4 files changed, 262 insertions, 4 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 091713d12a..0761c5b5ce 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.176 2018/11/08 22:28:52 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.177 2019/01/18 12:09:52 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1627,6 +1627,11 @@ ssl3_clear(SSL *s)
        s->internal->packet_length = 0;
        s->version = TLS1_VERSION;
+        tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
+        freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
+        freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
+        freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
 }
 static long
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 94bb76eca3..1653b2ab96 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.225 2018/11/21 15:13:29 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.226 2019/01/18 12:09:52 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -162,6 +162,7 @@
 #include "bytestring.h"
 #include "ssl_sigalgs.h"
+#include "tls13_internal.h"
 __BEGIN_HIDDEN_DECLS
@@ -430,6 +431,22 @@ typedef struct ssl_handshake_st {
        unsigned char *key_block;
 } SSL_HANDSHAKE;
+typedef struct ssl_handshake_tls13_st {
+        uint16_t min_version;
+        uint16_t max_version;
+        uint16_t version;
+        /* Version proposed by peer server. */
+        uint16_t server_version;
+        /* X25519 key share. */
+        uint8_t *x25519_public;
+        uint8_t *x25519_private;
+        uint8_t *x25519_peer_public;
+        struct tls13_secrets *secrets;
+} SSL_HANDSHAKE_TLS13;
 typedef struct ssl_ctx_internal_st {
        uint16_t min_version;
        uint16_t max_version;
@@ -803,6 +820,7 @@ typedef struct ssl3_state_internal_st {
        int in_read_app_data;
        SSL_HANDSHAKE hs;
+        SSL_HANDSHAKE_TLS13 hs_tls13;
        struct  {
                int new_mac_secret_size;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index da34a79f7d..91b3b7d958 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.28 2019/01/18 03:39:27 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.29 2019/01/18 12:09:52 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -16,6 +16,7 @@
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <openssl/curve25519.h>
 #include <openssl/ocsp.h>
 #include "ssl_locl.h"
@@ -1193,6 +1194,196 @@ tlsext_srtp_client_parse(SSL *s, CBS *cbs, int *alert)
 #endif /* OPENSSL_NO_SRTP */
+/*
+ * TLSv1.3 Key Share - RFC 8446 section 4.2.8.
+ */
+int
+tlsext_keyshare_client_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
+            TLS1_3_VERSION);
+}
+int
+tlsext_keyshare_client_build(SSL *s, CBB *cbb)
+{
+        uint8_t *public_key = NULL, *private_key = NULL;
+        CBB client_shares, key_exchange;
+        /* Generate and provide key shares. */
+        if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
+                return 0;
+        /* XXX - other groups. */
+        /* Generate X25519 key pair. */
+        if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        X25519_keypair(public_key, private_key);
+        /* Add the group and serialize the public key. */
+        if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519)))
+                goto err;
+        if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
+                goto err;
+        if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
+                goto err;
+        if (!CBB_flush(cbb))
+                goto err;
+        S3I(s)->hs_tls13.x25519_public = public_key;
+        S3I(s)->hs_tls13.x25519_private = private_key;
+        return 1;
+err:
+        freezero(public_key, X25519_KEY_LENGTH);
+        freezero(private_key, X25519_KEY_LENGTH);
+        return 0;
+}
+int
+tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert)
+{
+        /* XXX we accept this but currently ignore it */
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
+                *alert = TLS1_AD_INTERNAL_ERROR;
+                return 0;
+        }
+        return 1;
+}
+int
+tlsext_keyshare_server_needs(SSL *s)
+{
+        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
+}
+int
+tlsext_keyshare_server_build(SSL *s, CBB *cbb)
+{
+        return 0;
+}
+int
+tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert)
+{
+        CBS key_exchange;
+        uint16_t group;
+        size_t out_len;
+        /* Unpack server share. */
+        if (!CBS_get_u16(cbs, &group))
+                goto err;
+        /* Handle other groups and verify that they're valid. */
+        if (group != tls1_ec_nid2curve_id(NID_X25519))
+                goto err;
+        if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
+                goto err;
+        if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
+                goto err;
+        if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
+                &out_len))
+                goto err;
+        return 1;
+ err:
+        *alert = SSL_AD_DECODE_ERROR;
+        return 0;
+}
+/*
+ * Supported Versions - RFC 8446 section 4.2.1.
+ */
+int
+tlsext_versions_client_needs(SSL *s)
+{
+        /* XXX once this gets initialized when we get tls13_client.c */
+        if (S3I(s)->hs_tls13.max_version == 0)
+                return 0;
+        return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
+            TLS1_3_VERSION);
+}
+int
+tlsext_versions_client_build(SSL *s, CBB *cbb)
+{
+        uint16_t version;
+        CBB versions;
+        uint16_t max, min;
+        max = S3I(s)->hs_tls13.max_version;
+        min = S3I(s)->hs_tls13.min_version;
+        if (min < TLS1_VERSION)
+                return 0;
+        if (!CBB_add_u8_length_prefixed(cbb, &versions))
+                return 0;
+        /* XXX - fix, but contiguous for now... */
+        for (version = max; version >= min; version--) {
+                if (!CBB_add_u16(&versions, version))
+                        return 0;
+        }
+        if (!CBB_flush(cbb))
+                return 0;
+        return 1;
+}
+int
+tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert)
+{
+        /* XXX we accept this but currently ignore it */
+        if (!CBS_skip(cbs, CBS_len(cbs))) {
+                *alert = TLS1_AD_INTERNAL_ERROR;
+                return 0;
+        }
+        return 1;
+}
+int
+tlsext_versions_server_needs(SSL *s)
+{
+        return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
+}
+int
+tlsext_versions_server_build(SSL *s, CBB *cbb)
+{
+        return 0;
+}
+int
+tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert)
+{
+        uint16_t selected_version;
+        if (!CBS_get_u16(cbs, &selected_version)) {
+                *alert = SSL_AD_DECODE_ERROR;
+                return 0;
+        }
+        /* XXX test between min and max once initialization code goes in */
+        S3I(s)->hs_tls13.server_version = selected_version;
+        return 1;
+}
 struct tls_extension_funcs {
        int (*needs)(SSL *s);
        int (*build)(SSL *s, CBB *cbb);
@@ -1208,6 +1399,36 @@ struct tls_extension {
 static struct tls_extension tls_extensions[] = {
        {
+                .type = TLSEXT_TYPE_supported_versions,
+                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
+                    SSL_TLSEXT_MSG_HRR,
+                .client = {
+                        .needs = tlsext_versions_client_needs,
+                        .build = tlsext_versions_client_build,
+                        .parse = tlsext_versions_server_parse,
+                },
+                .server = {
+                        .needs = tlsext_versions_server_needs,
+                        .build = tlsext_versions_server_build,
+                        .parse = tlsext_versions_client_parse,
+                },
+        },
+        {
+                .type = TLSEXT_TYPE_key_share,
+                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH |
+                    SSL_TLSEXT_MSG_HRR,
+                .client = {
+                        .needs = tlsext_keyshare_client_needs,
+                        .build = tlsext_keyshare_client_build,
+                        .parse = tlsext_keyshare_server_parse,
+                },
+                .server = {
+                        .needs = tlsext_keyshare_server_needs,
+                        .build = tlsext_keyshare_server_build,
+                        .parse = tlsext_keyshare_client_parse,
+                },
+        },
+        {
                .type = TLSEXT_TYPE_server_name,
                .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE,
                .client = {
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index e5c1628c98..8f5aaa89dc 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.h,v 1.15 2019/01/18 00:54:42 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.h,v 1.16 2019/01/18 12:09:52 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -86,6 +86,20 @@ int tlsext_sessionticket_server_needs(SSL *s);
 int tlsext_sessionticket_server_build(SSL *s, CBB *cbb);
 int tlsext_sessionticket_server_parse(SSL *s, CBS *cbs, int *alert);
+int tlsext_versions_client_needs(SSL *s);
+int tlsext_versions_client_build(SSL *s, CBB *cbb);
+int tlsext_versions_client_parse(SSL *s, CBS *cbs, int *alert);
+int tlsext_versions_server_needs(SSL *s);
+int tlsext_versions_server_build(SSL *s, CBB *cbb);
+int tlsext_versions_server_parse(SSL *s, CBS *cbs, int *alert);
+int tlsext_keyshare_client_needs(SSL *s);
+int tlsext_keyshare_client_build(SSL *s, CBB *cbb);
+int tlsext_keyshare_client_parse(SSL *s, CBS *cbs, int *alert);
+int tlsext_keyshare_server_needs(SSL *s);
+int tlsext_keyshare_server_build(SSL *s, CBB *cbb);
+int tlsext_keyshare_server_parse(SSL *s, CBS *cbs, int *alert);
 #ifndef OPENSSL_NO_SRTP
 int tlsext_srtp_client_needs(SSL *s);
 int tlsext_srtp_client_build(SSL *s, CBB *cbb);

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 091713d12a..0761c5b5ce 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.176 2018/11/08 22:28:52 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.177 2019/01/18 12:09:52 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1627,6 +1627,11 @@ ssl3_clear(SSL *s)
1627		1627
1628	s->internal->packet_length = 0;	1628	s->internal->packet_length = 0;
1629	s->version = TLS1_VERSION;	1629	s->version = TLS1_VERSION;
		1630
		1631	tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
		1632	freezero(S3I(s)->hs_tls13.x25519_private, X25519_KEY_LENGTH);
		1633	freezero(S3I(s)->hs_tls13.x25519_public, X25519_KEY_LENGTH);
		1634	freezero(S3I(s)->hs_tls13.x25519_peer_public, X25519_KEY_LENGTH);
1630	}	1635	}
1631		1636
1632	static long	1637	static long


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 94bb76eca3..1653b2ab96 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.225 2018/11/21 15:13:29 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.226 2019/01/18 12:09:52 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -162,6 +162,7 @@
162		162
163	#include "bytestring.h"	163	#include "bytestring.h"
164	#include "ssl_sigalgs.h"	164	#include "ssl_sigalgs.h"
		165	#include "tls13_internal.h"
165		166
166	__BEGIN_HIDDEN_DECLS	167	__BEGIN_HIDDEN_DECLS
167		168
@@ -430,6 +431,22 @@ typedef struct ssl_handshake_st {
430	unsigned char *key_block;	431	unsigned char *key_block;
431	} SSL_HANDSHAKE;	432	} SSL_HANDSHAKE;
432		433
		434	typedef struct ssl_handshake_tls13_st {
		435	uint16_t min_version;
		436	uint16_t max_version;
		437	uint16_t version;
		438
		439	/* Version proposed by peer server. */
		440	uint16_t server_version;
		441
		442	/* X25519 key share. */
		443	uint8_t *x25519_public;
		444	uint8_t *x25519_private;
		445	uint8_t *x25519_peer_public;
		446
		447	struct tls13_secrets *secrets;
		448	} SSL_HANDSHAKE_TLS13;
		449
433	typedef struct ssl_ctx_internal_st {	450	typedef struct ssl_ctx_internal_st {
434	uint16_t min_version;	451	uint16_t min_version;
435	uint16_t max_version;	452	uint16_t max_version;
@@ -803,6 +820,7 @@ typedef struct ssl3_state_internal_st {
803	int in_read_app_data;	820	int in_read_app_data;
804		821
805	SSL_HANDSHAKE hs;	822	SSL_HANDSHAKE hs;
		823	SSL_HANDSHAKE_TLS13 hs_tls13;
806		824
807	struct {	825	struct {
808	int new_mac_secret_size;	826	int new_mac_secret_size;


diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index da34a79f7d..91b3b7d958 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.28 2019/01/18 03:39:27 beck Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.29 2019/01/18 12:09:52 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -16,6 +16,7 @@
16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	16	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	17	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18	*/	18	*/
		19	#include <openssl/curve25519.h>
19	#include <openssl/ocsp.h>	20	#include <openssl/ocsp.h>
20		21
21	#include "ssl_locl.h"	22	#include "ssl_locl.h"
@@ -1193,6 +1194,196 @@ tlsext_srtp_client_parse(SSL s, CBS cbs, int *alert)
1193		1194
1194	#endif /* OPENSSL_NO_SRTP */	1195	#endif /* OPENSSL_NO_SRTP */
1195		1196
		1197	/*
		1198	* TLSv1.3 Key Share - RFC 8446 section 4.2.8.
		1199	*/
		1200	int
		1201	tlsext_keyshare_client_needs(SSL *s)
		1202	{
		1203	/* XXX once this gets initialized when we get tls13_client.c */
		1204	if (S3I(s)->hs_tls13.max_version == 0)
		1205	return 0;
		1206	return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
		1207	TLS1_3_VERSION);
		1208	}
		1209
		1210	int
		1211	tlsext_keyshare_client_build(SSL s, CBB cbb)
		1212	{
		1213	uint8_t public_key = NULL, private_key = NULL;
		1214	CBB client_shares, key_exchange;
		1215
		1216	/* Generate and provide key shares. */
		1217	if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
		1218	return 0;
		1219
		1220	/* XXX - other groups. */
		1221
		1222	/* Generate X25519 key pair. */
		1223	if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
		1224	goto err;
		1225	if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL)
		1226	goto err;
		1227	X25519_keypair(public_key, private_key);
		1228
		1229	/* Add the group and serialize the public key. */
		1230	if (!CBB_add_u16(&client_shares, tls1_ec_nid2curve_id(NID_X25519)))
		1231	goto err;
		1232	if (!CBB_add_u16_length_prefixed(&client_shares, &key_exchange))
		1233	goto err;
		1234	if (!CBB_add_bytes(&key_exchange, public_key, X25519_KEY_LENGTH))
		1235	goto err;
		1236
		1237	if (!CBB_flush(cbb))
		1238	goto err;
		1239
		1240	S3I(s)->hs_tls13.x25519_public = public_key;
		1241	S3I(s)->hs_tls13.x25519_private = private_key;
		1242
		1243	return 1;
		1244
		1245	err:
		1246	freezero(public_key, X25519_KEY_LENGTH);
		1247	freezero(private_key, X25519_KEY_LENGTH);
		1248
		1249	return 0;
		1250	}
		1251
		1252	int
		1253	tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert)
		1254	{
		1255	/* XXX we accept this but currently ignore it */
		1256	if (!CBS_skip(cbs, CBS_len(cbs))) {
		1257	*alert = TLS1_AD_INTERNAL_ERROR;
		1258	return 0;
		1259	}
		1260
		1261	return 1;
		1262	}
		1263
		1264	int
		1265	tlsext_keyshare_server_needs(SSL *s)
		1266	{
		1267	return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
		1268	}
		1269
		1270	int
		1271	tlsext_keyshare_server_build(SSL s, CBB cbb)
		1272	{
		1273	return 0;
		1274	}
		1275
		1276	int
		1277	tlsext_keyshare_client_parse(SSL s, CBS cbs, int *alert)
		1278	{
		1279	CBS key_exchange;
		1280	uint16_t group;
		1281	size_t out_len;
		1282
		1283	/* Unpack server share. */
		1284	if (!CBS_get_u16(cbs, &group))
		1285	goto err;
		1286
		1287	/* Handle other groups and verify that they're valid. */
		1288	if (group != tls1_ec_nid2curve_id(NID_X25519))
		1289	goto err;
		1290
		1291	if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
		1292	goto err;
		1293	if (CBS_len(&key_exchange) != X25519_KEY_LENGTH)
		1294	goto err;
		1295	if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
		1296	&out_len))
		1297	goto err;
		1298
		1299	return 1;
		1300
		1301	err:
		1302	*alert = SSL_AD_DECODE_ERROR;
		1303	return 0;
		1304	}
		1305
		1306	/*
		1307	* Supported Versions - RFC 8446 section 4.2.1.
		1308	*/
		1309	int
		1310	tlsext_versions_client_needs(SSL *s)
		1311	{
		1312	/* XXX once this gets initialized when we get tls13_client.c */
		1313	if (S3I(s)->hs_tls13.max_version == 0)
		1314	return 0;
		1315	return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >=
		1316	TLS1_3_VERSION);
		1317	}
		1318
		1319	int
		1320	tlsext_versions_client_build(SSL s, CBB cbb)
		1321	{
		1322	uint16_t version;
		1323	CBB versions;
		1324	uint16_t max, min;
		1325
		1326	max = S3I(s)->hs_tls13.max_version;
		1327	min = S3I(s)->hs_tls13.min_version;
		1328
		1329	if (min < TLS1_VERSION)
		1330	return 0;
		1331
		1332	if (!CBB_add_u8_length_prefixed(cbb, &versions))
		1333	return 0;
		1334
		1335	/* XXX - fix, but contiguous for now... */
		1336	for (version = max; version >= min; version--) {
		1337	if (!CBB_add_u16(&versions, version))
		1338	return 0;
		1339	}
		1340
		1341	if (!CBB_flush(cbb))
		1342	return 0;
		1343
		1344	return 1;
		1345	}
		1346
		1347	int
		1348	tlsext_versions_server_parse(SSL s, CBS cbs, int *alert)
		1349	{
		1350	/* XXX we accept this but currently ignore it */
		1351	if (!CBS_skip(cbs, CBS_len(cbs))) {
		1352	*alert = TLS1_AD_INTERNAL_ERROR;
		1353	return 0;
		1354	}
		1355
		1356	return 1;
		1357	}
		1358
		1359	int
		1360	tlsext_versions_server_needs(SSL *s)
		1361	{
		1362	return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION);
		1363	}
		1364
		1365	int
		1366	tlsext_versions_server_build(SSL s, CBB cbb)
		1367	{
		1368	return 0;
		1369	}
		1370
		1371	int
		1372	tlsext_versions_client_parse(SSL s, CBS cbs, int *alert)
		1373	{
		1374	uint16_t selected_version;
		1375
		1376	if (!CBS_get_u16(cbs, &selected_version)) {
		1377	*alert = SSL_AD_DECODE_ERROR;
		1378	return 0;
		1379	}
		1380
		1381	/* XXX test between min and max once initialization code goes in */
		1382	S3I(s)->hs_tls13.server_version = selected_version;
		1383
		1384	return 1;
		1385	}
		1386
1196	struct tls_extension_funcs {	1387	struct tls_extension_funcs {
1197	int (needs)(SSL s);	1388	int (needs)(SSL s);
1198	int (build)(SSL s, CBB *cbb);	1389	int (build)(SSL s, CBB *cbb);
@@ -1208,6 +1399,36 @@ struct tls_extension {
1208		1399
1209	static struct tls_extension tls_extensions[] = {	1400	static struct tls_extension tls_extensions[] = {
1210	{	1401	{
		1402	.type = TLSEXT_TYPE_supported_versions,
		1403	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_SH \|
		1404	SSL_TLSEXT_MSG_HRR,
		1405	.client = {
		1406	.needs = tlsext_versions_client_needs,
		1407	.build = tlsext_versions_client_build,
		1408	.parse = tlsext_versions_server_parse,
		1409	},
		1410	.server = {
		1411	.needs = tlsext_versions_server_needs,
		1412	.build = tlsext_versions_server_build,
		1413	.parse = tlsext_versions_client_parse,
		1414	},
		1415	},
		1416	{
		1417	.type = TLSEXT_TYPE_key_share,
		1418	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_SH \|
		1419	SSL_TLSEXT_MSG_HRR,
		1420	.client = {
		1421	.needs = tlsext_keyshare_client_needs,
		1422	.build = tlsext_keyshare_client_build,
		1423	.parse = tlsext_keyshare_server_parse,
		1424	},
		1425	.server = {
		1426	.needs = tlsext_keyshare_server_needs,
		1427	.build = tlsext_keyshare_server_build,
		1428	.parse = tlsext_keyshare_client_parse,
		1429	},
		1430	},
		1431	{
1211	.type = TLSEXT_TYPE_server_name,	1432	.type = TLSEXT_TYPE_server_name,
1212	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_EE,	1433	.messages = SSL_TLSEXT_MSG_CH \| SSL_TLSEXT_MSG_EE,
1213	.client = {	1434	.client = {


diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h index e5c1628c98..8f5aaa89dc 100644 --- a/src/lib/libssl/ssl_tlsext.h +++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.h,v 1.15 2019/01/18 00:54:42 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.h,v 1.16 2019/01/18 12:09:52 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -86,6 +86,20 @@ int tlsext_sessionticket_server_needs(SSL *s);
86	int tlsext_sessionticket_server_build(SSL s, CBB cbb);	86	int tlsext_sessionticket_server_build(SSL s, CBB cbb);
87	int tlsext_sessionticket_server_parse(SSL s, CBS cbs, int *alert);	87	int tlsext_sessionticket_server_parse(SSL s, CBS cbs, int *alert);
88		88
		89	int tlsext_versions_client_needs(SSL *s);
		90	int tlsext_versions_client_build(SSL s, CBB cbb);
		91	int tlsext_versions_client_parse(SSL s, CBS cbs, int *alert);
		92	int tlsext_versions_server_needs(SSL *s);
		93	int tlsext_versions_server_build(SSL s, CBB cbb);
		94	int tlsext_versions_server_parse(SSL s, CBS cbs, int *alert);
		95
		96	int tlsext_keyshare_client_needs(SSL *s);
		97	int tlsext_keyshare_client_build(SSL s, CBB cbb);
		98	int tlsext_keyshare_client_parse(SSL s, CBS cbs, int *alert);
		99	int tlsext_keyshare_server_needs(SSL *s);
		100	int tlsext_keyshare_server_build(SSL s, CBB cbb);
		101	int tlsext_keyshare_server_parse(SSL s, CBS cbs, int *alert);
		102
89	#ifndef OPENSSL_NO_SRTP	103	#ifndef OPENSSL_NO_SRTP
90	int tlsext_srtp_client_needs(SSL *s);	104	int tlsext_srtp_client_needs(SSL *s);
91	int tlsext_srtp_client_build(SSL s, CBB cbb);	105	int tlsext_srtp_client_build(SSL s, CBB cbb);