Switch to encrypted records in the TLSv1.3 server.

This adds code to perform key derivation and set the traffic keys once the
ServerHello message has been sent, enabling encrypted records.

ok beck@ tb@

3 files changed, 78 insertions, 4 deletions

diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 1157d6ecac..518073f4a1 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.41 2020/01/23 02:24:38 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.42 2020/01/24 04:43:09 jsing Exp $      */
 /*
  * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -97,6 +97,7 @@ struct tls13_handshake_action state_machine[] = {
                 .handshake_type = TLS13_MT_SERVER_HELLO,
                 .sender = TLS13_HS_SERVER,
                 .send = tls13_server_hello_send,
+                .sent = tls13_server_hello_sent,
                 .recv = tls13_server_hello_recv,
         },
         [SERVER_HELLO_RETRY] = {
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 7b3670bf45..b42889712f 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.51 2020/01/24 04:36:29 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.52 2020/01/24 04:43:09 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -280,6 +280,7 @@ int tls13_client_key_update_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_client_key_update_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
+int tls13_server_hello_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index b64fec8edc..aeeea599bc 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.14 2020/01/24 04:43:09 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -16,6 +16,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <openssl/curve25519.h>
+
 #include "ssl_locl.h"
 #include "ssl_tlsext.h"
 
@@ -41,6 +43,7 @@ tls13_server_init(struct tls13_ctx *ctx)
                 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                 return 0;
         }
+        s->version = ctx->hs->max_version;
 
         if (!tls1_transcript_init(s))
                 return 0;
@@ -382,11 +385,80 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
         if (!tls13_server_hello_build(ctx, cbb))
                 return 0;
 
-        ctx->handshake_stage.hs_type |= NEGOTIATED;
         return 1;
 }
 
 int
+tls13_server_hello_sent(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets;
+        struct tls13_secret context;
+        unsigned char buf[EVP_MAX_MD_SIZE];
+        uint8_t *shared_key = NULL;
+        size_t hash_len;
+        SSL *s = ctx->ssl;
+        int ret = 0;
+
+        /* XXX - handle other key share types. */
+        if (ctx->hs->x25519_peer_public == NULL) {
+                /* XXX - alert. */
+                goto err;
+        }
+        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if (!X25519(shared_key, ctx->hs->x25519_private,
+            ctx->hs->x25519_peer_public))
+                goto err;
+
+        s->session->cipher = S3I(s)->hs.new_cipher;
+        s->session->ssl_version = ctx->hs->server_version;
+
+        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+                goto err;
+        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+                goto err;
+
+        if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
+                goto err;
+        S3I(ctx->ssl)->hs_tls13.secrets = secrets;
+
+        /* XXX - pass in hash. */
+        if (!tls1_transcript_hash_init(s))
+                goto err;
+        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
+                goto err;
+        context.data = buf;
+        context.len = hash_len;
+
+        /* Early secrets. */
+        if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
+            secrets->zeros.len, &context))
+                goto err;
+
+        /* Handshake secrets. */
+        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+            X25519_KEY_LENGTH, &context))
+                goto err;
+
+        tls13_record_layer_set_aead(ctx->rl, ctx->aead);
+        tls13_record_layer_set_hash(ctx->rl, ctx->hash);
+
+        if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
+            &secrets->client_handshake_traffic))
+                goto err;
+        if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
+            &secrets->server_handshake_traffic))
+                goto err;
+
+        ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_CR;
+        ret = 1;
+
+ err:
+        freezero(shared_key, X25519_KEY_LENGTH);
+        return ret;
+}
+
+int
 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 {
         return 0;