Implement a rolling hash of the ClientHello message, Enforce RFC 8446

section 4.1.2 to ensure subsequent ClientHello messages after a HelloRetryRequest messages must be unchanged from the initial ClientHello. ok tb@ jsing@
author: beck <> 2020-06-06 01:40:09 +0000
committer: beck <> 2020-06-06 01:40:09 +0000
commit: 2d835ca8318d9ce502e9fd2dced3ef440decb39d (patch)
tree: 921562c039b5a27a1e18f71fe397784a1d3435d3 /src
parent: f599916be5b15add90651fc8802c4f96fc257310 (diff)
download: openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.gz
openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.bz2
openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.zip
7 files changed, 181 insertions, 9 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index e2fef72588..c2cf922973 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.195 2020/06/05 18:14:05 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.196 2020/06/06 01:40:08 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1568,6 +1568,7 @@ ssl3_free(SSL *s)
        tls13_key_share_free(S3I(s)->hs_tls13.key_share);
        tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
+        tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
        sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
@@ -1612,6 +1613,7 @@ ssl3_clear(SSL *s)
        freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
        S3I(s)->hs_tls13.cookie = NULL;
        S3I(s)->hs_tls13.cookie_len = 0;
+        tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
        S3I(s)->hs.extensions_seen = 0;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index bfc3c1ad9b..bf1f846d13 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.279 2020/05/31 18:03:32 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.280 2020/06/06 01:40:09 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -470,6 +470,12 @@ typedef struct ssl_handshake_tls13_st {
        /* Legacy session ID. */
        uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
        size_t legacy_session_id_len;
+        /* ClientHello hash, used to validate following HelloRetryRequest */
+        EVP_MD_CTX *clienthello_md_ctx;
+        unsigned char *clienthello_hash;
+        unsigned int clienthello_hash_len;
 } SSL_HANDSHAKE_TLS13;
 typedef struct ssl_ctx_internal_st {
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index cf54fc4d2c..f6943c83ae 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.74 2020/05/29 17:39:42 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.75 2020/06/06 01:40:09 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2059,6 +2059,33 @@ tlsext_build(SSL *s, CBB *cbb, int is_server, uint16_t msg_type)
        return 1;
 }
+int
+tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs)
+{
+        /*
+         * RFC 8446 4.1.2. For subsequent CH, early data will be removed,
+         * cookie may be added, padding may be removed.
+         */
+        struct tls13_ctx *ctx = s->internal->tls13;
+        if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie ||
+            type == TLSEXT_TYPE_padding)
+                return 1;
+        if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
+            sizeof(type)))
+                return 0;
+        /*
+         * key_share data may be changed, and pre_shared_key data may
+         * be changed
+         */
+        if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share)
+                return 1;
+        if (!tls13_clienthello_hash_update(ctx, cbs))
+                return 0;
+        return 1;
+}
 static int
 tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
 {
@@ -2098,6 +2125,13 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
                            CBS_len(&extension_data),
                            s->internal->tlsext_debug_arg);
+                if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server &&
+                    msg_type == SSL_TLSEXT_MSG_CH) {
+                        if (!tlsext_clienthello_hash_extension(s, type,
+                            &extension_data))
+                                goto err;
+                }
                /* Unknown extensions are ignored. */
                if ((tlsext = tls_extension_find(type, &idx)) == NULL)
                        continue;
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 96ed981959..a18184f505 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.83 2020/05/29 17:47:30 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.84 2020/06/06 01:40:09 beck Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -386,6 +386,13 @@ int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
    int(*build_extensions)(SSL *s, CBB *cbb, uint16_t msg_type));
 int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
+int tls13_clienthello_hash_init(struct tls13_ctx *ctx);
+void tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs);
+int tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
+    size_t len);
+int tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs);
+int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx);
+int tls13_clienthello_hash_validate(struct tls13_ctx *ctx);
 int tls13_error_set(struct tls13_error *error, int code, int subcode,
    const char *file, int line, const char *fmt, ...);
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 174da2f9c3..b5939aecab 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.50 2020/05/22 02:37:27 beck Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.51 2020/06/06 01:40:09 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -486,3 +486,82 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
        return ret;
 }
+int
+tls13_clienthello_hash_init(struct tls13_ctx *ctx)
+{
+        if (ctx->hs->clienthello_md_ctx != NULL)
+                return 0;
+        if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
+                return 0;
+        if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
+            EVP_sha256(), NULL))
+                return 0;
+        if ((ctx->hs->clienthello_hash == NULL) &&
+            (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
+            NULL)
+                return 0;
+        return 1;
+}
+void
+tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
+{
+        EVP_MD_CTX_free(hs->clienthello_md_ctx);
+        hs->clienthello_md_ctx = NULL;
+        freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
+        hs->clienthello_hash = NULL;
+}
+int
+tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
+    size_t len)
+{
+        return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
+}
+int
+tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
+{
+        return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
+            CBS_len(cbs));
+}
+int
+tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
+{
+        if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+            ctx->hs->clienthello_hash,
+            &ctx->hs->clienthello_hash_len))
+                return 0;
+        EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
+        ctx->hs->clienthello_md_ctx = NULL;
+        return 1;
+}
+int
+tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
+{
+        unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
+        unsigned int new_ch_hash_len;
+        if (ctx->hs->clienthello_hash == NULL)
+                return 0;
+        if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+            new_ch_hash, &new_ch_hash_len))
+                return 0;
+        EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
+        ctx->hs->clienthello_md_ctx = NULL;
+        if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
+                return 0;
+        if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
+            new_ch_hash_len) != 0)
+                return 0;
+        return 1;
+}
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index edc87fcdcb..ccbb46652b 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.57 2020/06/04 18:46:21 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -126,11 +126,52 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                return tls13_use_legacy_server(ctx);
        }
+        /* Add decoded values to the current ClientHello hash */
+        if (!tls13_clienthello_hash_init(ctx)) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                goto err;
+        }
+        if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version,
+            sizeof(legacy_version))) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                goto err;
+        }
+        if (!tls13_clienthello_hash_update(ctx, &client_random)) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                goto err;
+        }
+        if (!tls13_clienthello_hash_update(ctx, &session_id)) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                goto err;
+        }
+        if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                goto err;
+        }
+        if (!tls13_clienthello_hash_update(ctx, &compression_methods)) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                goto err;
+        }
        if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {
                ctx->alert = alert_desc;
                goto err;
        }
+        /* Finalize first ClientHello hash, or validate against it */
+        if (!ctx->hs->hrr) {
+                if (!tls13_clienthello_hash_finalize(ctx)) {
+                        ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
+                        goto err;
+                }
+        } else {
+                if (!tls13_clienthello_hash_validate(ctx)) {
+                        ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
+                        goto err;
+                }
+                tls13_clienthello_hash_clear(ctx->hs);
+        }
        /*
         * If we got this far we have a supported versions extension that offers
         * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
@@ -146,8 +187,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        }
        if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
-            sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len))
+            sizeof(ctx->hs->legacy_session_id),
+            &ctx->hs->legacy_session_id_len)) {
+                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
                goto err;
+        }
        /* Parse cipher suites list and select preferred cipher. */
        if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index c1e89bd43b..f81bf558f4 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.6 2020/06/03 04:47:03 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.7 2020/06/06 01:40:08 beck Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -79,6 +79,7 @@ tls13_tests = TestGroup("TLSv1.3 tests", [
    Test("test-tls13-legacy-version.py"),
    Test("test-tls13-nociphers.py"),
    Test("test-tls13-record-padding.py"),
+    Test("test-tls13-shuffled-extentions.py"),
    # The skipped tests fail due to a bug in BIO_gets() which masks the retry
    # signalled from an SSL_read() failure. Testing with httpd(8) shows we're
@@ -145,7 +146,6 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
 tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [
    # Other test failures bugs in keyshare/tlsext negotiation?
-    Test("test-tls13-shuffled-extentions.py"),    # should reject 2nd CH
    Test("test-tls13-unrecognised-groups.py"),    # unexpected closure
    # 5 failures:
author	beck <>	2020-06-06 01:40:09 +0000
committer	beck <>	2020-06-06 01:40:09 +0000
commit	2d835ca8318d9ce502e9fd2dced3ef440decb39d (patch)
tree	921562c039b5a27a1e18f71fe397784a1d3435d3 /src
parent	f599916be5b15add90651fc8802c4f96fc257310 (diff)
download	openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.gz openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.tar.bz2 openbsd-2d835ca8318d9ce502e9fd2dced3ef440decb39d.zip

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index e2fef72588..c2cf922973 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.195 2020/06/05 18:14:05 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.196 2020/06/06 01:40:08 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1568,6 +1568,7 @@ ssl3_free(SSL *s)
1568	tls13_key_share_free(S3I(s)->hs_tls13.key_share);	1568	tls13_key_share_free(S3I(s)->hs_tls13.key_share);
1569	tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);	1569	tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
1570	freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);	1570	freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
		1571	tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
1571		1572
1572	sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);	1573	sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1573		1574
@@ -1612,6 +1613,7 @@ ssl3_clear(SSL *s)
1612	freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);	1613	freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1613	S3I(s)->hs_tls13.cookie = NULL;	1614	S3I(s)->hs_tls13.cookie = NULL;
1614	S3I(s)->hs_tls13.cookie_len = 0;	1615	S3I(s)->hs_tls13.cookie_len = 0;
		1616	tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
1615		1617
1616	S3I(s)->hs.extensions_seen = 0;	1618	S3I(s)->hs.extensions_seen = 0;
1617		1619


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index bfc3c1ad9b..bf1f846d13 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.279 2020/05/31 18:03:32 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.280 2020/06/06 01:40:09 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -470,6 +470,12 @@ typedef struct ssl_handshake_tls13_st {
470	/* Legacy session ID. */	470	/* Legacy session ID. */
471	uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];	471	uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
472	size_t legacy_session_id_len;	472	size_t legacy_session_id_len;
		473
		474	/* ClientHello hash, used to validate following HelloRetryRequest */
		475	EVP_MD_CTX *clienthello_md_ctx;
		476	unsigned char *clienthello_hash;
		477	unsigned int clienthello_hash_len;
		478
473	} SSL_HANDSHAKE_TLS13;	479	} SSL_HANDSHAKE_TLS13;
474		480
475	typedef struct ssl_ctx_internal_st {	481	typedef struct ssl_ctx_internal_st {


diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index cf54fc4d2c..f6943c83ae 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.74 2020/05/29 17:39:42 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.75 2020/06/06 01:40:09 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2059,6 +2059,33 @@ tlsext_build(SSL s, CBB cbb, int is_server, uint16_t msg_type)
2059	return 1;	2059	return 1;
2060	}	2060	}
2061		2061
		2062	int
		2063	tlsext_clienthello_hash_extension(SSL s, uint16_t type, CBS cbs)
		2064	{
		2065	/*
		2066	* RFC 8446 4.1.2. For subsequent CH, early data will be removed,
		2067	* cookie may be added, padding may be removed.
		2068	*/
		2069	struct tls13_ctx *ctx = s->internal->tls13;
		2070
		2071	if (type == TLSEXT_TYPE_early_data \|\| type == TLSEXT_TYPE_cookie \|\|
		2072	type == TLSEXT_TYPE_padding)
		2073	return 1;
		2074	if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type,
		2075	sizeof(type)))
		2076	return 0;
		2077	/*
		2078	* key_share data may be changed, and pre_shared_key data may
		2079	* be changed
		2080	*/
		2081	if (type == TLSEXT_TYPE_pre_shared_key \|\| type == TLSEXT_TYPE_key_share)
		2082	return 1;
		2083	if (!tls13_clienthello_hash_update(ctx, cbs))
		2084	return 0;
		2085
		2086	return 1;
		2087	}
		2088
2062	static int	2089	static int
2063	tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)	2090	tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
2064	{	2091	{
@@ -2098,6 +2125,13 @@ tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
2098	CBS_len(&extension_data),	2125	CBS_len(&extension_data),
2099	s->internal->tlsext_debug_arg);	2126	s->internal->tlsext_debug_arg);
2100		2127
		2128	if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server &&
		2129	msg_type == SSL_TLSEXT_MSG_CH) {
		2130	if (!tlsext_clienthello_hash_extension(s, type,
		2131	&extension_data))
		2132	goto err;
		2133	}
		2134
2101	/* Unknown extensions are ignored. */	2135	/* Unknown extensions are ignored. */
2102	if ((tlsext = tls_extension_find(type, &idx)) == NULL)	2136	if ((tlsext = tls_extension_find(type, &idx)) == NULL)
2103	continue;	2137	continue;


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 96ed981959..a18184f505 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.83 2020/05/29 17:47:30 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.84 2020/06/06 01:40:09 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -386,6 +386,13 @@ int tls13_cert_add(struct tls13_ctx ctx, CBB cbb, X509 *cert,
386	int(build_extensions)(SSL s, CBB *cbb, uint16_t msg_type));	386	int(build_extensions)(SSL s, CBB *cbb, uint16_t msg_type));
387		387
388	int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);	388	int tls13_synthetic_handshake_message(struct tls13_ctx *ctx);
		389	int tls13_clienthello_hash_init(struct tls13_ctx *ctx);
		390	void tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs);
		391	int tls13_clienthello_hash_update_bytes(struct tls13_ctx ctx, void data,
		392	size_t len);
		393	int tls13_clienthello_hash_update(struct tls13_ctx ctx, CBS cbs);
		394	int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx);
		395	int tls13_clienthello_hash_validate(struct tls13_ctx *ctx);
389		396
390	int tls13_error_set(struct tls13_error *error, int code, int subcode,	397	int tls13_error_set(struct tls13_error *error, int code, int subcode,
391	const char file, int line, const char fmt, ...);	398	const char file, int line, const char fmt, ...);


diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 174da2f9c3..b5939aecab 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.50 2020/05/22 02:37:27 beck Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.51 2020/06/06 01:40:09 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -486,3 +486,82 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
486		486
487	return ret;	487	return ret;
488	}	488	}
		489
		490	int
		491	tls13_clienthello_hash_init(struct tls13_ctx *ctx)
		492	{
		493	if (ctx->hs->clienthello_md_ctx != NULL)
		494	return 0;
		495	if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
		496	return 0;
		497	if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
		498	EVP_sha256(), NULL))
		499	return 0;
		500
		501	if ((ctx->hs->clienthello_hash == NULL) &&
		502	(ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
		503	NULL)
		504	return 0;
		505
		506	return 1;
		507	}
		508
		509	void
		510	tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
		511	{
		512	EVP_MD_CTX_free(hs->clienthello_md_ctx);
		513	hs->clienthello_md_ctx = NULL;
		514	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
		515	hs->clienthello_hash = NULL;
		516	}
		517
		518	int
		519	tls13_clienthello_hash_update_bytes(struct tls13_ctx ctx, void data,
		520	size_t len)
		521	{
		522	return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
		523	}
		524
		525	int
		526	tls13_clienthello_hash_update(struct tls13_ctx ctx, CBS cbs)
		527	{
		528	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
		529	CBS_len(cbs));
		530	}
		531
		532	int
		533	tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
		534	{
		535	if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
		536	ctx->hs->clienthello_hash,
		537	&ctx->hs->clienthello_hash_len))
		538	return 0;
		539	EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
		540	ctx->hs->clienthello_md_ctx = NULL;
		541	return 1;
		542	}
		543
		544	int
		545	tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
		546	{
		547	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
		548	unsigned int new_ch_hash_len;
		549
		550	if (ctx->hs->clienthello_hash == NULL)
		551	return 0;
		552
		553	if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
		554	new_ch_hash, &new_ch_hash_len))
		555	return 0;
		556	EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
		557	ctx->hs->clienthello_md_ctx = NULL;
		558
		559	if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
		560	return 0;
		561	if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
		562	new_ch_hash_len) != 0)
		563	return 0;
		564
		565	return 1;
		566	}
		567


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index edc87fcdcb..ccbb46652b 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.57 2020/06/04 18:46:21 tb Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -126,11 +126,52 @@ tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
126	return tls13_use_legacy_server(ctx);	126	return tls13_use_legacy_server(ctx);
127	}	127	}
128		128
		129	/* Add decoded values to the current ClientHello hash */
		130	if (!tls13_clienthello_hash_init(ctx)) {
		131	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		132	goto err;
		133	}
		134	if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version,
		135	sizeof(legacy_version))) {
		136	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		137	goto err;
		138	}
		139	if (!tls13_clienthello_hash_update(ctx, &client_random)) {
		140	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		141	goto err;
		142	}
		143	if (!tls13_clienthello_hash_update(ctx, &session_id)) {
		144	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		145	goto err;
		146	}
		147	if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) {
		148	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		149	goto err;
		150	}
		151	if (!tls13_clienthello_hash_update(ctx, &compression_methods)) {
		152	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		153	goto err;
		154	}
		155
129	if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {	156	if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {
130	ctx->alert = alert_desc;	157	ctx->alert = alert_desc;
131	goto err;	158	goto err;
132	}	159	}
133		160
		161	/* Finalize first ClientHello hash, or validate against it */
		162	if (!ctx->hs->hrr) {
		163	if (!tls13_clienthello_hash_finalize(ctx)) {
		164	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
		165	goto err;
		166	}
		167	} else {
		168	if (!tls13_clienthello_hash_validate(ctx)) {
		169	ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
		170	goto err;
		171	}
		172	tls13_clienthello_hash_clear(ctx->hs);
		173	}
		174
134	/*	175	/*
135	* If we got this far we have a supported versions extension that offers	176	* If we got this far we have a supported versions extension that offers
136	* TLS 1.3 or later. This requires the legacy version be set to 0x0303.	177	* TLS 1.3 or later. This requires the legacy version be set to 0x0303.
@@ -146,8 +187,11 @@ tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
146	goto err;	187	goto err;
147	}	188	}
148	if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,	189	if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
149	sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len))	190	sizeof(ctx->hs->legacy_session_id),
		191	&ctx->hs->legacy_session_id_len)) {
		192	ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
150	goto err;	193	goto err;
		194	}
151		195
152	/* Parse cipher suites list and select preferred cipher. */	196	/* Parse cipher suites list and select preferred cipher. */
153	if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {	197	if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {


diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py index c1e89bd43b..f81bf558f4 100644 --- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py +++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
1	# $OpenBSD: tlsfuzzer.py,v 1.6 2020/06/03 04:47:03 tb Exp $	1	# $OpenBSD: tlsfuzzer.py,v 1.7 2020/06/06 01:40:08 beck Exp $
2	#	2	#
3	# Copyright (c) 2020 Theo Buehler <tb@openbsd.org>	3	# Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4	#	4	#
@@ -79,6 +79,7 @@ tls13_tests = TestGroup("TLSv1.3 tests", [
79	Test("test-tls13-legacy-version.py"),	79	Test("test-tls13-legacy-version.py"),
80	Test("test-tls13-nociphers.py"),	80	Test("test-tls13-nociphers.py"),
81	Test("test-tls13-record-padding.py"),	81	Test("test-tls13-record-padding.py"),
		82	Test("test-tls13-shuffled-extentions.py"),
82		83
83	# The skipped tests fail due to a bug in BIO_gets() which masks the retry	84	# The skipped tests fail due to a bug in BIO_gets() which masks the retry
84	# signalled from an SSL_read() failure. Testing with httpd(8) shows we're	85	# signalled from an SSL_read() failure. Testing with httpd(8) shows we're
@@ -145,7 +146,6 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
145		146
146	tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [	147	tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [
147	# Other test failures bugs in keyshare/tlsext negotiation?	148	# Other test failures bugs in keyshare/tlsext negotiation?
148	Test("test-tls13-shuffled-extentions.py"), # should reject 2nd CH
149	Test("test-tls13-unrecognised-groups.py"), # unexpected closure	149	Test("test-tls13-unrecognised-groups.py"), # unexpected closure
150		150
151	# 5 failures:	151	# 5 failures: