4 files changed, 71 insertions, 11 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 4ec29ea956..ed9a69918a 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.22 2020/01/21 12:08:04 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.23 2020/01/22 02:21:05 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -809,3 +809,66 @@ tls13_client_finished_sent(struct tls13_ctx *ctx)
        return tls13_record_layer_set_write_traffic_key(ctx->rl,
            &secrets->client_application_traffic);
 }
+static int
+tls13_client_hello_retry_process(struct tls13_ctx *ctx, CBS *cbs)
+{
+        CBS server_random, session_id;
+        uint16_t cipher_suite, legacy_version;
+        uint8_t compression_method;
+        int alert_desc;
+        SSL *s = ctx->ssl;
+        if (!CBS_get_u16(cbs, &legacy_version))
+                goto err;
+        if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &session_id))
+                goto err;
+        if (!CBS_get_u16(cbs, &cipher_suite))
+                goto err;
+        if (!CBS_get_u8(cbs, &compression_method))
+                goto err;
+        /*
+         * XXX currently this will change state and be hazardous later
+         * if we decide to support sending an updated client hello.
+         * however, since we will not today (and are going to return
+         * illegal parameter as per section 4.1.4) we just ensure
+         * that the extensions parse correctly.
+         */
+        if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
+                ctx->alert = alert_desc;
+                goto err;
+        }
+        if (CBS_len(cbs) != 0)
+                goto err;
+        /* XXX for now, just say no, we will not change our hello */
+        ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+ err:
+        if (ctx->alert == 0)
+                ctx->alert = TLS1_AD_DECODE_ERROR;
+        return 0;
+}
+int
+tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
+{
+        int ret = 0;
+        CBS cbs;
+        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
+                goto err;
+        if (!tls13_client_hello_retry_process(ctx, &cbs)) {
+                if (ctx->alert == SSL_AD_ILLEGAL_PARAMETER)
+                        tls13_set_errorx(ctx, TLS13_ERR_HRR_FAILED, 0,
+                            "Unsatisfiable hello retry request", NULL);
+                goto err;
+        }
+err:
+        return ret;
+}
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 7fee37f5dd..167ed1f254 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.40 2020/01/22 01:02:28 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.41 2020/01/22 02:21:05 beck Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -38,6 +38,7 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_USE_LEGACY     -4
 #define TLS13_ERR_VERIFY_FAILED 16
+#define TLS13_ERR_HRR_FAILED    17
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *cbs);
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index bb749a9b68..e353e9fdad 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.17 2020/01/22 01:02:28 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.18 2020/01/22 02:21:05 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -353,6 +353,9 @@ tls13_legacy_error(SSL *ssl)
        case TLS13_ERR_VERIFY_FAILED:
                reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
                break;
+        case TLS13_ERR_HRR_FAILED:
+                reason = SSL_R_NO_CIPHERS_AVAILABLE;
+                break;
        }
        ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 541e341936..10d85a62b3 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.3 2019/11/17 14:25:03 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.4 2020/01/22 02:21:05 beck Exp $ */
 /*
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -97,13 +97,6 @@ tls13_server_hello_retry_recv(struct tls13_ctx *ctx)
 }
 int
-tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
-{
-        return 0;
-}
-int
 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx)
 {
        return 0;

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 4ec29ea956..ed9a69918a 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.22 2020/01/21 12:08:04 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.23 2020/01/22 02:21:05 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -809,3 +809,66 @@ tls13_client_finished_sent(struct tls13_ctx *ctx)
809	return tls13_record_layer_set_write_traffic_key(ctx->rl,	809	return tls13_record_layer_set_write_traffic_key(ctx->rl,
810	&secrets->client_application_traffic);	810	&secrets->client_application_traffic);
811	}	811	}
		812
		813
		814	static int
		815	tls13_client_hello_retry_process(struct tls13_ctx ctx, CBS cbs)
		816	{
		817	CBS server_random, session_id;
		818	uint16_t cipher_suite, legacy_version;
		819	uint8_t compression_method;
		820	int alert_desc;
		821	SSL *s = ctx->ssl;
		822
		823	if (!CBS_get_u16(cbs, &legacy_version))
		824	goto err;
		825	if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
		826	goto err;
		827	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
		828	goto err;
		829	if (!CBS_get_u16(cbs, &cipher_suite))
		830	goto err;
		831	if (!CBS_get_u8(cbs, &compression_method))
		832	goto err;
		833
		834	/*
		835	* XXX currently this will change state and be hazardous later
		836	* if we decide to support sending an updated client hello.
		837	* however, since we will not today (and are going to return
		838	* illegal parameter as per section 4.1.4) we just ensure
		839	* that the extensions parse correctly.
		840	*/
		841	if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
		842	ctx->alert = alert_desc;
		843	goto err;
		844	}
		845
		846	if (CBS_len(cbs) != 0)
		847	goto err;
		848
		849	/* XXX for now, just say no, we will not change our hello */
		850	ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
		851	err:
		852	if (ctx->alert == 0)
		853	ctx->alert = TLS1_AD_DECODE_ERROR;
		854	return 0;
		855	}
		856
		857	int
		858	tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
		859	{
		860	int ret = 0;
		861	CBS cbs;
		862
		863	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
		864	goto err;
		865
		866	if (!tls13_client_hello_retry_process(ctx, &cbs)) {
		867	if (ctx->alert == SSL_AD_ILLEGAL_PARAMETER)
		868	tls13_set_errorx(ctx, TLS13_ERR_HRR_FAILED, 0,
		869	"Unsatisfiable hello retry request", NULL);
		870	goto err;
		871	}
		872	err:
		873	return ret;
		874	}


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 7fee37f5dd..167ed1f254 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.40 2020/01/22 01:02:28 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.41 2020/01/22 02:21:05 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -38,6 +38,7 @@ __BEGIN_HIDDEN_DECLS
38	#define TLS13_IO_USE_LEGACY -4	38	#define TLS13_IO_USE_LEGACY -4
39		39
40	#define TLS13_ERR_VERIFY_FAILED 16	40	#define TLS13_ERR_VERIFY_FAILED 16
		41	#define TLS13_ERR_HRR_FAILED 17
41		42
42	typedef void (tls13_alert_cb)(uint8_t _alert_desc, void _cb_arg);	43	typedef void (tls13_alert_cb)(uint8_t _alert_desc, void _cb_arg);
43	typedef ssize_t (tls13_phh_recv_cb)(void _cb_arg, CBS *cbs);	44	typedef ssize_t (tls13_phh_recv_cb)(void _cb_arg, CBS *cbs);


diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index bb749a9b68..e353e9fdad 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.17 2020/01/22 01:02:28 jsing Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.18 2020/01/22 02:21:05 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -353,6 +353,9 @@ tls13_legacy_error(SSL *ssl)
353	case TLS13_ERR_VERIFY_FAILED:	353	case TLS13_ERR_VERIFY_FAILED:
354	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;	354	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
355	break;	355	break;
		356	case TLS13_ERR_HRR_FAILED:
		357	reason = SSL_R_NO_CIPHERS_AVAILABLE;
		358	break;
356	}	359	}
357		360
358	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,	361	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 541e341936..10d85a62b3 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.3 2019/11/17 14:25:03 tb Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.4 2020/01/22 02:21:05 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -97,13 +97,6 @@ tls13_server_hello_retry_recv(struct tls13_ctx *ctx)
97	}	97	}
98		98
99	int	99	int
100	tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
101	{
102	return 0;
103	}
104
105
106	int
107	tls13_client_end_of_early_data_send(struct tls13_ctx *ctx)	100	tls13_client_end_of_early_data_send(struct tls13_ctx *ctx)
108	{	101	{
109	return 0;	102	return 0;