summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_tlsext.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
-rw-r--r--src/lib/libssl/ssl_tlsext.c116
1 files changed, 39 insertions, 77 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index dca9de0305..4f4a39d4bb 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -174,7 +174,7 @@ int
174tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) 174tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type)
175{ 175{
176 return ssl_has_ecc_ciphers(s) || 176 return ssl_has_ecc_ciphers(s) ||
177 (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 177 (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
178} 178}
179 179
180int 180int
@@ -472,7 +472,8 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
472int 472int
473tlsext_ri_server_needs(SSL *s, uint16_t msg_type) 473tlsext_ri_server_needs(SSL *s, uint16_t msg_type)
474{ 474{
475 return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); 475 return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
476 S3I(s)->send_connection_binding);
476} 477}
477 478
478int 479int
@@ -554,7 +555,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
554int 555int
555tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) 556tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type)
556{ 557{
557 return (TLS1_get_client_version(s) >= TLS1_2_VERSION); 558 return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION);
558} 559}
559 560
560int 561int
@@ -564,8 +565,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
564 size_t tls_sigalgs_len = tls12_sigalgs_len; 565 size_t tls_sigalgs_len = tls12_sigalgs_len;
565 CBB sigalgs; 566 CBB sigalgs;
566 567
567 if (TLS1_get_client_version(s) >= TLS1_3_VERSION && 568 if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) {
568 S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) {
569 tls_sigalgs = tls13_sigalgs; 569 tls_sigalgs = tls13_sigalgs;
570 tls_sigalgs_len = tls13_sigalgs_len; 570 tls_sigalgs_len = tls13_sigalgs_len;
571 } 571 }
@@ -600,7 +600,7 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
600int 600int
601tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) 601tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type)
602{ 602{
603 return (s->version >= TLS1_3_VERSION); 603 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
604} 604}
605 605
606int 606int
@@ -610,7 +610,7 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
610 size_t tls_sigalgs_len = tls12_sigalgs_len; 610 size_t tls_sigalgs_len = tls12_sigalgs_len;
611 CBB sigalgs; 611 CBB sigalgs;
612 612
613 if (s->version >= TLS1_3_VERSION) { 613 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
614 tls_sigalgs = tls13_sigalgs; 614 tls_sigalgs = tls13_sigalgs;
615 tls_sigalgs_len = tls13_sigalgs_len; 615 tls_sigalgs_len = tls13_sigalgs_len;
616 } 616 }
@@ -632,7 +632,7 @@ tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
632{ 632{
633 CBS sigalgs; 633 CBS sigalgs;
634 634
635 if (s->version < TLS1_3_VERSION) 635 if (ssl_effective_tls_version(s) < TLS1_3_VERSION)
636 return 0; 636 return 0;
637 637
638 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 638 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
@@ -981,7 +981,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
981int 981int
982tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) 982tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type)
983{ 983{
984 if (s->version >= TLS1_3_VERSION && 984 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
985 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 985 s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
986 s->ctx->internal->tlsext_status_cb != NULL) { 986 s->ctx->internal->tlsext_status_cb != NULL) {
987 s->internal->tlsext_status_expected = 0; 987 s->internal->tlsext_status_expected = 0;
@@ -998,7 +998,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
998{ 998{
999 CBB ocsp_response; 999 CBB ocsp_response;
1000 1000
1001 if (s->version >= TLS1_3_VERSION) { 1001 if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
1002 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) 1002 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
1003 return 0; 1003 return 0;
1004 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) 1004 if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
@@ -1016,11 +1016,10 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1016int 1016int
1017tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) 1017tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1018{ 1018{
1019 CBS response;
1020 uint16_t version = TLS1_get_client_version(s);
1021 uint8_t status_type; 1019 uint8_t status_type;
1020 CBS response;
1022 1021
1023 if (version >= TLS1_3_VERSION) { 1022 if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) {
1024 if (msg_type == SSL_TLSEXT_MSG_CR) { 1023 if (msg_type == SSL_TLSEXT_MSG_CR) {
1025 /* 1024 /*
1026 * RFC 8446, 4.4.2.1 - the server may request an OCSP 1025 * RFC 8446, 4.4.2.1 - the server may request an OCSP
@@ -1406,11 +1405,7 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1406int 1405int
1407tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) 1406tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1408{ 1407{
1409 /* XXX once this gets initialized when we get tls13_client.c */ 1408 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
1410 if (S3I(s)->hs_tls13.max_version == 0)
1411 return 0;
1412 return (!SSL_is_dtls(s) && S3I(s)->hs_tls13.max_version >=
1413 TLS1_3_VERSION);
1414} 1409}
1415 1410
1416int 1411int
@@ -1457,7 +1452,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1457 * Ignore this client share if we're using earlier than TLSv1.3 1452 * Ignore this client share if we're using earlier than TLSv1.3
1458 * or we've already selected a key share. 1453 * or we've already selected a key share.
1459 */ 1454 */
1460 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1455 if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
1461 continue; 1456 continue;
1462 if (S3I(s)->hs_tls13.key_share != NULL) 1457 if (S3I(s)->hs_tls13.key_share != NULL)
1463 continue; 1458 continue;
@@ -1485,10 +1480,8 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1485int 1480int
1486tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1481tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1487{ 1482{
1488 if (SSL_is_dtls(s) || s->version < TLS1_3_VERSION) 1483 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
1489 return 0; 1484 tlsext_extension_seen(s, TLSEXT_TYPE_key_share));
1490
1491 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share);
1492} 1485}
1493 1486
1494int 1487int
@@ -1550,9 +1543,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1550int 1543int
1551tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1544tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1552{ 1545{
1553 if (SSL_is_dtls(s)) 1546 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION);
1554 return 0;
1555 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1556} 1547}
1557 1548
1558int 1549int
@@ -1562,11 +1553,8 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
1562 uint16_t version; 1553 uint16_t version;
1563 CBB versions; 1554 CBB versions;
1564 1555
1565 max = S3I(s)->hs_tls13.max_version; 1556 max = S3I(s)->hs.our_max_tls_version;
1566 min = S3I(s)->hs_tls13.min_version; 1557 min = S3I(s)->hs.our_min_tls_version;
1567
1568 if (min < TLS1_VERSION)
1569 return 0;
1570 1558
1571 if (!CBB_add_u8_length_prefixed(cbb, &versions)) 1559 if (!CBB_add_u8_length_prefixed(cbb, &versions))
1572 return 0; 1560 return 0;
@@ -1591,8 +1579,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1591 uint16_t max, min; 1579 uint16_t max, min;
1592 uint16_t matched_version = 0; 1580 uint16_t matched_version = 0;
1593 1581
1594 max = S3I(s)->hs_tls13.max_version; 1582 max = S3I(s)->hs.our_max_tls_version;
1595 min = S3I(s)->hs_tls13.min_version; 1583 min = S3I(s)->hs.our_min_tls_version;
1596 1584
1597 if (!CBS_get_u8_length_prefixed(cbs, &versions)) 1585 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1598 goto err; 1586 goto err;
@@ -1608,16 +1596,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1608 matched_version = version; 1596 matched_version = version;
1609 } 1597 }
1610 1598
1611 /* 1599 if (matched_version > 0) {
1612 * XXX if we haven't matched a version we should 1600 /* XXX - this should be stored for later processing. */
1613 * fail - but we currently need to succeed to
1614 * ignore this before the server code for 1.3
1615 * is set up and initialized.
1616 */
1617 if (max == 0)
1618 return 1; /* XXX */
1619
1620 if (matched_version != 0) {
1621 s->version = matched_version; 1601 s->version = matched_version;
1622 return 1; 1602 return 1;
1623 } 1603 }
@@ -1633,17 +1613,13 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1633int 1613int
1634tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1614tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1635{ 1615{
1636 return (!SSL_is_dtls(s) && s->version >= TLS1_3_VERSION); 1616 return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION);
1637} 1617}
1638 1618
1639int 1619int
1640tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) 1620tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
1641{ 1621{
1642 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1622 return CBB_add_u16(cbb, TLS1_3_VERSION);
1643 return 0;
1644 /* XXX set 1.2 in legacy version? */
1645
1646 return 1;
1647} 1623}
1648 1624
1649int 1625int
@@ -1656,6 +1632,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1656 return 0; 1632 return 0;
1657 } 1633 }
1658 1634
1635 /* XXX - need to fix for DTLS 1.3 */
1659 if (selected_version < TLS1_3_VERSION) { 1636 if (selected_version < TLS1_3_VERSION) {
1660 *alert = SSL_AD_ILLEGAL_PARAMETER; 1637 *alert = SSL_AD_ILLEGAL_PARAMETER;
1661 return 0; 1638 return 0;
@@ -1675,12 +1652,8 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1675int 1652int
1676tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1653tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1677{ 1654{
1678 if (SSL_is_dtls(s)) 1655 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
1679 return 0; 1656 S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
1680 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1681 return 0;
1682 return (S3I(s)->hs_tls13.cookie_len > 0 &&
1683 S3I(s)->hs_tls13.cookie != NULL);
1684} 1657}
1685 1658
1686int 1659int
@@ -1734,17 +1707,12 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1734int 1707int
1735tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1708tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1736{ 1709{
1737
1738 if (SSL_is_dtls(s))
1739 return 0;
1740 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1741 return 0;
1742 /* 1710 /*
1743 * Server needs to set cookie value in tls13 handshake 1711 * Server needs to set cookie value in tls13 handshake
1744 * in order to send one, should only be sent with HRR. 1712 * in order to send one, should only be sent with HRR.
1745 */ 1713 */
1746 return (S3I(s)->hs_tls13.cookie_len > 0 && 1714 return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
1747 S3I(s)->hs_tls13.cookie != NULL); 1715 S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
1748} 1716}
1749 1717
1750int 1718int
@@ -2033,13 +2001,10 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2033 const struct tls_extension *tlsext; 2001 const struct tls_extension *tlsext;
2034 CBB extensions, extension_data; 2002 CBB extensions, extension_data;
2035 int extensions_present = 0; 2003 int extensions_present = 0;
2004 uint16_t tls_version;
2036 size_t i; 2005 size_t i;
2037 uint16_t version;
2038 2006
2039 if (is_server) 2007 tls_version = ssl_effective_tls_version(s);
2040 version = s->version;
2041 else
2042 version = TLS1_get_client_version(s);
2043 2008
2044 if (!CBB_add_u16_length_prefixed(cbb, &extensions)) 2009 if (!CBB_add_u16_length_prefixed(cbb, &extensions))
2045 return 0; 2010 return 0;
@@ -2049,7 +2014,7 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb)
2049 ext = tlsext_funcs(tlsext, is_server); 2014 ext = tlsext_funcs(tlsext, is_server);
2050 2015
2051 /* RFC 8446 Section 4.2 */ 2016 /* RFC 8446 Section 4.2 */
2052 if (version >= TLS1_3_VERSION && 2017 if (tls_version >= TLS1_3_VERSION &&
2053 !(tlsext->messages & msg_type)) 2018 !(tlsext->messages & msg_type))
2054 continue; 2019 continue;
2055 2020
@@ -2112,15 +2077,12 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2112 CBS extensions, extension_data; 2077 CBS extensions, extension_data;
2113 uint16_t type; 2078 uint16_t type;
2114 size_t idx; 2079 size_t idx;
2115 uint16_t version; 2080 uint16_t tls_version;
2116 int alert_desc; 2081 int alert_desc;
2117 2082
2118 S3I(s)->hs.extensions_seen = 0; 2083 tls_version = ssl_effective_tls_version(s);
2119 2084
2120 if (is_server) 2085 S3I(s)->hs.extensions_seen = 0;
2121 version = s->version;
2122 else
2123 version = TLS1_get_client_version(s);
2124 2086
2125 /* An empty extensions block is valid. */ 2087 /* An empty extensions block is valid. */
2126 if (CBS_len(cbs) == 0) 2088 if (CBS_len(cbs) == 0)
@@ -2143,7 +2105,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2143 CBS_len(&extension_data), 2105 CBS_len(&extension_data),
2144 s->internal->tlsext_debug_arg); 2106 s->internal->tlsext_debug_arg);
2145 2107
2146 if (!SSL_is_dtls(s) && version >= TLS1_3_VERSION && is_server && 2108 if (tls_version >= TLS1_3_VERSION && is_server &&
2147 msg_type == SSL_TLSEXT_MSG_CH) { 2109 msg_type == SSL_TLSEXT_MSG_CH) {
2148 if (!tlsext_clienthello_hash_extension(s, type, 2110 if (!tlsext_clienthello_hash_extension(s, type,
2149 &extension_data)) 2111 &extension_data))
@@ -2155,7 +2117,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2155 continue; 2117 continue;
2156 2118
2157 /* RFC 8446 Section 4.2 */ 2119 /* RFC 8446 Section 4.2 */
2158 if (version >= TLS1_3_VERSION && 2120 if (tls_version >= TLS1_3_VERSION &&
2159 !(tlsext->messages & msg_type)) { 2121 !(tlsext->messages & msg_type)) {
2160 alert_desc = SSL_AD_ILLEGAL_PARAMETER; 2122 alert_desc = SSL_AD_ILLEGAL_PARAMETER;
2161 goto err; 2123 goto err;