summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_lib.c6
-rw-r--r--src/lib/libssl/ssl_locl.h5
-rw-r--r--src/lib/libssl/ssl_tlsext.c308
-rw-r--r--src/lib/libssl/ssl_tlsext.h10
-rw-r--r--src/regress/lib/libssl/tlsext/tlsexttest.c441
5 files changed, 742 insertions, 28 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 36142f0415..6e4e8eb1d3 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.181 2019/01/24 01:50:41 beck Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.182 2019/01/24 02:56:41 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1569,6 +1569,7 @@ ssl3_free(SSL *s)
1569 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); 1569 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
1570 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); 1570 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
1571 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); 1571 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1572 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1572 1573
1573 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1574 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1574 1575
@@ -1605,6 +1606,9 @@ ssl3_clear(SSL *s)
1605 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); 1606 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
1606 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); 1607 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
1607 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); 1608 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1609 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1610 S3I(s)->hs_tls13.cookie = NULL;
1611 S3I(s)->hs_tls13.cookie_len = 0;
1608 1612
1609 S3I(s)->hs.extensions_seen = 0; 1613 S3I(s)->hs.extensions_seen = 0;
1610 1614
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 5d560f5935..90aca26625 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.232 2019/01/24 01:50:41 beck Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.233 2019/01/24 02:56:41 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -448,6 +448,9 @@ typedef struct ssl_handshake_tls13_st {
448 uint8_t *x25519_peer_public; 448 uint8_t *x25519_peer_public;
449 449
450 struct tls13_secrets *secrets; 450 struct tls13_secrets *secrets;
451
452 uint8_t *cookie;
453 size_t cookie_len;
451} SSL_HANDSHAKE_TLS13; 454} SSL_HANDSHAKE_TLS13;
452 455
453typedef struct ssl_ctx_internal_st { 456typedef struct ssl_ctx_internal_st {
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 35c764f646..20acb43ccf 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.35 2019/01/24 01:50:41 beck Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.36 2019/01/24 02:56:41 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1273,7 +1273,7 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
1273 1273
1274 return 1; 1274 return 1;
1275 1275
1276err: 1276 err:
1277 freezero(public_key, X25519_KEY_LENGTH); 1277 freezero(public_key, X25519_KEY_LENGTH);
1278 freezero(private_key, X25519_KEY_LENGTH); 1278 freezero(private_key, X25519_KEY_LENGTH);
1279 1279
@@ -1283,24 +1283,105 @@ err:
1283int 1283int
1284tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1284tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
1285{ 1285{
1286 /* XXX we accept this but currently ignore it */ 1286 CBS client_shares;
1287 if (!CBS_skip(cbs, CBS_len(cbs))) { 1287 CBS key_exchange;
1288 *alert = TLS1_AD_INTERNAL_ERROR; 1288 uint16_t group;
1289 return 0; 1289 size_t out_len;
1290 int ret = 0;
1291
1292 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1293 goto err;
1294
1295 if (CBS_len(cbs) != 0)
1296 goto err;
1297
1298 while (CBS_len(&client_shares) > 0) {
1299
1300 /* Unpack client share. */
1301 if (!CBS_get_u16(&client_shares, &group))
1302 goto err;
1303
1304 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1305 goto err;
1306
1307 /*
1308 * Skip this client share if not X25519
1309 * XXX support other groups later.
1310 * XXX enforce group can only appear once.
1311 */
1312 if (S3I(s)->hs_tls13.x25519_peer_public != NULL ||
1313 group != tls1_ec_nid2curve_id(NID_X25519))
1314 continue;
1315
1316 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1317 goto err;
1318
1319 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
1320 &out_len))
1321 goto err;
1322
1323 ret = 1;
1290 } 1324 }
1291 1325
1292 return 1; 1326 return ret;
1327
1328 err:
1329 *alert = SSL_AD_DECODE_ERROR;
1330 return 0;
1293} 1331}
1294 1332
1295int 1333int
1296tlsext_keyshare_server_needs(SSL *s) 1334tlsext_keyshare_server_needs(SSL *s)
1297{ 1335{
1298 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1336 size_t idx;
1337
1338 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)
1339 return 0;
1340 if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
1341 return 0;
1342 /* XXX move seen check to a function */
1343 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1299} 1344}
1300 1345
1301int 1346int
1302tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1347tlsext_keyshare_server_build(SSL *s, CBB *cbb)
1303{ 1348{
1349 uint8_t *public_key = NULL, *private_key = NULL;
1350 CBB key_exchange;
1351
1352 /* XXX deduplicate with client code */
1353
1354 /* X25519 */
1355 if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
1356 return 0;
1357
1358 /* Generate X25519 key pair. */
1359 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
1360 goto err;
1361 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
1362 goto err;
1363 X25519_keypair(public_key, private_key);
1364
1365 /* Add the group and serialize the public key. */
1366 if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
1367 goto err;
1368 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1369 goto err;
1370 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
1371 goto err;
1372
1373 if (!CBB_flush(cbb))
1374 goto err;
1375
1376 S3I(s)->hs_tls13.x25519_public = public_key;
1377 S3I(s)->hs_tls13.x25519_private = private_key;
1378
1379 return 1;
1380
1381 err:
1382 freezero(public_key, X25519_KEY_LENGTH);
1383 freezero(private_key, X25519_KEY_LENGTH);
1384
1304 return 0; 1385 return 0;
1305} 1386}
1306 1387
@@ -1321,8 +1402,10 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
1321 1402
1322 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1403 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1323 goto err; 1404 goto err;
1405
1324 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1406 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1325 goto err; 1407 goto err;
1408
1326 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1409 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
1327 &out_len)) 1410 &out_len))
1328 goto err; 1411 goto err;
@@ -1340,11 +1423,9 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
1340int 1423int
1341tlsext_versions_client_needs(SSL *s) 1424tlsext_versions_client_needs(SSL *s)
1342{ 1425{
1343 /* XXX once this gets initialized when we get tls13_client.c */ 1426 if (SSL_IS_DTLS(s))
1344 if (S3I(s)->hs_tls13.max_version == 0)
1345 return 0; 1427 return 0;
1346 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1428 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1347 TLS1_3_VERSION);
1348} 1429}
1349 1430
1350int 1431int
@@ -1378,13 +1459,48 @@ tlsext_versions_client_build(SSL *s, CBB *cbb)
1378int 1459int
1379tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1460tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
1380{ 1461{
1381 /* XXX we accept this but currently ignore it */ 1462 CBS versions;
1382 if (!CBS_skip(cbs, CBS_len(cbs))) { 1463 uint16_t version;
1383 *alert = TLS1_AD_INTERNAL_ERROR; 1464 uint16_t max, min;
1384 return 0; 1465 uint16_t matched_version = 0;
1466
1467 max = S3I(s)->hs_tls13.max_version;
1468 min = S3I(s)->hs_tls13.min_version;
1469
1470 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1471 goto err;
1472
1473 while (CBS_len(&versions) > 0) {
1474 if (!CBS_get_u16(&versions, &version))
1475 goto err;
1476 /*
1477 * XXX What is below implements client preference, and
1478 * ignores any server preference entirely.
1479 */
1480 if (matched_version == 0 && version >= min && version <= max)
1481 matched_version = version;
1385 } 1482 }
1386 1483
1387 return 1; 1484 /*
1485 * XXX if we haven't mached a version we should
1486 * fail - but we currently need to succeed to
1487 * ignore this before the server code for 1.3
1488 * is set up and initialized.
1489 */
1490 if (max == 0)
1491 return 1; /* XXX */
1492
1493 if (matched_version != 0) {
1494 s->version = matched_version;
1495 return 1;
1496 }
1497
1498 *alert = SSL_AD_PROTOCOL_VERSION;
1499 return 0;
1500
1501err:
1502 *alert = SSL_AD_DECODE_ERROR;
1503 return 0;
1388} 1504}
1389 1505
1390int 1506int
@@ -1396,7 +1512,11 @@ tlsext_versions_server_needs(SSL *s)
1396int 1512int
1397tlsext_versions_server_build(SSL *s, CBB *cbb) 1513tlsext_versions_server_build(SSL *s, CBB *cbb)
1398{ 1514{
1399 return 0; 1515 if (!CBB_add_u16(cbb, TLS1_3_VERSION))
1516 return 0;
1517 /* XXX set 1.2 in legacy version? */
1518
1519 return 1;
1400} 1520}
1401 1521
1402int 1522int
@@ -1409,12 +1529,147 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
1409 return 0; 1529 return 0;
1410 } 1530 }
1411 1531
1532 if (selected_version < TLS1_3_VERSION) {
1533 *alert = SSL_AD_ILLEGAL_PARAMETER;
1534 return 0;
1535 }
1536
1412 /* XXX test between min and max once initialization code goes in */ 1537 /* XXX test between min and max once initialization code goes in */
1413 S3I(s)->hs_tls13.server_version = selected_version; 1538 S3I(s)->hs_tls13.server_version = selected_version;
1414 1539
1415 return 1; 1540 return 1;
1416} 1541}
1417 1542
1543
1544/*
1545 * Cookie - RFC 8446 section 4.2.2.
1546 */
1547
1548int
1549tlsext_cookie_client_needs(SSL *s)
1550{
1551 if (SSL_IS_DTLS(s))
1552 return 0;
1553 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1554 return 0;
1555 return (S3I(s)->hs_tls13.cookie_len > 0 &&
1556 S3I(s)->hs_tls13.cookie != NULL);
1557}
1558
1559int
1560tlsext_cookie_client_build(SSL *s, CBB *cbb)
1561{
1562 CBB cookie;
1563
1564 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1565 return 0;
1566
1567 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1568 S3I(s)->hs_tls13.cookie_len))
1569 return 0;
1570
1571 if (!CBB_flush(cbb))
1572 return 0;
1573
1574 return 1;
1575}
1576
1577int
1578tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert)
1579{
1580 CBS cookie;
1581
1582 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1583 goto err;
1584
1585 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
1586 goto err;
1587
1588 /*
1589 * Check provided cookie value against what server previously
1590 * sent - client *MUST* send the same cookie with new CR after
1591 * a cookie is sent by the server with an HRR.
1592 */
1593 if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie,
1594 S3I(s)->hs_tls13.cookie_len)) {
1595 /* XXX special cookie mismatch alert? */
1596 *alert = SSL_AD_ILLEGAL_PARAMETER;
1597 return 0;
1598 }
1599
1600 return 1;
1601
1602 err:
1603 *alert = SSL_AD_DECODE_ERROR;
1604 return 0;
1605}
1606
1607int
1608tlsext_cookie_server_needs(SSL *s)
1609{
1610
1611 if (SSL_IS_DTLS(s))
1612 return 0;
1613 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1614 return 0;
1615 /*
1616 * Server needs to set cookie value in tls13 handshake
1617 * in order to send one, should only be sent with HRR.
1618 */
1619 return (S3I(s)->hs_tls13.cookie_len > 0 &&
1620 S3I(s)->hs_tls13.cookie != NULL);
1621}
1622
1623int
1624tlsext_cookie_server_build(SSL *s, CBB *cbb)
1625{
1626 CBB cookie;
1627
1628 /* XXX deduplicate with client code */
1629
1630 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1631 return 0;
1632
1633 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1634 S3I(s)->hs_tls13.cookie_len))
1635 return 0;
1636
1637 if (!CBB_flush(cbb))
1638 return 0;
1639
1640 return 1;
1641}
1642
1643int
1644tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert)
1645{
1646 CBS cookie;
1647
1648 /*
1649 * XXX This currently assumes we will not get a second
1650 * HRR from a server with a cookie to process after accepting
1651 * one from the server in the same handshake
1652 */
1653 if (S3I(s)->hs_tls13.cookie != NULL ||
1654 S3I(s)->hs_tls13.cookie_len != 0) {
1655 *alert = SSL_AD_ILLEGAL_PARAMETER;
1656 return 0;
1657 }
1658
1659 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1660 goto err;
1661
1662 if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie,
1663 &S3I(s)->hs_tls13.cookie_len))
1664 goto err;
1665
1666 return 1;
1667
1668 err:
1669 *alert = SSL_AD_DECODE_ERROR;
1670 return 0;
1671}
1672
1418struct tls_extension_funcs { 1673struct tls_extension_funcs {
1419 int (*needs)(SSL *s); 1674 int (*needs)(SSL *s);
1420 int (*build)(SSL *s, CBB *cbb); 1675 int (*build)(SSL *s, CBB *cbb);
@@ -1572,6 +1827,20 @@ static struct tls_extension tls_extensions[] = {
1572 .parse = tlsext_alpn_client_parse, 1827 .parse = tlsext_alpn_client_parse,
1573 }, 1828 },
1574 }, 1829 },
1830 {
1831 .type = TLSEXT_TYPE_cookie,
1832 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
1833 .client = {
1834 .needs = tlsext_cookie_client_needs,
1835 .build = tlsext_cookie_client_build,
1836 .parse = tlsext_cookie_server_parse,
1837 },
1838 .server = {
1839 .needs = tlsext_cookie_server_needs,
1840 .build = tlsext_cookie_server_build,
1841 .parse = tlsext_cookie_client_parse,
1842 },
1843 },
1575#ifndef OPENSSL_NO_SRTP 1844#ifndef OPENSSL_NO_SRTP
1576 { 1845 {
1577 .type = TLSEXT_TYPE_use_srtp, 1846 .type = TLSEXT_TYPE_use_srtp,
@@ -1595,7 +1864,7 @@ static struct tls_extension tls_extensions[] = {
1595/* Ensure that extensions fit in a uint32_t bitmask. */ 1864/* Ensure that extensions fit in a uint32_t bitmask. */
1596CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1865CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1597 1866
1598static struct tls_extension * 1867struct tls_extension *
1599tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1868tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1600{ 1869{
1601 size_t i; 1870 size_t i;
@@ -1719,6 +1988,7 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
1719 } 1988 }
1720 1989
1721 /* Check for duplicate known extensions. */ 1990 /* Check for duplicate known extensions. */
1991 /* XXX move seen check to a function */
1722 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 1992 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
1723 return 0; 1993 return 0;
1724 S3I(s)->hs.extensions_seen |= (1 << idx); 1994 S3I(s)->hs.extensions_seen |= (1 << idx);
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index e82be579d0..2f90a03ee9 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.h,v 1.19 2019/01/23 18:24:40 beck Exp $ */ 1/* $OpenBSD: ssl_tlsext.h,v 1.20 2019/01/24 02:56:41 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -101,6 +101,13 @@ int tlsext_keyshare_server_needs(SSL *s);
101int tlsext_keyshare_server_build(SSL *s, CBB *cbb); 101int tlsext_keyshare_server_build(SSL *s, CBB *cbb);
102int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert); 102int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert);
103 103
104int tlsext_cookie_client_needs(SSL *s);
105int tlsext_cookie_client_build(SSL *s, CBB *cbb);
106int tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert);
107int tlsext_cookie_server_needs(SSL *s);
108int tlsext_cookie_server_build(SSL *s, CBB *cbb);
109int tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert);
110
104#ifndef OPENSSL_NO_SRTP 111#ifndef OPENSSL_NO_SRTP
105int tlsext_srtp_client_needs(SSL *s); 112int tlsext_srtp_client_needs(SSL *s);
106int tlsext_srtp_client_build(SSL *s, CBB *cbb); 113int tlsext_srtp_client_build(SSL *s, CBB *cbb);
@@ -116,6 +123,7 @@ int tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
116int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type); 123int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type);
117int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type); 124int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
118 125
126struct tls_extension *tls_extension_find(uint16_t, size_t *);
119__END_HIDDEN_DECLS 127__END_HIDDEN_DECLS
120 128
121#endif 129#endif
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 05b18b5b05..d9b048dbfc 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tlsexttest.c,v 1.26 2019/01/24 00:07:58 beck Exp $ */ 1/* $OpenBSD: tlsexttest.c,v 1.27 2019/01/24 02:56:41 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2929,11 +2929,15 @@ test_tlsext_serverhello_build(void)
2929 return (failure); 2929 return (failure);
2930} 2930}
2931 2931
2932static unsigned char tlsext_versions_client[] = { 2932const unsigned char tlsext_versions_client[] = {
2933 0x08, 0x03, 0x04, 0x03, 0x03, 0x03, 2933 0x08, 0x03, 0x04, 0x03, 0x03, 0x03,
2934 0x02, 0x03, 0x01, 2934 0x02, 0x03, 0x01,
2935}; 2935};
2936 2936
2937const unsigned char tlsext_versions_server[] = {
2938 0x03, 0x04,
2939};
2940
2937static int 2941static int
2938test_tlsext_versions_client(void) 2942test_tlsext_versions_client(void)
2939{ 2943{
@@ -3001,12 +3005,12 @@ test_tlsext_versions_client(void)
3001 3005
3002 if (dlen != sizeof(tlsext_versions_client)) { 3006 if (dlen != sizeof(tlsext_versions_client)) {
3003 FAIL("got versions with length %zu, " 3007 FAIL("got versions with length %zu, "
3004 "want length %zu\n", dlen, (size_t) sizeof(tlsext_versions_client)); 3008 "want length %zu\n", dlen, sizeof(tlsext_versions_client));
3005 failure = 1; 3009 failure = 1;
3006 goto done; 3010 goto done;
3007 } 3011 }
3008 3012
3009 CBS_init(&cbs, tlsext_versions_client, sizeof(tlsext_versions_client)); 3013 CBS_init(&cbs, data, dlen);
3010 if (!tlsext_versions_server_parse(ssl, &cbs, &alert)) { 3014 if (!tlsext_versions_server_parse(ssl, &cbs, &alert)) {
3011 FAIL("failed to parse client versions\n"); 3015 FAIL("failed to parse client versions\n");
3012 failure = 1; 3016 failure = 1;
@@ -3026,7 +3030,82 @@ test_tlsext_versions_client(void)
3026 return (failure); 3030 return (failure);
3027} 3031}
3028 3032
3029static unsigned char tlsext_keyshare_client[] = { 3033
3034static int
3035test_tlsext_versions_server(void)
3036{
3037 unsigned char *data = NULL;
3038 SSL_CTX *ssl_ctx = NULL;
3039 SSL *ssl = NULL;
3040 int failure = 0;
3041 size_t dlen;
3042 int alert;
3043 CBB cbb;
3044 CBS cbs;
3045
3046 CBB_init(&cbb, 0);
3047
3048 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3049 errx(1, "failed to create SSL_CTX");
3050 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3051 errx(1, "failed to create SSL");
3052
3053 ssl->version = TLS1_2_VERSION;
3054
3055 if (tlsext_versions_server_needs(ssl)) {
3056 FAIL("server should not need versions\n");
3057 failure = 1;
3058 goto done;
3059 }
3060
3061 ssl->version = TLS1_3_VERSION;
3062
3063 if (!tlsext_versions_server_needs(ssl)) {
3064 FAIL("server should need versions\n");
3065 failure = 1;
3066 goto done;
3067 }
3068
3069 if (!tlsext_versions_server_build(ssl, &cbb)) {
3070 FAIL("server should have built versions\n");
3071 failure = 1;
3072 goto done;
3073 }
3074
3075 if (!CBB_finish(&cbb, &data, &dlen)) {
3076 FAIL("failed to finish CBB");
3077 failure = 1;
3078 goto done;
3079 }
3080
3081 if (dlen != sizeof(tlsext_versions_server)) {
3082 FAIL("got versions with length %zu, "
3083 "want length %zu\n", dlen, sizeof(tlsext_versions_server));
3084 failure = 1;
3085 goto done;
3086 }
3087
3088 CBS_init(&cbs, data, dlen);
3089 if (!tlsext_versions_client_parse(ssl, &cbs, &alert)) {
3090 FAIL("failed to parse client versions\n");
3091 failure = 1;
3092 goto done;
3093 }
3094 if (CBS_len(&cbs) != 0) {
3095 FAIL("extension data remaining");
3096 failure = 1;
3097 goto done;
3098 }
3099 done:
3100 CBB_cleanup(&cbb);
3101 SSL_CTX_free(ssl_ctx);
3102 SSL_free(ssl);
3103 free(data);
3104
3105 return (failure);
3106}
3107
3108const unsigned char tlsext_keyshare_client[] = {
3030 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0xba, 0x83, 3109 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0xba, 0x83,
3031 0x2e, 0x4a, 0x18, 0xbe, 0x96, 0xd2, 0x71, 0x70, 3110 0x2e, 0x4a, 0x18, 0xbe, 0x96, 0xd2, 0x71, 0x70,
3032 0x18, 0x04, 0xf9, 0x9d, 0x76, 0x98, 0xef, 0xe8, 3111 0x18, 0x04, 0xf9, 0x9d, 0x76, 0x98, 0xef, 0xe8,
@@ -3034,6 +3113,14 @@ static unsigned char tlsext_keyshare_client[] = {
3034 0xad, 0x5b, 0xa4, 0xe9, 0x8b, 0x6b, 3113 0xad, 0x5b, 0xa4, 0xe9, 0x8b, 0x6b,
3035}; 3114};
3036 3115
3116const unsigned char tlsext_keyshare_server[] = {
3117 0x00, 0x1d, 0x00, 0x20, 0xe5, 0xe8, 0x5a, 0xb9,
3118 0x7e, 0x12, 0x62, 0xe3, 0xd8, 0x7f, 0x6e, 0x3c,
3119 0xec, 0xa6, 0x8b, 0x99, 0x45, 0x77, 0x8e, 0x11,
3120 0xb3, 0xb9, 0x12, 0xb6, 0xbe, 0x35, 0xca, 0x51,
3121 0x76, 0x1e, 0xe8, 0x22
3122};
3123
3037static int 3124static int
3038test_tlsext_keyshare_client(void) 3125test_tlsext_keyshare_client(void)
3039{ 3126{
@@ -3095,17 +3182,22 @@ test_tlsext_keyshare_client(void)
3095 goto done; 3182 goto done;
3096 } 3183 }
3097 3184
3098 CBS_init(&cbs, tlsext_keyshare_client, sizeof(tlsext_keyshare_client)); 3185 (ssl)->version = TLS1_3_VERSION;
3186 CBS_init(&cbs, data, dlen);
3187
3099 if (!tlsext_keyshare_server_parse(ssl, &cbs, &alert)) { 3188 if (!tlsext_keyshare_server_parse(ssl, &cbs, &alert)) {
3100 FAIL("failed to parse client keyshare\n"); 3189 FAIL("failed to parse client keyshare\n");
3101 failure = 1; 3190 failure = 1;
3102 goto done; 3191 goto done;
3103 } 3192 }
3193
3104 if (CBS_len(&cbs) != 0) { 3194 if (CBS_len(&cbs) != 0) {
3105 FAIL("extension data remaining"); 3195 FAIL("extension data remaining");
3106 failure = 1; 3196 failure = 1;
3107 goto done; 3197 goto done;
3108 } 3198 }
3199
3200
3109 done: 3201 done:
3110 CBB_cleanup(&cbb); 3202 CBB_cleanup(&cbb);
3111 SSL_CTX_free(ssl_ctx); 3203 SSL_CTX_free(ssl_ctx);
@@ -3115,6 +3207,338 @@ test_tlsext_keyshare_client(void)
3115 return (failure); 3207 return (failure);
3116} 3208}
3117 3209
3210static int
3211test_tlsext_keyshare_server(void)
3212{
3213 unsigned char *data = NULL;
3214 SSL_CTX *ssl_ctx = NULL;
3215 SSL *ssl = NULL;
3216 int failure = 0;
3217 size_t dlen, idx;
3218 int alert;
3219 CBB cbb;
3220 CBS cbs;
3221 uint8_t bogokey[] = {
3222 0xe5, 0xe8, 0x5a, 0xb9, 0x7e, 0x12, 0x62, 0xe3,
3223 0xd8, 0x7f, 0x6e, 0x3c, 0xec, 0xa6, 0x8b, 0x99,
3224 0x45, 0x77, 0x8e, 0x11, 0xb3, 0xb9, 0x12, 0xb6,
3225 0xbe, 0x35, 0xca, 0x51, 0x76, 0x1e, 0xe8, 0x22
3226 };
3227
3228 CBB_init(&cbb, 0);
3229
3230 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3231 errx(1, "failed to create SSL_CTX");
3232 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3233 errx(1, "failed to create SSL");
3234
3235 (ssl)->version = 0;
3236 if (tlsext_keyshare_server_needs(ssl)) {
3237 FAIL("server should not need keyshare\n");
3238 failure = 1;
3239 goto done;
3240 }
3241
3242 (ssl)->version = TLS1_2_VERSION;
3243 if (tlsext_keyshare_server_needs(ssl)) {
3244 FAIL("server should not need keyshare\n");
3245 failure = 1;
3246 goto done;
3247 }
3248
3249 ssl->version = TLS1_3_VERSION;
3250 if (tlsext_keyshare_server_needs(ssl)) {
3251 FAIL("client should not need keyshare\n");
3252 failure = 1;
3253 goto done;
3254 }
3255
3256 if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
3257 FAIL("Can't find keyshare extension");
3258 S3I(ssl)->hs.extensions_seen |= (1 << idx);
3259
3260 if (!tlsext_keyshare_server_needs(ssl)) {
3261 FAIL("server should need keyshare");
3262 failure = 1;
3263 goto done;
3264 }
3265
3266 if (tlsext_keyshare_server_build(ssl, &cbb)) {
3267 FAIL("server should not have built a keyshare response");
3268 failure = 1;
3269 goto done;
3270 }
3271
3272 S3I(ssl)->hs_tls13.x25519_peer_public = bogokey;
3273 if (!tlsext_keyshare_server_build(ssl, &cbb)) {
3274 FAIL("server should be able to build a keyshare response");
3275 failure = 1;
3276 goto done;
3277 }
3278 S3I(ssl)->hs_tls13.x25519_peer_public = NULL;
3279
3280 if (!CBB_finish(&cbb, &data, &dlen)) {
3281 FAIL("failed to finish CBB");
3282 failure = 1;
3283 goto done;
3284 }
3285
3286 if (dlen != sizeof(tlsext_keyshare_server)) {
3287 FAIL("got server keyshare with length %zu, "
3288 "want length %zu\n", dlen, sizeof(tlsext_keyshare_server));
3289 failure = 1;
3290 goto done;
3291 }
3292
3293 CBS_init(&cbs, data, dlen);
3294
3295 if (!tlsext_keyshare_client_parse(ssl, &cbs, &alert)) {
3296 FAIL("failed to parse server keyshare\n");
3297 failure = 1;
3298 goto done;
3299 }
3300
3301 if (CBS_len(&cbs) != 0) {
3302 FAIL("extension data remaining");
3303 failure = 1;
3304 goto done;
3305 }
3306
3307done:
3308 CBB_cleanup(&cbb);
3309 SSL_CTX_free(ssl_ctx);
3310 SSL_free(ssl);
3311 free(data);
3312
3313 return (failure);
3314}
3315
3316/* One day I hope to be the only Muppet in this codebase */
3317const uint8_t cookie[] = "\n"
3318 " .---. .---. \n"
3319 " : : o : me want cookie! \n"
3320 " _..-: o : :-.._ / \n"
3321 " .-'' ' `---' `---' ' ``-. \n"
3322 " .' ' ' ' . ' . ' ' `. \n"
3323 " : '.---.,,.,...,.,.,.,..---. ' ; \n"
3324 " `. ' `. .' ' .' \n"
3325 " `. '`. .' ' .' \n"
3326 " `. `-._ _.-' ' .' .----. \n"
3327 " `. ' ''--...--'' . ' .' .' o `. \n"
3328 " .'`-._' ' . ' _.-'`. : o : \n"
3329 " jgs .' ```--.....--''' ' `:_ o : \n"
3330 " .' ' ' ' ' ; `.;';';';' \n"
3331 " ; ' ' ' . ; .' ; ; ; \n"
3332 " ; ' ' ' ' .' .-' \n"
3333 " ' ' ' ' ' ' _.-' \n";
3334
3335static int
3336test_tlsext_cookie_client(void)
3337{
3338 unsigned char *data = NULL;
3339 SSL_CTX *ssl_ctx = NULL;
3340 SSL *ssl = NULL;
3341 int failure = 0;
3342 size_t dlen;
3343 int alert;
3344 CBB cbb;
3345 CBS cbs;
3346
3347 CBB_init(&cbb, 0);
3348
3349 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3350 errx(1, "failed to create SSL_CTX");
3351 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3352 errx(1, "failed to create SSL");
3353
3354 S3I(ssl)->hs_tls13.max_version = 0;
3355 if (tlsext_cookie_client_needs(ssl)) {
3356 FAIL("client should not need cookie\n");
3357 failure = 1;
3358 goto done;
3359 }
3360
3361 S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION;
3362 if (tlsext_cookie_client_needs(ssl)) {
3363 FAIL("client should not need cookie\n");
3364 failure = 1;
3365 goto done;
3366 }
3367
3368
3369 S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION;
3370 if (tlsext_cookie_client_needs(ssl)) {
3371 FAIL("client should not need cookie\n");
3372 failure = 1;
3373 goto done;
3374 }
3375
3376 /* Normally would be set by receiving a server cookie in an HRR */
3377 S3I(ssl)->hs_tls13.cookie = strdup(cookie);
3378 S3I(ssl)->hs_tls13.cookie_len = strlen(cookie);
3379
3380 if (!tlsext_cookie_client_needs(ssl)) {
3381 FAIL("client should need cookie");
3382 failure = 1;
3383 goto done;
3384 }
3385
3386 if (!tlsext_cookie_client_build(ssl, &cbb)) {
3387 FAIL("client should have built a cookie response");
3388 failure = 1;
3389 goto done;
3390 }
3391
3392 if (!CBB_finish(&cbb, &data, &dlen)) {
3393 FAIL("failed to finish CBB");
3394 failure = 1;
3395 goto done;
3396 }
3397
3398 if (dlen != strlen(cookie) + sizeof(uint16_t)) {
3399 FAIL("got cookie with length %zu, "
3400 "want length %zu\n", dlen, strlen(cookie) +
3401 sizeof(uint16_t));
3402 failure = 1;
3403 goto done;
3404 }
3405
3406 CBS_init(&cbs, data, dlen);
3407
3408 /* Checks cookie against what's in the hs_tls13 */
3409 if (!tlsext_cookie_server_parse(ssl, &cbs, &alert)) {
3410 FAIL("failed to parse client cookie\n");
3411 failure = 1;
3412 goto done;
3413 }
3414
3415 if (CBS_len(&cbs) != 0) {
3416 FAIL("extension data remaining");
3417 failure = 1;
3418 goto done;
3419 }
3420
3421 done:
3422 CBB_cleanup(&cbb);
3423 SSL_CTX_free(ssl_ctx);
3424 SSL_free(ssl);
3425 free(data);
3426
3427 return (failure);
3428}
3429
3430static int
3431test_tlsext_cookie_server(void)
3432{
3433 unsigned char *data = NULL;
3434 SSL_CTX *ssl_ctx = NULL;
3435 SSL *ssl = NULL;
3436 int failure = 0;
3437 size_t dlen;
3438 int alert;
3439 CBB cbb;
3440 CBS cbs;
3441
3442 CBB_init(&cbb, 0);
3443
3444 if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
3445 errx(1, "failed to create SSL_CTX");
3446 if ((ssl = SSL_new(ssl_ctx)) == NULL)
3447 errx(1, "failed to create SSL");
3448
3449 S3I(ssl)->hs_tls13.max_version = 0;
3450 if (tlsext_cookie_server_needs(ssl)) {
3451 FAIL("server should not need cookie\n");
3452 failure = 1;
3453 goto done;
3454 }
3455
3456 S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION;
3457 if (tlsext_cookie_server_needs(ssl)) {
3458 FAIL("server should not need cookie\n");
3459 failure = 1;
3460 goto done;
3461 }
3462
3463
3464 S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION;
3465 if (tlsext_cookie_server_needs(ssl)) {
3466 FAIL("server should not need cookie\n");
3467 failure = 1;
3468 goto done;
3469 }
3470
3471 /* Normally would be set by server before sending HRR */
3472 S3I(ssl)->hs_tls13.cookie = strdup(cookie);
3473 S3I(ssl)->hs_tls13.cookie_len = strlen(cookie);
3474
3475 if (!tlsext_cookie_server_needs(ssl)) {
3476 FAIL("server should need cookie");
3477 failure = 1;
3478 goto done;
3479 }
3480
3481 if (!tlsext_cookie_server_build(ssl, &cbb)) {
3482 FAIL("server have built a cookie response");
3483 failure = 1;
3484 goto done;
3485 }
3486
3487 if (!CBB_finish(&cbb, &data, &dlen)) {
3488 FAIL("failed to finish CBB");
3489 failure = 1;
3490 goto done;
3491 }
3492
3493 if (dlen != strlen(cookie) + sizeof(uint16_t)) {
3494 FAIL("got cookie with length %zu, "
3495 "want length %zu\n", dlen, strlen(cookie) +
3496 sizeof(uint16_t));
3497 failure = 1;
3498 goto done;
3499 }
3500
3501 CBS_init(&cbs, data, dlen);
3502
3503 if (tlsext_cookie_client_parse(ssl, &cbs, &alert)) {
3504 FAIL("client should not have parsed server cookie\n");
3505 failure = 1;
3506 goto done;
3507 }
3508
3509 freezero(S3I(ssl)->hs_tls13.cookie, S3I(ssl)->hs_tls13.cookie_len);
3510 S3I(ssl)->hs_tls13.cookie = NULL;
3511 S3I(ssl)->hs_tls13.cookie_len = 0;
3512
3513 if (!tlsext_cookie_client_parse(ssl, &cbs, &alert)) {
3514 FAIL("failed to parse server cookie\n");
3515 failure = 1;
3516 goto done;
3517 }
3518
3519 if (memcmp(cookie, S3I(ssl)->hs_tls13.cookie,
3520 S3I(ssl)->hs_tls13.cookie_len) != 0) {
3521 FAIL("parsed server cookie does not match sent cookie\n");
3522 failure = 1;
3523 goto done;
3524 }
3525
3526 if (CBS_len(&cbs) != 0) {
3527 FAIL("extension data remaining");
3528 failure = 1;
3529 goto done;
3530 }
3531
3532done:
3533 CBB_cleanup(&cbb);
3534 SSL_CTX_free(ssl_ctx);
3535 SSL_free(ssl);
3536 free(data);
3537
3538 return (failure);
3539}
3540
3541
3118int 3542int
3119main(int argc, char **argv) 3543main(int argc, char **argv)
3120{ 3544{
@@ -3148,8 +3572,13 @@ main(int argc, char **argv)
3148 failed |= test_tlsext_sessionticket_server(); 3572 failed |= test_tlsext_sessionticket_server();
3149 3573
3150 failed |= test_tlsext_versions_client(); 3574 failed |= test_tlsext_versions_client();
3575 failed |= test_tlsext_versions_server();
3151 3576
3152 failed |= test_tlsext_keyshare_client(); 3577 failed |= test_tlsext_keyshare_client();
3578 failed |= test_tlsext_keyshare_server();
3579
3580 failed |= test_tlsext_cookie_client();
3581 failed |= test_tlsext_cookie_server();
3153 3582
3154#ifndef OPENSSL_NO_SRTP 3583#ifndef OPENSSL_NO_SRTP
3155 failed |= test_tlsext_srtp_client(); 3584 failed |= test_tlsext_srtp_client();
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-14 00:26:34 +0000