1 files changed, 22 insertions, 326 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 06105f976d..d5c30c4e73 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.33 2019/01/23 18:24:40 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,26 +536,9 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
        if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                return 0;
-        switch (TLS1_get_client_version(s)) {
+        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
-        case TLS1_2_VERSION:
-                if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
-                        return 0;
-                break;
-        case TLS1_3_VERSION: 
-                if  (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
-                        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
-                            tls12_sigalgs_len))
-                                return 0;
-                } else {
-                        if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
-                            tls13_sigalgs_len))
-                                return 0;               }
-                break;
-        default:
-                /* Should not happen */
                return 0;
-        }
        if (!CBB_flush(cbb))
                return 0;
@@ -570,17 +553,7 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
        if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
                return 0;
-        switch (s->version) {
+        return tls1_process_sigalgs(s, &sigalgs);
-        case TLS1_3_VERSION:
-                return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
-                    tls13_sigalgs_len);
-        case TLS1_2_VERSION:
-                return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
-                    tls12_sigalgs_len);
-        default:
-                /* Fail if we get a version > what we recognize */
-                return 0;
-        }
 }
 int
@@ -1270,7 +1243,7 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
        return 1;
- err:
+err:
        freezero(public_key, X25519_KEY_LENGTH);
        freezero(private_key, X25519_KEY_LENGTH);
@@ -1280,100 +1253,24 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
 int
 tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
 {
-        CBS client_shares;
+        /* XXX we accept this but currently ignore it */
-        CBS key_exchange;
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
-        uint16_t group;
+                *alert = TLS1_AD_INTERNAL_ERROR;
-        size_t out_len;
+                return 0;
-        int ret = 0;
-        if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        while (CBS_len(&client_shares) > 0) {
-                /* Unpack client share. */
-                if (!CBS_get_u16(&client_shares, &group))
-                        goto err;
-                if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
-                        goto err;
-                /*
-                 * Skip this client share if not X25519
-                 * XXX support other groups later.
-                 */
-                if (ret || group != tls1_ec_nid2curve_id(NID_X25519))
-                        continue;
-                if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
-                        goto err;
-                if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
-                    &out_len))
-                        goto err;
-                ret = 1;
        }
-        return ret;
+        return 1;
- err:
-        *alert = SSL_AD_DECODE_ERROR;
-        return 0;
 }
 int
 tlsext_keyshare_server_needs(SSL *s)
 {
-        size_t idx;
+        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
-        if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)
-                return 0;
-        if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
-                return 0;
-        return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
 }
 int
 tlsext_keyshare_server_build(SSL *s, CBB *cbb)
 {
-        uint8_t *public_key = NULL, *private_key = NULL;
-        CBB key_exchange;
-        /* X25519 */
-        if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
-                return 0;
-        /* Generate X25519 key pair. */
-        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
-                goto err;
-        X25519_keypair(public_key, private_key);
-        /* Add the group and serialize the public key. */
-        if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
-                goto err;
-        if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
-                goto err;
-        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
-                goto err;
-        if (!CBB_flush(cbb))
-                goto err;
-        S3I(s)->hs_tls13.x25519_public = public_key;
-        S3I(s)->hs_tls13.x25519_private = private_key;
-        return 1;
- err:
-        freezero(public_key, X25519_KEY_LENGTH);
-        freezero(private_key, X25519_KEY_LENGTH);
        return 0;
 }
@@ -1394,10 +1291,6 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
        if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
                goto err;
        if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1420,9 +1313,8 @@ tlsext_versions_client_needs(SSL *s)
        /* XXX once this gets initialized when we get tls13_client.c */
        if (S3I(s)->hs_tls13.max_version == 0)
                return 0;
-        if (SSL_IS_DTLS(s))
+        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
-                return 0;
+            TLS1_3_VERSION);
-        return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
 }
 int
@@ -1456,41 +1348,13 @@ tlsext_versions_client_build(SSL *s, CBB *cbb)
 int
 tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
 {
-        CBS versions;
+        /* XXX we accept this but currently ignore it */
-        uint16_t version;
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
-        uint16_t max, min;
+                *alert = TLS1_AD_INTERNAL_ERROR;
-        uint16_t matched_version = 0;
+                return 0;
-        max = S3I(s)->hs_tls13.max_version;
-        min = S3I(s)->hs_tls13.min_version;
-        if (!CBS_get_u8_length_prefixed(cbs, &versions))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        if (CBS_len(&versions) < 2)
-                goto err;
-        while(CBS_len(&versions) > 0) {
-                if (!CBS_get_u16(&versions, &version))
-                        goto err;
-                /*
-                 * XXX What is below implements client preference, and
-                 * ignores any server preference entirely.
-                 */
-                if (matched_version == 0 && version >= min && version <= max)
-                        matched_version = version;
        }
-        if (matched_version != 0)
-                s->version = matched_version;
        return 1;
- err:
-        *alert = SSL_AD_DECODE_ERROR;
-        return 0;
 }
 int
@@ -1502,11 +1366,7 @@ tlsext_versions_server_needs(SSL *s)
 int
 tlsext_versions_server_build(SSL *s, CBB *cbb)
 {
-        if (!CBB_add_u16(cbb, TLS1_3_VERSION))
+        return 0;
-                return 0;
-        /* XXX set 1.2 in legacy version?  */
-        return 1;
 }
 int
@@ -1519,161 +1379,12 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
                return 0;
        }
-        if (CBS_len(cbs) != 0) {
-                *alert = SSL_AD_DECODE_ERROR;
-                return 0;
-        }
-        if (selected_version < TLS1_3_VERSION) {
-                *alert = SSL_AD_ILLEGAL_PARAMETER;
-                return 0;
-        }
        /* XXX test between min and max once initialization code goes in */
        S3I(s)->hs_tls13.server_version = selected_version;
        return 1;
 }
-/*
- * Cookie - RFC 8446 section 4.2.2.
- */
-int
-tlsext_cookie_client_needs(SSL *s)
-{
-        /* XXX once this gets initialized when we get tls13_client.c */
-        if (S3I(s)->hs_tls13.max_version == 0)
-                return 0;
-        if (SSL_IS_DTLS(s))
-                return 0;
-        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
-                return 0;
-        return ((S3I(s)->hs_tls13.cookie_len > 0) &&
-            (S3I(s)->hs_tls13.cookie != NULL));
-}
-int
-tlsext_cookie_client_build(SSL *s, CBB *cbb)
-{
-        CBB cookie;
-        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
-                return 0;
-        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len))
-                return 0;
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-int
-tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert)
-{
-        CBS cookie;
-        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
-                goto err;
-        /*
-         * Check provided cookie value against what server previously
-         * sent - client *MUST* send the same cookie with new CR after
-         * a cookie is sent by the server with an HRR
-         */
-        if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len) != 0) {
-                /* XXX special cookie mismatch alert? */
-                *alert = SSL_AD_ILLEGAL_PARAMETER;
-                return 0;
-        }
-        return 1;
- err:
-        *alert = SSL_AD_DECODE_ERROR;
-        return 0;
-}
-int
-tlsext_cookie_server_needs(SSL *s)
-{
-        /* XXX once this gets initialized when we get tls13_client.c */
-        if (S3I(s)->hs_tls13.max_version == 0)
-                return 0;
-        if (SSL_IS_DTLS(s))
-                return 0;
-        if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
-                return 0;
-        /*
-         * Server needs to set cookie value in tls13 handshake
-         * in order to send one, should only be sent with HRR.
-         */
-        return ((S3I(s)->hs_tls13.cookie_len > 0) &&
-            (S3I(s)->hs_tls13.cookie != NULL));
-}
-int
-tlsext_cookie_server_build(SSL *s, CBB *cbb)
-{
-        CBB cookie;
-        if (!CBB_add_u16_length_prefixed(cbb, &cookie))
-                return 0;
-        if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
-            S3I(s)->hs_tls13.cookie_len))
-                return 0;
-        if (!CBB_flush(cbb))
-                return 0;
-        return 1;
-}
-int
-tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert)
-{
-        CBS cookie;
-        /*
-         * XXX This currently assumes we will not get a second
-         * HRR from a server with a cookie to process after accepting
-         * one from the server in the same handshake
-         */
-        if ((S3I(s)->hs_tls13.cookie != NULL) ||
-            S3I(s)->hs_tls13.cookie_len != 0) {
-                *alert = SSL_AD_ILLEGAL_PARAMETER;
-                return 0;
-        }
-        if (!CBS_get_u16_length_prefixed(cbs, &cookie))
-                goto err;
-        if (CBS_len(cbs) != 0)
-                goto err;
-        if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
-                goto err;
-        memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
-        S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
-        return 1;
- err:
-        *alert = SSL_AD_DECODE_ERROR;
-        return 0;
-}
 struct tls_extension_funcs {
        int (*needs)(SSL *s);
        int (*build)(SSL *s, CBB *cbb);
@@ -1831,20 +1542,6 @@ static struct tls_extension tls_extensions[] = {
                        .parse = tlsext_alpn_client_parse,
                },
        },
-        {
-                .type = TLSEXT_TYPE_cookie,
-                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
-                .client = {
-                        .needs = tlsext_cookie_client_needs,
-                        .build = tlsext_cookie_client_build,
-                        .parse = tlsext_cookie_server_parse,
-                },
-                .server = {
-                        .needs = tlsext_cookie_server_needs,
-                        .build = tlsext_cookie_server_build,
-                        .parse = tlsext_cookie_client_parse,
-                },
-        },
 #ifndef OPENSSL_NO_SRTP
        {
                .type = TLSEXT_TYPE_use_srtp,
@@ -1868,7 +1565,7 @@ static struct tls_extension tls_extensions[] = {
 /* Ensure that extensions fit in a uint32_t bitmask. */
 CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
-struct tls_extension *
+static struct tls_extension *
 tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
 {
        size_t i;
@@ -1948,12 +1645,11 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
        struct tls_extension_funcs *ext;
        struct tls_extension *tlsext;
        CBS extensions, extension_data;
+        uint32_t extensions_seen = 0;
        uint16_t type;
        size_t idx;
        uint16_t version;
-        S3I(s)->hs.extensions_seen = 0;
        if (is_server)
                version = s->version;
        else
@@ -1992,9 +1688,9 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
                }
                /* Check for duplicate known extensions. */
-                if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
+                if ((extensions_seen & (1 << idx)) != 0)
                        return 0;
-                S3I(s)->hs.extensions_seen |= (1 << idx);
+                extensions_seen |= (1 << idx);
                ext = tlsext_funcs(tlsext, is_server);
                if (!ext->parse(s, &extension_data, alert))

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 06105f976d..d5c30c4e73 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.33 2019/01/23 18:24:40 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,26 +536,9 @@ tlsext_sigalgs_client_build(SSL s, CBB cbb)
536	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))	536	if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
537	return 0;	537	return 0;
538		538
539	switch (TLS1_get_client_version(s)) {	539	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
540	case TLS1_2_VERSION:
541	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
542	return 0;
543	break;
544	case TLS1_3_VERSION:
545	if (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
546	if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
547	tls12_sigalgs_len))
548	return 0;
549	} else {
550	if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
551	tls13_sigalgs_len))
552	return 0; }
553
554	break;
555	default:
556	/* Should not happen */
557	return 0;	540	return 0;
558	}	541
559	if (!CBB_flush(cbb))	542	if (!CBB_flush(cbb))
560	return 0;	543	return 0;
561		544
@@ -570,17 +553,7 @@ tlsext_sigalgs_server_parse(SSL s, CBS cbs, int *alert)
570	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))	553	if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
571	return 0;	554	return 0;
572		555
573	switch (s->version) {	556	return tls1_process_sigalgs(s, &sigalgs);
574	case TLS1_3_VERSION:
575	return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
576	tls13_sigalgs_len);
577	case TLS1_2_VERSION:
578	return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
579	tls12_sigalgs_len);
580	default:
581	/* Fail if we get a version > what we recognize */
582	return 0;
583	}
584	}	557	}
585		558
586	int	559	int
@@ -1270,7 +1243,7 @@ tlsext_keyshare_client_build(SSL s, CBB cbb)
1270		1243
1271	return 1;	1244	return 1;
1272		1245
1273	err:	1246	err:
1274	freezero(public_key, X25519_KEY_LENGTH);	1247	freezero(public_key, X25519_KEY_LENGTH);
1275	freezero(private_key, X25519_KEY_LENGTH);	1248	freezero(private_key, X25519_KEY_LENGTH);
1276		1249
@@ -1280,100 +1253,24 @@ tlsext_keyshare_client_build(SSL s, CBB cbb)
1280	int	1253	int
1281	tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert)	1254	tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert)
1282	{	1255	{
1283	CBS client_shares;	1256	/* XXX we accept this but currently ignore it */
1284	CBS key_exchange;	1257	if (!CBS_skip(cbs, CBS_len(cbs))) {
1285	uint16_t group;	1258	*alert = TLS1_AD_INTERNAL_ERROR;
1286	size_t out_len;	1259	return 0;
1287	int ret = 0;
1288
1289	if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1290	goto err;
1291
1292	if (CBS_len(cbs) != 0)
1293	goto err;
1294
1295	while (CBS_len(&client_shares) > 0) {
1296
1297	/* Unpack client share. */
1298	if (!CBS_get_u16(&client_shares, &group))
1299	goto err;
1300
1301	if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1302	goto err;
1303
1304	/*
1305	* Skip this client share if not X25519
1306	* XXX support other groups later.
1307	*/
1308	if (ret \|\| group != tls1_ec_nid2curve_id(NID_X25519))
1309	continue;
1310
1311	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1312	goto err;
1313
1314	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
1315	&out_len))
1316	goto err;
1317
1318	ret = 1;
1319	}	1260	}
1320		1261
1321	return ret;	1262	return 1;
1322
1323	err:
1324	*alert = SSL_AD_DECODE_ERROR;
1325	return 0;
1326	}	1263	}
1327		1264
1328	int	1265	int
1329	tlsext_keyshare_server_needs(SSL *s)	1266	tlsext_keyshare_server_needs(SSL *s)
1330	{	1267	{
1331	size_t idx;	1268	return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
1332
1333	if (SSL_IS_DTLS(s) \|\| s->version < TLS1_3_VERSION)
1334	return 0;
1335	if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
1336	return 0;
1337	return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1338	}	1269	}
1339		1270
1340	int	1271	int
1341	tlsext_keyshare_server_build(SSL s, CBB cbb)	1272	tlsext_keyshare_server_build(SSL s, CBB cbb)
1342	{	1273	{
1343	uint8_t public_key = NULL, private_key = NULL;
1344	CBB key_exchange;
1345
1346	/* X25519 */
1347	if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
1348	return 0;
1349
1350	/* Generate X25519 key pair. */
1351	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
1352	goto err;
1353	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
1354	goto err;
1355	X25519_keypair(public_key, private_key);
1356
1357	/* Add the group and serialize the public key. */
1358	if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
1359	goto err;
1360	if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1361	goto err;
1362	if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
1363	goto err;
1364
1365	if (!CBB_flush(cbb))
1366	goto err;
1367
1368	S3I(s)->hs_tls13.x25519_public = public_key;
1369	S3I(s)->hs_tls13.x25519_private = private_key;
1370
1371	return 1;
1372
1373	err:
1374	freezero(public_key, X25519_KEY_LENGTH);
1375	freezero(private_key, X25519_KEY_LENGTH);
1376
1377	return 0;	1274	return 0;
1378	}	1275	}
1379		1276
@@ -1394,10 +1291,6 @@ tlsext_keyshare_client_parse(SSL s, CBS cbs, int *alert)
1394		1291
1395	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))	1292	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1396	goto err;	1293	goto err;
1397
1398	if (CBS_len(cbs) != 0)
1399	goto err;
1400
1401	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)	1294	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1402	goto err;	1295	goto err;
1403	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,	1296	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1420,9 +1313,8 @@ tlsext_versions_client_needs(SSL *s)
1420	/* XXX once this gets initialized when we get tls13_client.c */	1313	/* XXX once this gets initialized when we get tls13_client.c */
1421	if (S3I(s)->hs_tls13.max_version == 0)	1314	if (S3I(s)->hs_tls13.max_version == 0)
1422	return 0;	1315	return 0;
1423	if (SSL_IS_DTLS(s))	1316	return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
1424	return 0;	1317	TLS1_3_VERSION);
1425	return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1426	}	1318	}
1427		1319
1428	int	1320	int
@@ -1456,41 +1348,13 @@ tlsext_versions_client_build(SSL s, CBB cbb)
1456	int	1348	int
1457	tlsext_versions_server_parse(SSL s, CBS cbs, int *alert)	1349	tlsext_versions_server_parse(SSL s, CBS cbs, int *alert)
1458	{	1350	{
1459	CBS versions;	1351	/* XXX we accept this but currently ignore it */
1460	uint16_t version;	1352	if (!CBS_skip(cbs, CBS_len(cbs))) {
1461	uint16_t max, min;	1353	*alert = TLS1_AD_INTERNAL_ERROR;
1462	uint16_t matched_version = 0;	1354	return 0;
1463
1464	max = S3I(s)->hs_tls13.max_version;
1465	min = S3I(s)->hs_tls13.min_version;
1466
1467	if (!CBS_get_u8_length_prefixed(cbs, &versions))
1468	goto err;
1469
1470	if (CBS_len(cbs) != 0)
1471	goto err;
1472
1473	if (CBS_len(&versions) < 2)
1474	goto err;
1475
1476	while(CBS_len(&versions) > 0) {
1477	if (!CBS_get_u16(&versions, &version))
1478	goto err;
1479	/*
1480	* XXX What is below implements client preference, and
1481	* ignores any server preference entirely.
1482	*/
1483	if (matched_version == 0 && version >= min && version <= max)
1484	matched_version = version;
1485	}	1355	}
1486	if (matched_version != 0)
1487	s->version = matched_version;
1488		1356
1489	return 1;	1357	return 1;
1490
1491	err:
1492	*alert = SSL_AD_DECODE_ERROR;
1493	return 0;
1494	}	1358	}
1495		1359
1496	int	1360	int
@@ -1502,11 +1366,7 @@ tlsext_versions_server_needs(SSL *s)
1502	int	1366	int
1503	tlsext_versions_server_build(SSL s, CBB cbb)	1367	tlsext_versions_server_build(SSL s, CBB cbb)
1504	{	1368	{
1505	if (!CBB_add_u16(cbb, TLS1_3_VERSION))	1369	return 0;
1506	return 0;
1507	/* XXX set 1.2 in legacy version? */
1508
1509	return 1;
1510	}	1370	}
1511		1371
1512	int	1372	int
@@ -1519,161 +1379,12 @@ tlsext_versions_client_parse(SSL s, CBS cbs, int *alert)
1519	return 0;	1379	return 0;
1520	}	1380	}
1521		1381
1522	if (CBS_len(cbs) != 0) {
1523	*alert = SSL_AD_DECODE_ERROR;
1524	return 0;
1525	}
1526
1527	if (selected_version < TLS1_3_VERSION) {
1528	*alert = SSL_AD_ILLEGAL_PARAMETER;
1529	return 0;
1530	}
1531
1532	/* XXX test between min and max once initialization code goes in */	1382	/* XXX test between min and max once initialization code goes in */
1533	S3I(s)->hs_tls13.server_version = selected_version;	1383	S3I(s)->hs_tls13.server_version = selected_version;
1534		1384
1535	return 1;	1385	return 1;
1536	}	1386	}
1537		1387
1538
1539	/*
1540	* Cookie - RFC 8446 section 4.2.2.
1541	*/
1542
1543	int
1544	tlsext_cookie_client_needs(SSL *s)
1545	{
1546	/* XXX once this gets initialized when we get tls13_client.c */
1547	if (S3I(s)->hs_tls13.max_version == 0)
1548	return 0;
1549	if (SSL_IS_DTLS(s))
1550	return 0;
1551	if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1552	return 0;
1553	return ((S3I(s)->hs_tls13.cookie_len > 0) &&
1554	(S3I(s)->hs_tls13.cookie != NULL));
1555	}
1556
1557	int
1558	tlsext_cookie_client_build(SSL s, CBB cbb)
1559	{
1560	CBB cookie;
1561
1562	if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1563	return 0;
1564
1565	if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1566	S3I(s)->hs_tls13.cookie_len))
1567	return 0;
1568
1569	if (!CBB_flush(cbb))
1570	return 0;
1571
1572	return 1;
1573	}
1574
1575	int
1576	tlsext_cookie_server_parse(SSL s, CBS cbs, int *alert)
1577	{
1578	CBS cookie;
1579
1580	if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1581	goto err;
1582
1583	if (CBS_len(cbs) != 0)
1584	goto err;
1585
1586	if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
1587	goto err;
1588
1589	/*
1590	* Check provided cookie value against what server previously
1591	* sent - client MUST send the same cookie with new CR after
1592	* a cookie is sent by the server with an HRR
1593	*/
1594	if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
1595	S3I(s)->hs_tls13.cookie_len) != 0) {
1596	/* XXX special cookie mismatch alert? */
1597	*alert = SSL_AD_ILLEGAL_PARAMETER;
1598	return 0;
1599	}
1600
1601	return 1;
1602
1603	err:
1604	*alert = SSL_AD_DECODE_ERROR;
1605	return 0;
1606	}
1607
1608	int
1609	tlsext_cookie_server_needs(SSL *s)
1610	{
1611	/* XXX once this gets initialized when we get tls13_client.c */
1612	if (S3I(s)->hs_tls13.max_version == 0)
1613	return 0;
1614	if (SSL_IS_DTLS(s))
1615	return 0;
1616	if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1617	return 0;
1618	/*
1619	* Server needs to set cookie value in tls13 handshake
1620	* in order to send one, should only be sent with HRR.
1621	*/
1622	return ((S3I(s)->hs_tls13.cookie_len > 0) &&
1623	(S3I(s)->hs_tls13.cookie != NULL));
1624	}
1625
1626	int
1627	tlsext_cookie_server_build(SSL s, CBB cbb)
1628	{
1629	CBB cookie;
1630
1631	if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1632	return 0;
1633	if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1634	S3I(s)->hs_tls13.cookie_len))
1635	return 0;
1636	if (!CBB_flush(cbb))
1637	return 0;
1638
1639	return 1;
1640	}
1641
1642	int
1643	tlsext_cookie_client_parse(SSL s, CBS cbs, int *alert)
1644	{
1645	CBS cookie;
1646
1647	/*
1648	* XXX This currently assumes we will not get a second
1649	* HRR from a server with a cookie to process after accepting
1650	* one from the server in the same handshake
1651	*/
1652	if ((S3I(s)->hs_tls13.cookie != NULL) \|\|
1653	S3I(s)->hs_tls13.cookie_len != 0) {
1654	*alert = SSL_AD_ILLEGAL_PARAMETER;
1655	return 0;
1656	}
1657
1658	if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1659	goto err;
1660
1661	if (CBS_len(cbs) != 0)
1662	goto err;
1663
1664	if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
1665	goto err;
1666
1667	memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
1668	S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
1669
1670	return 1;
1671
1672	err:
1673	*alert = SSL_AD_DECODE_ERROR;
1674	return 0;
1675	}
1676
1677	struct tls_extension_funcs {	1388	struct tls_extension_funcs {
1678	int (needs)(SSL s);	1389	int (needs)(SSL s);
1679	int (build)(SSL s, CBB *cbb);	1390	int (build)(SSL s, CBB *cbb);
@@ -1831,20 +1542,6 @@ static struct tls_extension tls_extensions[] = {
1831	.parse = tlsext_alpn_client_parse,	1542	.parse = tlsext_alpn_client_parse,
1832	},	1543	},
1833	},	1544	},
1834	{
1835	.type = TLSEXT_TYPE_cookie,
1836	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_HRR,
1837	.client = {
1838	.needs = tlsext_cookie_client_needs,
1839	.build = tlsext_cookie_client_build,
1840	.parse = tlsext_cookie_server_parse,
1841	},
1842	.server = {
1843	.needs = tlsext_cookie_server_needs,
1844	.build = tlsext_cookie_server_build,
1845	.parse = tlsext_cookie_client_parse,
1846	},
1847	},
1848	#ifndef OPENSSL_NO_SRTP	1545	#ifndef OPENSSL_NO_SRTP
1849	{	1546	{
1850	.type = TLSEXT_TYPE_use_srtp,	1547	.type = TLSEXT_TYPE_use_srtp,
@@ -1868,7 +1565,7 @@ static struct tls_extension tls_extensions[] = {
1868	/* Ensure that extensions fit in a uint32_t bitmask. */	1565	/* Ensure that extensions fit in a uint32_t bitmask. */
1869	CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));	1566	CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1870		1567
1871	struct tls_extension *	1568	static struct tls_extension *
1872	tls_extension_find(uint16_t type, size_t *tls_extensions_idx)	1569	tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1873	{	1570	{
1874	size_t i;	1571	size_t i;
@@ -1948,12 +1645,11 @@ tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
1948	struct tls_extension_funcs *ext;	1645	struct tls_extension_funcs *ext;
1949	struct tls_extension *tlsext;	1646	struct tls_extension *tlsext;
1950	CBS extensions, extension_data;	1647	CBS extensions, extension_data;
		1648	uint32_t extensions_seen = 0;
1951	uint16_t type;	1649	uint16_t type;
1952	size_t idx;	1650	size_t idx;
1953	uint16_t version;	1651	uint16_t version;
1954		1652
1955	S3I(s)->hs.extensions_seen = 0;
1956
1957	if (is_server)	1653	if (is_server)
1958	version = s->version;	1654	version = s->version;
1959	else	1655	else
@@ -1992,9 +1688,9 @@ tlsext_parse(SSL s, CBS cbs, int *alert, int is_server, uint16_t msg_type)
1992	}	1688	}
1993		1689
1994	/* Check for duplicate known extensions. */	1690	/* Check for duplicate known extensions. */
1995	if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)	1691	if ((extensions_seen & (1 << idx)) != 0)
1996	return 0;	1692	return 0;
1997	S3I(s)->hs.extensions_seen \|= (1 << idx);	1693	extensions_seen \|= (1 << idx);
1998		1694
1999	ext = tlsext_funcs(tlsext, is_server);	1695	ext = tlsext_funcs(tlsext, is_server);
2000	if (!ext->parse(s, &extension_data, alert))	1696	if (!ext->parse(s, &extension_data, alert))