Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/tls13_client.c37
-rw-r--r--src/lib/libssl/tls13_handshake.c9
-rw-r--r--src/lib/libssl/tls13_internal.h3
3 files changed, 30 insertions, 19 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 07b9ede345..b842cbd39c 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.20 2020/01/20 13:10:37 jsing Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.21 2020/01/21 03:40:05 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -241,8 +241,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
241 uint16_t cipher_suite, legacy_version; 241 uint16_t cipher_suite, legacy_version;
242 uint8_t compression_method; 242 uint8_t compression_method;
243 const SSL_CIPHER *cipher; 243 const SSL_CIPHER *cipher;
244 int alert_desc;
244 SSL *s = ctx->ssl; 245 SSL *s = ctx->ssl;
245 int alert;
246 246
247 if (!CBS_get_u16(cbs, &legacy_version)) 247 if (!CBS_get_u16(cbs, &legacy_version))
248 goto err; 248 goto err;
@@ -258,8 +258,10 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
258 if (tls13_server_hello_is_legacy(cbs)) 258 if (tls13_server_hello_is_legacy(cbs))
259 return tls13_use_legacy_client(ctx); 259 return tls13_use_legacy_client(ctx);
260 260
261 if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH)) 261 if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
262 ctx->alert = alert_desc;
262 goto err; 263 goto err;
264 }
263 265
264 if (CBS_len(cbs) != 0) 266 if (CBS_len(cbs) != 0)
265 goto err; 267 goto err;
@@ -273,14 +275,14 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
273 */ 275 */
274 if (ctx->hs->server_version != 0) { 276 if (ctx->hs->server_version != 0) {
275 if (legacy_version != TLS1_2_VERSION) { 277 if (legacy_version != TLS1_2_VERSION) {
276 /* XXX - alert. */ 278 ctx->alert = SSL_AD_PROTOCOL_VERSION;
277 goto err; 279 goto err;
278 } 280 }
279 } else { 281 } else {
280 if (legacy_version < ctx->hs->min_version || 282 if (legacy_version < ctx->hs->min_version ||
281 legacy_version > ctx->hs->max_version || 283 legacy_version > ctx->hs->max_version ||
282 legacy_version > TLS1_2_VERSION) { 284 legacy_version > TLS1_2_VERSION) {
283 /* XXX - alert. */ 285 ctx->alert = SSL_AD_PROTOCOL_VERSION;
284 goto err; 286 goto err;
285 } 287 }
286 ctx->hs->server_version = legacy_version; 288 ctx->hs->server_version = legacy_version;
@@ -295,19 +297,19 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
295 cipher = ssl3_get_cipher_by_value(cipher_suite); 297 cipher = ssl3_get_cipher_by_value(cipher_suite);
296 if (cipher == NULL || 298 if (cipher == NULL ||
297 sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) { 299 sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) {
298 /* XXX - alert. */ 300 ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
299 goto err; 301 goto err;
300 } 302 }
301 if (ctx->hs->server_version == TLS1_3_VERSION && 303 if (ctx->hs->server_version == TLS1_3_VERSION &&
302 cipher->algorithm_ssl != SSL_TLSV1_3) { 304 cipher->algorithm_ssl != SSL_TLSV1_3) {
303 /* XXX - alert. */ 305 ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
304 goto err; 306 goto err;
305 } 307 }
306 /* XXX - move this to hs_tls13? */ 308 /* XXX - move this to hs_tls13? */
307 S3I(s)->hs.new_cipher = cipher; 309 S3I(s)->hs.new_cipher = cipher;
308 310
309 if (compression_method != 0) { 311 if (compression_method != 0) {
310 /* XXX - alert. */ 312 ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
311 goto err; 313 goto err;
312 } 314 }
313 315
@@ -318,8 +320,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
318 return 1; 320 return 1;
319 321
320 err: 322 err:
321 /* XXX - send alert. */ 323 if (ctx->alert == 0)
322 324 ctx->alert = TLS1_AD_DECODE_ERROR;
323 return 0; 325 return 0;
324} 326}
325 327
@@ -407,14 +409,16 @@ tls13_server_hello_recv(struct tls13_ctx *ctx)
407int 409int
408tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx) 410tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
409{ 411{
410 int alert;
411 CBS cbs; 412 CBS cbs;
413 int alert_desc;
412 414
413 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 415 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
414 goto err; 416 goto err;
415 417
416 if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE)) 418 if (!tlsext_client_parse(ctx->ssl, &cbs, &alert_desc, SSL_TLSEXT_MSG_EE)) {
419 ctx->alert = alert_desc;
417 goto err; 420 goto err;
421 }
418 422
419 if (CBS_len(&cbs) != 0) 423 if (CBS_len(&cbs) != 0)
420 goto err; 424 goto err;
@@ -422,8 +426,8 @@ tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
422 return 1; 426 return 1;
423 427
424 err: 428 err:
425 /* XXX - send alert. */ 429 if (ctx->alert == 0)
426 430 ctx->alert = TLS1_AD_DECODE_ERROR;
427 return 0; 431 return 0;
428} 432}
429 433
@@ -627,13 +631,14 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
627 goto err; 631 goto err;
628 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 632 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
629 CBS_len(&signature)) <= 0) { 633 CBS_len(&signature)) <= 0) {
630 /* XXX - send alert. */
631 goto err; 634 goto err;
632 } 635 }
633 636
634 ret = 1; 637 ret = 1;
635 638
636 err: 639 err:
640 if (!ret)
641 ctx->alert = TLS1_AD_DECODE_ERROR;
637 CBB_cleanup(&cbb); 642 CBB_cleanup(&cbb);
638 EVP_MD_CTX_free(mdctx); 643 EVP_MD_CTX_free(mdctx);
639 free(sig_content); 644 free(sig_content);
@@ -688,7 +693,7 @@ tls13_server_finished_recv(struct tls13_ctx *ctx)
688 goto err; 693 goto err;
689 694
690 if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) { 695 if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
691 /* XXX - send alert. */ 696 ctx->alert = TLS1_AD_DECRYPTION_FAILED;
692 goto err; 697 goto err;
693 } 698 }
694 699
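Review bot: The Finished mismatch branch in tls13_server_finished_recv sets `TLS1_AD_DECRYPTION_FAILED` (descriptor 21), which TLS 1.3 marks as reserved and never to be sent; RFC 8446 requires decrypt_error for a verify_data mismatch, so the line should read `ctx->alert = TLS1_AD_DECRYPT_ERROR;`. RFC 8446 requires the same descriptor when CertificateVerify fails, but the err label of tls13_server_certificate_verify_recv sets `TLS1_AD_DECODE_ERROR` unconditionally, so a bad signature is reported to the peer as an encoding problem, as is every other failure in that function. Setting `ctx->alert = TLS1_AD_DECRYPT_ERROR;` inside the EVP_DigestVerifyFinal branch and guarding the fallback with `if (!ret && ctx->alert == 0)` would match the other handlers in this file. Both functions begin outside their hunks, so the earlier failure paths need checking against the full file.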
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index c86187caec..48a01d3ca4 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_handshake.c,v 1.37 2020/01/20 22:04:17 beck Exp $ */ 1/* $OpenBSD: tls13_handshake.c,v 1.38 2020/01/21 03:40:05 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> 3 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -291,7 +291,8 @@ tls13_handshake_perform(struct tls13_ctx *ctx)
291 ctx->handshake_completed = 1; 291 ctx->handshake_completed = 1;
292 tls13_record_layer_handshake_completed(ctx->rl); 292 tls13_record_layer_handshake_completed(ctx->rl);
293 return TLS13_IO_SUCCESS; 293 return TLS13_IO_SUCCESS;
294 } 294 } else if (ctx->alert)
295 return tls13_send_alert(ctx->rl, ctx->alert);
295 296
296 if (action->sender == ctx->mode) { 297 if (action->sender == ctx->mode) {
297 if ((ret = tls13_handshake_send_action(ctx, action)) <= 0) 298 if ((ret = tls13_handshake_send_action(ctx, action)) <= 0)
@@ -329,6 +330,8 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
329 /* XXX - provide CBB. */ 330 /* XXX - provide CBB. */
330 if (!action->send(ctx)) 331 if (!action->send(ctx))
331 return TLS13_IO_FAILURE; 332 return TLS13_IO_FAILURE;
333 else if (ctx->alert)
334 return tls13_send_alert(ctx->rl, ctx->alert);
332 } 335 }
333 336
334 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 337 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
@@ -389,6 +392,8 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
389 ret = TLS13_IO_FAILURE; 392 ret = TLS13_IO_FAILURE;
390 if (action->recv(ctx)) 393 if (action->recv(ctx))
391 ret = TLS13_IO_SUCCESS; 394 ret = TLS13_IO_SUCCESS;
395 else if (ctx->alert)
396 ret = tls13_send_alert(ctx->rl, ctx->alert);
392 397
393 tls13_handshake_msg_free(ctx->hs_msg); 398 tls13_handshake_msg_free(ctx->hs_msg);
394 ctx->hs_msg = NULL; 399 ctx->hs_msg = NULL;
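Review bot: In tls13_handshake_send_action the added `else if (ctx->alert)` runs only when `action->send(ctx)` succeeded, so a send handler that fails after setting ctx->alert still returns TLS13_IO_FAILURE with no alert sent, while a successful one with a stale value sends an alert in place of the message. In tls13_handshake_recv_action the result of tls13_send_alert replaces the TLS13_IO_FAILURE already in `ret`; tls13_send_alert is not shown here, so it should be confirmed that it never returns a success value, otherwise a rejected handshake message could let the state machine advance. Nothing in these hunks clears ctx->alert once it has been sent, which presumably sends every later tls13_handshake_perform call back into the alert path. If the failure case was the intent in send_action, `if (!action->send(ctx)) return ctx->alert ? tls13_send_alert(ctx->rl, ctx->alert) : TLS13_IO_FAILURE;` expresses it. All three functions extend beyond their hunks.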
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 41833f233f..530ace41af 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_internal.h,v 1.37 2020/01/20 13:10:37 jsing Exp $ */ 1/* $OpenBSD: tls13_internal.h,v 1.38 2020/01/21 03:40:05 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2018 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -186,6 +186,7 @@ struct tls13_ctx {
186 struct tls13_record_layer *rl; 186 struct tls13_record_layer *rl;
187 struct tls13_handshake_msg *hs_msg; 187 struct tls13_handshake_msg *hs_msg;
188 uint8_t key_update_request; 188 uint8_t key_update_request;
189 uint8_t alert;
189 int phh_count; 190 int phh_count;
190 time_t phh_last_seen; 191 time_t phh_last_seen;
191}; 192};
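Review bot: The new `alert` field uses 0 to mean "nothing pending" (the err labels in tls13_client.c test `ctx->alert == 0`), but 0 is also the close_notify descriptor, and the field has no comment recording that. I would document it as `uint8_t alert; /* pending alert description to send; 0 means none, so close_notify cannot be queued here */`. struct tls13_ctx starts above this hunk.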