1 files changed, 64 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 4ec29ea956..ed9a69918a 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.22 2020/01/21 12:08:04 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.23 2020/01/22 02:21:05 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -809,3 +809,66 @@ tls13_client_finished_sent(struct tls13_ctx *ctx)
        return tls13_record_layer_set_write_traffic_key(ctx->rl,
            &secrets->client_application_traffic);
 }
+static int
+tls13_client_hello_retry_process(struct tls13_ctx *ctx, CBS *cbs)
+{
+        CBS server_random, session_id;
+        uint16_t cipher_suite, legacy_version;
+        uint8_t compression_method;
+        int alert_desc;
+        SSL *s = ctx->ssl;
+        if (!CBS_get_u16(cbs, &legacy_version))
+                goto err;
+        if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &session_id))
+                goto err;
+        if (!CBS_get_u16(cbs, &cipher_suite))
+                goto err;
+        if (!CBS_get_u8(cbs, &compression_method))
+                goto err;
+        /*
+         * XXX currently this will change state and be hazardous later
+         * if we decide to support sending an updated client hello.
+         * however, since we will not today (and are going to return
+         * illegal parameter as per section 4.1.4) we just ensure
+         * that the extensions parse correctly.
+         */
+        if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
+                ctx->alert = alert_desc;
+                goto err;
+        }
+        if (CBS_len(cbs) != 0)
+                goto err;
+        /* XXX for now, just say no, we will not change our hello */
+        ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+ err:
+        if (ctx->alert == 0)
+                ctx->alert = TLS1_AD_DECODE_ERROR;
+        return 0;
+}
+int
+tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
+{
+        int ret = 0;
+        CBS cbs;
+        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
+                goto err;
+        if (!tls13_client_hello_retry_process(ctx, &cbs)) {
+                if (ctx->alert == SSL_AD_ILLEGAL_PARAMETER)
+                        tls13_set_errorx(ctx, TLS13_ERR_HRR_FAILED, 0,
+                            "Unsatisfiable hello retry request", NULL);
+                goto err;
+        }
+err:
+        return ret;
+}

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 4ec29ea956..ed9a69918a 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.22 2020/01/21 12:08:04 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.23 2020/01/22 02:21:05 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -809,3 +809,66 @@ tls13_client_finished_sent(struct tls13_ctx *ctx)
809	return tls13_record_layer_set_write_traffic_key(ctx->rl,	809	return tls13_record_layer_set_write_traffic_key(ctx->rl,
810	&secrets->client_application_traffic);	810	&secrets->client_application_traffic);
811	}	811	}
		812
		813
		814	static int
		815	tls13_client_hello_retry_process(struct tls13_ctx ctx, CBS cbs)
		816	{
		817	CBS server_random, session_id;
		818	uint16_t cipher_suite, legacy_version;
		819	uint8_t compression_method;
		820	int alert_desc;
		821	SSL *s = ctx->ssl;
		822
		823	if (!CBS_get_u16(cbs, &legacy_version))
		824	goto err;
		825	if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
		826	goto err;
		827	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
		828	goto err;
		829	if (!CBS_get_u16(cbs, &cipher_suite))
		830	goto err;
		831	if (!CBS_get_u8(cbs, &compression_method))
		832	goto err;
		833
		834	/*
		835	* XXX currently this will change state and be hazardous later
		836	* if we decide to support sending an updated client hello.
		837	* however, since we will not today (and are going to return
		838	* illegal parameter as per section 4.1.4) we just ensure
		839	* that the extensions parse correctly.
		840	*/
		841	if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
		842	ctx->alert = alert_desc;
		843	goto err;
		844	}
		845
		846	if (CBS_len(cbs) != 0)
		847	goto err;
		848
		849	/* XXX for now, just say no, we will not change our hello */
		850	ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
		851	err:
		852	if (ctx->alert == 0)
		853	ctx->alert = TLS1_AD_DECODE_ERROR;
		854	return 0;
		855	}
		856
		857	int
		858	tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
		859	{
		860	int ret = 0;
		861	CBS cbs;
		862
		863	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
		864	goto err;
		865
		866	if (!tls13_client_hello_retry_process(ctx, &cbs)) {
		867	if (ctx->alert == SSL_AD_ILLEGAL_PARAMETER)
		868	tls13_set_errorx(ctx, TLS13_ERR_HRR_FAILED, 0,
		869	"Unsatisfiable hello retry request", NULL);
		870	goto err;
		871	}
		872	err:
		873	return ret;
		874	}