->pkey_idx].sigalg = sigalg;
                         if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN)
                                 c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg;