From 2b2534fdcdeffb25edd8a1d5b7ebc30d146ba0f3 Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 25 Mar 2024 03:23:59 +0000
Subject: [PATCH] Decouple TLS extension table order from tlsext_randomize_build_order()

The PSK extension must be the last extension in the client hello. This is currently implemented by relying on the fact that it is the last extension in the TLS extension table. Remove this dependency so that we can reorder the table as needed.

ok tb@
---
 lib/libssl/ssl_tlsext.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 5dd4b69dc5a..7b8164352a6 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.137 2023/04/28 18:14:59 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.138 2024/03/25 03:23:59 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -2185,8 +2185,6 @@ static const struct tls_extension tls_extensions[] = {
 },
 },
 {
- /* MUST be last extension in CH per RFC 8446 section 4.2. */
-
 .type = TLSEXT_TYPE_pre_shared_key,
 .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH,
 .client = {
@@ -2250,6 +2248,7 @@ tlsext_funcs(const struct tls_extension *tlsext, int is_server)
 int
 tlsext_randomize_build_order(SSL *s)
 {
+ const struct tls_extension *psk_ext;
 size_t idx, new_idx, psk_idx;
 size_t alpn_idx = 0, sni_idx = 0;
 
@@ -2261,9 +2260,11 @@ tlsext_randomize_build_order(SSL *s)
 return 0;
 s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
- /* RFC 8446, section 4.2: PSK must be the last extension in the CH. */
- psk_idx = N_TLS_EXTENSIONS - 1;
- s->tlsext_build_order[psk_idx] = &tls_extensions[psk_idx];
+ /* RFC 8446, section 4.2 - PSK MUST be the last extension in the CH. */
+ if ((psk_ext = tls_extension_find(TLSEXT_TYPE_pre_shared_key,
+ &psk_idx)) == NULL)
+ return 0;
+ s->tlsext_build_order[N_TLS_EXTENSIONS - 1] = psk_ext;
 
 /* Fisher-Yates shuffle with PSK fixed. */
 for (idx = 0; idx < psk_idx; idx++) {
-- 
2.20.1
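Review bot: The shuffle loop at the end of this hunk is still bounded by `psk_idx`, which after this change is whatever index `tls_extension_find()` reports for the PSK entry (presumably its position in `tls_extensions[]`) rather than `N_TLS_EXTENSIONS - 1`. The two are equal only while PSK remains the last table entry, so once the table is reordered the loop would stop early and, assuming its body fills slot `idx` from `tls_extensions[idx]`, entries after PSK would never enter the build order and some slots before the final one would be left unset. The loop should cover every non-PSK slot, e.g. `for (idx = 0; idx < N_TLS_EXTENSIONS - 1; idx++) {`, with the body skipping `psk_ext` when it walks the table; the loop body lies outside the hunk, so that part has to be checked there. Until then a comment such as `/* XXX - bound assumes PSK is the last entry in tls_extensions[]. */` would keep the remaining dependency visible.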