1 files changed, 222 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index da34a79f7d..91b3b7d958 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.28 2019/01/18 03:39:27 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.29 2019/01/18 12:09:52 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -16,6 +16,7 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <openssl/curve25519.h>
 #include <openssl/ocsp.h>
 #include "ssl_locl.h"
@@ -1193,6 +1194,196 @@ tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert)
 #endif /* OPENSSL_NO_SRTP */
+/*
+ * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
+ */
+int
+tlsext_keyshare_client_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
+            TLS1_3_VERSION);
+}
+int
+tlsext_keyshare_client_build(SSL *s, CBB *cbb)
+{
+        uint8_t *public_key = NULL, *private_key = NULL;
+        CBB client_shares, key_exchange;
+        /* Generate and provide key shares. */
+        if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
+                return 0;
+        /* XXX - other groups. */
+        /* Generate X25519 key pair. */
+        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        X25519_keypair(public_key, private_key);
+        /* Add the group and serialize the public key. */
+        if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519)))
+                goto err;
+        if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
+                goto err;
+        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
+                goto err;
+        if (!CBB_flush(cbb))
+                goto err;
+        S3I(s)->hs_tls13.x25519_public = public_key;
+        S3I(s)->hs_tls13.x25519_private = private_key;
+        return 1;
+err:
+        freezero(public_key, X25519_KEY_LENGTH);
+        freezero(private_key, X25519_KEY_LENGTH);
+        return 0;
+}
+int
+tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
+{
+        /* XXX we accept this but currently ignore it */
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
+                *alert = TLS1_AD_INTERNAL_ERROR;
+                return 0;
+        }
+        return 1;
+}
+int
+tlsext_keyshare_server_needs(SSL *s)
+{
+        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
+}
+int
+tlsext_keyshare_server_build(SSL *s, CBB *cbb)
+{
+        return 0;
+}
+int
+tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS key_exchange;
+        uint16_t group;
+        size_t out_len;
+        /* Unpack server share. */
+        if (!CBS_get_u16(cbs, &group))
+                goto err;
+        /* Handle other groups and verify that they're valid. */
+        if (group != tls1_ec_nid2curve_id(NID_X25519))
+                goto err;
+        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
+                goto err;
+        if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
+                goto err;
+        if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
+                &out_len))
+                goto err;
+        return 1;
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
+}
+/*
+ * Supported Versions - RFC 8446 section 4.2.1.
+ */
+int
+tlsext_versions_client_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
+            TLS1_3_VERSION);
+}
+int
+tlsext_versions_client_build(SSL *s, CBB *cbb)
+{
+        uint16_t version;
+        CBB versions;
+        uint16_t max, min;
+        max = S3I(s)->hs_tls13.max_version;
+        min = S3I(s)->hs_tls13.min_version;
+        if (min < TLS1_VERSION)
+                return 0;
+        if (!CBB_add_u8_length_prefixed(cbb, &versions))
+                return 0;
+        /* XXX - fix, but contiguous for now... */
+        for (version = max; version >= min; version--) {
+                if (!CBB_add_u16(&versions, version))
+                        return 0;
+        }
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+int
+tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
+{
+        /* XXX we accept this but currently ignore it */
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
+                *alert = TLS1_AD_INTERNAL_ERROR;
+                return 0;
+        }
+        return 1;
+}
+int
+tlsext_versions_server_needs(SSL *s)
+{
+        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
+}
+int
+tlsext_versions_server_build(SSL *s, CBB *cbb)
+{
+        return 0;
+}
+int
+tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
+{
+        uint16_t selected_version;
+        if (!CBS_get_u16(cbs, &selected_version)) {
+                *alert = SSL_AD_DECODE_ERROR;
+                return 0;
+        }
+        /* XXX test between min and max once initialization code goes in */
+        S3I(s)->hs_tls13.server_version = selected_version;
+        return 1;
+}
 struct tls_extension_funcs {
        int (*needs)(SSL *s);
        int (*build)(SSL *s, CBB *cbb);
@@ -1208,6 +1399,36 @@ struct tls_extension {
 static struct tls_extension tls_extensions[] = {
        {
+                .type = TLSEXT_TYPE_supported_versions,
+                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
+                    SSL_TLSEXT_MSG_HRR,
+                .client = {
+                        .needs = tlsext_versions_client_needs,
+                        .build = tlsext_versions_client_build,
+                        .parse = tlsext_versions_server_parse,
+                },
+                .server = {
+                        .needs = tlsext_versions_server_needs,
+                        .build = tlsext_versions_server_build,
+                        .parse = tlsext_versions_client_parse,
+                },
+        },
+        {
+                .type = TLSEXT_TYPE_key_share,
+                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
+                    SSL_TLSEXT_MSG_HRR,
+                .client = {
+                        .needs = tlsext_keyshare_client_needs,
+                        .build = tlsext_keyshare_client_build,
+                        .parse = tlsext_keyshare_server_parse,
+                },
+                .server = {
+                        .needs = tlsext_keyshare_server_needs,
+                        .build = tlsext_keyshare_server_build,
+                        .parse = tlsext_keyshare_client_parse,
+                },
+        },
+        {
                .type = TLSEXT_TYPE_server_name,
                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
                .client = {

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index da34a79f7d..91b3b7d958 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.28 2019/01/18 03:39:27 beck Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.29 2019/01/18 12:09:52 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -16,6 +16,7 @@
16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18	*/	18	*/
		19	#include <openssl/curve25519.h>
19	#include <openssl/ocsp.h>	20	#include <openssl/ocsp.h>
20		21
21	#include "ssl_locl.h"	22	#include "ssl_locl.h"
@@ -1193,6 +1194,196 @@ tlsext_srtp_client_parse(SSL s, CBS cbs, int *alert)
1193		1194
1194	#endif /* OPENSSL_NO_SRTP */	1195	#endif /* OPENSSL_NO_SRTP */
1195		1196
		1197	/*
		1198	* TLSv1.3 Key Share - RFC 8446 section 4.2.8.
		1199	*/
		1200	int
		1201	tlsext_keyshare_client_needs(SSL *s)
		1202	{
		1203	/* XXX once this gets initialized when we get tls13_client.c */
		1204	if (S3I(s)->hs_tls13.max_version == 0)
		1205	return 0;
		1206	return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
		1207	TLS1_3_VERSION);
		1208	}
		1209
		1210	int
		1211	tlsext_keyshare_client_build(SSL s, CBB cbb)
		1212	{
		1213	uint8_t public_key = NULL, private_key = NULL;
		1214	CBB client_shares, key_exchange;
		1215
		1216	/* Generate and provide key shares. */
		1217	if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
		1218	return 0;
		1219
		1220	/* XXX - other groups. */
		1221
		1222	/* Generate X25519 key pair. */
		1223	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
		1224	goto err;
		1225	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
		1226	goto err;
		1227	X25519_keypair(public_key, private_key);
		1228
		1229	/* Add the group and serialize the public key. */
		1230	if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519)))
		1231	goto err;
		1232	if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
		1233	goto err;
		1234	if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
		1235	goto err;
		1236
		1237	if (!CBB_flush(cbb))
		1238	goto err;
		1239
		1240	S3I(s)->hs_tls13.x25519_public = public_key;
		1241	S3I(s)->hs_tls13.x25519_private = private_key;
		1242
		1243	return 1;
		1244
		1245	err:
		1246	freezero(public_key, X25519_KEY_LENGTH);
		1247	freezero(private_key, X25519_KEY_LENGTH);
		1248
		1249	return 0;
		1250	}
		1251
		1252	int
		1253	tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert)
		1254	{
		1255	/* XXX we accept this but currently ignore it */
		1256	if (!CBS_skip(cbs, CBS_len(cbs))) {
		1257	*alert = TLS1_AD_INTERNAL_ERROR;
		1258	return 0;
		1259	}
		1260
		1261	return 1;
		1262	}
		1263
		1264	int
		1265	tlsext_keyshare_server_needs(SSL *s)
		1266	{
		1267	return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
		1268	}
		1269
		1270	int
		1271	tlsext_keyshare_server_build(SSL s, CBB cbb)
		1272	{
		1273	return 0;
		1274	}
		1275
		1276	int
		1277	tlsext_keyshare_client_parse(SSL s, CBS cbs, int *alert)
		1278	{
		1279	CBS key_exchange;
		1280	uint16_t group;
		1281	size_t out_len;
		1282
		1283	/* Unpack server share. */
		1284	if (!CBS_get_u16(cbs, &group))
		1285	goto err;
		1286
		1287	/* Handle other groups and verify that they're valid. */
		1288	if (group != tls1_ec_nid2curve_id(NID_X25519))
		1289	goto err;
		1290
		1291	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
		1292	goto err;
		1293	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
		1294	goto err;
		1295	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
		1296	&out_len))
		1297	goto err;
		1298
		1299	return 1;
		1300
		1301	err:
		1302	*alert = SSL_AD_DECODE_ERROR;
		1303	return 0;
		1304	}
		1305
		1306	/*
		1307	* Supported Versions - RFC 8446 section 4.2.1.
		1308	*/
		1309	int
		1310	tlsext_versions_client_needs(SSL *s)
		1311	{
		1312	/* XXX once this gets initialized when we get tls13_client.c */
		1313	if (S3I(s)->hs_tls13.max_version == 0)
		1314	return 0;
		1315	return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
		1316	TLS1_3_VERSION);
		1317	}
		1318
		1319	int
		1320	tlsext_versions_client_build(SSL s, CBB cbb)
		1321	{
		1322	uint16_t version;
		1323	CBB versions;
		1324	uint16_t max, min;
		1325
		1326	max = S3I(s)->hs_tls13.max_version;
		1327	min = S3I(s)->hs_tls13.min_version;
		1328
		1329	if (min < TLS1_VERSION)
		1330	return 0;
		1331
		1332	if (!CBB_add_u8_length_prefixed(cbb, &versions))
		1333	return 0;
		1334
		1335	/* XXX - fix, but contiguous for now... */
		1336	for (version = max; version >= min; version--) {
		1337	if (!CBB_add_u16(&versions, version))
		1338	return 0;
		1339	}
		1340
		1341	if (!CBB_flush(cbb))
		1342	return 0;
		1343
		1344	return 1;
		1345	}
		1346
		1347	int
		1348	tlsext_versions_server_parse(SSL s, CBS cbs, int *alert)
		1349	{
		1350	/* XXX we accept this but currently ignore it */
		1351	if (!CBS_skip(cbs, CBS_len(cbs))) {
		1352	*alert = TLS1_AD_INTERNAL_ERROR;
		1353	return 0;
		1354	}
		1355
		1356	return 1;
		1357	}
		1358
		1359	int
		1360	tlsext_versions_server_needs(SSL *s)
		1361	{
		1362	return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
		1363	}
		1364
		1365	int
		1366	tlsext_versions_server_build(SSL s, CBB cbb)
		1367	{
		1368	return 0;
		1369	}
		1370
		1371	int
		1372	tlsext_versions_client_parse(SSL s, CBS cbs, int *alert)
		1373	{
		1374	uint16_t selected_version;
		1375
		1376	if (!CBS_get_u16(cbs, &selected_version)) {
		1377	*alert = SSL_AD_DECODE_ERROR;
		1378	return 0;
		1379	}
		1380
		1381	/* XXX test between min and max once initialization code goes in */
		1382	S3I(s)->hs_tls13.server_version = selected_version;
		1383
		1384	return 1;
		1385	}
		1386
1196	struct tls_extension_funcs {	1387	struct tls_extension_funcs {
1197	int (needs)(SSL s);	1388	int (needs)(SSL s);
1198	int (build)(SSL s, CBB *cbb);	1389	int (build)(SSL s, CBB *cbb);
@@ -1208,6 +1399,36 @@ struct tls_extension {
1208		1399
1209	static struct tls_extension tls_extensions[] = {	1400	static struct tls_extension tls_extensions[] = {
1210	{	1401	{
		1402	.type = TLSEXT_TYPE_supported_versions,
		1403	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_SH \|
		1404	SSL_TLSEXT_MSG_HRR,
		1405	.client = {
		1406	.needs = tlsext_versions_client_needs,
		1407	.build = tlsext_versions_client_build,
		1408	.parse = tlsext_versions_server_parse,
		1409	},
		1410	.server = {
		1411	.needs = tlsext_versions_server_needs,
		1412	.build = tlsext_versions_server_build,
		1413	.parse = tlsext_versions_client_parse,
		1414	},
		1415	},
		1416	{
		1417	.type = TLSEXT_TYPE_key_share,
		1418	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_SH \|
		1419	SSL_TLSEXT_MSG_HRR,
		1420	.client = {
		1421	.needs = tlsext_keyshare_client_needs,
		1422	.build = tlsext_keyshare_client_build,
		1423	.parse = tlsext_keyshare_server_parse,
		1424	},
		1425	.server = {
		1426	.needs = tlsext_keyshare_server_needs,
		1427	.build = tlsext_keyshare_server_build,
		1428	.parse = tlsext_keyshare_client_parse,
		1429	},
		1430	},
		1431	{
1211	.type = TLSEXT_TYPE_server_name,	1432	.type = TLSEXT_TYPE_server_name,
1212	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_EE,	1433	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_EE,
1213	.client = {	1434	.client = {