diff options
| author | jsing <> | 2020-04-21 17:06:16 +0000 |
|---|---|---|
| committer | jsing <> | 2020-04-21 17:06:16 +0000 |
| commit | c430432c2ef1ea560124b642f581c3e1ddb24f69 (patch) | |
| tree | a6e80309b40425e0e84fb4d06928951cccb718ed /src/lib | |
| parent | 1844f7460b773d8974e63d5f022ffd6843c22fda (diff) | |
| download | openbsd-c430432c2ef1ea560124b642f581c3e1ddb24f69.tar.gz openbsd-c430432c2ef1ea560124b642f581c3e1ddb24f69.tar.bz2 openbsd-c430432c2ef1ea560124b642f581c3e1ddb24f69.zip | |
Handle TLSv1.3 key shares other than X25519 on the server side.
Previously we would only select an X25519 key share from the client,
ignoring any others. Change this so that we will select the first of the
key shares that matches one of our supported groups.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 24 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 26 |
2 files changed, 34 insertions, 16 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 4cb7c5bf90..a0e2f7320b 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.62 2020/02/18 16:12:14 tb Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.63 2020/04/21 17:06:16 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1288,13 +1288,27 @@ tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) | |||
| 1288 | return 0; | 1288 | return 0; |
| 1289 | 1289 | ||
| 1290 | /* | 1290 | /* |
| 1291 | * XXX support other groups later. | 1291 | * XXX - check key exchange against supported groups from client. |
| 1292 | * XXX enforce group can only appear once. | 1292 | * XXX - check that groups only appear once. |
| 1293 | */ | 1293 | */ |
| 1294 | if (S3I(s)->hs_tls13.key_share == NULL || | 1294 | |
| 1295 | tls13_key_share_group(S3I(s)->hs_tls13.key_share) != group) | 1295 | /* |
| 1296 | * Ignore this client share if we're using earlier than TLSv1.3 | ||
| 1297 | * or we've already selected a key share. | ||
| 1298 | */ | ||
| 1299 | if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) | ||
| 1300 | continue; | ||
| 1301 | if (S3I(s)->hs_tls13.key_share != NULL) | ||
| 1296 | continue; | 1302 | continue; |
| 1297 | 1303 | ||
| 1304 | /* XXX - consider implementing server preference. */ | ||
| 1305 | if (!tls1_check_curve(s, group)) | ||
| 1306 | continue; | ||
| 1307 | |||
| 1308 | /* Decode and store the selected key share. */ | ||
| 1309 | S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); | ||
| 1310 | if (S3I(s)->hs_tls13.key_share == NULL) | ||
| 1311 | goto err; | ||
| 1298 | if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, | 1312 | if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, |
| 1299 | group, &key_exchange)) | 1313 | group, &key_exchange)) |
| 1300 | goto err; | 1314 | goto err; |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 1aebf5840c..f3d21a7477 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.29 2020/04/17 17:16:53 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.30 2020/04/21 17:06:16 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -49,11 +49,6 @@ tls13_server_init(struct tls13_ctx *ctx) | |||
| 49 | if ((s->session = SSL_SESSION_new()) == NULL) | 49 | if ((s->session = SSL_SESSION_new()) == NULL) |
| 50 | return 0; | 50 | return 0; |
| 51 | 51 | ||
| 52 | if ((ctx->hs->key_share = tls13_key_share_new_nid(NID_X25519)) == NULL) | ||
| 53 | return 0; | ||
| 54 | if (!tls13_key_share_generate(ctx->hs->key_share)) | ||
| 55 | return 0; | ||
| 56 | |||
| 57 | arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); | 52 | arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); |
| 58 | 53 | ||
| 59 | return 1; | 54 | return 1; |
| @@ -284,6 +279,14 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 284 | if (s->method->internal->version < TLS1_3_VERSION) | 279 | if (s->method->internal->version < TLS1_3_VERSION) |
| 285 | return 1; | 280 | return 1; |
| 286 | 281 | ||
| 282 | /* | ||
| 283 | * If no matching key share was provided, we need to send a | ||
| 284 | * HelloRetryRequest, if matching security parameters exist. | ||
| 285 | */ | ||
| 286 | if (ctx->hs->key_share == NULL) | ||
| 287 | ctx->handshake_stage.hs_type |= WITH_HRR; | ||
| 288 | |||
| 289 | /* XXX - check this is the correct point */ | ||
| 287 | tls13_record_layer_allow_ccs(ctx->rl, 1); | 290 | tls13_record_layer_allow_ccs(ctx->rl, 1); |
| 288 | 291 | ||
| 289 | return 1; | 292 | return 1; |
| @@ -524,6 +527,12 @@ err: | |||
| 524 | int | 527 | int |
| 525 | tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) | 528 | tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) |
| 526 | { | 529 | { |
| 530 | if (ctx->hs->key_share == NULL) | ||
| 531 | return 0; | ||
| 532 | |||
| 533 | if (!tls13_key_share_generate(ctx->hs->key_share)) | ||
| 534 | return 0; | ||
| 535 | |||
| 527 | if (!tls13_server_hello_build(ctx, cbb)) | 536 | if (!tls13_server_hello_build(ctx, cbb)) |
| 528 | return 0; | 537 | return 0; |
| 529 | 538 | ||
| @@ -542,11 +551,6 @@ tls13_server_hello_sent(struct tls13_ctx *ctx) | |||
| 542 | SSL *s = ctx->ssl; | 551 | SSL *s = ctx->ssl; |
| 543 | int ret = 0; | 552 | int ret = 0; |
| 544 | 553 | ||
| 545 | /* XXX - handle other key share types. */ | ||
| 546 | if (ctx->hs->key_share == NULL) { | ||
| 547 | /* XXX - alert. */ | ||
| 548 | goto err; | ||
| 549 | } | ||
| 550 | if (!tls13_key_share_derive(ctx->hs->key_share, | 554 | if (!tls13_key_share_derive(ctx->hs->key_share, |
| 551 | &shared_key, &shared_key_len)) | 555 | &shared_key, &shared_key_len)) |
| 552 | goto err; | 556 | goto err; |