-rw-r--r--src/lib/libssl/s3_lib.c8
-rw-r--r--src/lib/libssl/ssl_clnt.c5
-rw-r--r--src/lib/libssl/ssl_locl.h10
-rw-r--r--src/lib/libssl/ssl_sigalgs.c21
-rw-r--r--src/lib/libssl/ssl_sigalgs.h4
-rw-r--r--src/lib/libssl/ssl_tlsext.c348
-rw-r--r--src/lib/libssl/ssl_tlsext.h10
-rw-r--r--src/lib/libssl/t1_lib.c10
-rw-r--r--src/regress/lib/libssl/client/clienttest.c31
-rw-r--r--src/regress/lib/libssl/tlsext/tlsexttest.c22
10 files changed, 408 insertions, 61 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 9e4998cb42..53aab7c1e5 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.178 2019/01/21 01:20:11 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.179 2019/01/23 16:46:04 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1569,6 +1569,7 @@ ssl3_free(SSL *s)
1569 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); 1569 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
1570 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); 1570 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
1571 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); 1571 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1572 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1572 1573
1573 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1574 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1574 1575
@@ -1605,6 +1606,11 @@ ssl3_clear(SSL *s)
1605 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); 1606 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
1606 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); 1607 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
1607 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); 1608 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1609 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1610 S3I(s)->hs_tls13.cookie = NULL;
1611 S3I(s)->hs_tls13.cookie_len = 0;
1612
1613 S3I(s)->hs.extensions_seen = 0;
1608 1614
1609 rp = S3I(s)->rbuf.buf; 1615 rp = S3I(s)->rbuf.buf;
1610 wp = S3I(s)->wbuf.buf; 1616 wp = S3I(s)->wbuf.buf;
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index acc48389c0..ee26a200b1 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.52 2019/01/18 00:54:42 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.53 2019/01/23 16:46:04 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1680,7 +1680,8 @@ ssl3_get_certificate_request(SSL *s)
1680 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1680 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1681 goto err; 1681 goto err;
1682 } 1682 }
1683 if (!tls1_process_sigalgs(s, &sigalgs)) { 1683 if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
1684 tls12_sigalgs_len)) {
1684 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1685 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1685 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1686 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1686 goto err; 1687 goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 7903d84890..e4b1341db5 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.228 2019/01/21 10:28:52 tb Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.229 2019/01/23 16:46:04 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -429,6 +429,9 @@ typedef struct ssl_handshake_st {
429 /* key_block is the record-layer key block for TLS 1.2 and earlier. */ 429 /* key_block is the record-layer key block for TLS 1.2 and earlier. */
430 int key_block_len; 430 int key_block_len;
431 unsigned char *key_block; 431 unsigned char *key_block;
432
433 /* Extensions seen in this handshake. */
434 uint32_t extensions_seen;
432} SSL_HANDSHAKE; 435} SSL_HANDSHAKE;
433 436
434typedef struct ssl_handshake_tls13_st { 437typedef struct ssl_handshake_tls13_st {
@@ -445,6 +448,9 @@ typedef struct ssl_handshake_tls13_st {
445 uint8_t *x25519_peer_public; 448 uint8_t *x25519_peer_public;
446 449
447 struct tls13_secrets *secrets; 450 struct tls13_secrets *secrets;
451
452 uint8_t *cookie;
453 size_t cookie_len;
448} SSL_HANDSHAKE_TLS13; 454} SSL_HANDSHAKE_TLS13;
449 455
450typedef struct ssl_ctx_internal_st { 456typedef struct ssl_ctx_internal_st {
@@ -1313,7 +1319,7 @@ int tls1_process_ticket(SSL *s, const unsigned char *session_id,
1313 int session_id_len, CBS *ext_block, SSL_SESSION **ret); 1319 int session_id_len, CBS *ext_block, SSL_SESSION **ret);
1314 1320
1315long ssl_get_algorithm2(SSL *s); 1321long ssl_get_algorithm2(SSL *s);
1316int tls1_process_sigalgs(SSL *s, CBS *cbs); 1322int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *, size_t);
1317 1323
1318int tls1_check_ec_server_key(SSL *s); 1324int tls1_check_ec_server_key(SSL *s);
1319 1325
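Review bot: The new prototype `int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *, size_t);` leaves the two added parameters unnamed, unlike every neighbouring declaration and the definition in t1_lib.c, which calls them sigalgs and sigalgs_len; `int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len);` keeps the header self-documenting. The table is only read, so `const uint16_t *` would be better still, but ssl_sigalg() in ssl_sigalgs.h takes a non-const `uint16_t *values`, so the const would have to be propagated there first. The `cookie`/`cookie_len` fields added to ssl_handshake_tls13_st carry no comment, while s3_lib.c now relies on their ownership; `/* Cookie received in a HelloRetryRequest (client) or set to be sent with one (server); owned here, released by ssl3_free/ssl3_clear. */` records that. The same unnamed-parameter point applies to the tls_extension_find prototype in ssl_tlsext.h.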
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index a6b4251d70..23f65f5070 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,6 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.11 2018/11/16 02:41:16 beck Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.12 2019/01/23 16:46:04 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
4 * 4 *
5 * Permission to use, copy, modify, and/or distribute this software for any 5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above 6 * purpose with or without fee is hereby granted, provided that the above
@@ -163,13 +163,30 @@ const struct ssl_sigalg sigalgs[] = {
163 }, 163 },
164}; 164};
165 165
166/* Sigalgs for tls 1.3, in preference order, */
167uint16_t tls13_sigalgs[] = {
168 SIGALG_RSA_PSS_RSAE_SHA512,
169 SIGALG_RSA_PKCS1_SHA512,
170 SIGALG_ECDSA_SECP512R1_SHA512,
171 SIGALG_RSA_PSS_RSAE_SHA384,
172 SIGALG_RSA_PKCS1_SHA384,
173 SIGALG_ECDSA_SECP384R1_SHA384,
174 SIGALG_RSA_PSS_RSAE_SHA256,
175 SIGALG_RSA_PKCS1_SHA256,
176 SIGALG_ECDSA_SECP256R1_SHA256,
177};
178size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
179
166/* Sigalgs for tls 1.2, in preference order, */ 180/* Sigalgs for tls 1.2, in preference order, */
167uint16_t tls12_sigalgs[] = { 181uint16_t tls12_sigalgs[] = {
182 SIGALG_RSA_PSS_RSAE_SHA512,
168 SIGALG_RSA_PKCS1_SHA512, 183 SIGALG_RSA_PKCS1_SHA512,
169 SIGALG_ECDSA_SECP512R1_SHA512, 184 SIGALG_ECDSA_SECP512R1_SHA512,
170 SIGALG_GOSTR12_512_STREEBOG_512, 185 SIGALG_GOSTR12_512_STREEBOG_512,
186 SIGALG_RSA_PSS_RSAE_SHA384,
171 SIGALG_RSA_PKCS1_SHA384, 187 SIGALG_RSA_PKCS1_SHA384,
172 SIGALG_ECDSA_SECP384R1_SHA384, 188 SIGALG_ECDSA_SECP384R1_SHA384,
189 SIGALG_RSA_PSS_RSAE_SHA256,
173 SIGALG_RSA_PKCS1_SHA256, 190 SIGALG_RSA_PKCS1_SHA256,
174 SIGALG_ECDSA_SECP256R1_SHA256, 191 SIGALG_ECDSA_SECP256R1_SHA256,
175 SIGALG_GOSTR12_256_STREEBOG_256, 192 SIGALG_GOSTR12_256_STREEBOG_256,
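Review bot: tls13_sigalgs lists SIGALG_RSA_PKCS1_SHA512, SIGALG_RSA_PKCS1_SHA384 and SIGALG_RSA_PKCS1_SHA256 alongside the PSS entries, but RFC 8446 §4.2.3 permits rsa_pkcs1_* in signature_algorithms only for signatures on certificates and says they MUST NOT be used in a TLS 1.3 CertificateVerify. This table is now handed to tls1_process_sigalgs() (t1_lib.c hunk), which records the first match per key type in c->pkeys[].sigalg; if that field is what later selects the CertificateVerify algorithm, which these hunks do not show, a peer whose list puts rsa_pkcs1_sha512 ahead of the PSS values would receive a PKCS#1 v1.5 signature where the RFC requires PSS. Dropping the three PKCS1 entries from tls13_sigalgs, or keeping a separate certificate-signature table, would close that, and a comment such as `/* Sigalgs for TLS 1.3 CertificateVerify, in preference order; rsa_pkcs1_* is excluded (RFC 8446 4.2.3). */` records the rule. The TLS 1.2 list now leading with the PSS entries is fine, since the same section allows rsa_pss_rsae in TLS 1.2.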
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 5ae595835b..8ea4df9e31 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.h,v 1.8 2018/11/16 02:41:16 beck Exp $ */ 1/* $OpenBSD: ssl_sigalgs.h,v 1.9 2019/01/23 16:46:04 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -71,6 +71,8 @@ struct ssl_sigalg{
71 71
72extern uint16_t tls12_sigalgs[]; 72extern uint16_t tls12_sigalgs[];
73extern size_t tls12_sigalgs_len; 73extern size_t tls12_sigalgs_len;
74extern uint16_t tls13_sigalgs[];
75extern size_t tls13_sigalgs_len;
74 76
75const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); 77const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
76const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len); 78const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len);
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6eec807f56..06105f976d 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.31 2019/01/20 02:53:56 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,9 +536,26 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
536 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 536 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
537 return 0; 537 return 0;
538 538
539 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) 539 switch (TLS1_get_client_version(s)) {
540 return 0; 540 case TLS1_2_VERSION:
541 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
542 return 0;
543 break;
544 case TLS1_3_VERSION:
545 if (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
546 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
547 tls12_sigalgs_len))
548 return 0;
549 } else {
550 if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
551 tls13_sigalgs_len))
552 return 0; }
541 553
554 break;
555 default:
556 /* Should not happen */
557 return 0;
558 }
542 if (!CBB_flush(cbb)) 559 if (!CBB_flush(cbb))
543 return 0; 560 return 0;
544 561
@@ -553,7 +570,17 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
553 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 570 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
554 return 0; 571 return 0;
555 572
556 return tls1_process_sigalgs(s, &sigalgs); 573 switch (s->version) {
574 case TLS1_3_VERSION:
575 return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
576 tls13_sigalgs_len);
577 case TLS1_2_VERSION:
578 return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
579 tls12_sigalgs_len);
580 default:
581 /* Fail if we get a version > what we recognize */
582 return 0;
583 }
557} 584}
558 585
559int 586int
@@ -1243,7 +1270,7 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
1243 1270
1244 return 1; 1271 return 1;
1245 1272
1246err: 1273 err:
1247 freezero(public_key, X25519_KEY_LENGTH); 1274 freezero(public_key, X25519_KEY_LENGTH);
1248 freezero(private_key, X25519_KEY_LENGTH); 1275 freezero(private_key, X25519_KEY_LENGTH);
1249 1276
@@ -1253,24 +1280,100 @@ err:
1253int 1280int
1254tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1281tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
1255{ 1282{
1256 /* XXX we accept this but currently ignore it */ 1283 CBS client_shares;
1257 if (!CBS_skip(cbs, CBS_len(cbs))) { 1284 CBS key_exchange;
1258 *alert = TLS1_AD_INTERNAL_ERROR; 1285 uint16_t group;
1259 return 0; 1286 size_t out_len;
1287 int ret = 0;
1288
1289 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1290 goto err;
1291
1292 if (CBS_len(cbs) != 0)
1293 goto err;
1294
1295 while (CBS_len(&client_shares) > 0) {
1296
1297 /* Unpack client share. */
1298 if (!CBS_get_u16(&client_shares, &group))
1299 goto err;
1300
1301 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1302 goto err;
1303
1304 /*
1305 * Skip this client share if not X25519
1306 * XXX support other groups later.
1307 */
1308 if (ret || group != tls1_ec_nid2curve_id(NID_X25519))
1309 continue;
1310
1311 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1312 goto err;
1313
1314 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
1315 &out_len))
1316 goto err;
1317
1318 ret = 1;
1260 } 1319 }
1261 1320
1262 return 1; 1321 return ret;
1322
1323 err:
1324 *alert = SSL_AD_DECODE_ERROR;
1325 return 0;
1263} 1326}
1264 1327
1265int 1328int
1266tlsext_keyshare_server_needs(SSL *s) 1329tlsext_keyshare_server_needs(SSL *s)
1267{ 1330{
1268 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1331 size_t idx;
1332
1333 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)
1334 return 0;
1335 if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
1336 return 0;
1337 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1269} 1338}
1270 1339
1271int 1340int
1272tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1341tlsext_keyshare_server_build(SSL *s, CBB *cbb)
1273{ 1342{
1343 uint8_t *public_key = NULL, *private_key = NULL;
1344 CBB key_exchange;
1345
1346 /* X25519 */
1347 if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
1348 return 0;
1349
1350 /* Generate X25519 key pair. */
1351 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
1352 goto err;
1353 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
1354 goto err;
1355 X25519_keypair(public_key, private_key);
1356
1357 /* Add the group and serialize the public key. */
1358 if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
1359 goto err;
1360 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1361 goto err;
1362 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
1363 goto err;
1364
1365 if (!CBB_flush(cbb))
1366 goto err;
1367
1368 S3I(s)->hs_tls13.x25519_public = public_key;
1369 S3I(s)->hs_tls13.x25519_private = private_key;
1370
1371 return 1;
1372
1373 err:
1374 freezero(public_key, X25519_KEY_LENGTH);
1375 freezero(private_key, X25519_KEY_LENGTH);
1376
1274 return 0; 1377 return 0;
1275} 1378}
1276 1379
@@ -1291,6 +1394,10 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
1291 1394
1292 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1395 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1293 goto err; 1396 goto err;
1397
1398 if (CBS_len(cbs) != 0)
1399 goto err;
1400
1294 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1401 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1295 goto err; 1402 goto err;
1296 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1403 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1313,8 +1420,9 @@ tlsext_versions_client_needs(SSL *s)
1313 /* XXX once this gets initialized when we get tls13_client.c */ 1420 /* XXX once this gets initialized when we get tls13_client.c */
1314 if (S3I(s)->hs_tls13.max_version == 0) 1421 if (S3I(s)->hs_tls13.max_version == 0)
1315 return 0; 1422 return 0;
1316 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1423 if (SSL_IS_DTLS(s))
1317 TLS1_3_VERSION); 1424 return 0;
1425 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1318} 1426}
1319 1427
1320int 1428int
@@ -1348,13 +1456,41 @@ tlsext_versions_client_build(SSL *s, CBB *cbb)
1348int 1456int
1349tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1457tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
1350{ 1458{
1351 /* XXX we accept this but currently ignore it */ 1459 CBS versions;
1352 if (!CBS_skip(cbs, CBS_len(cbs))) { 1460 uint16_t version;
1353 *alert = TLS1_AD_INTERNAL_ERROR; 1461 uint16_t max, min;
1354 return 0; 1462 uint16_t matched_version = 0;
1463
1464 max = S3I(s)->hs_tls13.max_version;
1465 min = S3I(s)->hs_tls13.min_version;
1466
1467 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1468 goto err;
1469
1470 if (CBS_len(cbs) != 0)
1471 goto err;
1472
1473 if (CBS_len(&versions) < 2)
1474 goto err;
1475
1476 while(CBS_len(&versions) > 0) {
1477 if (!CBS_get_u16(&versions, &version))
1478 goto err;
1479 /*
1480 * XXX What is below implements client preference, and
1481 * ignores any server preference entirely.
1482 */
1483 if (matched_version == 0 && version >= min && version <= max)
1484 matched_version = version;
1355 } 1485 }
1486 if (matched_version != 0)
1487 s->version = matched_version;
1356 1488
1357 return 1; 1489 return 1;
1490
1491 err:
1492 *alert = SSL_AD_DECODE_ERROR;
1493 return 0;
1358} 1494}
1359 1495
1360int 1496int
@@ -1366,7 +1502,11 @@ tlsext_versions_server_needs(SSL *s)
1366int 1502int
1367tlsext_versions_server_build(SSL *s, CBB *cbb) 1503tlsext_versions_server_build(SSL *s, CBB *cbb)
1368{ 1504{
1369 return 0; 1505 if (!CBB_add_u16(cbb, TLS1_3_VERSION))
1506 return 0;
1507 /* XXX set 1.2 in legacy version? */
1508
1509 return 1;
1370} 1510}
1371 1511
1372int 1512int
@@ -1379,12 +1519,161 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
1379 return 0; 1519 return 0;
1380 } 1520 }
1381 1521
1522 if (CBS_len(cbs) != 0) {
1523 *alert = SSL_AD_DECODE_ERROR;
1524 return 0;
1525 }
1526
1527 if (selected_version < TLS1_3_VERSION) {
1528 *alert = SSL_AD_ILLEGAL_PARAMETER;
1529 return 0;
1530 }
1531
1382 /* XXX test between min and max once initialization code goes in */ 1532 /* XXX test between min and max once initialization code goes in */
1383 S3I(s)->hs_tls13.server_version = selected_version; 1533 S3I(s)->hs_tls13.server_version = selected_version;
1384 1534
1385 return 1; 1535 return 1;
1386} 1536}
1387 1537
1538
1539/*
1540 * Cookie - RFC 8446 section 4.2.2.
1541 */
1542
1543int
1544tlsext_cookie_client_needs(SSL *s)
1545{
1546 /* XXX once this gets initialized when we get tls13_client.c */
1547 if (S3I(s)->hs_tls13.max_version == 0)
1548 return 0;
1549 if (SSL_IS_DTLS(s))
1550 return 0;
1551 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1552 return 0;
1553 return ((S3I(s)->hs_tls13.cookie_len > 0) &&
1554 (S3I(s)->hs_tls13.cookie != NULL));
1555}
1556
1557int
1558tlsext_cookie_client_build(SSL *s, CBB *cbb)
1559{
1560 CBB cookie;
1561
1562 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1563 return 0;
1564
1565 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1566 S3I(s)->hs_tls13.cookie_len))
1567 return 0;
1568
1569 if (!CBB_flush(cbb))
1570 return 0;
1571
1572 return 1;
1573}
1574
1575int
1576tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert)
1577{
1578 CBS cookie;
1579
1580 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1581 goto err;
1582
1583 if (CBS_len(cbs) != 0)
1584 goto err;
1585
1586 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
1587 goto err;
1588
1589 /*
1590 * Check provided cookie value against what server previously
1591 * sent - client *MUST* send the same cookie with new CR after
1592 * a cookie is sent by the server with an HRR
1593 */
1594 if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
1595 S3I(s)->hs_tls13.cookie_len) != 0) {
1596 /* XXX special cookie mismatch alert? */
1597 *alert = SSL_AD_ILLEGAL_PARAMETER;
1598 return 0;
1599 }
1600
1601 return 1;
1602
1603 err:
1604 *alert = SSL_AD_DECODE_ERROR;
1605 return 0;
1606}
1607
1608int
1609tlsext_cookie_server_needs(SSL *s)
1610{
1611 /* XXX once this gets initialized when we get tls13_client.c */
1612 if (S3I(s)->hs_tls13.max_version == 0)
1613 return 0;
1614 if (SSL_IS_DTLS(s))
1615 return 0;
1616 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1617 return 0;
1618 /*
1619 * Server needs to set cookie value in tls13 handshake
1620 * in order to send one, should only be sent with HRR.
1621 */
1622 return ((S3I(s)->hs_tls13.cookie_len > 0) &&
1623 (S3I(s)->hs_tls13.cookie != NULL));
1624}
1625
1626int
1627tlsext_cookie_server_build(SSL *s, CBB *cbb)
1628{
1629 CBB cookie;
1630
1631 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1632 return 0;
1633 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1634 S3I(s)->hs_tls13.cookie_len))
1635 return 0;
1636 if (!CBB_flush(cbb))
1637 return 0;
1638
1639 return 1;
1640}
1641
1642int
1643tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert)
1644{
1645 CBS cookie;
1646
1647 /*
1648 * XXX This currently assumes we will not get a second
1649 * HRR from a server with a cookie to process after accepting
1650 * one from the server in the same handshake
1651 */
1652 if ((S3I(s)->hs_tls13.cookie != NULL) ||
1653 S3I(s)->hs_tls13.cookie_len != 0) {
1654 *alert = SSL_AD_ILLEGAL_PARAMETER;
1655 return 0;
1656 }
1657
1658 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1659 goto err;
1660
1661 if (CBS_len(cbs) != 0)
1662 goto err;
1663
1664 if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
1665 goto err;
1666
1667 memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
1668 S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
1669
1670 return 1;
1671
1672 err:
1673 *alert = SSL_AD_DECODE_ERROR;
1674 return 0;
1675}
1676
1388struct tls_extension_funcs { 1677struct tls_extension_funcs {
1389 int (*needs)(SSL *s); 1678 int (*needs)(SSL *s);
1390 int (*build)(SSL *s, CBB *cbb); 1679 int (*build)(SSL *s, CBB *cbb);
@@ -1542,6 +1831,20 @@ static struct tls_extension tls_extensions[] = {
1542 .parse = tlsext_alpn_client_parse, 1831 .parse = tlsext_alpn_client_parse,
1543 }, 1832 },
1544 }, 1833 },
1834 {
1835 .type = TLSEXT_TYPE_cookie,
1836 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
1837 .client = {
1838 .needs = tlsext_cookie_client_needs,
1839 .build = tlsext_cookie_client_build,
1840 .parse = tlsext_cookie_server_parse,
1841 },
1842 .server = {
1843 .needs = tlsext_cookie_server_needs,
1844 .build = tlsext_cookie_server_build,
1845 .parse = tlsext_cookie_client_parse,
1846 },
1847 },
1545#ifndef OPENSSL_NO_SRTP 1848#ifndef OPENSSL_NO_SRTP
1546 { 1849 {
1547 .type = TLSEXT_TYPE_use_srtp, 1850 .type = TLSEXT_TYPE_use_srtp,
@@ -1565,7 +1868,7 @@ static struct tls_extension tls_extensions[] = {
1565/* Ensure that extensions fit in a uint32_t bitmask. */ 1868/* Ensure that extensions fit in a uint32_t bitmask. */
1566CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1869CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1567 1870
1568static struct tls_extension * 1871struct tls_extension *
1569tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1872tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1570{ 1873{
1571 size_t i; 1874 size_t i;
@@ -1645,11 +1948,12 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
1645 struct tls_extension_funcs *ext; 1948 struct tls_extension_funcs *ext;
1646 struct tls_extension *tlsext; 1949 struct tls_extension *tlsext;
1647 CBS extensions, extension_data; 1950 CBS extensions, extension_data;
1648 uint32_t extensions_seen = 0;
1649 uint16_t type; 1951 uint16_t type;
1650 size_t idx; 1952 size_t idx;
1651 uint16_t version; 1953 uint16_t version;
1652 1954
1955 S3I(s)->hs.extensions_seen = 0;
1956
1653 if (is_server) 1957 if (is_server)
1654 version = s->version; 1958 version = s->version;
1655 else 1959 else
@@ -1688,9 +1992,9 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
1688 } 1992 }
1689 1993
1690 /* Check for duplicate known extensions. */ 1994 /* Check for duplicate known extensions. */
1691 if ((extensions_seen & (1 << idx)) != 0) 1995 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
1692 return 0; 1996 return 0;
1693 extensions_seen |= (1 << idx); 1997 S3I(s)->hs.extensions_seen |= (1 << idx);
1694 1998
1695 ext = tlsext_funcs(tlsext, is_server); 1999 ext = tlsext_funcs(tlsext, is_server);
1696 if (!ext->parse(s, &extension_data, alert)) 2000 if (!ext->parse(s, &extension_data, alert))
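Review bot: In tlsext_keyshare_server_parse (the hunk at -1253,24), a well-formed key_share list with no X25519 entry runs off the end of the loop to `return ret;` with ret still 0 and *alert never assigned, so the failure is reported with whatever alert value the caller initialised, which is not visible here. RFC 8446 §4.1.4 treats a ClientHello with no acceptable share as the HelloRetryRequest case rather than a malformed extension, so the parse should succeed and leave x25519_peer_public NULL (tlsext_keyshare_server_build already returns 0 for that): make the post-loop line `return 1;` and keep `ret` only as the already-stowed flag, or, if rejection is the intent, set `*alert = SSL_AD_ILLEGAL_PARAMETER;` explicitly before returning. The same loop also `continue`s past a second X25519 entry, which RFC 8446 §4.2.8 forbids the client from sending, so rejecting it with illegal_parameter would be the stricter reading. Separately, tlsext_sigalgs_server_parse now switches on `s->version`, which tlsext_versions_server_parse only raises to TLS 1.3 when it runs, and tlsext_parse (last hunk) appears to dispatch extensions in wire order, so a ClientHello listing signature_algorithms before supported_versions would be processed against the TLS 1.2 table; a comment or a two-pass parse would settle that. tlsext_parse's body continues outside the hunk.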
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index 940366b7d8..8472a8058b 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.h,v 1.17 2019/01/18 12:18:10 beck Exp $ */ 1/* $OpenBSD: ssl_tlsext.h,v 1.18 2019/01/23 16:46:04 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -101,6 +101,13 @@ int tlsext_keyshare_server_needs(SSL *s);
101int tlsext_keyshare_server_build(SSL *s, CBB *cbb); 101int tlsext_keyshare_server_build(SSL *s, CBB *cbb);
102int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert); 102int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert);
103 103
104int tlsext_cookie_client_needs(SSL *s);
105int tlsext_cookie_client_build(SSL *s, CBB *cbb);
106int tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert);
107int tlsext_cookie_server_needs(SSL *s);
108int tlsext_cookie_server_build(SSL *s, CBB *cbb);
109int tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert);
110
104#ifndef OPENSSL_NO_SRTP 111#ifndef OPENSSL_NO_SRTP
105int tlsext_srtp_client_needs(SSL *s); 112int tlsext_srtp_client_needs(SSL *s);
106int tlsext_srtp_client_build(SSL *s, CBB *cbb); 113int tlsext_srtp_client_build(SSL *s, CBB *cbb);
@@ -116,6 +123,7 @@ int tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
116int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type); 123int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type);
117int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type); 124int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
118 125
126struct tls_extension *tls_extension_find(uint16_t, size_t *);
119__END_HIDDEN_DECLS 127__END_HIDDEN_DECLS
120 128
121#endif 129#endif
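Review bot: `struct tls_extension *tls_extension_find(uint16_t, size_t *);` drops the parameter names the definition in ssl_tlsext.c uses, unlike every other declaration in this header; `struct tls_extension *tls_extension_find(uint16_t type, size_t *tls_extensions_idx);` with a blank line before `__END_HIDDEN_DECLS` matches the surrounding style. Since this commit un-statics an internal lookup, a one-line comment stating that the returned index is the entry's position in tls_extensions, i.e. the bit tested against hs.extensions_seen by tlsext_keyshare_server_needs, would tell new callers what the out-parameter means. The cookie prototypes follow the existing needs/build/parse ordering and need nothing further.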
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 1402996e42..567b3e48e0 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.150 2018/11/10 01:19:09 beck Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.151 2019/01/23 16:46:04 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1002,11 +1002,12 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1002 1002
1003/* Set preferred digest for each key type */ 1003/* Set preferred digest for each key type */
1004int 1004int
1005tls1_process_sigalgs(SSL *s, CBS *cbs) 1005tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len)
1006{ 1006{
1007 CERT *c = s->cert; 1007 CERT *c = s->cert;
1008 1008
1009 /* Extension ignored for inappropriate versions */ 1009 /* Extension ignored for inappropriate versions */
1010 /* XXX get rid of this? */
1010 if (!SSL_USE_SIGALGS(s)) 1011 if (!SSL_USE_SIGALGS(s))
1011 return 1; 1012 return 1;
1012 1013
@@ -1023,9 +1024,8 @@ tls1_process_sigalgs(SSL *s, CBS *cbs)
1023 if (!CBS_get_u16(cbs, &sig_alg)) 1024 if (!CBS_get_u16(cbs, &sig_alg))
1024 return 0; 1025 return 0;
1025 1026
1026 if ((sigalg = ssl_sigalg(sig_alg, tls12_sigalgs, 1027 if ((sigalg = ssl_sigalg(sig_alg, sigalgs, sigalgs_len)) !=
1027 tls12_sigalgs_len)) != NULL && 1028 NULL && c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
1028 c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
1029 c->pkeys[sigalg->pkey_idx].sigalg = sigalg; 1029 c->pkeys[sigalg->pkey_idx].sigalg = sigalg;
1030 if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN) 1030 if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN)
1031 c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg; 1031 c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg;
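Review bot: The header comment `/* Set preferred digest for each key type */` no longer describes tls1_process_sigalgs now that callers supply the preference table; the definition would read better with a short block comment stating that sigalgs/sigalgs_len is the local preference list (tls12_sigalgs or tls13_sigalgs), that each of the peer's offered values is looked up in it via ssl_sigalg() and the first hit per key type is recorded in c->pkeys[].sigalg (an RSA_SIGN hit also filling RSA_ENC), and that the function returns 1 on success or when SSL_USE_SIGALGS is false and 0 on a malformed list. The added `/* XXX get rid of this? */` beside the SSL_USE_SIGALGS early-out would be more useful with the reason: with TLS 1.3 now routed through here, whether that macro is true for 1.3 decides if the extension is silently ignored, which this hunk does not show. Naming and const-qualifying the new parameters is raised on the ssl_locl.h hunk. The loop body continues outside the hunk.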
diff --git a/src/regress/lib/libssl/client/clienttest.c b/src/regress/lib/libssl/client/clienttest.c
index cb45dc583c..25a8790e61 100644
--- a/src/regress/lib/libssl/client/clienttest.c
+++ b/src/regress/lib/libssl/client/clienttest.c
@@ -141,15 +141,15 @@ static unsigned char cipher_list_tls12_chacha[] = {
141}; 141};
142 142
143static unsigned char client_hello_tls12[] = { 143static unsigned char client_hello_tls12[] = {
144 0x16, 0x03, 0x01, 0x00, 0xbf, 0x01, 0x00, 0x00, 144 0x16, 0x03, 0x01, 0x00, 0xc5, 0x01, 0x00, 0x00,
145 0xbb, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 145 0xc1, 0x03, 0x03, 0xc9, 0xf9, 0x1f, 0x05, 0xaf,
146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 0x61, 0xd7, 0xe7, 0x84, 0xd1, 0x1c, 0x6f, 0x79,
147 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 147 0x32, 0x04, 0x8e, 0x5c, 0xe3, 0x18, 0x5a, 0x85,
148 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 148 0xee, 0x44, 0xe1, 0xca, 0x32, 0xce, 0x07, 0xd3,
149 0x00, 0x00, 0x00, 0x00, 0x00, 0x5c, 0xcc, 0xa9, 149 0xdb, 0x0f, 0x91, 0x00, 0x00, 0x5c, 0xc0, 0x30,
150 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 150 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
151 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 151 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
152 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0xff, 0x85, 152 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85,
153 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 153 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d,
154 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 154 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84,
155 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 155 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23,
@@ -158,14 +158,15 @@ static unsigned char client_hello_tls12[] = {
158 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 158 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41,
159 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04, 159 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04,
160 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 160 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
161 0x00, 0xff, 0x01, 0x00, 0x00, 0x36, 0x00, 0x0b, 161 0x00, 0xff, 0x01, 0x00, 0x00, 0x3c, 0x00, 0x0b,
162 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 162 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08,
163 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 163 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
164 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x1c, 164 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x22,
165 0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef, 165 0x00, 0x20, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
166 0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03, 166 0xef, 0xef, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
167 0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 167 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0xee, 0xee,
168 0x02, 0x01, 0x02, 0x03, 168 0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 0x02, 0x01,
169 0x02, 0x03,
169}; 170};
170 171
171struct client_hello_test { 172struct client_hello_test {
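Review bot: The new client_hello_tls12 vector replaces the all-zero client random (the 32 bytes after 0x03, 0x03, now 0xc9, 0xf9, 0x1f, ...) with one specific value; unless the harness masks or overrides the random before comparing, which this hunk does not show, an exact byte comparison against a freshly built ClientHello can only match by chance, so either keep the zeros and have the test zero that field or compare around it. The length fields are consistent with the sigalgs change (record 0xbf to 0xc5, extensions 0x36 to 0x3c, sigalgs extension 0x1c to 0x22, list 0x1a to 0x20, i.e. the three added rsa_pss_rsae entries). The cipher-suite bytes also move, with the 0xcc, 0xa9 / 0xcc, 0xa8 / 0xcc, 0xaa suites now following 0x00, 0x39, which is unrelated to the sigalgs and cookie changes elsewhere in this diff and deserves a sentence of explanation if intended.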
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 7a9f7d9be7..3387b86f3f 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tlsexttest.c,v 1.22 2019/01/18 12:09:52 beck Exp $ */ 1/* $OpenBSD: tlsexttest.c,v 1.23 2019/01/23 16:46:04 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1505,10 +1505,11 @@ test_tlsext_ri_server(void)
1505 */ 1505 */
1506 1506
1507static unsigned char tlsext_sigalgs_client[] = { 1507static unsigned char tlsext_sigalgs_client[] = {
1508 0x00, 0x1a, 0x06, 0x01, 0x06, 0x03, 0xef, 0xef, 1508 0x00, 0x20, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03,
1509 0x05, 0x01, 0x05, 0x03, 0x04, 0x01, 0x04, 0x03, 1509 0xef, 0xef, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03,
1510 0xee, 0xee, 0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 1510 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0xee, 0xee,
1511 0x02, 0x01, 0x02, 0x03, 1511 0xed, 0xed, 0x03, 0x01, 0x03, 0x03, 0x02, 0x01,
1512 0x02, 0x03,
1512}; 1513};
1513 1514
1514static int 1515static int
@@ -2732,13 +2733,14 @@ test_tlsext_srtp_server(void)
2732#endif /* OPENSSL_NO_SRTP */ 2733#endif /* OPENSSL_NO_SRTP */
2733 2734
2734unsigned char tlsext_clienthello_default[] = { 2735unsigned char tlsext_clienthello_default[] = {
2735 0x00, 0x36, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 2736 0x00, 0x3c, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
2736 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 2737 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d,
2737 0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00, 2738 0x00, 0x17, 0x00, 0x18, 0x00, 0x23, 0x00, 0x00,
2738 0x00, 0x0d, 0x00, 0x1c, 0x00, 0x1a, 0x06, 0x01, 2739 0x00, 0x0d, 0x00, 0x22, 0x00, 0x20, 0x08, 0x06,
2739 0x06, 0x03, 0xef, 0xef, 0x05, 0x01, 0x05, 0x03, 2740 0x06, 0x01, 0x06, 0x03, 0xef, 0xef, 0x08, 0x05,
2740 0x04, 0x01, 0x04, 0x03, 0xee, 0xee, 0xed, 0xed, 2741 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01,
2741 0x03, 0x01, 0x03, 0x03, 0x02, 0x01, 0x02, 0x03, 2742 0x04, 0x03, 0xee, 0xee, 0xed, 0xed, 0x03, 0x01,
2743 0x03, 0x03, 0x02, 0x01, 0x02, 0x03,
2742}; 2744};
2743 2745
2744unsigned char tlsext_clienthello_disabled[] = {}; 2746unsigned char tlsext_clienthello_disabled[] = {};
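Review bot: This section only re-encodes the expected sigalgs vectors for the three added rsa_pss_rsae entries (0x08, 0x06 / 0x08, 0x05 / 0x08, 0x04 ahead of each PKCS1 pair); none of the hunks shown exercises the cookie, key_share server-parse or supported_versions server-parse paths that ssl_tlsext.c gains in this commit. Those parsers consume untrusted ClientHello bytes, so a test feeding a key_share whose only entry is a non-X25519 group, a cookie whose length disagrees with the stored one, and a supported_versions list of odd length would pin the alert each path produces and catch the unset-alert return in tlsext_keyshare_server_parse. The tlsext_clienthello_default length bytes (0x36 to 0x3c, 0x1c to 0x22, 0x1a to 0x20) agree with the clienttest.c vector.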