3 files changed, 87 insertions, 8 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 5b4ecdb47d..1729401505 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.14 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.15 2019/04/04 16:53:57 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -81,12 +81,56 @@ tls13_legacy_connect(SSL *ssl)
        S3I(ssl)->hs.state = SSL_ST_CONNECT;
-        if ((ret = tls13_connect(ctx)) == TLS13_IO_SUCCESS)
+        ret = tls13_connect(ctx);
+        if (ret == TLS13_IO_USE_LEGACY)
+                return ssl->method->internal->ssl_connect(ssl);
+        if (ret == TLS13_IO_SUCCESS)
                S3I(ssl)->hs.state = SSL_ST_OK;
        return tls13_legacy_return_code(ssl, ret);
 }
+int
+tls13_use_legacy_client(struct tls13_ctx *ctx)
+{
+        SSL *s = ctx->ssl;
+        CBS cbs;
+        s->method = tls_legacy_client_method();
+        s->client_version = s->version = s->method->internal->max_version;
+        if (!ssl3_setup_init_buffer(s))
+                goto err;
+        if (!ssl3_setup_buffers(s))
+                goto err;
+        if (!ssl_init_wbio_buffer(s, 0))
+                goto err;
+        if (s->bbio != s->wbio)
+                s->wbio = BIO_push(s->bbio, s->wbio);
+        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
+                goto err;
+        if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4))
+                goto err;
+        if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4,
+            s->internal->init_buf->length - 4, NULL))
+                goto err;
+        S3I(s)->tmp.reuse_message = 1;
+        S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
+        S3I(s)->tmp.message_size = CBS_len(&cbs);
+        S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
+        return 1;
+ err:
+        return 0;
+}
 static int
 tls13_client_hello_build(SSL *s, CBB *cbb)
 {
@@ -156,6 +200,35 @@ static const uint8_t tls13_hello_retry_request_hash[] = {
 };
 static int
+tls13_server_hello_is_legacy(CBS *cbs)
+{
+        CBS extensions_block, extensions, extension_data;
+        uint16_t selected_version = 0;
+        uint16_t type;
+        CBS_dup(cbs, &extensions_block);
+        if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
+                return 1;
+        while (CBS_len(&extensions) > 0) {
+                if (!CBS_get_u16(&extensions, &type))
+                        return 1;
+                if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
+                        return 1;
+                if (type != TLSEXT_TYPE_supported_versions)
+                        continue;
+                if (!CBS_get_u16(&extension_data, &selected_version))
+                        return 1;
+                if (CBS_len(&extension_data) != 0)
+                        return 1;
+        }
+        return (selected_version < TLS1_3_VERSION);
+}
+static int
 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 {
        CBS server_random, session_id;
@@ -176,6 +249,9 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        if (!CBS_get_u8(cbs, &compression_method))
                goto err;
+        if (tls13_server_hello_is_legacy(cbs))
+                return tls13_use_legacy_client(ctx);
        if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))
                goto err;
@@ -259,10 +335,9 @@ tls13_server_hello_recv(struct tls13_ctx *ctx)
        if (!tls13_server_hello_process(ctx, &cbs))
                goto err;
-        if (ctx->hs->server_version < TLS1_3_VERSION) {
+        /* See if we switched back to the legacy client method. */
-                /* XXX - switch back to legacy client. */
+        if (s->method->internal->version < TLS1_3_VERSION)
-                goto err;
+                return 1;
-        }
        if (ctx->handshake_stage.hs_type & WITH_HRR)
                return 1;
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index a55c20525a..cb39974da5 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.32 2019/03/17 15:48:02 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.33 2019/04/04 16:53:57 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -389,6 +389,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
        tls13_handshake_msg_free(ctx->hs_msg);
        ctx->hs_msg = NULL;
+        if (ctx->ssl->method->internal->version < TLS1_3_VERSION)
+                return TLS13_IO_USE_LEGACY;
        return ret;
 }
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 1fe8f547a1..c9ef37a39f 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.26 2019/03/17 15:13:23 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.27 2019/04/04 16:53:57 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -35,6 +35,7 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_FAILURE        -1
 #define TLS13_IO_WANT_POLLIN    -2
 #define TLS13_IO_WANT_POLLOUT   -3
+#define TLS13_IO_USE_LEGACY     -4
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef int (*tls13_post_handshake_cb)(void *_cb_arg);

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 5b4ecdb47d..1729401505 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.14 2019/03/25 17:21:18 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.15 2019/04/04 16:53:57 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -81,12 +81,56 @@ tls13_legacy_connect(SSL *ssl)
81		81
82	S3I(ssl)->hs.state = SSL_ST_CONNECT;	82	S3I(ssl)->hs.state = SSL_ST_CONNECT;
83		83
84	if ((ret = tls13_connect(ctx)) == TLS13_IO_SUCCESS)	84	ret = tls13_connect(ctx);
		85	if (ret == TLS13_IO_USE_LEGACY)
		86	return ssl->method->internal->ssl_connect(ssl);
		87	if (ret == TLS13_IO_SUCCESS)
85	S3I(ssl)->hs.state = SSL_ST_OK;	88	S3I(ssl)->hs.state = SSL_ST_OK;
86		89
87	return tls13_legacy_return_code(ssl, ret);	90	return tls13_legacy_return_code(ssl, ret);
88	}	91	}
89		92
		93	int
		94	tls13_use_legacy_client(struct tls13_ctx *ctx)
		95	{
		96	SSL *s = ctx->ssl;
		97	CBS cbs;
		98
		99	s->method = tls_legacy_client_method();
		100	s->client_version = s->version = s->method->internal->max_version;
		101
		102	if (!ssl3_setup_init_buffer(s))
		103	goto err;
		104	if (!ssl3_setup_buffers(s))
		105	goto err;
		106	if (!ssl_init_wbio_buffer(s, 0))
		107	goto err;
		108
		109	if (s->bbio != s->wbio)
		110	s->wbio = BIO_push(s->bbio, s->wbio);
		111
		112	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
		113	goto err;
		114
		115	if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4))
		116	goto err;
		117
		118	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4,
		119	s->internal->init_buf->length - 4, NULL))
		120	goto err;
		121
		122	S3I(s)->tmp.reuse_message = 1;
		123	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
		124	S3I(s)->tmp.message_size = CBS_len(&cbs);
		125
		126	S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
		127
		128	return 1;
		129
		130	err:
		131	return 0;
		132	}
		133
90	static int	134	static int
91	tls13_client_hello_build(SSL s, CBB cbb)	135	tls13_client_hello_build(SSL s, CBB cbb)
92	{	136	{
@@ -156,6 +200,35 @@ static const uint8_t tls13_hello_retry_request_hash[] = {
156	};	200	};
157		201
158	static int	202	static int
		203	tls13_server_hello_is_legacy(CBS *cbs)
		204	{
		205	CBS extensions_block, extensions, extension_data;
		206	uint16_t selected_version = 0;
		207	uint16_t type;
		208
		209	CBS_dup(cbs, &extensions_block);
		210
		211	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
		212	return 1;
		213
		214	while (CBS_len(&extensions) > 0) {
		215	if (!CBS_get_u16(&extensions, &type))
		216	return 1;
		217	if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
		218	return 1;
		219
		220	if (type != TLSEXT_TYPE_supported_versions)
		221	continue;
		222	if (!CBS_get_u16(&extension_data, &selected_version))
		223	return 1;
		224	if (CBS_len(&extension_data) != 0)
		225	return 1;
		226	}
		227
		228	return (selected_version < TLS1_3_VERSION);
		229	}
		230
		231	static int
159	tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)	232	tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
160	{	233	{
161	CBS server_random, session_id;	234	CBS server_random, session_id;
@@ -176,6 +249,9 @@ tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
176	if (!CBS_get_u8(cbs, &compression_method))	249	if (!CBS_get_u8(cbs, &compression_method))
177	goto err;	250	goto err;
178		251
		252	if (tls13_server_hello_is_legacy(cbs))
		253	return tls13_use_legacy_client(ctx);
		254
179	if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))	255	if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))
180	goto err;	256	goto err;
181		257
@@ -259,10 +335,9 @@ tls13_server_hello_recv(struct tls13_ctx *ctx)
259	if (!tls13_server_hello_process(ctx, &cbs))	335	if (!tls13_server_hello_process(ctx, &cbs))
260	goto err;	336	goto err;
261		337
262	if (ctx->hs->server_version < TLS1_3_VERSION) {	338	/* See if we switched back to the legacy client method. */
263	/* XXX - switch back to legacy client. */	339	if (s->method->internal->version < TLS1_3_VERSION)
264	goto err;	340	return 1;
265	}
266		341
267	if (ctx->handshake_stage.hs_type & WITH_HRR)	342	if (ctx->handshake_stage.hs_type & WITH_HRR)
268	return 1;	343	return 1;


diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index a55c20525a..cb39974da5 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.32 2019/03/17 15:48:02 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.c,v 1.33 2019/04/04 16:53:57 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -389,6 +389,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
389	tls13_handshake_msg_free(ctx->hs_msg);	389	tls13_handshake_msg_free(ctx->hs_msg);
390	ctx->hs_msg = NULL;	390	ctx->hs_msg = NULL;
391		391
		392	if (ctx->ssl->method->internal->version < TLS1_3_VERSION)
		393	return TLS13_IO_USE_LEGACY;
		394
392	return ret;	395	return ret;
393	}	396	}
394		397


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 1fe8f547a1..c9ef37a39f 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.26 2019/03/17 15:13:23 jsing Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.27 2019/04/04 16:53:57 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -35,6 +35,7 @@ __BEGIN_HIDDEN_DECLS
35	#define TLS13_IO_FAILURE -1	35	#define TLS13_IO_FAILURE -1
36	#define TLS13_IO_WANT_POLLIN -2	36	#define TLS13_IO_WANT_POLLIN -2
37	#define TLS13_IO_WANT_POLLOUT -3	37	#define TLS13_IO_WANT_POLLOUT -3
		38	#define TLS13_IO_USE_LEGACY -4
38		39
39	typedef void (tls13_alert_cb)(uint8_t _alert_desc, void _cb_arg);	40	typedef void (tls13_alert_cb)(uint8_t _alert_desc, void _cb_arg);
40	typedef int (tls13_post_handshake_cb)(void _cb_arg);	41	typedef int (tls13_post_handshake_cb)(void _cb_arg);