Enforce restrictions for ClientHello extensions

RFC 8446 section 9.2 imposes some requirements on the extensions sent
in the ClientHello: key_share and supported_groups must either both be
present or both be absent. If no pre_shared_key was sent, the CH must
contain both signature_algorithms and supported_groups. If either of
these conditions is violated, servers must abort the handshake with a
missing_extensions alert. Add a function that enforces this. If we are
going to enforce that clients send an SNI, we can also do this in this
function.

Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py

ok beck inoguchi jsing

1 files changed, 44 insertions, 1 deletions

diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index ccbb46652bd..843b5724019 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.58 2020/06/06 01:40:09 beck Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.59 2020/06/24 07:28:38 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -96,6 +96,44 @@ tls13_client_hello_is_legacy(CBS *cbs)
 	return (max_version < TLS1_3_VERSION);
 }
 
+int
+tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
+{
+	SSL *ssl = ctx->ssl;
+
+	/*
+	 * RFC 8446, section 9.2. If the ClientHello has supported_versions
+	 * containing TLSv1.3, presence or absence of some extensions requires
+	 * presence or absence of others.
+	 */
+
+	/*
+	 * supported_groups and key_share must either both be present or
+	 * both be absent.
+	 */
+	if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) !=
+	    tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share))
+		return 0;
+
+	/*
+	 * If we got no pre_shared_key, then signature_algorithms and
+	 * supported_groups must both be present.
+	 */
+	if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) {
+		if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms))
+			return 0;
+		if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups))
+			return 0;
+	}
+
+	/*
+	 * XXX - Require server_name from client? If so, we SHOULD enforce
+	 * this here - RFC 8446, 9.2.
+	 */
+
+	return 1;
+}
+
 static const uint8_t tls13_compression_null_only[] = { 0 };
 
 static int
@@ -172,6 +210,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		tls13_clienthello_hash_clear(ctx->hs);
 	}
 
+	if (!tls13_client_hello_required_extensions(ctx)) {
+		ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
+		goto err;
+	}
+
 	/*
 	 * If we got this far we have a supported versions extension that offers
 	 * TLS 1.3 or later. This requires the legacy version be set to 0x0303.