History log of /openbsd-src/lib/libssl/tls13_server.c (Results 51 – 75 of 109)
# 56fdfbb6 24-Jun-2020 tb <tb@openbsd.org>

Enforce restrictions for ClientHello extensions

RFC 8446 section 9.2 imposes some requirements on the extensions sent
in the ClientHello: key_share and supported_groups must either both be
present or both be absent. If no pre_shared_key was sent, the CH must
contain both signature_algorithms and supported_groups. If either of
these conditions is violated, servers must abort the handshake with a
missing_extensions alert. Add a function that enforces this. If we are
going to enforce that clients send an SNI, we can also do this in this
function.

Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py

ok beck inoguchi jsing


# 095832a3 06-Jun-2020 beck <beck@openbsd.org>

Implement a rolling hash of the ClientHello message. Enforce RFC 8446
section 4.1.2 to ensure subsequent ClientHello messages after a
HelloRetryRequest message must be unchanged from the initial
ClientHello.

ok tb@ jsing@


# 8121cb11 04-Jun-2020 tb <tb@openbsd.org>

Align tls13_server_select_certificate() with
tls13_client_select_certificate().

ok inoguchi


# 7d26cb49 02-Jun-2020 tb <tb@openbsd.org>

distracting whitespace


# 06121fa9 29-May-2020 jsing <jsing@openbsd.org>

Improve server certificate selection for TLSv1.3.

This allows an EC certificate to be selected and used, if the client
sigalgs would allow it.

With feedback from tb@

ok inoguchi@ tb@


# e4de2a75 29-May-2020 jsing <jsing@openbsd.org>

Wire up the servername callback in the TLSv1.3 server.

This makes SNI work correctly with TLSv1.3.

Found the hard way by danj@, gonzalo@ and others.

ok beck@ inoguchi@ tb@


# 29323c26 23-May-2020 jsing <jsing@openbsd.org>

Wire up SSL_MODE_AUTO_RETRY mode to retrying after PHH messages.

ok beck@ inoguchi@ tb@


# ec90fc19 23-May-2020 tb <tb@openbsd.org>

Do not assume that server_group != 0 or tlsext_supportedgroups != NULL
implies that we're dealing with a HRR in the extension handling code.

Explicitly check that we're in this situation by inspecting the flag in
the handshake context. Add missing error checks and send the appropriate
alerts. The hrr flag needs to be unset after parsing the client hello
retry to avoid breaking the server hello handling. All this is far from
ideal, but better than nothing.

The correct fix would likely be to make the message type available
but that would need to be part of a more extensive rearchitecture of
the extension handling.

Discussed at length with jsing


# 92931873 22-May-2020 beck <beck@openbsd.org>

Ensure we only attach an ocsp staple to a leaf certificate, because
for the moment that is all we support. Fixes an issue where gnuTLS
cares that mismatching staples come back on the certs in the chain.

This should be fixed correctly later by associating the staple
to the individual certs rather than the ssl, so this is temporary.

running on www@.

ok tb@, "got that's oopy but an interim ok" jsing@


# e87fcc94 21-May-2020 jsing <jsing@openbsd.org>

Actually set the hrr flag when sending a HelloRetryRequest.

Without this, when SNI is in use the second ClientHello will result in an
error.

Found the hard way by sthen@.

ok sthen@ tb@


# 16933562 19-May-2020 jsing <jsing@openbsd.org>

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 17fca910 19-May-2020 beck <beck@openbsd.org>

Add support for TLS 1.3 server to send certificate status
messages with ocsp staples.

ok jsing@ tb@


# 004f5acb 16-May-2020 jsing <jsing@openbsd.org>

Avoid sending an empty certificate list from the TLSv1.3 server.

A TLSv1.3 server must always send a certificate - return an error and abort
the handshake if none is available.

ok inoguchi@ tb@


# 35a46db7 13-May-2020 jsing <jsing@openbsd.org>

Switch back to the legacy stack where the maximum is less than TLSv1.3.

This allows a server configured to only support TLSv1.2 and earlier, to
correctly handle connections from a TLSv1.3 capable client.

Issue reported by pvk@

ok inoguchi@ tb@


# e095aa7e 11-May-2020 jsing <jsing@openbsd.org>

Set the record layer legacy version from the TLSv1.3 server.

This will be used to handle record version checks.

ok tb@


# 05c39422 11-May-2020 jsing <jsing@openbsd.org>

Use ssl_get_new_session() in the TLSv1.3 server.

This correctly handles session being non-NULL and sets up a few more
things, including ssl_version. Also stop setting the ssl_version to the
server_version, as this is only used on the client side.

ok tb@


# e0a52b2d 10-May-2020 tb <tb@openbsd.org>

Send dummy ChangeCipherSpec messages from the TLSv1.3 server

If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.

Two important improvements over the backed-out diff: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.

with/ok jsing


# 94ac48a6 10-May-2020 jsing <jsing@openbsd.org>

Honour SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the TLSv1.3 server.

ok beck@


# c957d00c 10-May-2020 jsing <jsing@openbsd.org>

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Provide alert defines for TLSv1.3 and use in the TLSv1.3 code.

Rather than using a mess of SSL_AL_*, SSL_AD_*, SSL3_AD_* and TLS1_AD_*
defines, provide our own TLS13_ALERT_* defines and use those. This also
provides the alerts that are new to TLSv1.3.

ok beck@


# 673b36ad 09-May-2020 tb <tb@openbsd.org>

Back out server side CCS sending. It breaks TLSv1.3 client communication
with TLSv1.2 servers, since it makes clients send their dummy CCS too
early... There's an obvious but dirty bandaid which I can't bring myself
to apply - this business is already disgusting enough.

Issue found the hard way by sthen


# ac4a6cd8 09-May-2020 tb <tb@openbsd.org>

Send dummy ChangeCipherSpec messages from the TLSv1.3 server

If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.

ok jsing


# cccb618b 09-May-2020 tb <tb@openbsd.org>

Make the test for the legacy_compression_method vector in the ClientHello
stricter. Previously, we would accept any vector if it advertised the
"null" compression method. RFC 8446 4.1.2 specifies that the only legal
vector has length one and contains a zero byte for the null method.

ok jsing
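The two ClientHello checks described in this log, the legacy_compression_methods rule from RFC 8446 4.1.2 (commit cccb618b above) and the mandatory-extension rules from RFC 8446 9.2 (commit 56fdfbb6, 24-Jun-2020), as a worked example. This is added illustration code, not libssl's implementation: the function names tls13_check_client_hello and build_client_hello, the struct names and the cursor helpers are hypothetical, the alert and extension numbers are the RFC's values, and the ClientHello bytes the test feeds in are constructed, not captured from a client.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Alert descriptions (RFC 8446 section 6) and extension types (section 4.2). */
#define ALERT_ILLEGAL_PARAMETER   47
#define ALERT_DECODE_ERROR        50
#define ALERT_MISSING_EXTENSION  109
#define EXT_SUPPORTED_GROUPS      10
#define EXT_SIGNATURE_ALGORITHMS  13
#define EXT_PRE_SHARED_KEY        41
#define EXT_SUPPORTED_VERSIONS    43
#define EXT_KEY_SHARE             51

/* Bounds-checked reader over the ClientHello bytes (hypothetical helper). */
struct cursor { const uint8_t *p; size_t n; };

static int take(struct cursor *c, size_t n, struct cursor *out)
{
	if (c->n < n) return 0;
	out->p = c->p; out->n = n; c->p += n; c->n -= n;
	return 1;
}
static int get_u8(struct cursor *c, uint8_t *v)
{ struct cursor t; if (!take(c, 1, &t)) return 0; *v = t.p[0]; return 1; }
static int get_u16(struct cursor *c, uint16_t *v)
{ struct cursor t; if (!take(c, 2, &t)) return 0; *v = (uint16_t)(t.p[0] << 8 | t.p[1]); return 1; }
/* opaque v<0..2^8-1> / <0..2^16-1>: length prefix followed by that many bytes. */
static int get_u8_vec(struct cursor *c, struct cursor *out)
{ uint8_t l; return get_u8(c, &l) && take(c, l, out); }
static int get_u16_vec(struct cursor *c, struct cursor *out)
{ uint16_t l; return get_u16(c, &l) && take(c, l, out); }

/* Which of the extensions named by the section 9.2 rules were present. */
struct ch_exts { int key_share, supported_groups, signature_algorithms, pre_shared_key; };

/* Parse a ClientHello body (the bytes after the 4-byte handshake header) and
 * enforce RFC 8446 4.1.2 (legacy_compression_methods) and 9.2 (mandatory
 * extension combinations). Returns 0 if it passes, else the alert to send. */
int tls13_check_client_hello(const uint8_t *buf, size_t len, struct ch_exts *seen)
{
	struct cursor cur = { buf, len }, tmp, exts;
	uint16_t legacy_version, type;

	memset(seen, 0, sizeof(*seen));
	if (!get_u16(&cur, &legacy_version) || !take(&cur, 32, &tmp))   /* version, random */
		return ALERT_DECODE_ERROR;
	if (!get_u8_vec(&cur, &tmp) || tmp.n > 32)                      /* legacy_session_id<0..32> */
		return ALERT_DECODE_ERROR;
	if (!get_u16_vec(&cur, &tmp) || tmp.n < 2 || tmp.n % 2 != 0)    /* cipher_suites<2..2^16-2> */
		return ALERT_DECODE_ERROR;
	if (!get_u8_vec(&cur, &tmp))                                    /* legacy_compression_methods */
		return ALERT_DECODE_ERROR;
	/* 4.1.2: for TLS 1.3 the vector MUST be exactly one byte, set to zero. */
	if (tmp.n != 1 || tmp.p[0] != 0)
		return ALERT_ILLEGAL_PARAMETER;
	if (!get_u16_vec(&cur, &exts) || exts.n < 8 || cur.n != 0)      /* extensions<8..2^16-1>, nothing after */
		return ALERT_DECODE_ERROR;
	while (exts.n > 0) {
		if (!get_u16(&exts, &type) || !get_u16_vec(&exts, &tmp))
			return ALERT_DECODE_ERROR;
		switch (type) {             /* only presence is recorded; bodies are not parsed here */
		case EXT_KEY_SHARE:            seen->key_share = 1; break;
		case EXT_SUPPORTED_GROUPS:     seen->supported_groups = 1; break;
		case EXT_SIGNATURE_ALGORITHMS: seen->signature_algorithms = 1; break;
		case EXT_PRE_SHARED_KEY:       seen->pre_shared_key = 1; break;
		default: break;
		}
	}
	/* 9.2: key_share and supported_groups are either both present or both absent. */
	if (seen->key_share != seen->supported_groups)
		return ALERT_MISSING_EXTENSION;
	/* 9.2: without pre_shared_key, signature_algorithms and supported_groups are mandatory. */
	if (!seen->pre_shared_key && !(seen->signature_algorithms && seen->supported_groups))
		return ALERT_MISSING_EXTENSION;
	return 0;
}

/* Constructed test input, not a captured hello: a minimal ClientHello body with
 * an empty session id, one cipher suite, comp_len zero compression bytes and
 * the given extension types with empty bodies. Returns bytes written, or 0. */
size_t build_client_hello(uint8_t *out, size_t cap, size_t comp_len,
    const uint16_t *types, size_t ntypes)
{
	size_t i, ext_len = 4 * ntypes, len = 2 + 32 + 1 + 4 + 1 + comp_len + 2 + ext_len;
	uint8_t *p = out;

	if (cap < len || comp_len > 255 || ext_len > 65535) return 0;
	*p++ = 0x03; *p++ = 0x03;                     /* legacy_version = TLS 1.2 */
	memset(p, 0x42, 32); p += 32;                 /* random (fixed filler) */
	*p++ = 0;                                     /* empty legacy_session_id */
	*p++ = 0; *p++ = 2; *p++ = 0x13; *p++ = 0x01; /* cipher_suites: TLS_AES_128_GCM_SHA256 */
	*p++ = (uint8_t)comp_len; memset(p, 0, comp_len); p += comp_len;
	*p++ = (uint8_t)(ext_len >> 8); *p++ = (uint8_t)ext_len;
	for (i = 0; i < ntypes; i++) {
		*p++ = (uint8_t)(types[i] >> 8); *p++ = (uint8_t)types[i];
		*p++ = 0; *p++ = 0;                       /* empty extension_data */
	}
	return len;
}
```

A ClientHello carrying supported_groups and signature_algorithms but no key_share (the tlsfuzzer case named in commit 56fdfbb6) is rejected with missing_extension, as is one that omits supported_groups without offering a PSK; a two-byte compression vector, even if both bytes are null, is rejected with illegal_parameter rather than accepted as it was before commit cccb618b. Every length prefix is checked against the remaining bytes before it is used, so a truncated hello yields decode_error instead of a read past the buffer.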


# f62c22f4 09-May-2020 jsing <jsing@openbsd.org>

Add support for HelloRetryRequests in the TLSv1.3 server.

ok inoguchi@ tb@


# d1afb25a 09-May-2020 tb <tb@openbsd.org>

crazy whitespace on one line


# 7752f9fd 09-May-2020 jsing <jsing@openbsd.org>

Refactor tls13_server_hello_sent().

Split the record protection engagement code into a separate
tls13_server_engage_record_protection() function and call this from
tls13_server_hello_sent(). Also move some functions around to keep the
logical ordering/grouping.

ok inoguchi@ tb@ (as part of a larger diff)
