diff options
Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
-rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 116 |
1 files changed, 39 insertions, 77 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index dca9de0305..4f4a39d4bb 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssl_tlsext.c,v 1.86 2021/02/08 17:20:47 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
@@ -174,7 +174,7 @@ int | |||
174 | tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) | 174 | tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) |
175 | { | 175 | { |
176 | return ssl_has_ecc_ciphers(s) || | 176 | return ssl_has_ecc_ciphers(s) || |
177 | (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); | 177 | (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); |
178 | } | 178 | } |
179 | 179 | ||
180 | int | 180 | int |
@@ -472,7 +472,8 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
472 | int | 472 | int |
473 | tlsext_ri_server_needs(SSL *s, uint16_t msg_type) | 473 | tlsext_ri_server_needs(SSL *s, uint16_t msg_type) |
474 | { | 474 | { |
475 | return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); | 475 | return (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION && |
476 | S3I(s)->send_connection_binding); | ||
476 | } | 477 | } |
477 | 478 | ||
478 | int | 479 | int |
@@ -554,7 +555,7 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
554 | int | 555 | int |
555 | tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) | 556 | tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) |
556 | { | 557 | { |
557 | return (TLS1_get_client_version(s) >= TLS1_2_VERSION); | 558 | return (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION); |
558 | } | 559 | } |
559 | 560 | ||
560 | int | 561 | int |
@@ -564,8 +565,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
564 | size_t tls_sigalgs_len = tls12_sigalgs_len; | 565 | size_t tls_sigalgs_len = tls12_sigalgs_len; |
565 | CBB sigalgs; | 566 | CBB sigalgs; |
566 | 567 | ||
567 | if (TLS1_get_client_version(s) >= TLS1_3_VERSION && | 568 | if (S3I(s)->hs.our_min_tls_version >= TLS1_3_VERSION) { |
568 | S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { | ||
569 | tls_sigalgs = tls13_sigalgs; | 569 | tls_sigalgs = tls13_sigalgs; |
570 | tls_sigalgs_len = tls13_sigalgs_len; | 570 | tls_sigalgs_len = tls13_sigalgs_len; |
571 | } | 571 | } |
@@ -600,7 +600,7 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
600 | int | 600 | int |
601 | tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) | 601 | tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) |
602 | { | 602 | { |
603 | return (s->version >= TLS1_3_VERSION); | 603 | return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); |
604 | } | 604 | } |
605 | 605 | ||
606 | int | 606 | int |
@@ -610,7 +610,7 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
610 | size_t tls_sigalgs_len = tls12_sigalgs_len; | 610 | size_t tls_sigalgs_len = tls12_sigalgs_len; |
611 | CBB sigalgs; | 611 | CBB sigalgs; |
612 | 612 | ||
613 | if (s->version >= TLS1_3_VERSION) { | 613 | if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { |
614 | tls_sigalgs = tls13_sigalgs; | 614 | tls_sigalgs = tls13_sigalgs; |
615 | tls_sigalgs_len = tls13_sigalgs_len; | 615 | tls_sigalgs_len = tls13_sigalgs_len; |
616 | } | 616 | } |
@@ -632,7 +632,7 @@ tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
632 | { | 632 | { |
633 | CBS sigalgs; | 633 | CBS sigalgs; |
634 | 634 | ||
635 | if (s->version < TLS1_3_VERSION) | 635 | if (ssl_effective_tls_version(s) < TLS1_3_VERSION) |
636 | return 0; | 636 | return 0; |
637 | 637 | ||
638 | if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) | 638 | if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) |
@@ -981,7 +981,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
981 | int | 981 | int |
982 | tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) | 982 | tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) |
983 | { | 983 | { |
984 | if (s->version >= TLS1_3_VERSION && | 984 | if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && |
985 | s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && | 985 | s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && |
986 | s->ctx->internal->tlsext_status_cb != NULL) { | 986 | s->ctx->internal->tlsext_status_cb != NULL) { |
987 | s->internal->tlsext_status_expected = 0; | 987 | s->internal->tlsext_status_expected = 0; |
@@ -998,7 +998,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
998 | { | 998 | { |
999 | CBB ocsp_response; | 999 | CBB ocsp_response; |
1000 | 1000 | ||
1001 | if (s->version >= TLS1_3_VERSION) { | 1001 | if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) { |
1002 | if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) | 1002 | if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) |
1003 | return 0; | 1003 | return 0; |
1004 | if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) | 1004 | if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) |
@@ -1016,11 +1016,10 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
1016 | int | 1016 | int |
1017 | tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | 1017 | tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) |
1018 | { | 1018 | { |
1019 | CBS response; | ||
1020 | uint16_t version = TLS1_get_client_version(s); | ||
1021 | uint8_t status_type; | 1019 | uint8_t status_type; |
1020 | CBS response; | ||
1022 | 1021 | ||
1023 | if (version >= TLS1_3_VERSION) { | 1022 | if (ssl_effective_tls_version(s) >= TLS1_3_VERSION) { |
1024 | if (msg_type == SSL_TLSEXT_MSG_CR) { | 1023 | if (msg_type == SSL_TLSEXT_MSG_CR) { |
1025 | /* | 1024 | /* |
1026 | * RFC 8446, 4.4.2.1 - the server may request an OCSP | 1025 | * RFC 8446, 4.4.2.1 - the server may request an OCSP |
@@ -1406,11 +1405,7 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1406 | int | 1405 | int |
1407 | tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) | 1406 | tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) |
1408 | { | 1407 | { |
1409 | /* XXX once this gets initialized when we get tls13_client.c */ | 1408 | return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); |
1410 | if (S3I(s)->hs_tls13.max_version == 0) | ||
1411 | return 0; | ||
1412 | return (!SSL_is_dtls(s) && S3I(s)->hs_tls13.max_version >= | ||
1413 | TLS1_3_VERSION); | ||
1414 | } | 1409 | } |
1415 | 1410 | ||
1416 | int | 1411 | int |
@@ -1457,7 +1452,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1457 | * Ignore this client share if we're using earlier than TLSv1.3 | 1452 | * Ignore this client share if we're using earlier than TLSv1.3 |
1458 | * or we've already selected a key share. | 1453 | * or we've already selected a key share. |
1459 | */ | 1454 | */ |
1460 | if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) | 1455 | if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) |
1461 | continue; | 1456 | continue; |
1462 | if (S3I(s)->hs_tls13.key_share != NULL) | 1457 | if (S3I(s)->hs_tls13.key_share != NULL) |
1463 | continue; | 1458 | continue; |
@@ -1485,10 +1480,8 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1485 | int | 1480 | int |
1486 | tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) | 1481 | tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) |
1487 | { | 1482 | { |
1488 | if (SSL_is_dtls(s) || s->version < TLS1_3_VERSION) | 1483 | return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION && |
1489 | return 0; | 1484 | tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); |
1490 | |||
1491 | return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); | ||
1492 | } | 1485 | } |
1493 | 1486 | ||
1494 | int | 1487 | int |
@@ -1550,9 +1543,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1550 | int | 1543 | int |
1551 | tlsext_versions_client_needs(SSL *s, uint16_t msg_type) | 1544 | tlsext_versions_client_needs(SSL *s, uint16_t msg_type) |
1552 | { | 1545 | { |
1553 | if (SSL_is_dtls(s)) | 1546 | return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION); |
1554 | return 0; | ||
1555 | return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); | ||
1556 | } | 1547 | } |
1557 | 1548 | ||
1558 | int | 1549 | int |
@@ -1562,11 +1553,8 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
1562 | uint16_t version; | 1553 | uint16_t version; |
1563 | CBB versions; | 1554 | CBB versions; |
1564 | 1555 | ||
1565 | max = S3I(s)->hs_tls13.max_version; | 1556 | max = S3I(s)->hs.our_max_tls_version; |
1566 | min = S3I(s)->hs_tls13.min_version; | 1557 | min = S3I(s)->hs.our_min_tls_version; |
1567 | |||
1568 | if (min < TLS1_VERSION) | ||
1569 | return 0; | ||
1570 | 1558 | ||
1571 | if (!CBB_add_u8_length_prefixed(cbb, &versions)) | 1559 | if (!CBB_add_u8_length_prefixed(cbb, &versions)) |
1572 | return 0; | 1560 | return 0; |
@@ -1591,8 +1579,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1591 | uint16_t max, min; | 1579 | uint16_t max, min; |
1592 | uint16_t matched_version = 0; | 1580 | uint16_t matched_version = 0; |
1593 | 1581 | ||
1594 | max = S3I(s)->hs_tls13.max_version; | 1582 | max = S3I(s)->hs.our_max_tls_version; |
1595 | min = S3I(s)->hs_tls13.min_version; | 1583 | min = S3I(s)->hs.our_min_tls_version; |
1596 | 1584 | ||
1597 | if (!CBS_get_u8_length_prefixed(cbs, &versions)) | 1585 | if (!CBS_get_u8_length_prefixed(cbs, &versions)) |
1598 | goto err; | 1586 | goto err; |
@@ -1608,16 +1596,8 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1608 | matched_version = version; | 1596 | matched_version = version; |
1609 | } | 1597 | } |
1610 | 1598 | ||
1611 | /* | 1599 | if (matched_version > 0) { |
1612 | * XXX if we haven't matched a version we should | 1600 | /* XXX - this should be stored for later processing. */ |
1613 | * fail - but we currently need to succeed to | ||
1614 | * ignore this before the server code for 1.3 | ||
1615 | * is set up and initialized. | ||
1616 | */ | ||
1617 | if (max == 0) | ||
1618 | return 1; /* XXX */ | ||
1619 | |||
1620 | if (matched_version != 0) { | ||
1621 | s->version = matched_version; | 1601 | s->version = matched_version; |
1622 | return 1; | 1602 | return 1; |
1623 | } | 1603 | } |
@@ -1633,17 +1613,13 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1633 | int | 1613 | int |
1634 | tlsext_versions_server_needs(SSL *s, uint16_t msg_type) | 1614 | tlsext_versions_server_needs(SSL *s, uint16_t msg_type) |
1635 | { | 1615 | { |
1636 | return (!SSL_is_dtls(s) && s->version >= TLS1_3_VERSION); | 1616 | return (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION); |
1637 | } | 1617 | } |
1638 | 1618 | ||
1639 | int | 1619 | int |
1640 | tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) | 1620 | tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) |
1641 | { | 1621 | { |
1642 | if (!CBB_add_u16(cbb, TLS1_3_VERSION)) | 1622 | return CBB_add_u16(cbb, TLS1_3_VERSION); |
1643 | return 0; | ||
1644 | /* XXX set 1.2 in legacy version? */ | ||
1645 | |||
1646 | return 1; | ||
1647 | } | 1623 | } |
1648 | 1624 | ||
1649 | int | 1625 | int |
@@ -1656,6 +1632,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1656 | return 0; | 1632 | return 0; |
1657 | } | 1633 | } |
1658 | 1634 | ||
1635 | /* XXX - need to fix for DTLS 1.3 */ | ||
1659 | if (selected_version < TLS1_3_VERSION) { | 1636 | if (selected_version < TLS1_3_VERSION) { |
1660 | *alert = SSL_AD_ILLEGAL_PARAMETER; | 1637 | *alert = SSL_AD_ILLEGAL_PARAMETER; |
1661 | return 0; | 1638 | return 0; |
@@ -1675,12 +1652,8 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1675 | int | 1652 | int |
1676 | tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) | 1653 | tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) |
1677 | { | 1654 | { |
1678 | if (SSL_is_dtls(s)) | 1655 | return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && |
1679 | return 0; | 1656 | S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL); |
1680 | if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) | ||
1681 | return 0; | ||
1682 | return (S3I(s)->hs_tls13.cookie_len > 0 && | ||
1683 | S3I(s)->hs_tls13.cookie != NULL); | ||
1684 | } | 1657 | } |
1685 | 1658 | ||
1686 | int | 1659 | int |
@@ -1734,17 +1707,12 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
1734 | int | 1707 | int |
1735 | tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) | 1708 | tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) |
1736 | { | 1709 | { |
1737 | |||
1738 | if (SSL_is_dtls(s)) | ||
1739 | return 0; | ||
1740 | if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) | ||
1741 | return 0; | ||
1742 | /* | 1710 | /* |
1743 | * Server needs to set cookie value in tls13 handshake | 1711 | * Server needs to set cookie value in tls13 handshake |
1744 | * in order to send one, should only be sent with HRR. | 1712 | * in order to send one, should only be sent with HRR. |
1745 | */ | 1713 | */ |
1746 | return (S3I(s)->hs_tls13.cookie_len > 0 && | 1714 | return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && |
1747 | S3I(s)->hs_tls13.cookie != NULL); | 1715 | S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL); |
1748 | } | 1716 | } |
1749 | 1717 | ||
1750 | int | 1718 | int |
@@ -2033,13 +2001,10 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) | |||
2033 | const struct tls_extension *tlsext; | 2001 | const struct tls_extension *tlsext; |
2034 | CBB extensions, extension_data; | 2002 | CBB extensions, extension_data; |
2035 | int extensions_present = 0; | 2003 | int extensions_present = 0; |
2004 | uint16_t tls_version; | ||
2036 | size_t i; | 2005 | size_t i; |
2037 | uint16_t version; | ||
2038 | 2006 | ||
2039 | if (is_server) | 2007 | tls_version = ssl_effective_tls_version(s); |
2040 | version = s->version; | ||
2041 | else | ||
2042 | version = TLS1_get_client_version(s); | ||
2043 | 2008 | ||
2044 | if (!CBB_add_u16_length_prefixed(cbb, &extensions)) | 2009 | if (!CBB_add_u16_length_prefixed(cbb, &extensions)) |
2045 | return 0; | 2010 | return 0; |
@@ -2049,7 +2014,7 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) | |||
2049 | ext = tlsext_funcs(tlsext, is_server); | 2014 | ext = tlsext_funcs(tlsext, is_server); |
2050 | 2015 | ||
2051 | /* RFC 8446 Section 4.2 */ | 2016 | /* RFC 8446 Section 4.2 */ |
2052 | if (version >= TLS1_3_VERSION && | 2017 | if (tls_version >= TLS1_3_VERSION && |
2053 | !(tlsext->messages & msg_type)) | 2018 | !(tlsext->messages & msg_type)) |
2054 | continue; | 2019 | continue; |
2055 | 2020 | ||
@@ -2112,15 +2077,12 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) | |||
2112 | CBS extensions, extension_data; | 2077 | CBS extensions, extension_data; |
2113 | uint16_t type; | 2078 | uint16_t type; |
2114 | size_t idx; | 2079 | size_t idx; |
2115 | uint16_t version; | 2080 | uint16_t tls_version; |
2116 | int alert_desc; | 2081 | int alert_desc; |
2117 | 2082 | ||
2118 | S3I(s)->hs.extensions_seen = 0; | 2083 | tls_version = ssl_effective_tls_version(s); |
2119 | 2084 | ||
2120 | if (is_server) | 2085 | S3I(s)->hs.extensions_seen = 0; |
2121 | version = s->version; | ||
2122 | else | ||
2123 | version = TLS1_get_client_version(s); | ||
2124 | 2086 | ||
2125 | /* An empty extensions block is valid. */ | 2087 | /* An empty extensions block is valid. */ |
2126 | if (CBS_len(cbs) == 0) | 2088 | if (CBS_len(cbs) == 0) |
@@ -2143,7 +2105,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) | |||
2143 | CBS_len(&extension_data), | 2105 | CBS_len(&extension_data), |
2144 | s->internal->tlsext_debug_arg); | 2106 | s->internal->tlsext_debug_arg); |
2145 | 2107 | ||
2146 | if (!SSL_is_dtls(s) && version >= TLS1_3_VERSION && is_server && | 2108 | if (tls_version >= TLS1_3_VERSION && is_server && |
2147 | msg_type == SSL_TLSEXT_MSG_CH) { | 2109 | msg_type == SSL_TLSEXT_MSG_CH) { |
2148 | if (!tlsext_clienthello_hash_extension(s, type, | 2110 | if (!tlsext_clienthello_hash_extension(s, type, |
2149 | &extension_data)) | 2111 | &extension_data)) |
@@ -2155,7 +2117,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) | |||
2155 | continue; | 2117 | continue; |
2156 | 2118 | ||
2157 | /* RFC 8446 Section 4.2 */ | 2119 | /* RFC 8446 Section 4.2 */ |
2158 | if (version >= TLS1_3_VERSION && | 2120 | if (tls_version >= TLS1_3_VERSION && |
2159 | !(tlsext->messages & msg_type)) { | 2121 | !(tlsext->messages & msg_type)) { |
2160 | alert_desc = SSL_AD_ILLEGAL_PARAMETER; | 2122 | alert_desc = SSL_AD_ILLEGAL_PARAMETER; |
2161 | goto err; | 2123 | goto err; |