Correct several issues in the current TLSv1.3 server code.

Correct the parsing of the client hello support versions extension. This has one or more values, rather than just the single selected version. Allocate an SSL_SESSION - this is unused currently, but is needed as soon as we start parsing extensions. Also, pull the cipher suites list off correctly - this is u16 prefixed, not u8. ok beck@
author: jsing <> 2020-01-23 11:47:13 +0000
committer: jsing <> 2020-01-23 11:47:13 +0000
commit: 19a3c1d96385a70d4641d597c708f03c347280ae (patch)
tree: 0695bd7c209a3204a49c4b95c1c100e5f7223a6c /src
parent: e1c90a4e070ba366916c4e95414e9b0b2c2d5df7 (diff)
download: openbsd-19a3c1d96385a70d4641d597c708f03c347280ae.tar.gz
openbsd-19a3c1d96385a70d4641d597c708f03c347280ae.tar.bz2
openbsd-19a3c1d96385a70d4641d597c708f03c347280ae.zip
1 files changed, 15 insertions, 6 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index e56d4c16fd..3c832aec65 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.11 2020/01/23 10:48:36 beck Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.12 2020/01/23 11:47:13 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -45,6 +45,9 @@ tls13_server_init(struct tls13_ctx *ctx)
        if (!tls1_transcript_init(s))
                return 0;
+        if ((s->session = SSL_SESSION_new()) == NULL)
+                return 0;
        arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
        return 1;
@@ -142,8 +145,8 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
 static int
 tls13_client_hello_is_legacy(CBS *cbs)
 {
-        CBS extensions_block, extensions, extension_data;
+        CBS extensions_block, extensions, extension_data, versions;
-        uint16_t selected_version = 0;
+        uint16_t version, max_version = 0;
        uint16_t type;
        CBS_dup(cbs, &extensions_block);
@@ -159,13 +162,19 @@ tls13_client_hello_is_legacy(CBS *cbs)
                if (type != TLSEXT_TYPE_supported_versions)
                        continue;
-                if (!CBS_get_u16(&extension_data, &selected_version))
+                if (!CBS_get_u8_length_prefixed(&extension_data, &versions))
                        return 1;
+                while (CBS_len(&versions) > 0) {
+                        if (!CBS_get_u16(&versions, &version))
+                                return 1;
+                        if (version >= max_version)
+                                max_version = version;
+                }
                if (CBS_len(&extension_data) != 0)
                        return 1;
        }
-        return (selected_version < TLS1_3_VERSION);
+        return (max_version < TLS1_3_VERSION);
 }
 static int
@@ -182,7 +191,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        if (!CBS_get_u8_length_prefixed(cbs, &session_id))
                goto err;
-        if (!CBS_get_u8_length_prefixed(cbs, &cipher_suites))
+        if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites))
                goto err;
        if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
                goto err;
author	jsing <>	2020-01-23 11:47:13 +0000
committer	jsing <>	2020-01-23 11:47:13 +0000
commit	19a3c1d96385a70d4641d597c708f03c347280ae (patch)
tree	0695bd7c209a3204a49c4b95c1c100e5f7223a6c /src
parent	e1c90a4e070ba366916c4e95414e9b0b2c2d5df7 (diff)
download	openbsd-19a3c1d96385a70d4641d597c708f03c347280ae.tar.gz openbsd-19a3c1d96385a70d4641d597c708f03c347280ae.tar.bz2 openbsd-19a3c1d96385a70d4641d597c708f03c347280ae.zip