-rw-r--r--src/lib/libssl/ssl_tlsext.c24
-rw-r--r--src/lib/libssl/tls13_server.c26
2 files changed, 34 insertions, 16 deletions
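diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 4cb7c5bf90..a0e2f7320b 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.62 2020/02/18 16:12:14 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.63 2020/04/21 17:06:16 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1288,13 +1288,27 @@ tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
  return 0;
 
  /*
- * XXX support other groups later.
- * XXX enforce group can only appear once.
+ * XXX - check key exchange against supported groups from client.
+ * XXX - check that groups only appear once.
  */
- if (S3I(s)->hs_tls13.key_share == NULL ||
- tls13_key_share_group(S3I(s)->hs_tls13.key_share) != group)
+
+ /*
+ * Ignore this client share if we're using earlier than TLSv1.3
+ * or we've already selected a key share.
+ */
+ if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
+ continue;
+ if (S3I(s)->hs_tls13.key_share != NULL)
  continue;
 
+ /* XXX - consider implementing server preference. */
+ if (!tls1_check_curve(s, group))
+ continue;
+
+ /* Decode and store the selected key share. */
+ S3I(s)->hs_tls13.key_share = tls13_key_share_new(group);
+ if (S3I(s)->hs_tls13.key_share == NULL)
+ goto err;
  if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
  group, &key_exchange))
  goto err;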
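Review bot: In tlsext_keyshare_server_parse the two checks named in the XXX comment are still unenforced, and the new `continue` on `S3I(s)->hs_tls13.key_share != NULL` means every client share after the first accepted one is skipped without being looked at. A ClientHello that repeats a group, or carries a share for a group it did not list in supported_groups, is therefore accepted silently; RFC 8446 section 4.2.8 forbids both on the client side and lets the server abort with illegal_parameter. I would record the groups already seen in the loop and, ahead of the two `continue` checks, set `*alert` to illegal_parameter and `goto err` when `group` repeats. Until that lands, the comment could state the consequence directly, for example `/* XXX - duplicate or unadvertised groups are currently accepted, not rejected. */`. The loop header and the `err` label are outside this hunk, so the alert value used on the existing `goto err` paths cannot be confirmed from here.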
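diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 1aebf5840c..f3d21a7477 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.29 2020/04/17 17:16:53 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.30 2020/04/21 17:06:16 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -49,11 +49,6 @@ tls13_server_init(struct tls13_ctx *ctx)
  if ((s->session = SSL_SESSION_new()) == NULL)
  return 0;
 
- if ((ctx->hs->key_share = tls13_key_share_new_nid(NID_X25519)) == NULL)
- return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
- return 0;
-
  arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
  return 1;
@@ -284,6 +279,14 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
  if (s->method->internal->version < TLS1_3_VERSION)
  return 1;
 
+ /*
+ * If no matching key share was provided, we need to send a
+ * HelloRetryRequest, if matching security parameters exist.
+ */
+ if (ctx->hs->key_share == NULL)
+ ctx->handshake_stage.hs_type |= WITH_HRR;
+
+ /* XXX - check this is the correct point */
  tls13_record_layer_allow_ccs(ctx->rl, 1);
 
  return 1;
@@ -524,6 +527,12 @@ err:
 int
 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
+ if (ctx->hs->key_share == NULL)
+ return 0;
+
+ if (!tls13_key_share_generate(ctx->hs->key_share))
+ return 0;
+
  if (!tls13_server_hello_build(ctx, cbb))
  return 0;
 
@@ -542,11 +551,6 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
  SSL *s = ctx->ssl;
  int ret = 0;
 
- /* XXX - handle other key share types. */
- if (ctx->hs->key_share == NULL) {
- /* XXX - alert. */
- goto err;
- }
  if (!tls13_key_share_derive(ctx->hs->key_share,
  &shared_key, &shared_key_len))
  goto err;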
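Review bot: In tls13_client_hello_recv, `WITH_HRR` is set whenever `ctx->hs->key_share == NULL`, but the condition in the comment above it, "if matching security parameters exist", is not tested in the visible lines. If the client's supported_groups share nothing with the server, or this is already the ClientHello that follows a HelloRetryRequest, the handshake should end with an alert instead of asking for another retry. As far as this section shows, such a connection is only stopped by the new `return 0` in tls13_server_hello_send, which sets no alert, so the peer gets no reason for the failure. I would add the check next to the `WITH_HRR` assignment, or at least mark the gap with `/* XXX - fail with handshake_failure if no group is mutually supported or this is the second ClientHello. */`. The bodies of these functions extend beyond the hunks, so part of this may already be handled elsewhere.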