diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 5 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_internal.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_record_layer.c | 16 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 6 |
4 files changed, 22 insertions, 8 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index ef4c3de75f..b42167a58a 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.25 2020/01/22 03:20:09 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.26 2020/01/22 05:06:23 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -223,6 +223,7 @@ int | |||
| 223 | tls13_client_hello_sent(struct tls13_ctx *ctx) | 223 | tls13_client_hello_sent(struct tls13_ctx *ctx) |
| 224 | { | 224 | { |
| 225 | tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); | 225 | tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); |
| 226 | tls13_record_layer_allow_ccs(ctx->rl, 1); | ||
| 226 | 227 | ||
| 227 | return 1; | 228 | return 1; |
| 228 | } | 229 | } |
| @@ -750,6 +751,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx) | |||
| 750 | &secrets->server_application_traffic)) | 751 | &secrets->server_application_traffic)) |
| 751 | goto err; | 752 | goto err; |
| 752 | 753 | ||
| 754 | tls13_record_layer_allow_ccs(ctx->rl, 0); | ||
| 755 | |||
| 753 | ret = 1; | 756 | ret = 1; |
| 754 | 757 | ||
| 755 | err: | 758 | err: |
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 1eb05b7100..fc1d6c1889 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_internal.h,v 1.42 2020/01/22 02:39:45 tb Exp $ */ | 1 | /* $OpenBSD: tls13_internal.h,v 1.43 2020/01/22 05:06:23 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> |
| 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> | 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> |
| @@ -117,6 +117,7 @@ struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read, | |||
| 117 | tls13_phh_recv_cb phh_recv_cb, | 117 | tls13_phh_recv_cb phh_recv_cb, |
| 118 | tls13_phh_sent_cb phh_sent_cb, void *cb_arg); | 118 | tls13_phh_sent_cb phh_sent_cb, void *cb_arg); |
| 119 | void tls13_record_layer_free(struct tls13_record_layer *rl); | 119 | void tls13_record_layer_free(struct tls13_record_layer *rl); |
| 120 | void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow); | ||
| 120 | void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs); | 121 | void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs); |
| 121 | void tls13_record_layer_set_aead(struct tls13_record_layer *rl, | 122 | void tls13_record_layer_set_aead(struct tls13_record_layer *rl, |
| 122 | const EVP_AEAD *aead); | 123 | const EVP_AEAD *aead); |
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index 600990a878..ef558d52df 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_record_layer.c,v 1.20 2020/01/22 02:39:45 tb Exp $ */ | 1 | /* $OpenBSD: tls13_record_layer.c,v 1.21 2020/01/22 05:06:23 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -29,7 +29,8 @@ static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, | |||
| 29 | 29 | ||
| 30 | struct tls13_record_layer { | 30 | struct tls13_record_layer { |
| 31 | uint16_t legacy_version; | 31 | uint16_t legacy_version; |
| 32 | int change_cipher_spec_seen; | 32 | int ccs_allowed; |
| 33 | int ccs_seen; | ||
| 33 | int handshake_completed; | 34 | int handshake_completed; |
| 34 | int phh; | 35 | int phh; |
| 35 | 36 | ||
| @@ -200,6 +201,12 @@ tls13_record_layer_update_nonce(struct tls13_secret *nonce, | |||
| 200 | } | 201 | } |
| 201 | 202 | ||
| 202 | void | 203 | void |
| 204 | tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) | ||
| 205 | { | ||
| 206 | rl->ccs_allowed = allow; | ||
| 207 | } | ||
| 208 | |||
| 209 | void | ||
| 203 | tls13_record_layer_set_aead(struct tls13_record_layer *rl, | 210 | tls13_record_layer_set_aead(struct tls13_record_layer *rl, |
| 204 | const EVP_AEAD *aead) | 211 | const EVP_AEAD *aead) |
| 205 | { | 212 | { |
| @@ -756,8 +763,7 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) | |||
| 756 | * ignored. | 763 | * ignored. |
| 757 | */ | 764 | */ |
| 758 | if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { | 765 | if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
| 759 | /* XXX - need to check after ClientHello, before Finished. */ | 766 | if (!rl->ccs_allowed || rl->ccs_seen) |
| 760 | if (rl->handshake_completed || rl->change_cipher_spec_seen) | ||
| 761 | return tls13_send_alert(rl, SSL_AD_UNEXPECTED_MESSAGE); | 767 | return tls13_send_alert(rl, SSL_AD_UNEXPECTED_MESSAGE); |
| 762 | if (!tls13_record_content(rl->rrec, &cbs)) | 768 | if (!tls13_record_content(rl->rrec, &cbs)) |
| 763 | return tls13_send_alert(rl, TLS1_AD_DECODE_ERROR); | 769 | return tls13_send_alert(rl, TLS1_AD_DECODE_ERROR); |
| @@ -765,7 +771,7 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) | |||
| 765 | return tls13_send_alert(rl, TLS1_AD_DECODE_ERROR); | 771 | return tls13_send_alert(rl, TLS1_AD_DECODE_ERROR); |
| 766 | if (ccs != 1) | 772 | if (ccs != 1) |
| 767 | return tls13_send_alert(rl, SSL_AD_ILLEGAL_PARAMETER); | 773 | return tls13_send_alert(rl, SSL_AD_ILLEGAL_PARAMETER); |
| 768 | rl->change_cipher_spec_seen = 1; | 774 | rl->ccs_seen = 1; |
| 769 | tls13_record_layer_rrec_free(rl); | 775 | tls13_record_layer_rrec_free(rl); |
| 770 | return TLS13_IO_WANT_POLLIN; | 776 | return TLS13_IO_WANT_POLLIN; |
| 771 | } | 777 | } |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 10d85a62b3..fc3e80ad58 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.4 2020/01/22 02:21:05 beck Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.5 2020/01/22 05:06:23 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -81,6 +81,8 @@ tls13_legacy_accept(SSL *ssl) | |||
| 81 | int | 81 | int |
| 82 | tls13_client_hello_recv(struct tls13_ctx *ctx) | 82 | tls13_client_hello_recv(struct tls13_ctx *ctx) |
| 83 | { | 83 | { |
| 84 | tls13_record_layer_allow_ccs(ctx->rl, 1); | ||
| 85 | |||
| 84 | return 0; | 86 | return 0; |
| 85 | } | 87 | } |
| 86 | 88 | ||
| @@ -135,6 +137,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx) | |||
| 135 | int | 137 | int |
| 136 | tls13_client_finished_recv(struct tls13_ctx *ctx) | 138 | tls13_client_finished_recv(struct tls13_ctx *ctx) |
| 137 | { | 139 | { |
| 140 | tls13_record_layer_allow_ccs(ctx->rl, 0); | ||
| 141 | |||
| 138 | return 0; | 142 | return 0; |
| 139 | } | 143 | } |
| 140 | 144 | ||