From 1b5079de613ae3744d2654a6d70ce52644fc66eb Mon Sep 17 00:00:00 2001 From: tb <> Date: Wed, 24 Jun 2020 07:28:38 +0000 Subject: Enforce restrictions for ClientHello extensions RFC 8446 section 9.2 imposes some requirements on the extensions sent in the ClientHello: key_share and supported_groups must either both be present or both be absent. If no pre_shared_key was sent, the CH must contain both signature_algorithms and supported_groups. If either of these conditions is violated, servers must abort the handshake with a missing_extensions alert. Add a function that enforces this. If we are going to enforce that clients send an SNI, we can also do this in this function. Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py ok beck inoguchi jsing --- src/lib/libssl/tls13_server.c | 45 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index ccbb46652b..843b572401 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.59 2020/06/24 07:28:38 tb Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -96,6 +96,44 @@ tls13_client_hello_is_legacy(CBS *cbs) return (max_version < TLS1_3_VERSION); } +int +tls13_client_hello_required_extensions(struct tls13_ctx *ctx) +{ + SSL *ssl = ctx->ssl; + + /* + * RFC 8446, section 9.2. If the ClientHello has supported_versions + * containing TLSv1.3, presence or absence of some extensions requires + * presence or absence of others. + */ + + /* + * supported_groups and key_share must either both be present or + * both be absent. + */ + if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) != + tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share)) + return 0; + + /* + * If we got no pre_shared_key, then signature_algorithms and + * supported_groups must both be present. + */ + if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) { + if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms)) + return 0; + if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups)) + return 0; + } + + /* + * XXX - Require server_name from client? If so, we SHOULD enforce + * this here - RFC 8446, 9.2. + */ + + return 1; +} + static const uint8_t tls13_compression_null_only[] = { 0 }; static int @@ -172,6 +210,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) tls13_clienthello_hash_clear(ctx->hs); } + if (!tls13_client_hello_required_extensions(ctx)) { + ctx->alert = TLS13_ALERT_MISSING_EXTENSION; + goto err; + } + /* * If we got this far we have a supported versions extension that offers * TLS 1.3 or later. This requires the legacy version be set to 0x0303. -- cgit v1.2.3-55-g6feb