Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/s3_lib.c8
-rw-r--r--src/lib/libssl/ssl_clnt.c5
-rw-r--r--src/lib/libssl/ssl_locl.h10
-rw-r--r--src/lib/libssl/ssl_sigalgs.c21
-rw-r--r--src/lib/libssl/ssl_sigalgs.h4
-rw-r--r--src/lib/libssl/ssl_tlsext.c348
-rw-r--r--src/lib/libssl/ssl_tlsext.h10
-rw-r--r--src/lib/libssl/t1_lib.c10
8 files changed, 36 insertions, 380 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 53aab7c1e5..496bf7394c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.179 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.180 2019/01/23 18:24:40 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1569,7 +1569,6 @@ ssl3_free(SSL *s)
1569 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); 1569 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
1570 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); 1570 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
1571 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); 1571 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1572 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1573 1572
1574 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1573 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1575 1574
@@ -1606,11 +1605,6 @@ ssl3_clear(SSL *s)
1606 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH); 1605 freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
1607 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH); 1606 freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
1608 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH); 1607 freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1609 freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
1610 S3I(s)->hs_tls13.cookie = NULL;
1611 S3I(s)->hs_tls13.cookie_len = 0;
1612
1613 S3I(s)->hs.extensions_seen = 0;
1614 1608
1615 rp = S3I(s)->rbuf.buf; 1609 rp = S3I(s)->rbuf.buf;
1616 wp = S3I(s)->wbuf.buf; 1610 wp = S3I(s)->wbuf.buf;
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index ee26a200b1..26755d7c03 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.53 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.54 2019/01/23 18:24:40 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1680,8 +1680,7 @@ ssl3_get_certificate_request(SSL *s)
1680 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); 1680 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1681 goto err; 1681 goto err;
1682 } 1682 }
1683 if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs, 1683 if (!tls1_process_sigalgs(s, &sigalgs)) {
1684 tls12_sigalgs_len)) {
1685 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1684 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1686 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1685 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1687 goto err; 1686 goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index e4b1341db5..7fd155648c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.229 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.230 2019/01/23 18:24:40 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -429,9 +429,6 @@ typedef struct ssl_handshake_st {
429 /* key_block is the record-layer key block for TLS 1.2 and earlier. */ 429 /* key_block is the record-layer key block for TLS 1.2 and earlier. */
430 int key_block_len; 430 int key_block_len;
431 unsigned char *key_block; 431 unsigned char *key_block;
432
433 /* Extensions seen in this handshake. */
434 uint32_t extensions_seen;
435} SSL_HANDSHAKE; 432} SSL_HANDSHAKE;
436 433
437typedef struct ssl_handshake_tls13_st { 434typedef struct ssl_handshake_tls13_st {
@@ -448,9 +445,6 @@ typedef struct ssl_handshake_tls13_st {
448 uint8_t *x25519_peer_public; 445 uint8_t *x25519_peer_public;
449 446
450 struct tls13_secrets *secrets; 447 struct tls13_secrets *secrets;
451
452 uint8_t *cookie;
453 size_t cookie_len;
454} SSL_HANDSHAKE_TLS13; 448} SSL_HANDSHAKE_TLS13;
455 449
456typedef struct ssl_ctx_internal_st { 450typedef struct ssl_ctx_internal_st {
@@ -1319,7 +1313,7 @@ int tls1_process_ticket(SSL *s, const unsigned char *session_id,
1319 int session_id_len, CBS *ext_block, SSL_SESSION **ret); 1313 int session_id_len, CBS *ext_block, SSL_SESSION **ret);
1320 1314
1321long ssl_get_algorithm2(SSL *s); 1315long ssl_get_algorithm2(SSL *s);
1322int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *, size_t); 1316int tls1_process_sigalgs(SSL *s, CBS *cbs);
1323 1317
1324int tls1_check_ec_server_key(SSL *s); 1318int tls1_check_ec_server_key(SSL *s);
1325 1319
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 23f65f5070..182ea1edaa 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,6 @@
1/* $OpenBSD: ssl_sigalgs.c,v 1.12 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: ssl_sigalgs.c,v 1.13 2019/01/23 18:24:40 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
4 * 4 *
5 * Permission to use, copy, modify, and/or distribute this software for any 5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above 6 * purpose with or without fee is hereby granted, provided that the above
@@ -163,30 +163,13 @@ const struct ssl_sigalg sigalgs[] = {
163 }, 163 },
164}; 164};
165 165
166/* Sigalgs for tls 1.3, in preference order, */
167uint16_t tls13_sigalgs[] = {
168 SIGALG_RSA_PSS_RSAE_SHA512,
169 SIGALG_RSA_PKCS1_SHA512,
170 SIGALG_ECDSA_SECP512R1_SHA512,
171 SIGALG_RSA_PSS_RSAE_SHA384,
172 SIGALG_RSA_PKCS1_SHA384,
173 SIGALG_ECDSA_SECP384R1_SHA384,
174 SIGALG_RSA_PSS_RSAE_SHA256,
175 SIGALG_RSA_PKCS1_SHA256,
176 SIGALG_ECDSA_SECP256R1_SHA256,
177};
178size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
179
180/* Sigalgs for tls 1.2, in preference order, */ 166/* Sigalgs for tls 1.2, in preference order, */
181uint16_t tls12_sigalgs[] = { 167uint16_t tls12_sigalgs[] = {
182 SIGALG_RSA_PSS_RSAE_SHA512,
183 SIGALG_RSA_PKCS1_SHA512, 168 SIGALG_RSA_PKCS1_SHA512,
184 SIGALG_ECDSA_SECP512R1_SHA512, 169 SIGALG_ECDSA_SECP512R1_SHA512,
185 SIGALG_GOSTR12_512_STREEBOG_512, 170 SIGALG_GOSTR12_512_STREEBOG_512,
186 SIGALG_RSA_PSS_RSAE_SHA384,
187 SIGALG_RSA_PKCS1_SHA384, 171 SIGALG_RSA_PKCS1_SHA384,
188 SIGALG_ECDSA_SECP384R1_SHA384, 172 SIGALG_ECDSA_SECP384R1_SHA384,
189 SIGALG_RSA_PSS_RSAE_SHA256,
190 SIGALG_RSA_PKCS1_SHA256, 173 SIGALG_RSA_PKCS1_SHA256,
191 SIGALG_ECDSA_SECP256R1_SHA256, 174 SIGALG_ECDSA_SECP256R1_SHA256,
192 SIGALG_GOSTR12_256_STREEBOG_256, 175 SIGALG_GOSTR12_256_STREEBOG_256,
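Review bot: The new tls12_sigalgs table (new lines 167-175) no longer contains any SIGALG_RSA_PSS_RSAE_* entry, but the comment above it still says only `Sigalgs for tls 1.2, in preference order,`; since this table is now also the list tls1_process_sigalgs matches peer offers against (t1_lib.c in this commit), a reader cannot tell whether PSS is withheld for TLS 1.2 deliberately. A comment on the table such as `/* RSA-PSS is not advertised or accepted for TLS 1.2 via this table. */`, stating the actual reason, would record the decision. The table continues past the end of the hunk.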
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 8ea4df9e31..a45700389b 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sigalgs.h,v 1.9 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: ssl_sigalgs.h,v 1.10 2019/01/23 18:24:40 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -71,8 +71,6 @@ struct ssl_sigalg{
71 71
72extern uint16_t tls12_sigalgs[]; 72extern uint16_t tls12_sigalgs[];
73extern size_t tls12_sigalgs_len; 73extern size_t tls12_sigalgs_len;
74extern uint16_t tls13_sigalgs[];
75extern size_t tls13_sigalgs_len;
76 74
77const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); 75const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
78const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len); 76const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len);
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 06105f976d..d5c30c4e73 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.32 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.33 2019/01/23 18:24:40 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,26 +536,9 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
536 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) 536 if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
537 return 0; 537 return 0;
538 538
539 switch (TLS1_get_client_version(s)) { 539 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
540 case TLS1_2_VERSION:
541 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
542 return 0;
543 break;
544 case TLS1_3_VERSION:
545 if (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
546 if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
547 tls12_sigalgs_len))
548 return 0;
549 } else {
550 if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
551 tls13_sigalgs_len))
552 return 0; }
553
554 break;
555 default:
556 /* Should not happen */
557 return 0; 540 return 0;
558 } 541
559 if (!CBB_flush(cbb)) 542 if (!CBB_flush(cbb))
560 return 0; 543 return 0;
561 544
@@ -570,17 +553,7 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
570 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) 553 if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
571 return 0; 554 return 0;
572 555
573 switch (s->version) { 556 return tls1_process_sigalgs(s, &sigalgs);
574 case TLS1_3_VERSION:
575 return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
576 tls13_sigalgs_len);
577 case TLS1_2_VERSION:
578 return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
579 tls12_sigalgs_len);
580 default:
581 /* Fail if we get a version > what we recognize */
582 return 0;
583 }
584} 557}
585 558
586int 559int
@@ -1270,7 +1243,7 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
1270 1243
1271 return 1; 1244 return 1;
1272 1245
1273 err: 1246err:
1274 freezero(public_key, X25519_KEY_LENGTH); 1247 freezero(public_key, X25519_KEY_LENGTH);
1275 freezero(private_key, X25519_KEY_LENGTH); 1248 freezero(private_key, X25519_KEY_LENGTH);
1276 1249
@@ -1280,100 +1253,24 @@ tlsext_keyshare_client_build(SSL *s, CBB *cbb)
1280int 1253int
1281tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert) 1254tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
1282{ 1255{
1283 CBS client_shares; 1256 /* XXX we accept this but currently ignore it */
1284 CBS key_exchange; 1257 if (!CBS_skip(cbs, CBS_len(cbs))) {
1285 uint16_t group; 1258 *alert = TLS1_AD_INTERNAL_ERROR;
1286 size_t out_len; 1259 return 0;
1287 int ret = 0;
1288
1289 if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
1290 goto err;
1291
1292 if (CBS_len(cbs) != 0)
1293 goto err;
1294
1295 while (CBS_len(&client_shares) > 0) {
1296
1297 /* Unpack client share. */
1298 if (!CBS_get_u16(&client_shares, &group))
1299 goto err;
1300
1301 if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange))
1302 goto err;
1303
1304 /*
1305 * Skip this client share if not X25519
1306 * XXX support other groups later.
1307 */
1308 if (ret || group != tls1_ec_nid2curve_id(NID_X25519))
1309 continue;
1310
1311 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1312 goto err;
1313
1314 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
1315 &out_len))
1316 goto err;
1317
1318 ret = 1;
1319 } 1260 }
1320 1261
1321 return ret; 1262 return 1;
1322
1323 err:
1324 *alert = SSL_AD_DECODE_ERROR;
1325 return 0;
1326} 1263}
1327 1264
1328int 1265int
1329tlsext_keyshare_server_needs(SSL *s) 1266tlsext_keyshare_server_needs(SSL *s)
1330{ 1267{
1331 size_t idx; 1268 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
1332
1333 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)
1334 return 0;
1335 if (tls_extension_find(TLSEXT_TYPE_key_share, &idx) == NULL)
1336 return 0;
1337 return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0);
1338} 1269}
1339 1270
1340int 1271int
1341tlsext_keyshare_server_build(SSL *s, CBB *cbb) 1272tlsext_keyshare_server_build(SSL *s, CBB *cbb)
1342{ 1273{
1343 uint8_t *public_key = NULL, *private_key = NULL;
1344 CBB key_exchange;
1345
1346 /* X25519 */
1347 if (S3I(s)->hs_tls13.x25519_peer_public == NULL)
1348 return 0;
1349
1350 /* Generate X25519 key pair. */
1351 if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
1352 goto err;
1353 if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
1354 goto err;
1355 X25519_keypair(public_key, private_key);
1356
1357 /* Add the group and serialize the public key. */
1358 if (!CBB_add_u16(cbb, tls1_ec_nid2curve_id(NID_X25519)))
1359 goto err;
1360 if (!CBB_add_u16_length_prefixed(cbb, &key_exchange))
1361 goto err;
1362 if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
1363 goto err;
1364
1365 if (!CBB_flush(cbb))
1366 goto err;
1367
1368 S3I(s)->hs_tls13.x25519_public = public_key;
1369 S3I(s)->hs_tls13.x25519_private = private_key;
1370
1371 return 1;
1372
1373 err:
1374 freezero(public_key, X25519_KEY_LENGTH);
1375 freezero(private_key, X25519_KEY_LENGTH);
1376
1377 return 0; 1274 return 0;
1378} 1275}
1379 1276
@@ -1394,10 +1291,6 @@ tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
1394 1291
1395 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) 1292 if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
1396 goto err; 1293 goto err;
1397
1398 if (CBS_len(cbs) != 0)
1399 goto err;
1400
1401 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH) 1294 if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
1402 goto err; 1295 goto err;
1403 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public, 1296 if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
@@ -1420,9 +1313,8 @@ tlsext_versions_client_needs(SSL *s)
1420 /* XXX once this gets initialized when we get tls13_client.c */ 1313 /* XXX once this gets initialized when we get tls13_client.c */
1421 if (S3I(s)->hs_tls13.max_version == 0) 1314 if (S3I(s)->hs_tls13.max_version == 0)
1422 return 0; 1315 return 0;
1423 if (SSL_IS_DTLS(s)) 1316 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
1424 return 0; 1317 TLS1_3_VERSION);
1425 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1426} 1318}
1427 1319
1428int 1320int
@@ -1456,41 +1348,13 @@ tlsext_versions_client_build(SSL *s, CBB *cbb)
1456int 1348int
1457tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert) 1349tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
1458{ 1350{
1459 CBS versions; 1351 /* XXX we accept this but currently ignore it */
1460 uint16_t version; 1352 if (!CBS_skip(cbs, CBS_len(cbs))) {
1461 uint16_t max, min; 1353 *alert = TLS1_AD_INTERNAL_ERROR;
1462 uint16_t matched_version = 0; 1354 return 0;
1463
1464 max = S3I(s)->hs_tls13.max_version;
1465 min = S3I(s)->hs_tls13.min_version;
1466
1467 if (!CBS_get_u8_length_prefixed(cbs, &versions))
1468 goto err;
1469
1470 if (CBS_len(cbs) != 0)
1471 goto err;
1472
1473 if (CBS_len(&versions) < 2)
1474 goto err;
1475
1476 while(CBS_len(&versions) > 0) {
1477 if (!CBS_get_u16(&versions, &version))
1478 goto err;
1479 /*
1480 * XXX What is below implements client preference, and
1481 * ignores any server preference entirely.
1482 */
1483 if (matched_version == 0 && version >= min && version <= max)
1484 matched_version = version;
1485 } 1355 }
1486 if (matched_version != 0)
1487 s->version = matched_version;
1488 1356
1489 return 1; 1357 return 1;
1490
1491 err:
1492 *alert = SSL_AD_DECODE_ERROR;
1493 return 0;
1494} 1358}
1495 1359
1496int 1360int
@@ -1502,11 +1366,7 @@ tlsext_versions_server_needs(SSL *s)
1502int 1366int
1503tlsext_versions_server_build(SSL *s, CBB *cbb) 1367tlsext_versions_server_build(SSL *s, CBB *cbb)
1504{ 1368{
1505 if (!CBB_add_u16(cbb, TLS1_3_VERSION)) 1369 return 0;
1506 return 0;
1507 /* XXX set 1.2 in legacy version? */
1508
1509 return 1;
1510} 1370}
1511 1371
1512int 1372int
@@ -1519,161 +1379,12 @@ tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
1519 return 0; 1379 return 0;
1520 } 1380 }
1521 1381
1522 if (CBS_len(cbs) != 0) {
1523 *alert = SSL_AD_DECODE_ERROR;
1524 return 0;
1525 }
1526
1527 if (selected_version < TLS1_3_VERSION) {
1528 *alert = SSL_AD_ILLEGAL_PARAMETER;
1529 return 0;
1530 }
1531
1532 /* XXX test between min and max once initialization code goes in */ 1382 /* XXX test between min and max once initialization code goes in */
1533 S3I(s)->hs_tls13.server_version = selected_version; 1383 S3I(s)->hs_tls13.server_version = selected_version;
1534 1384
1535 return 1; 1385 return 1;
1536} 1386}
1537 1387
1538
1539/*
1540 * Cookie - RFC 8446 section 4.2.2.
1541 */
1542
1543int
1544tlsext_cookie_client_needs(SSL *s)
1545{
1546 /* XXX once this gets initialized when we get tls13_client.c */
1547 if (S3I(s)->hs_tls13.max_version == 0)
1548 return 0;
1549 if (SSL_IS_DTLS(s))
1550 return 0;
1551 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1552 return 0;
1553 return ((S3I(s)->hs_tls13.cookie_len > 0) &&
1554 (S3I(s)->hs_tls13.cookie != NULL));
1555}
1556
1557int
1558tlsext_cookie_client_build(SSL *s, CBB *cbb)
1559{
1560 CBB cookie;
1561
1562 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1563 return 0;
1564
1565 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1566 S3I(s)->hs_tls13.cookie_len))
1567 return 0;
1568
1569 if (!CBB_flush(cbb))
1570 return 0;
1571
1572 return 1;
1573}
1574
1575int
1576tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert)
1577{
1578 CBS cookie;
1579
1580 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1581 goto err;
1582
1583 if (CBS_len(cbs) != 0)
1584 goto err;
1585
1586 if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
1587 goto err;
1588
1589 /*
1590 * Check provided cookie value against what server previously
1591 * sent - client *MUST* send the same cookie with new CR after
1592 * a cookie is sent by the server with an HRR
1593 */
1594 if (memcmp(CBS_data(&cookie), S3I(s)->hs_tls13.cookie,
1595 S3I(s)->hs_tls13.cookie_len) != 0) {
1596 /* XXX special cookie mismatch alert? */
1597 *alert = SSL_AD_ILLEGAL_PARAMETER;
1598 return 0;
1599 }
1600
1601 return 1;
1602
1603 err:
1604 *alert = SSL_AD_DECODE_ERROR;
1605 return 0;
1606}
1607
1608int
1609tlsext_cookie_server_needs(SSL *s)
1610{
1611 /* XXX once this gets initialized when we get tls13_client.c */
1612 if (S3I(s)->hs_tls13.max_version == 0)
1613 return 0;
1614 if (SSL_IS_DTLS(s))
1615 return 0;
1616 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1617 return 0;
1618 /*
1619 * Server needs to set cookie value in tls13 handshake
1620 * in order to send one, should only be sent with HRR.
1621 */
1622 return ((S3I(s)->hs_tls13.cookie_len > 0) &&
1623 (S3I(s)->hs_tls13.cookie != NULL));
1624}
1625
1626int
1627tlsext_cookie_server_build(SSL *s, CBB *cbb)
1628{
1629 CBB cookie;
1630
1631 if (!CBB_add_u16_length_prefixed(cbb, &cookie))
1632 return 0;
1633 if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
1634 S3I(s)->hs_tls13.cookie_len))
1635 return 0;
1636 if (!CBB_flush(cbb))
1637 return 0;
1638
1639 return 1;
1640}
1641
1642int
1643tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert)
1644{
1645 CBS cookie;
1646
1647 /*
1648 * XXX This currently assumes we will not get a second
1649 * HRR from a server with a cookie to process after accepting
1650 * one from the server in the same handshake
1651 */
1652 if ((S3I(s)->hs_tls13.cookie != NULL) ||
1653 S3I(s)->hs_tls13.cookie_len != 0) {
1654 *alert = SSL_AD_ILLEGAL_PARAMETER;
1655 return 0;
1656 }
1657
1658 if (!CBS_get_u16_length_prefixed(cbs, &cookie))
1659 goto err;
1660
1661 if (CBS_len(cbs) != 0)
1662 goto err;
1663
1664 if ((S3I(s)->hs_tls13.cookie = malloc(CBS_len(&cookie))) == NULL)
1665 goto err;
1666
1667 memcpy(S3I(s)->hs_tls13.cookie, CBS_data(&cookie), CBS_len(&cookie));
1668 S3I(s)->hs_tls13.cookie_len = CBS_len(&cookie);
1669
1670 return 1;
1671
1672 err:
1673 *alert = SSL_AD_DECODE_ERROR;
1674 return 0;
1675}
1676
1677struct tls_extension_funcs { 1388struct tls_extension_funcs {
1678 int (*needs)(SSL *s); 1389 int (*needs)(SSL *s);
1679 int (*build)(SSL *s, CBB *cbb); 1390 int (*build)(SSL *s, CBB *cbb);
@@ -1831,20 +1542,6 @@ static struct tls_extension tls_extensions[] = {
1831 .parse = tlsext_alpn_client_parse, 1542 .parse = tlsext_alpn_client_parse,
1832 }, 1543 },
1833 }, 1544 },
1834 {
1835 .type = TLSEXT_TYPE_cookie,
1836 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR,
1837 .client = {
1838 .needs = tlsext_cookie_client_needs,
1839 .build = tlsext_cookie_client_build,
1840 .parse = tlsext_cookie_server_parse,
1841 },
1842 .server = {
1843 .needs = tlsext_cookie_server_needs,
1844 .build = tlsext_cookie_server_build,
1845 .parse = tlsext_cookie_client_parse,
1846 },
1847 },
1848#ifndef OPENSSL_NO_SRTP 1545#ifndef OPENSSL_NO_SRTP
1849 { 1546 {
1850 .type = TLSEXT_TYPE_use_srtp, 1547 .type = TLSEXT_TYPE_use_srtp,
@@ -1868,7 +1565,7 @@ static struct tls_extension tls_extensions[] = {
1868/* Ensure that extensions fit in a uint32_t bitmask. */ 1565/* Ensure that extensions fit in a uint32_t bitmask. */
1869CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); 1566CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8));
1870 1567
1871struct tls_extension * 1568static struct tls_extension *
1872tls_extension_find(uint16_t type, size_t *tls_extensions_idx) 1569tls_extension_find(uint16_t type, size_t *tls_extensions_idx)
1873{ 1570{
1874 size_t i; 1571 size_t i;
@@ -1948,12 +1645,11 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
1948 struct tls_extension_funcs *ext; 1645 struct tls_extension_funcs *ext;
1949 struct tls_extension *tlsext; 1646 struct tls_extension *tlsext;
1950 CBS extensions, extension_data; 1647 CBS extensions, extension_data;
1648 uint32_t extensions_seen = 0;
1951 uint16_t type; 1649 uint16_t type;
1952 size_t idx; 1650 size_t idx;
1953 uint16_t version; 1651 uint16_t version;
1954 1652
1955 S3I(s)->hs.extensions_seen = 0;
1956
1957 if (is_server) 1653 if (is_server)
1958 version = s->version; 1654 version = s->version;
1959 else 1655 else
@@ -1992,9 +1688,9 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
1992 } 1688 }
1993 1689
1994 /* Check for duplicate known extensions. */ 1690 /* Check for duplicate known extensions. */
1995 if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) 1691 if ((extensions_seen & (1 << idx)) != 0)
1996 return 0; 1692 return 0;
1997 S3I(s)->hs.extensions_seen |= (1 << idx); 1693 extensions_seen |= (1 << idx);
1998 1694
1999 ext = tlsext_funcs(tlsext, is_server); 1695 ext = tlsext_funcs(tlsext, is_server);
2000 if (!ext->parse(s, &extension_data, alert)) 1696 if (!ext->parse(s, &extension_data, alert))
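Review bot: tlsext_keyshare_client_parse no longer verifies that the extension body is fully consumed after the key_exchange is read (new lines 1292-1296): the `if (CBS_len(cbs) != 0) goto err;` guard is gone, so trailing bytes after the X25519 share are accepted instead of producing a decode error. The same happens in tlsext_versions_client_parse, where both the trailing-data check and the `selected_version < TLS1_3_VERSION` rejection are removed, so whatever version the server selected is stored in hs_tls13.server_version without the illegal-parameter alert. Restoring `if (CBS_len(cbs) != 0) goto err;` after the length-prefixed read in the keyshare parser, and an equivalent `*alert = SSL_AD_DECODE_ERROR; return 0;` path in the versions parser, keeps the extension parsers strict. Separately, the new local `extensions_seen |= (1 << idx)` (new line 1693) shifts a signed int; `1U << idx` matches the uint32_t it is stored in and avoids undefined behaviour at idx 31 even though CTASSERT bounds the count at 32. Both parse functions start outside their hunks.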
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index 8472a8058b..e82be579d0 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.h,v 1.18 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: ssl_tlsext.h,v 1.19 2019/01/23 18:24:40 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -101,13 +101,6 @@ int tlsext_keyshare_server_needs(SSL *s);
101int tlsext_keyshare_server_build(SSL *s, CBB *cbb); 101int tlsext_keyshare_server_build(SSL *s, CBB *cbb);
102int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert); 102int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert);
103 103
104int tlsext_cookie_client_needs(SSL *s);
105int tlsext_cookie_client_build(SSL *s, CBB *cbb);
106int tlsext_cookie_client_parse(SSL *s, CBS *cbs, int *alert);
107int tlsext_cookie_server_needs(SSL *s);
108int tlsext_cookie_server_build(SSL *s, CBB *cbb);
109int tlsext_cookie_server_parse(SSL *s, CBS *cbs, int *alert);
110
111#ifndef OPENSSL_NO_SRTP 104#ifndef OPENSSL_NO_SRTP
112int tlsext_srtp_client_needs(SSL *s); 105int tlsext_srtp_client_needs(SSL *s);
113int tlsext_srtp_client_build(SSL *s, CBB *cbb); 106int tlsext_srtp_client_build(SSL *s, CBB *cbb);
@@ -123,7 +116,6 @@ int tlsext_client_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
123int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type); 116int tlsext_server_build(SSL *s, CBB *cbb, uint16_t msg_type);
124int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type); 117int tlsext_server_parse(SSL *s, CBS *cbs, int *alert, uint16_t msg_type);
125 118
126struct tls_extension *tls_extension_find(uint16_t, size_t *);
127__END_HIDDEN_DECLS 119__END_HIDDEN_DECLS
128 120
129#endif 121#endif
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 567b3e48e0..cde022939d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.151 2019/01/23 16:46:04 beck Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.152 2019/01/23 18:24:40 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1002,12 +1002,11 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1002 1002
1003/* Set preferred digest for each key type */ 1003/* Set preferred digest for each key type */
1004int 1004int
1005tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len) 1005tls1_process_sigalgs(SSL *s, CBS *cbs)
1006{ 1006{
1007 CERT *c = s->cert; 1007 CERT *c = s->cert;
1008 1008
1009 /* Extension ignored for inappropriate versions */ 1009 /* Extension ignored for inappropriate versions */
1010 /* XXX get rid of this? */
1011 if (!SSL_USE_SIGALGS(s)) 1010 if (!SSL_USE_SIGALGS(s))
1012 return 1; 1011 return 1;
1013 1012
@@ -1024,8 +1023,9 @@ tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len)
1024 if (!CBS_get_u16(cbs, &sig_alg)) 1023 if (!CBS_get_u16(cbs, &sig_alg))
1025 return 0; 1024 return 0;
1026 1025
1027 if ((sigalg = ssl_sigalg(sig_alg, sigalgs, sigalgs_len)) != 1026 if ((sigalg = ssl_sigalg(sig_alg, tls12_sigalgs,
1028 NULL && c->pkeys[sigalg->pkey_idx].sigalg == NULL) { 1027 tls12_sigalgs_len)) != NULL &&
1028 c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
1029 c->pkeys[sigalg->pkey_idx].sigalg = sigalg; 1029 c->pkeys[sigalg->pkey_idx].sigalg = sigalg;
1030 if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN) 1030 if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN)
1031 c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg; 1031 c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg;
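Review bot: With the list parameters dropped, tls1_process_sigalgs (new lines 1005, 1026-1027) always resolves the peer's offers against the file-scope tls12_sigalgs table, which the header comment `Set preferred digest for each key type` does not mention. Suggest extending it to `/* Set preferred digest for each key type; peer offers are matched against tls12_sigalgs only. */` so the callers in ssl_clnt.c and ssl_tlsext.c know no version-specific list is consulted. The function continues past the end of the hunk.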