1 files changed, 135 insertions, 2 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 90a339dc61..ee7b92b9a3 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.6 2020/01/22 13:10:51 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.7 2020/01/22 15:47:22 jsing Exp $ */
 /*
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -16,6 +16,7 @@
 */
 #include "ssl_locl.h"
+#include "ssl_tlsext.h"
 #include "tls13_handshake.h"
 #include "tls13_internal.h"
@@ -40,7 +41,8 @@ tls13_server_init(struct tls13_ctx *ctx)
                return 0;
        }
-        /* XXX implement. */
+        if (!tls1_transcript_init(s))
+                return 0;
        return 1;
 }
@@ -79,10 +81,141 @@ tls13_legacy_accept(SSL *ssl)
 }
 int
+tls13_use_legacy_server(struct tls13_ctx *ctx)
+{
+        SSL *s = ctx->ssl;
+        CBS cbs;
+        s->method = tls_legacy_server_method();
+        s->client_version = s->version = s->method->internal->max_version;
+        s->server = 1;
+        if (!ssl3_setup_init_buffer(s))
+                goto err;
+        if (!ssl3_setup_buffers(s))
+                goto err;
+        if (!ssl_init_wbio_buffer(s, 0))
+                goto err;
+        if (s->bbio != s->wbio)
+                s->wbio = BIO_push(s->bbio, s->wbio);
+        /* Stash any unprocessed data from the last record. */
+        tls13_record_layer_rbuf(ctx->rl, &cbs);
+        if (CBS_len(&cbs) > 0) {
+                if (!CBS_write_bytes(&cbs,
+                    S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
+                    S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
+                        goto err;
+                S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
+                S3I(s)->rbuf.left = CBS_len(&cbs);
+                S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
+                S3I(s)->rrec.length = CBS_len(&cbs);
+                s->internal->rstate = SSL_ST_READ_BODY;
+                s->internal->packet = S3I(s)->rbuf.buf;
+                s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
+                s->internal->mac_packet = 1;
+        }
+        /* Stash the current handshake message. */
+        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
+        if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
+            s->internal->init_buf->length, NULL))
+                goto err;
+        S3I(s)->tmp.reuse_message = 1;
+        S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
+        S3I(s)->tmp.message_size = CBS_len(&cbs);
+        S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+        return 1;
+ err:
+        return 0;
+}
+static int
+tls13_client_hello_is_legacy(CBS *cbs)
+{
+        CBS extensions_block, extensions, extension_data;
+        uint16_t selected_version = 0;
+        uint16_t type;
+        CBS_dup(cbs, &extensions_block);
+        if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
+                return 1;
+        while (CBS_len(&extensions) > 0) {
+                if (!CBS_get_u16(&extensions, &type))
+                        return 1;
+                if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
+                        return 1;
+                if (type != TLSEXT_TYPE_supported_versions)
+                        continue;
+                if (!CBS_get_u16(&extension_data, &selected_version))
+                        return 1;
+                if (CBS_len(&extension_data) != 0)
+                        return 1;
+        }
+        return (selected_version < TLS1_3_VERSION);
+}
+static int
+tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
+{
+        CBS cipher_suites, client_random, compression_methods, session_id;
+        uint16_t legacy_version;
+        SSL *s = ctx->ssl;
+        int alert;
+        if (!CBS_get_u16(cbs, &legacy_version))
+                goto err;
+        if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &session_id))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &cipher_suites))
+                goto err;
+        if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
+                goto err;
+        if (tls13_client_hello_is_legacy(cbs)) {
+                if (!CBS_skip(cbs, CBS_len(cbs)))
+                        goto err;
+                return tls13_use_legacy_server(ctx);
+        }
+        if (!tlsext_server_parse(s, cbs, &alert, SSL_TLSEXT_MSG_CH))
+                goto err;
+        /* XXX - implement. */
+ err:
+        return 0;
+}
+int
 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
+        SSL *s = ctx->ssl;
+        if (!tls13_client_hello_process(ctx, cbs))
+                goto err;
+        /* See if we switched back to the legacy client method. */
+        if (s->method->internal->version < TLS1_3_VERSION)
+                return 1;
        tls13_record_layer_allow_ccs(ctx->rl, 1);
+        return 1;
+ err:
        return 0;
 }

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 90a339dc61..ee7b92b9a3 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.6 2020/01/22 13:10:51 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.7 2020/01/22 15:47:22 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -16,6 +16,7 @@
16	*/	16	*/
17		17
18	#include "ssl_locl.h"	18	#include "ssl_locl.h"
		19	#include "ssl_tlsext.h"
19		20
20	#include "tls13_handshake.h"	21	#include "tls13_handshake.h"
21	#include "tls13_internal.h"	22	#include "tls13_internal.h"
@@ -40,7 +41,8 @@ tls13_server_init(struct tls13_ctx *ctx)
40	return 0;	41	return 0;
41	}	42	}
42		43
43	/* XXX implement. */	44	if (!tls1_transcript_init(s))
		45	return 0;
44		46
45	return 1;	47	return 1;
46	}	48	}
@@ -79,10 +81,141 @@ tls13_legacy_accept(SSL *ssl)
79	}	81	}
80		82
81	int	83	int
		84	tls13_use_legacy_server(struct tls13_ctx *ctx)
		85	{
		86	SSL *s = ctx->ssl;
		87	CBS cbs;
		88
		89	s->method = tls_legacy_server_method();
		90	s->client_version = s->version = s->method->internal->max_version;
		91	s->server = 1;
		92
		93	if (!ssl3_setup_init_buffer(s))
		94	goto err;
		95	if (!ssl3_setup_buffers(s))
		96	goto err;
		97	if (!ssl_init_wbio_buffer(s, 0))
		98	goto err;
		99
		100	if (s->bbio != s->wbio)
		101	s->wbio = BIO_push(s->bbio, s->wbio);
		102
		103	/* Stash any unprocessed data from the last record. */
		104	tls13_record_layer_rbuf(ctx->rl, &cbs);
		105	if (CBS_len(&cbs) > 0) {
		106	if (!CBS_write_bytes(&cbs,
		107	S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
		108	S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
		109	goto err;
		110
		111	S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
		112	S3I(s)->rbuf.left = CBS_len(&cbs);
		113	S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
		114	S3I(s)->rrec.length = CBS_len(&cbs);
		115	s->internal->rstate = SSL_ST_READ_BODY;
		116	s->internal->packet = S3I(s)->rbuf.buf;
		117	s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
		118	s->internal->mac_packet = 1;
		119	}
		120
		121	/* Stash the current handshake message. */
		122	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
		123	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
		124	s->internal->init_buf->length, NULL))
		125	goto err;
		126
		127	S3I(s)->tmp.reuse_message = 1;
		128	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
		129	S3I(s)->tmp.message_size = CBS_len(&cbs);
		130
		131	S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
		132
		133	return 1;
		134
		135	err:
		136	return 0;
		137	}
		138
		139	static int
		140	tls13_client_hello_is_legacy(CBS *cbs)
		141	{
		142	CBS extensions_block, extensions, extension_data;
		143	uint16_t selected_version = 0;
		144	uint16_t type;
		145
		146	CBS_dup(cbs, &extensions_block);
		147
		148	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
		149	return 1;
		150
		151	while (CBS_len(&extensions) > 0) {
		152	if (!CBS_get_u16(&extensions, &type))
		153	return 1;
		154	if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
		155	return 1;
		156
		157	if (type != TLSEXT_TYPE_supported_versions)
		158	continue;
		159	if (!CBS_get_u16(&extension_data, &selected_version))
		160	return 1;
		161	if (CBS_len(&extension_data) != 0)
		162	return 1;
		163	}
		164
		165	return (selected_version < TLS1_3_VERSION);
		166	}
		167
		168	static int
		169	tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
		170	{
		171	CBS cipher_suites, client_random, compression_methods, session_id;
		172	uint16_t legacy_version;
		173	SSL *s = ctx->ssl;
		174	int alert;
		175
		176	if (!CBS_get_u16(cbs, &legacy_version))
		177	goto err;
		178	if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
		179	goto err;
		180	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
		181	goto err;
		182	if (!CBS_get_u8_length_prefixed(cbs, &cipher_suites))
		183	goto err;
		184	if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
		185	goto err;
		186
		187	if (tls13_client_hello_is_legacy(cbs)) {
		188	if (!CBS_skip(cbs, CBS_len(cbs)))
		189	goto err;
		190	return tls13_use_legacy_server(ctx);
		191	}
		192
		193	if (!tlsext_server_parse(s, cbs, &alert, SSL_TLSEXT_MSG_CH))
		194	goto err;
		195
		196	/* XXX - implement. */
		197
		198	err:
		199	return 0;
		200	}
		201
		202	int
82	tls13_client_hello_recv(struct tls13_ctx ctx, CBS cbs)	203	tls13_client_hello_recv(struct tls13_ctx ctx, CBS cbs)
83	{	204	{
		205	SSL *s = ctx->ssl;
		206
		207	if (!tls13_client_hello_process(ctx, cbs))
		208	goto err;
		209
		210	/* See if we switched back to the legacy client method. */
		211	if (s->method->internal->version < TLS1_3_VERSION)
		212	return 1;
		213
84	tls13_record_layer_allow_ccs(ctx->rl, 1);	214	tls13_record_layer_allow_ccs(ctx->rl, 1);
85		215
		216	return 1;
		217
		218	err:
86	return 0;	219	return 0;
87	}	220	}
88		221