1 files changed, 107 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 400c69fa87..e8723b502c 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.3 2017/07/24 17:39:43 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.4 2017/08/11 05:06:34 doug Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -21,6 +21,103 @@
 #include "ssl_tlsext.h"
 /*
+ * Supported Point Formats Extension - RFC 4492 section 5.1.2
+ */
+static int
+tlsext_ecpf_build(SSL *s, CBB *cbb)
+{
+        CBB ecpf;
+        size_t formats_len;
+        const uint8_t *formats;
+        tls1_get_formatlist(s, 0, &formats, &formats_len);
+        if (formats_len == 0) {
+                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                return 0;
+        }
+        if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
+                return 0;
+        if (!CBB_add_bytes(&ecpf, formats, formats_len))
+                return 0;
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+static int
+tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS ecpf;
+        if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
+                goto err;
+        if (CBS_len(&ecpf) == 0)
+                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
+        /* Must contain uncompressed (0) */
+        if (!CBS_contains_zero_byte(&ecpf)) {
+                SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
+                goto err;
+        }
+        if (!s->internal->hit) {
+                if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
+                    &(SSI(s)->tlsext_ecpointformatlist_length)))
+                        goto err;
+        }
+        return 1;
+ err:
+        *alert = TLS1_AD_INTERNAL_ERROR;
+        return 0;
+}
+int
+tlsext_ecpf_clienthello_needs(SSL *s)
+{
+        return ssl_has_ecc_ciphers(s);
+}
+int
+tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb)
+{
+        return tlsext_ecpf_build(s, cbb);
+}
+int
+tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert)
+{
+        return tlsext_ecpf_parse(s, cbs, alert);
+}
+int
+tlsext_ecpf_serverhello_needs(SSL *s)
+{
+        if (s->version == DTLS1_VERSION)
+                return 0;
+        return ssl_using_ecc_cipher(s);
+}
+int
+tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb)
+{
+        return tlsext_ecpf_build(s, cbb);
+}
+int
+tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert)
+{
+        return tlsext_ecpf_parse(s, cbs, alert);
+}
+/*
 * Renegotiation Indication - RFC 5746.
 */
 int
@@ -313,6 +410,15 @@ static struct tls_extension tls_extensions[] = {
                .serverhello_build = tlsext_ri_serverhello_build,
                .serverhello_parse = tlsext_ri_serverhello_parse,
        },
+        {
+                .type = TLSEXT_TYPE_ec_point_formats,
+                .clienthello_needs = tlsext_ecpf_clienthello_needs,
+                .clienthello_build = tlsext_ecpf_clienthello_build,
+                .clienthello_parse = tlsext_ecpf_clienthello_parse,
+                .serverhello_needs = tlsext_ecpf_serverhello_needs,
+                .serverhello_build = tlsext_ecpf_serverhello_build,
+                .serverhello_parse = tlsext_ecpf_serverhello_parse,
+        },
 };
 #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 400c69fa87..e8723b502c 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.3 2017/07/24 17:39:43 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.4 2017/08/11 05:06:34 doug Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -21,6 +21,103 @@
21	#include "ssl_tlsext.h"	21	#include "ssl_tlsext.h"
22		22
23	/*	23	/*
		24	* Supported Point Formats Extension - RFC 4492 section 5.1.2
		25	*/
		26	static int
		27	tlsext_ecpf_build(SSL s, CBB cbb)
		28	{
		29	CBB ecpf;
		30	size_t formats_len;
		31	const uint8_t *formats;
		32
		33	tls1_get_formatlist(s, 0, &formats, &formats_len);
		34
		35	if (formats_len == 0) {
		36	SSLerror(s, ERR_R_INTERNAL_ERROR);
		37	return 0;
		38	}
		39
		40	if (!CBB_add_u8_length_prefixed(cbb, &ecpf))
		41	return 0;
		42	if (!CBB_add_bytes(&ecpf, formats, formats_len))
		43	return 0;
		44	if (!CBB_flush(cbb))
		45	return 0;
		46
		47	return 1;
		48	}
		49
		50	static int
		51	tlsext_ecpf_parse(SSL s, CBS cbs, int *alert)
		52	{
		53	CBS ecpf;
		54
		55	if (!CBS_get_u8_length_prefixed(cbs, &ecpf))
		56	goto err;
		57	if (CBS_len(&ecpf) == 0)
		58	goto err;
		59	if (CBS_len(cbs) != 0)
		60	goto err;
		61
		62	/* Must contain uncompressed (0) */
		63	if (!CBS_contains_zero_byte(&ecpf)) {
		64	SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
		65	goto err;
		66	}
		67
		68	if (!s->internal->hit) {
		69	if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist),
		70	&(SSI(s)->tlsext_ecpointformatlist_length)))
		71	goto err;
		72	}
		73
		74	return 1;
		75
		76	err:
		77	*alert = TLS1_AD_INTERNAL_ERROR;
		78	return 0;
		79	}
		80
		81	int
		82	tlsext_ecpf_clienthello_needs(SSL *s)
		83	{
		84	return ssl_has_ecc_ciphers(s);
		85	}
		86
		87	int
		88	tlsext_ecpf_clienthello_build(SSL s, CBB cbb)
		89	{
		90	return tlsext_ecpf_build(s, cbb);
		91	}
		92
		93	int
		94	tlsext_ecpf_clienthello_parse(SSL s, CBS cbs, int *alert)
		95	{
		96	return tlsext_ecpf_parse(s, cbs, alert);
		97	}
		98
		99	int
		100	tlsext_ecpf_serverhello_needs(SSL *s)
		101	{
		102	if (s->version == DTLS1_VERSION)
		103	return 0;
		104
		105	return ssl_using_ecc_cipher(s);
		106	}
		107
		108	int
		109	tlsext_ecpf_serverhello_build(SSL s, CBB cbb)
		110	{
		111	return tlsext_ecpf_build(s, cbb);
		112	}
		113
		114	int
		115	tlsext_ecpf_serverhello_parse(SSL s, CBS cbs, int *alert)
		116	{
		117	return tlsext_ecpf_parse(s, cbs, alert);
		118	}
		119
		120	/*
24	* Renegotiation Indication - RFC 5746.	121	* Renegotiation Indication - RFC 5746.
25	*/	122	*/
26	int	123	int
@@ -313,6 +410,15 @@ static struct tls_extension tls_extensions[] = {
313	.serverhello_build = tlsext_ri_serverhello_build,	410	.serverhello_build = tlsext_ri_serverhello_build,
314	.serverhello_parse = tlsext_ri_serverhello_parse,	411	.serverhello_parse = tlsext_ri_serverhello_parse,
315	},	412	},
		413	{
		414	.type = TLSEXT_TYPE_ec_point_formats,
		415	.clienthello_needs = tlsext_ecpf_clienthello_needs,
		416	.clienthello_build = tlsext_ecpf_clienthello_build,
		417	.clienthello_parse = tlsext_ecpf_clienthello_parse,
		418	.serverhello_needs = tlsext_ecpf_serverhello_needs,
		419	.serverhello_build = tlsext_ecpf_serverhello_build,
		420	.serverhello_parse = tlsext_ecpf_serverhello_parse,
		421	},
316	};	422	};
317		423
318	#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))	424	#define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions))