Switch to encrypted records in the TLSv1.3 server.

This adds code to perform key derivation and set the traffic keys once the ServerHello message has been sent, enabling encrypted records. ok beck@ tb@
author: jsing <> 2020-01-24 04:43:09 +0000
committer: jsing <> 2020-01-24 04:43:09 +0000
commit: 964a70381982bd3478237eede73feae9fa32b0e6 (patch)
tree: f271583fde3bbe55c9242508f9c0faa3bde9978d /src/lib
parent: 7c51231fdacb3958fb78ae8cfc85984bfd3854d6 (diff)
download: openbsd-964a70381982bd3478237eede73feae9fa32b0e6.tar.gz
openbsd-964a70381982bd3478237eede73feae9fa32b0e6.tar.bz2
openbsd-964a70381982bd3478237eede73feae9fa32b0e6.zip
3 files changed, 78 insertions, 4 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 1157d6ecac..518073f4a1 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.41 2020/01/23 02:24:38 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.42 2020/01/24 04:43:09 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -97,6 +97,7 @@ struct tls13_handshake_action state_machine[] = {
                .handshake_type = TLS13_MT_SERVER_HELLO,
                .sender = TLS13_HS_SERVER,
                .send = tls13_server_hello_send,
+                .sent = tls13_server_hello_sent,
                .recv = tls13_server_hello_recv,
        },
        [SERVER_HELLO_RETRY] = {
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 7b3670bf45..b42889712f 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.51 2020/01/24 04:36:29 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.52 2020/01/24 04:43:09 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -280,6 +280,7 @@ int tls13_client_key_update_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_client_key_update_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
+int tls13_server_hello_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index b64fec8edc..aeeea599bc 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.14 2020/01/24 04:43:09 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -16,6 +16,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <openssl/curve25519.h>
 #include "ssl_locl.h"
 #include "ssl_tlsext.h"
@@ -41,6 +43,7 @@ tls13_server_init(struct tls13_ctx *ctx)
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
+        s->version = ctx->hs->max_version;
        if (!tls1_transcript_init(s))
                return 0;
@@ -382,11 +385,80 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
        if (!tls13_server_hello_build(ctx, cbb))
                return 0;
-        ctx->handshake_stage.hs_type |= NEGOTIATED;
        return 1;
 }
 int
+tls13_server_hello_sent(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets;
+        struct tls13_secret context;
+        unsigned char buf[EVP_MAX_MD_SIZE];
+        uint8_t *shared_key = NULL;
+        size_t hash_len;
+        SSL *s = ctx->ssl;
+        int ret = 0;
+        /* XXX - handle other key share types. */
+        if (ctx->hs->x25519_peer_public == NULL) {
+                /* XXX - alert. */
+                goto err;
+        }
+        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if (!X25519(shared_key, ctx->hs->x25519_private,
+            ctx->hs->x25519_peer_public))
+                goto err;
+        s->session->cipher = S3I(s)->hs.new_cipher;
+        s->session->ssl_version = ctx->hs->server_version;
+        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+                goto err;
+        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+                goto err;
+        if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
+                goto err;
+        S3I(ctx->ssl)->hs_tls13.secrets = secrets;
+        /* XXX - pass in hash. */
+        if (!tls1_transcript_hash_init(s))
+                goto err;
+        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
+                goto err;
+        context.data = buf;
+        context.len = hash_len;
+        /* Early secrets. */
+        if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
+            secrets->zeros.len, &context))
+                goto err;
+        /* Handshake secrets. */
+        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+            X25519_KEY_LENGTH, &context))
+                goto err;
+        tls13_record_layer_set_aead(ctx->rl, ctx->aead);
+        tls13_record_layer_set_hash(ctx->rl, ctx->hash);
+        if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
+            &secrets->client_handshake_traffic))
+                goto err;
+        if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
+            &secrets->server_handshake_traffic))
+                goto err;
+        ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_CR;
+        ret = 1;
+ err:
+        freezero(shared_key, X25519_KEY_LENGTH);
+        return ret;
+}
+int
 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        return 0;
author	jsing <>	2020-01-24 04:43:09 +0000
committer	jsing <>	2020-01-24 04:43:09 +0000
commit	964a70381982bd3478237eede73feae9fa32b0e6 (patch)
tree	f271583fde3bbe55c9242508f9c0faa3bde9978d /src/lib
parent	7c51231fdacb3958fb78ae8cfc85984bfd3854d6 (diff)
download	openbsd-964a70381982bd3478237eede73feae9fa32b0e6.tar.gz openbsd-964a70381982bd3478237eede73feae9fa32b0e6.tar.bz2 openbsd-964a70381982bd3478237eede73feae9fa32b0e6.zip

diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index 1157d6ecac..518073f4a1 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.41 2020/01/23 02:24:38 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.c,v 1.42 2020/01/24 04:43:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -97,6 +97,7 @@ struct tls13_handshake_action state_machine[] = {
97	.handshake_type = TLS13_MT_SERVER_HELLO,	97	.handshake_type = TLS13_MT_SERVER_HELLO,
98	.sender = TLS13_HS_SERVER,	98	.sender = TLS13_HS_SERVER,
99	.send = tls13_server_hello_send,	99	.send = tls13_server_hello_send,
		100	.sent = tls13_server_hello_sent,
100	.recv = tls13_server_hello_recv,	101	.recv = tls13_server_hello_recv,
101	},	102	},
102	[SERVER_HELLO_RETRY] = {	103	[SERVER_HELLO_RETRY] = {


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 7b3670bf45..b42889712f 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.51 2020/01/24 04:36:29 beck Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.52 2020/01/24 04:43:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -280,6 +280,7 @@ int tls13_client_key_update_send(struct tls13_ctx ctx, CBB cbb);
280	int tls13_client_key_update_recv(struct tls13_ctx ctx, CBS cbs);	280	int tls13_client_key_update_recv(struct tls13_ctx ctx, CBS cbs);
281	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);	281	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);
282	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);	282	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);
		283	int tls13_server_hello_sent(struct tls13_ctx *ctx);
283	int tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs);	284	int tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs);
284	int tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb);	285	int tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb);
285	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);	286	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index b64fec8edc..aeeea599bc 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.14 2020/01/24 04:43:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -16,6 +16,8 @@
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/	17	*/
18		18
		19	#include <openssl/curve25519.h>
		20
19	#include "ssl_locl.h"	21	#include "ssl_locl.h"
20	#include "ssl_tlsext.h"	22	#include "ssl_tlsext.h"
21		23
@@ -41,6 +43,7 @@ tls13_server_init(struct tls13_ctx *ctx)
41	SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);	43	SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
42	return 0;	44	return 0;
43	}	45	}
		46	s->version = ctx->hs->max_version;
44		47
45	if (!tls1_transcript_init(s))	48	if (!tls1_transcript_init(s))
46	return 0;	49	return 0;
@@ -382,11 +385,80 @@ tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb)
382	if (!tls13_server_hello_build(ctx, cbb))	385	if (!tls13_server_hello_build(ctx, cbb))
383	return 0;	386	return 0;
384		387
385	ctx->handshake_stage.hs_type \|= NEGOTIATED;
386	return 1;	388	return 1;
387	}	389	}
388		390
389	int	391	int
		392	tls13_server_hello_sent(struct tls13_ctx *ctx)
		393	{
		394	struct tls13_secrets *secrets;
		395	struct tls13_secret context;
		396	unsigned char buf[EVP_MAX_MD_SIZE];
		397	uint8_t *shared_key = NULL;
		398	size_t hash_len;
		399	SSL *s = ctx->ssl;
		400	int ret = 0;
		401
		402	/* XXX - handle other key share types. */
		403	if (ctx->hs->x25519_peer_public == NULL) {
		404	/* XXX - alert. */
		405	goto err;
		406	}
		407	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
		408	goto err;
		409	if (!X25519(shared_key, ctx->hs->x25519_private,
		410	ctx->hs->x25519_peer_public))
		411	goto err;
		412
		413	s->session->cipher = S3I(s)->hs.new_cipher;
		414	s->session->ssl_version = ctx->hs->server_version;
		415
		416	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
		417	goto err;
		418	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
		419	goto err;
		420
		421	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
		422	goto err;
		423	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
		424
		425	/* XXX - pass in hash. */
		426	if (!tls1_transcript_hash_init(s))
		427	goto err;
		428	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
		429	goto err;
		430	context.data = buf;
		431	context.len = hash_len;
		432
		433	/* Early secrets. */
		434	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
		435	secrets->zeros.len, &context))
		436	goto err;
		437
		438	/* Handshake secrets. */
		439	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
		440	X25519_KEY_LENGTH, &context))
		441	goto err;
		442
		443	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
		444	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
		445
		446	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
		447	&secrets->client_handshake_traffic))
		448	goto err;
		449	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
		450	&secrets->server_handshake_traffic))
		451	goto err;
		452
		453	ctx->handshake_stage.hs_type \|= NEGOTIATED \| WITHOUT_CR;
		454	ret = 1;
		455
		456	err:
		457	freezero(shared_key, X25519_KEY_LENGTH);
		458	return ret;
		459	}
		460
		461	int
390	tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb)	462	tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb)
391	{	463	{
392	return 0;	464	return 0;