Wire up the TLSv1.3 server.

This currently only has enough code to handle fallback to the legacy TLS stack for TLSv1.2 or earlier, however allows for further development and testing. ok beck@
author: jsing <> 2020-01-22 15:47:22 +0000
committer: jsing <> 2020-01-22 15:47:22 +0000
commit: 10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de (patch)
tree: 1108aa572ec1515fb5e57ca2cad76f6f6230b16c /src/lib/libssl/tls13_server.c
parent: 7655835d7e1b8fa812246e1e652a1747a4f67b32 (diff)
download: openbsd-10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de.tar.gz
openbsd-10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de.tar.bz2
openbsd-10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de.zip
1 files changed, 135 insertions, 2 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 90a339dc61..ee7b92b9a3 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.6 2020/01/22 13:10:51 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.7 2020/01/22 15:47:22 jsing Exp $ */
 /*
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -16,6 +16,7 @@
 */
 #include "ssl_locl.h"
+#include "ssl_tlsext.h"
 #include "tls13_handshake.h"
 #include "tls13_internal.h"
@@ -40,7 +41,8 @@ tls13_server_init(struct tls13_ctx *ctx)
                return 0;
        }
-        /* XXX implement. */
+        if (!tls1_transcript_init(s))
+                return 0;
        return 1;
 }
@@ -79,10 +81,141 @@ tls13_legacy_accept(SSL *ssl)
 }
 int
+tls13_use_legacy_server(struct tls13_ctx *ctx)
+{
+        SSL *s = ctx->ssl;
+        CBS cbs;
+        s->method = tls_legacy_server_method();
+        s->client_version = s->version = s->method->internal->max_version;
+        s->server = 1;
+        if (!ssl3_setup_init_buffer(s))
+                goto err;
+        if (!ssl3_setup_buffers(s))
+                goto err;
+        if (!ssl_init_wbio_buffer(s, 0))
+                goto err;
+        if (s->bbio != s->wbio)
+                s->wbio = BIO_push(s->bbio, s->wbio);
+        /* Stash any unprocessed data from the last record. */
+        tls13_record_layer_rbuf(ctx->rl, &cbs);
+        if (CBS_len(&cbs) > 0) {
+                if (!CBS_write_bytes(&cbs,
+                    S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
+                    S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
+                        goto err;
+                S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
+                S3I(s)->rbuf.left = CBS_len(&cbs);
+                S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
+                S3I(s)->rrec.length = CBS_len(&cbs);
+                s->internal->rstate = SSL_ST_READ_BODY;
+                s->internal->packet = S3I(s)->rbuf.buf;
+                s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
+                s->internal->mac_packet = 1;
+        }
+        /* Stash the current handshake message. */
+        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
+        if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
+            s->internal->init_buf->length, NULL))
+                goto err;
+        S3I(s)->tmp.reuse_message = 1;
+        S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
+        S3I(s)->tmp.message_size = CBS_len(&cbs);
+        S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+        return 1;
+ err:
+        return 0;
+}
+static int
+tls13_client_hello_is_legacy(CBS *cbs)
+{
+        CBS extensions_block, extensions, extension_data;
+        uint16_t selected_version = 0;
+        uint16_t type;
+        CBS_dup(cbs, &extensions_block);
+        if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
+                return 1;
+        while (CBS_len(&extensions) > 0) {
+                if (!CBS_get_u16(&extensions, &type))
+                        return 1;
+                if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
+                        return 1;
+                if (type != TLSEXT_TYPE_supported_versions)
+                        continue;
+                if (!CBS_get_u16(&extension_data, &selected_version))
+                        return 1;
+                if (CBS_len(&extension_data) != 0)
+                        return 1;
+        }
+        return (selected_version < TLS1_3_VERSION);
+}
+static int
+tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
+{
+        CBS cipher_suites, client_random, compression_methods, session_id;
+        uint16_t legacy_version;
+        SSL *s = ctx->ssl;
+        int alert;
+        if (!CBS_get_u16(cbs, &legacy_version))
+                goto err;
+        if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &session_id))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &cipher_suites))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
+                goto err;
+        if (tls13_client_hello_is_legacy(cbs)) {
+                if (!CBS_skip(cbs, CBS_len(cbs)))
+                        goto err;
+                return tls13_use_legacy_server(ctx);
+        }
+        if (!tlsext_server_parse(s, cbs, &alert, SSL_TLSEXT_MSG_CH))
+                goto err;
+        /* XXX - implement. */
+ err:
+        return 0;
+}
+int
 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
+        SSL *s = ctx->ssl;
+        if (!tls13_client_hello_process(ctx, cbs))
+                goto err;
+        /* See if we switched back to the legacy client method. */
+        if (s->method->internal->version < TLS1_3_VERSION)
+                return 1;
        tls13_record_layer_allow_ccs(ctx->rl, 1);
+        return 1;
+ err:
        return 0;
 }
author	jsing <>	2020-01-22 15:47:22 +0000
committer	jsing <>	2020-01-22 15:47:22 +0000
commit	10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de (patch)
tree	1108aa572ec1515fb5e57ca2cad76f6f6230b16c /src/lib/libssl/tls13_server.c
parent	7655835d7e1b8fa812246e1e652a1747a4f67b32 (diff)
download	openbsd-10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de.tar.gz openbsd-10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de.tar.bz2 openbsd-10c7e6c36bf0dc3cca36f953f4d1a51e178aa2de.zip

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 90a339dc61..ee7b92b9a3 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.6 2020/01/22 13:10:51 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.7 2020/01/22 15:47:22 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -16,6 +16,7 @@
16	*/	16	*/
17		17
18	#include "ssl_locl.h"	18	#include "ssl_locl.h"
		19	#include "ssl_tlsext.h"
19		20
20	#include "tls13_handshake.h"	21	#include "tls13_handshake.h"
21	#include "tls13_internal.h"	22	#include "tls13_internal.h"
@@ -40,7 +41,8 @@ tls13_server_init(struct tls13_ctx *ctx)
40	return 0;	41	return 0;
41	}	42	}
42		43
43	/* XXX implement. */	44	if (!tls1_transcript_init(s))
		45	return 0;
44		46
45	return 1;	47	return 1;
46	}	48	}
@@ -79,10 +81,141 @@ tls13_legacy_accept(SSL *ssl)
79	}	81	}
80		82
81	int	83	int
		84	tls13_use_legacy_server(struct tls13_ctx *ctx)
		85	{
		86	SSL *s = ctx->ssl;
		87	CBS cbs;
		88
		89	s->method = tls_legacy_server_method();
		90	s->client_version = s->version = s->method->internal->max_version;
		91	s->server = 1;
		92
		93	if (!ssl3_setup_init_buffer(s))
		94	goto err;
		95	if (!ssl3_setup_buffers(s))
		96	goto err;
		97	if (!ssl_init_wbio_buffer(s, 0))
		98	goto err;
		99
		100	if (s->bbio != s->wbio)
		101	s->wbio = BIO_push(s->bbio, s->wbio);
		102
		103	/* Stash any unprocessed data from the last record. */
		104	tls13_record_layer_rbuf(ctx->rl, &cbs);
		105	if (CBS_len(&cbs) > 0) {
		106	if (!CBS_write_bytes(&cbs,
		107	S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
		108	S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
		109	goto err;
		110
		111	S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
		112	S3I(s)->rbuf.left = CBS_len(&cbs);
		113	S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
		114	S3I(s)->rrec.length = CBS_len(&cbs);
		115	s->internal->rstate = SSL_ST_READ_BODY;
		116	s->internal->packet = S3I(s)->rbuf.buf;
		117	s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
		118	s->internal->mac_packet = 1;
		119	}
		120
		121	/* Stash the current handshake message. */
		122	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
		123	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
		124	s->internal->init_buf->length, NULL))
		125	goto err;
		126
		127	S3I(s)->tmp.reuse_message = 1;
		128	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
		129	S3I(s)->tmp.message_size = CBS_len(&cbs);
		130
		131	S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
		132
		133	return 1;
		134
		135	err:
		136	return 0;
		137	}
		138
		139	static int
		140	tls13_client_hello_is_legacy(CBS *cbs)
		141	{
		142	CBS extensions_block, extensions, extension_data;
		143	uint16_t selected_version = 0;
		144	uint16_t type;
		145
		146	CBS_dup(cbs, &extensions_block);
		147
		148	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
		149	return 1;
		150
		151	while (CBS_len(&extensions) > 0) {
		152	if (!CBS_get_u16(&extensions, &type))
		153	return 1;
		154	if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
		155	return 1;
		156
		157	if (type != TLSEXT_TYPE_supported_versions)
		158	continue;
		159	if (!CBS_get_u16(&extension_data, &selected_version))
		160	return 1;
		161	if (CBS_len(&extension_data) != 0)
		162	return 1;
		163	}
		164
		165	return (selected_version < TLS1_3_VERSION);
		166	}
		167
		168	static int
		169	tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
		170	{
		171	CBS cipher_suites, client_random, compression_methods, session_id;
		172	uint16_t legacy_version;
		173	SSL *s = ctx->ssl;
		174	int alert;
		175
		176	if (!CBS_get_u16(cbs, &legacy_version))
		177	goto err;
		178	if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
		179	goto err;
		180	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
		181	goto err;
		182	if (!CBS_get_u8_length_prefixed(cbs, &cipher_suites))
		183	goto err;
		184	if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
		185	goto err;
		186
		187	if (tls13_client_hello_is_legacy(cbs)) {
		188	if (!CBS_skip(cbs, CBS_len(cbs)))
		189	goto err;
		190	return tls13_use_legacy_server(ctx);
		191	}
		192
		193	if (!tlsext_server_parse(s, cbs, &alert, SSL_TLSEXT_MSG_CH))
		194	goto err;
		195
		196	/* XXX - implement. */
		197
		198	err:
		199	return 0;
		200	}
		201
		202	int
82	tls13_client_hello_recv(struct tls13_ctx ctx, CBS cbs)	203	tls13_client_hello_recv(struct tls13_ctx ctx, CBS cbs)
83	{	204	{
		205	SSL *s = ctx->ssl;
		206
		207	if (!tls13_client_hello_process(ctx, cbs))
		208	goto err;
		209
		210	/* See if we switched back to the legacy client method. */
		211	if (s->method->internal->version < TLS1_3_VERSION)
		212	return 1;
		213
84	tls13_record_layer_allow_ccs(ctx->rl, 1);	214	tls13_record_layer_allow_ccs(ctx->rl, 1);
85		215
		216	return 1;
		217
		218	err:
86	return 0;	219	return 0;
87	}	220	}
88		221