1 files changed, 44 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index ccbb46652b..843b572401 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.59 2020/06/24 07:28:38 tb Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -96,6 +96,44 @@ tls13_client_hello_is_legacy(CBS *cbs)
        return (max_version < TLS1_3_VERSION);
 }
+int
+tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
+{
+        SSL *ssl = ctx->ssl;
+        /*
+         * RFC 8446, section 9.2. If the ClientHello has supported_versions
+         * containing TLSv1.3, presence or absence of some extensions requires
+         * presence or absence of others.
+         */
+        /*
+         * supported_groups and key_share must either both be present or
+         * both be absent.
+         */
+        if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) !=
+            tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share))
+                return 0;
+        /*
+         * If we got no pre_shared_key, then signature_algorithms and
+         * supported_groups must both be present.
+         */
+        if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) {
+                if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms))
+                        return 0;
+                if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups))
+                        return 0;
+        }
+        /*
+         * XXX - Require server_name from client? If so, we SHOULD enforce
+         * this here - RFC 8446, 9.2.
+         */
+        return 1;
+}
 static const uint8_t tls13_compression_null_only[] = { 0 };
 static int
@@ -172,6 +210,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                tls13_clienthello_hash_clear(ctx->hs);
        }
+        if (!tls13_client_hello_required_extensions(ctx)) {
+                ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
+                goto err;
+        }
        /*
         * If we got this far we have a supported versions extension that offers
         * TLS 1.3 or later. This requires the legacy version be set to 0x0303.

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index ccbb46652b..843b572401 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.59 2020/06/24 07:28:38 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -96,6 +96,44 @@ tls13_client_hello_is_legacy(CBS *cbs)
96	return (max_version < TLS1_3_VERSION);	96	return (max_version < TLS1_3_VERSION);
97	}	97	}
98		98
		99	int
		100	tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
		101	{
		102	SSL *ssl = ctx->ssl;
		103
		104	/*
		105	* RFC 8446, section 9.2. If the ClientHello has supported_versions
		106	* containing TLSv1.3, presence or absence of some extensions requires
		107	* presence or absence of others.
		108	*/
		109
		110	/*
		111	* supported_groups and key_share must either both be present or
		112	* both be absent.
		113	*/
		114	if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) !=
		115	tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share))
		116	return 0;
		117
		118	/*
		119	* If we got no pre_shared_key, then signature_algorithms and
		120	* supported_groups must both be present.
		121	*/
		122	if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) {
		123	if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms))
		124	return 0;
		125	if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups))
		126	return 0;
		127	}
		128
		129	/*
		130	* XXX - Require server_name from client? If so, we SHOULD enforce
		131	* this here - RFC 8446, 9.2.
		132	*/
		133
		134	return 1;
		135	}
		136
99	static const uint8_t tls13_compression_null_only[] = { 0 };	137	static const uint8_t tls13_compression_null_only[] = { 0 };
100		138
101	static int	139	static int
@@ -172,6 +210,11 @@ tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
172	tls13_clienthello_hash_clear(ctx->hs);	210	tls13_clienthello_hash_clear(ctx->hs);
173	}	211	}
174		212
		213	if (!tls13_client_hello_required_extensions(ctx)) {
		214	ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
		215	goto err;
		216	}
		217
175	/*	218	/*
176	* If we got this far we have a supported versions extension that offers	219	* If we got this far we have a supported versions extension that offers
177	* TLS 1.3 or later. This requires the legacy version be set to 0x0303.	220	* TLS 1.3 or later. This requires the legacy version be set to 0x0303.