5 files changed, 104 insertions, 66 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 0da08f62c3..dffabf1753 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.50 2020/04/21 16:55:17 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.51 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -281,6 +281,24 @@ tls13_server_hello_is_legacy(CBS *cbs)
 }
 static int
+tls13_server_hello_is_retry(CBS *cbs)
+{
+        CBS server_hello, server_random;
+        uint16_t legacy_version;
+        CBS_dup(cbs, &server_hello);
+        if (!CBS_get_u16(&server_hello, &legacy_version))
+                return 0;
+        if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
+                return 0;
+        /* See if this is a HelloRetryRequest. */
+        return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
+            sizeof(tls13_hello_retry_request_hash));
+}
+static int
 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 {
        CBS server_random, session_id;
@@ -331,7 +349,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        /* From here on in we know we are doing TLSv1.3. */
        tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
-        /* See if this is a Hello Retry Request. */
+        /* See if this is a HelloRetryRequest. */
+        /* XXX - see if we can avoid doing this twice. */
        if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
            sizeof(tls13_hello_retry_request_hash))) {
                tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
@@ -515,40 +534,75 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 }
 int
+tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
+{
+        /*
+         * The state machine has no way of knowing if we're going to receive a
+         * HelloRetryRequest or a ServerHello. As such, we have to handle
+         * this case here and hand off to the appropriate function.
+         */
+        if (!tls13_server_hello_is_retry(cbs)) {
+                ctx->handshake_stage.hs_type |= WITHOUT_HRR;
+                return tls13_server_hello_recv(ctx, cbs);
+        }
+        if (!tls13_server_hello_process(ctx, cbs))
+                return 0;
+        /*
+         * This may have been a TLSv1.2 or earlier ServerHello that just happened
+         * to have matching server random...
+         */
+        if (ctx->hs->use_legacy)
+                return tls13_use_legacy_client(ctx);
+        if (!ctx->hs->hrr)
+                return 0;
+        if (!tls13_client_synthetic_handshake_message(ctx))
+                return 0;
+        if (!tls13_handshake_msg_record(ctx))
+                return 0;
+        ctx->hs->hrr = 0;
+        return 1;
+}
+int
 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
        SSL *s = ctx->ssl;
        /*
-         * We may have received a legacy (pre-TLSv1.3) server hello,
+         * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
-         * a TLSv1.3 server hello or a TLSv1.3 hello retry request.
+         * ServerHello. HelloRetryRequests have already been handled.
         */
        if (!tls13_server_hello_process(ctx, cbs))
                return 0;
-        tls1_transcript_unfreeze(s);
+        if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
+                tls1_transcript_unfreeze(s);
-        if (ctx->hs->hrr) {
+                if (!tls13_handshake_msg_record(ctx))
-                if (!tls13_client_synthetic_handshake_message(ctx))
                        return 0;
        }
-        if (!tls13_handshake_msg_record(ctx))
+        if (ctx->hs->use_legacy) {
-                return 0;
+                if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
+                        return 0;
-        if (ctx->hs->use_legacy)
                return tls13_use_legacy_client(ctx);
+        }
-        if (!ctx->hs->hrr) {
+        if (ctx->hs->hrr) {
-                if (!tls13_client_engage_record_protection(ctx))
+                /* The server has sent two HelloRetryRequests. */
-                        return 0;
+                ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+                return 0;
        }
-        ctx->handshake_stage.hs_type |= NEGOTIATED;
+        if (!tls13_client_engage_record_protection(ctx))
-        if (ctx->hs->hrr)
+                return 0;
-                ctx->handshake_stage.hs_type |= WITH_HRR;
-        ctx->hs->hrr = 0;
+        ctx->handshake_stage.hs_type |= NEGOTIATED;
        return 1;
 }
@@ -581,24 +635,6 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 }
 int
-tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
-{
-        if (!tls13_server_hello_process(ctx, cbs))
-                return 0;
-        if (ctx->hs->use_legacy)
-                return 0; /* XXX alert */
-        if (ctx->hs->hrr)
-                return 0; /* XXX alert */
-        if (!tls13_client_engage_record_protection(ctx))
-                return 0;
-        return 1;
-}
-int
 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
        int alert_desc;
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 51585d31ba..86046144de 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.52 2020/03/10 17:15:02 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.53 2020/04/22 17:05:07 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -96,11 +96,11 @@ struct tls13_handshake_action state_machine[] = {
                .sent = tls13_server_hello_sent,
                .recv = tls13_server_hello_recv,
        },
-        [SERVER_HELLO_RETRY] = {
+        [SERVER_HELLO_RETRY_REQUEST] = {
                .handshake_type = TLS13_MT_SERVER_HELLO,
                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_hello_retry_send,
+                .send = tls13_server_hello_retry_request_send,
-                .recv = tls13_server_hello_retry_recv,
+                .recv = tls13_server_hello_retry_request_recv,
        },
        [SERVER_ENCRYPTED_EXTENSIONS] = {
                .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
@@ -145,10 +145,14 @@ struct tls13_handshake_action state_machine[] = {
 enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        [INITIAL] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
        },
        [NEGOTIATED] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
@@ -159,11 +163,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR] = {
+        [NEGOTIATED | WITHOUT_HRR] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
                SERVER_CERTIFICATE,
@@ -175,6 +177,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        },
        [NEGOTIATED | WITHOUT_CR] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE,
@@ -183,11 +187,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR | WITHOUT_CR] = {
+        [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE,
                SERVER_CERTIFICATE_VERIFY,
@@ -197,17 +199,17 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        },
        [NEGOTIATED | WITH_PSK] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_FINISHED,
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR | WITH_PSK] = {
+        [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_FINISHED,
                CLIENT_FINISHED,
@@ -215,6 +217,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
        },
        [NEGOTIATED | WITH_CCV] = {
                CLIENT_HELLO,
+                SERVER_HELLO_RETRY_REQUEST,
+                CLIENT_HELLO_RETRY,
                SERVER_HELLO,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
@@ -226,11 +230,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
                CLIENT_FINISHED,
                APPLICATION_DATA,
        },
-        [NEGOTIATED | WITH_HRR | WITH_CCV] = {
+        [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = {
                CLIENT_HELLO,
                SERVER_HELLO,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO_RETRY,
                SERVER_ENCRYPTED_EXTENSIONS,
                SERVER_CERTIFICATE_REQUEST,
                SERVER_CERTIFICATE,
diff --git a/src/lib/libssl/tls13_handshake.h b/src/lib/libssl/tls13_handshake.h
index 956d27c61a..8a08b9fd5b 100644
--- a/src/lib/libssl/tls13_handshake.h
+++ b/src/lib/libssl/tls13_handshake.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_handshake.h,v 1.4 2020/03/10 17:15:02 jsing Exp $ */
+/* $OpenBSD: tls13_handshake.h,v 1.5 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
 *
@@ -24,7 +24,7 @@ __BEGIN_HIDDEN_DECLS
 #define INITIAL                 0x00
 #define NEGOTIATED              0x01
-#define WITH_HRR                0x02
+#define WITHOUT_HRR             0x02
 #define WITHOUT_CR              0x04
 #define WITH_PSK                0x08
 #define WITH_CCV                0x10
@@ -33,9 +33,9 @@ __BEGIN_HIDDEN_DECLS
 enum tls13_message_type {
        INVALID,
        CLIENT_HELLO,
-        SERVER_HELLO,
+        SERVER_HELLO_RETRY_REQUEST,
        CLIENT_HELLO_RETRY,
-        SERVER_HELLO_RETRY,
+        SERVER_HELLO,
        SERVER_ENCRYPTED_EXTENSIONS,
        SERVER_CERTIFICATE_REQUEST,
        SERVER_CERTIFICATE,
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index c5b893bc16..ee82a44693 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.64 2020/04/21 16:55:17 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.65 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -309,8 +309,8 @@ int tls13_client_finished_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_hello_sent(struct tls13_ctx *ctx);
-int tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs);
+int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs);
-int tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb);
+int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index f3d21a7477..9bc4cb6170 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.30 2020/04/21 17:06:16 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.31 2020/04/22 17:05:07 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -280,11 +280,11 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
                return 1;
        /*
-         * If no matching key share was provided, we need to send a
+         * If a matching key share was provided, we do not need to
-         * HelloRetryRequest, if matching security parameters exist.
+         * send a HelloRetryRequest.
         */
-        if (ctx->hs->key_share == NULL)
+        if (ctx->hs->key_share != NULL)
-                ctx->handshake_stage.hs_type |= WITH_HRR;
+                ctx->handshake_stage.hs_type |= WITHOUT_HRR;
        /* XXX - check this is the correct point */
        tls13_record_layer_allow_ccs(ctx->rl, 1);
@@ -608,7 +608,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
 }
 int
-tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
+tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        return 0;
 }

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 0da08f62c3..dffabf1753 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.50 2020/04/21 16:55:17 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.51 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -281,6 +281,24 @@ tls13_server_hello_is_legacy(CBS *cbs)
281	}	281	}
282		282
283	static int	283	static int
		284	tls13_server_hello_is_retry(CBS *cbs)
		285	{
		286	CBS server_hello, server_random;
		287	uint16_t legacy_version;
		288
		289	CBS_dup(cbs, &server_hello);
		290
		291	if (!CBS_get_u16(&server_hello, &legacy_version))
		292	return 0;
		293	if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
		294	return 0;
		295
		296	/* See if this is a HelloRetryRequest. */
		297	return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
		298	sizeof(tls13_hello_retry_request_hash));
		299	}
		300
		301	static int
284	tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)	302	tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
285	{	303	{
286	CBS server_random, session_id;	304	CBS server_random, session_id;
@@ -331,7 +349,8 @@ tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
331	/* From here on in we know we are doing TLSv1.3. */	349	/* From here on in we know we are doing TLSv1.3. */
332	tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);	350	tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
333		351
334	/* See if this is a Hello Retry Request. */	352	/* See if this is a HelloRetryRequest. */
		353	/* XXX - see if we can avoid doing this twice. */
335	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,	354	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
336	sizeof(tls13_hello_retry_request_hash))) {	355	sizeof(tls13_hello_retry_request_hash))) {
337	tlsext_msg_type = SSL_TLSEXT_MSG_HRR;	356	tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
@@ -515,40 +534,75 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
515	}	534	}
516		535
517	int	536	int
		537	tls13_server_hello_retry_request_recv(struct tls13_ctx ctx, CBS cbs)
		538	{
		539	/*
		540	* The state machine has no way of knowing if we're going to receive a
		541	* HelloRetryRequest or a ServerHello. As such, we have to handle
		542	* this case here and hand off to the appropriate function.
		543	*/
		544	if (!tls13_server_hello_is_retry(cbs)) {
		545	ctx->handshake_stage.hs_type \|= WITHOUT_HRR;
		546	return tls13_server_hello_recv(ctx, cbs);
		547	}
		548
		549	if (!tls13_server_hello_process(ctx, cbs))
		550	return 0;
		551
		552	/*
		553	* This may have been a TLSv1.2 or earlier ServerHello that just happened
		554	* to have matching server random...
		555	*/
		556	if (ctx->hs->use_legacy)
		557	return tls13_use_legacy_client(ctx);
		558
		559	if (!ctx->hs->hrr)
		560	return 0;
		561
		562	if (!tls13_client_synthetic_handshake_message(ctx))
		563	return 0;
		564	if (!tls13_handshake_msg_record(ctx))
		565	return 0;
		566
		567	ctx->hs->hrr = 0;
		568
		569	return 1;
		570	}
		571
		572	int
518	tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)	573	tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)
519	{	574	{
520	SSL *s = ctx->ssl;	575	SSL *s = ctx->ssl;
521		576
522	/*	577	/*
523	* We may have received a legacy (pre-TLSv1.3) server hello,	578	* We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
524	* a TLSv1.3 server hello or a TLSv1.3 hello retry request.	579	* ServerHello. HelloRetryRequests have already been handled.
525	*/	580	*/
526	if (!tls13_server_hello_process(ctx, cbs))	581	if (!tls13_server_hello_process(ctx, cbs))
527	return 0;	582	return 0;
528		583
529	tls1_transcript_unfreeze(s);	584	if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
530		585	tls1_transcript_unfreeze(s);
531	if (ctx->hs->hrr) {	586	if (!tls13_handshake_msg_record(ctx))
532	if (!tls13_client_synthetic_handshake_message(ctx))
533	return 0;	587	return 0;
534	}	588	}
535		589
536	if (!tls13_handshake_msg_record(ctx))	590	if (ctx->hs->use_legacy) {
537	return 0;	591	if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
538		592	return 0;
539	if (ctx->hs->use_legacy)
540	return tls13_use_legacy_client(ctx);	593	return tls13_use_legacy_client(ctx);
		594	}
541		595
542	if (!ctx->hs->hrr) {	596	if (ctx->hs->hrr) {
543	if (!tls13_client_engage_record_protection(ctx))	597	/* The server has sent two HelloRetryRequests. */
544	return 0;	598	ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
		599	return 0;
545	}	600	}
546		601
547	ctx->handshake_stage.hs_type \|= NEGOTIATED;	602	if (!tls13_client_engage_record_protection(ctx))
548	if (ctx->hs->hrr)	603	return 0;
549	ctx->handshake_stage.hs_type \|= WITH_HRR;
550		604
551	ctx->hs->hrr = 0;	605	ctx->handshake_stage.hs_type \|= NEGOTIATED;
552		606
553	return 1;	607	return 1;
554	}	608	}
@@ -581,24 +635,6 @@ tls13_client_hello_retry_send(struct tls13_ctx ctx, CBB cbb)
581	}	635	}
582		636
583	int	637	int
584	tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs)
585	{
586	if (!tls13_server_hello_process(ctx, cbs))
587	return 0;
588
589	if (ctx->hs->use_legacy)
590	return 0; /* XXX alert */
591
592	if (ctx->hs->hrr)
593	return 0; /* XXX alert */
594
595	if (!tls13_client_engage_record_protection(ctx))
596	return 0;
597
598	return 1;
599	}
600
601	int
602	tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs)	638	tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs)
603	{	639	{
604	int alert_desc;	640	int alert_desc;


diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index 51585d31ba..86046144de 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.52 2020/03/10 17:15:02 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.c,v 1.53 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -96,11 +96,11 @@ struct tls13_handshake_action state_machine[] = {
96	.sent = tls13_server_hello_sent,	96	.sent = tls13_server_hello_sent,
97	.recv = tls13_server_hello_recv,	97	.recv = tls13_server_hello_recv,
98	},	98	},
99	[SERVER_HELLO_RETRY] = {	99	[SERVER_HELLO_RETRY_REQUEST] = {
100	.handshake_type = TLS13_MT_SERVER_HELLO,	100	.handshake_type = TLS13_MT_SERVER_HELLO,
101	.sender = TLS13_HS_SERVER,	101	.sender = TLS13_HS_SERVER,
102	.send = tls13_server_hello_retry_send,	102	.send = tls13_server_hello_retry_request_send,
103	.recv = tls13_server_hello_retry_recv,	103	.recv = tls13_server_hello_retry_request_recv,
104	},	104	},
105	[SERVER_ENCRYPTED_EXTENSIONS] = {	105	[SERVER_ENCRYPTED_EXTENSIONS] = {
106	.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,	106	.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
@@ -145,10 +145,14 @@ struct tls13_handshake_action state_machine[] = {
145	enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {	145	enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
146	[INITIAL] = {	146	[INITIAL] = {
147	CLIENT_HELLO,	147	CLIENT_HELLO,
		148	SERVER_HELLO_RETRY_REQUEST,
		149	CLIENT_HELLO_RETRY,
148	SERVER_HELLO,	150	SERVER_HELLO,
149	},	151	},
150	[NEGOTIATED] = {	152	[NEGOTIATED] = {
151	CLIENT_HELLO,	153	CLIENT_HELLO,
		154	SERVER_HELLO_RETRY_REQUEST,
		155	CLIENT_HELLO_RETRY,
152	SERVER_HELLO,	156	SERVER_HELLO,
153	SERVER_ENCRYPTED_EXTENSIONS,	157	SERVER_ENCRYPTED_EXTENSIONS,
154	SERVER_CERTIFICATE_REQUEST,	158	SERVER_CERTIFICATE_REQUEST,
@@ -159,11 +163,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
159	CLIENT_FINISHED,	163	CLIENT_FINISHED,
160	APPLICATION_DATA,	164	APPLICATION_DATA,
161	},	165	},
162	[NEGOTIATED \| WITH_HRR] = {	166	[NEGOTIATED \| WITHOUT_HRR] = {
163	CLIENT_HELLO,	167	CLIENT_HELLO,
164	SERVER_HELLO,	168	SERVER_HELLO,
165	CLIENT_HELLO_RETRY,
166	SERVER_HELLO_RETRY,
167	SERVER_ENCRYPTED_EXTENSIONS,	169	SERVER_ENCRYPTED_EXTENSIONS,
168	SERVER_CERTIFICATE_REQUEST,	170	SERVER_CERTIFICATE_REQUEST,
169	SERVER_CERTIFICATE,	171	SERVER_CERTIFICATE,
@@ -175,6 +177,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
175	},	177	},
176	[NEGOTIATED \| WITHOUT_CR] = {	178	[NEGOTIATED \| WITHOUT_CR] = {
177	CLIENT_HELLO,	179	CLIENT_HELLO,
		180	SERVER_HELLO_RETRY_REQUEST,
		181	CLIENT_HELLO_RETRY,
178	SERVER_HELLO,	182	SERVER_HELLO,
179	SERVER_ENCRYPTED_EXTENSIONS,	183	SERVER_ENCRYPTED_EXTENSIONS,
180	SERVER_CERTIFICATE,	184	SERVER_CERTIFICATE,
@@ -183,11 +187,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
183	CLIENT_FINISHED,	187	CLIENT_FINISHED,
184	APPLICATION_DATA,	188	APPLICATION_DATA,
185	},	189	},
186	[NEGOTIATED \| WITH_HRR \| WITHOUT_CR] = {	190	[NEGOTIATED \| WITHOUT_HRR \| WITHOUT_CR] = {
187	CLIENT_HELLO,	191	CLIENT_HELLO,
188	SERVER_HELLO,	192	SERVER_HELLO,
189	CLIENT_HELLO_RETRY,
190	SERVER_HELLO_RETRY,
191	SERVER_ENCRYPTED_EXTENSIONS,	193	SERVER_ENCRYPTED_EXTENSIONS,
192	SERVER_CERTIFICATE,	194	SERVER_CERTIFICATE,
193	SERVER_CERTIFICATE_VERIFY,	195	SERVER_CERTIFICATE_VERIFY,
@@ -197,17 +199,17 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
197	},	199	},
198	[NEGOTIATED \| WITH_PSK] = {	200	[NEGOTIATED \| WITH_PSK] = {
199	CLIENT_HELLO,	201	CLIENT_HELLO,
		202	SERVER_HELLO_RETRY_REQUEST,
		203	CLIENT_HELLO_RETRY,
200	SERVER_HELLO,	204	SERVER_HELLO,
201	SERVER_ENCRYPTED_EXTENSIONS,	205	SERVER_ENCRYPTED_EXTENSIONS,
202	SERVER_FINISHED,	206	SERVER_FINISHED,
203	CLIENT_FINISHED,	207	CLIENT_FINISHED,
204	APPLICATION_DATA,	208	APPLICATION_DATA,
205	},	209	},
206	[NEGOTIATED \| WITH_HRR \| WITH_PSK] = {	210	[NEGOTIATED \| WITHOUT_HRR \| WITH_PSK] = {
207	CLIENT_HELLO,	211	CLIENT_HELLO,
208	SERVER_HELLO,	212	SERVER_HELLO,
209	CLIENT_HELLO_RETRY,
210	SERVER_HELLO_RETRY,
211	SERVER_ENCRYPTED_EXTENSIONS,	213	SERVER_ENCRYPTED_EXTENSIONS,
212	SERVER_FINISHED,	214	SERVER_FINISHED,
213	CLIENT_FINISHED,	215	CLIENT_FINISHED,
@@ -215,6 +217,8 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
215	},	217	},
216	[NEGOTIATED \| WITH_CCV] = {	218	[NEGOTIATED \| WITH_CCV] = {
217	CLIENT_HELLO,	219	CLIENT_HELLO,
		220	SERVER_HELLO_RETRY_REQUEST,
		221	CLIENT_HELLO_RETRY,
218	SERVER_HELLO,	222	SERVER_HELLO,
219	SERVER_ENCRYPTED_EXTENSIONS,	223	SERVER_ENCRYPTED_EXTENSIONS,
220	SERVER_CERTIFICATE_REQUEST,	224	SERVER_CERTIFICATE_REQUEST,
@@ -226,11 +230,9 @@ enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
226	CLIENT_FINISHED,	230	CLIENT_FINISHED,
227	APPLICATION_DATA,	231	APPLICATION_DATA,
228	},	232	},
229	[NEGOTIATED \| WITH_HRR \| WITH_CCV] = {	233	[NEGOTIATED \| WITHOUT_HRR \| WITH_CCV] = {
230	CLIENT_HELLO,	234	CLIENT_HELLO,
231	SERVER_HELLO,	235	SERVER_HELLO,
232	CLIENT_HELLO_RETRY,
233	SERVER_HELLO_RETRY,
234	SERVER_ENCRYPTED_EXTENSIONS,	236	SERVER_ENCRYPTED_EXTENSIONS,
235	SERVER_CERTIFICATE_REQUEST,	237	SERVER_CERTIFICATE_REQUEST,
236	SERVER_CERTIFICATE,	238	SERVER_CERTIFICATE,


diff --git a/src/lib/libssl/tls13_handshake.h b/src/lib/libssl/tls13_handshake.h index 956d27c61a..8a08b9fd5b 100644 --- a/src/lib/libssl/tls13_handshake.h +++ b/src/lib/libssl/tls13_handshake.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.h,v 1.4 2020/03/10 17:15:02 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.h,v 1.5 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
4	*	4	*
@@ -24,7 +24,7 @@ __BEGIN_HIDDEN_DECLS
24		24
25	#define INITIAL 0x00	25	#define INITIAL 0x00
26	#define NEGOTIATED 0x01	26	#define NEGOTIATED 0x01
27	#define WITH_HRR 0x02	27	#define WITHOUT_HRR 0x02
28	#define WITHOUT_CR 0x04	28	#define WITHOUT_CR 0x04
29	#define WITH_PSK 0x08	29	#define WITH_PSK 0x08
30	#define WITH_CCV 0x10	30	#define WITH_CCV 0x10
@@ -33,9 +33,9 @@ __BEGIN_HIDDEN_DECLS
33	enum tls13_message_type {	33	enum tls13_message_type {
34	INVALID,	34	INVALID,
35	CLIENT_HELLO,	35	CLIENT_HELLO,
36	SERVER_HELLO,	36	SERVER_HELLO_RETRY_REQUEST,
37	CLIENT_HELLO_RETRY,	37	CLIENT_HELLO_RETRY,
38	SERVER_HELLO_RETRY,	38	SERVER_HELLO,
39	SERVER_ENCRYPTED_EXTENSIONS,	39	SERVER_ENCRYPTED_EXTENSIONS,
40	SERVER_CERTIFICATE_REQUEST,	40	SERVER_CERTIFICATE_REQUEST,
41	SERVER_CERTIFICATE,	41	SERVER_CERTIFICATE,


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index c5b893bc16..ee82a44693 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.64 2020/04/21 16:55:17 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.65 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -309,8 +309,8 @@ int tls13_client_finished_sent(struct tls13_ctx *ctx);
309	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);	309	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);
310	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);	310	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);
311	int tls13_server_hello_sent(struct tls13_ctx *ctx);	311	int tls13_server_hello_sent(struct tls13_ctx *ctx);
312	int tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs);	312	int tls13_server_hello_retry_request_recv(struct tls13_ctx ctx, CBS cbs);
313	int tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb);	313	int tls13_server_hello_retry_request_send(struct tls13_ctx ctx, CBB cbb);
314	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);	314	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);
315	int tls13_server_encrypted_extensions_send(struct tls13_ctx ctx, CBB cbb);	315	int tls13_server_encrypted_extensions_send(struct tls13_ctx ctx, CBB cbb);
316	int tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs);	316	int tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs);


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index f3d21a7477..9bc4cb6170 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.30 2020/04/21 17:06:16 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.31 2020/04/22 17:05:07 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -280,11 +280,11 @@ tls13_client_hello_recv(struct tls13_ctx ctx, CBS cbs)
280	return 1;	280	return 1;
281		281
282	/*	282	/*
283	* If no matching key share was provided, we need to send a	283	* If a matching key share was provided, we do not need to
284	* HelloRetryRequest, if matching security parameters exist.	284	* send a HelloRetryRequest.
285	*/	285	*/
286	if (ctx->hs->key_share == NULL)	286	if (ctx->hs->key_share != NULL)
287	ctx->handshake_stage.hs_type \|= WITH_HRR;	287	ctx->handshake_stage.hs_type \|= WITHOUT_HRR;
288		288
289	/* XXX - check this is the correct point */	289	/* XXX - check this is the correct point */
290	tls13_record_layer_allow_ccs(ctx->rl, 1);	290	tls13_record_layer_allow_ccs(ctx->rl, 1);
@@ -608,7 +608,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
608	}	608	}
609		609
610	int	610	int
611	tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb)	611	tls13_server_hello_retry_request_send(struct tls13_ctx ctx, CBB cbb)
612	{	612	{
613	return 0;	613	return 0;
614	}	614	}