Enforce restrictions for ClientHello extensions

RFC 8446 section 9.2 imposes some requirements on the extensions sent
in the ClientHello: key_share and supported_groups must either both be
present or both be absent. If no pre_shared_key was sent, the CH must
contain both signature_algorithms and supported_groups. If either of
these conditions is violated, servers must abort the handshake with a
missing_extensions alert. Add a function that enforces this. If we are
going to enforce that clients send an SNI, we can also do this in this
function.

Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py

ok beck inoguchi jsing

1 files changed, 44 insertions, 1 deletions

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index ccbb46652b..843b572401 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.59 2020/06/24 07:28:38 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -96,6 +96,44 @@ tls13_client_hello_is_legacy(CBS *cbs)
         return (max_version < TLS1_3_VERSION);
 }
 
+int
+tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
+{
+        SSL *ssl = ctx->ssl;
+
+        /*
+         * RFC 8446, section 9.2. If the ClientHello has supported_versions
+         * containing TLSv1.3, presence or absence of some extensions requires
+         * presence or absence of others.
+         */
+
+        /*
+         * supported_groups and key_share must either both be present or
+         * both be absent.
+         */
+        if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) !=
+            tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share))
+                return 0;
+
+        /*
+         * If we got no pre_shared_key, then signature_algorithms and
+         * supported_groups must both be present.
+         */
+        if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) {
+                if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms))
+                        return 0;
+                if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups))
+                        return 0;
+        }
+
+        /*
+         * XXX - Require server_name from client? If so, we SHOULD enforce
+         * this here - RFC 8446, 9.2.
+         */
+
+        return 1;
+}
+
 static const uint8_t tls13_compression_null_only[] = { 0 };
 
 static int
@@ -172,6 +210,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 tls13_clienthello_hash_clear(ctx->hs);
         }
 
+        if (!tls13_client_hello_required_extensions(ctx)) {
+                ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
+                goto err;
+        }
+
         /*
          * If we got this far we have a supported versions extension that offers
          * TLS 1.3 or later. This requires the legacy version be set to 0x0303.