3 files changed, 78 insertions, 4 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 1157d6ecac..518073f4a1 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.41 2020/01/23 02:24:38 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.42 2020/01/24 04:43:09 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -97,6 +97,7 @@ struct tls13_handshake_action state_machine[] = {
                .handshake_type = TLS13_MT_SERVER_HELLO,
                .sender = TLS13_HS_SERVER,
                .send = tls13_server_hello_send,
+                .sent = tls13_server_hello_sent,
                .recv = tls13_server_hello_recv,
        },
        [SERVER_HELLO_RETRY] = {
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 7b3670bf45..b42889712f 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.51 2020/01/24 04:36:29 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.52 2020/01/24 04:43:09 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -280,6 +280,7 @@ int tls13_client_key_update_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_client_key_update_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
+int tls13_server_hello_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index b64fec8edc..aeeea599bc 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.14 2020/01/24 04:43:09 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -16,6 +16,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <openssl/curve25519.h>
 #include "ssl_locl.h"
 #include "ssl_tlsext.h"
@@ -41,6 +43,7 @@ tls13_server_init(struct tls13_ctx *ctx)
                SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
                return 0;
        }
+        s->version = ctx->hs->max_version;
        if (!tls1_transcript_init(s))
                return 0;
@@ -382,11 +385,80 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
        if (!tls13_server_hello_build(ctx, cbb))
                return 0;
-        ctx->handshake_stage.hs_type |= NEGOTIATED;
        return 1;
 }
 int
+tls13_server_hello_sent(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets;
+        struct tls13_secret context;
+        unsigned char buf[EVP_MAX_MD_SIZE];
+        uint8_t *shared_key = NULL;
+        size_t hash_len;
+        SSL *s = ctx->ssl;
+        int ret = 0;
+        /* XXX - handle other key share types. */
+        if (ctx->hs->x25519_peer_public == NULL) {
+                /* XXX - alert. */
+                goto err;
+        }
+        if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
+                goto err;
+        if (!X25519(shared_key, ctx->hs->x25519_private,
+            ctx->hs->x25519_peer_public))
+                goto err;
+        s->session->cipher = S3I(s)->hs.new_cipher;
+        s->session->ssl_version = ctx->hs->server_version;
+        if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+                goto err;
+        if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+                goto err;
+        if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
+                goto err;
+        S3I(ctx->ssl)->hs_tls13.secrets = secrets;
+        /* XXX - pass in hash. */
+        if (!tls1_transcript_hash_init(s))
+                goto err;
+        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
+                goto err;
+        context.data = buf;
+        context.len = hash_len;
+        /* Early secrets. */
+        if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
+            secrets->zeros.len, &context))
+                goto err;
+        /* Handshake secrets. */
+        if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+            X25519_KEY_LENGTH, &context))
+                goto err;
+        tls13_record_layer_set_aead(ctx->rl, ctx->aead);
+        tls13_record_layer_set_hash(ctx->rl, ctx->hash);
+        if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
+            &secrets->client_handshake_traffic))
+                goto err;
+        if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
+            &secrets->server_handshake_traffic))
+                goto err;
+        ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_CR;
+        ret = 1;
+ err:
+        freezero(shared_key, X25519_KEY_LENGTH);
+        return ret;
+}
+int
 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        return 0;

diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index 1157d6ecac..518073f4a1 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.41 2020/01/23 02:24:38 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.c,v 1.42 2020/01/24 04:43:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -97,6 +97,7 @@ struct tls13_handshake_action state_machine[] = {
97	.handshake_type = TLS13_MT_SERVER_HELLO,	97	.handshake_type = TLS13_MT_SERVER_HELLO,
98	.sender = TLS13_HS_SERVER,	98	.sender = TLS13_HS_SERVER,
99	.send = tls13_server_hello_send,	99	.send = tls13_server_hello_send,
		100	.sent = tls13_server_hello_sent,
100	.recv = tls13_server_hello_recv,	101	.recv = tls13_server_hello_recv,
101	},	102	},
102	[SERVER_HELLO_RETRY] = {	103	[SERVER_HELLO_RETRY] = {


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 7b3670bf45..b42889712f 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.51 2020/01/24 04:36:29 beck Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.52 2020/01/24 04:43:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -280,6 +280,7 @@ int tls13_client_key_update_send(struct tls13_ctx ctx, CBB cbb);
280	int tls13_client_key_update_recv(struct tls13_ctx ctx, CBS cbs);	280	int tls13_client_key_update_recv(struct tls13_ctx ctx, CBS cbs);
281	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);	281	int tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs);
282	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);	282	int tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb);
		283	int tls13_server_hello_sent(struct tls13_ctx *ctx);
283	int tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs);	284	int tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs);
284	int tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb);	285	int tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb);
285	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);	286	int tls13_server_encrypted_extensions_recv(struct tls13_ctx ctx, CBS cbs);


diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index b64fec8edc..aeeea599bc 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.14 2020/01/24 04:43:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -16,6 +16,8 @@
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/	17	*/
18		18
		19	#include <openssl/curve25519.h>
		20
19	#include "ssl_locl.h"	21	#include "ssl_locl.h"
20	#include "ssl_tlsext.h"	22	#include "ssl_tlsext.h"
21		23
@@ -41,6 +43,7 @@ tls13_server_init(struct tls13_ctx *ctx)
41	SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);	43	SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
42	return 0;	44	return 0;
43	}	45	}
		46	s->version = ctx->hs->max_version;
44		47
45	if (!tls1_transcript_init(s))	48	if (!tls1_transcript_init(s))
46	return 0;	49	return 0;
@@ -382,11 +385,80 @@ tls13_server_hello_send(struct tls13_ctx ctx, CBB cbb)
382	if (!tls13_server_hello_build(ctx, cbb))	385	if (!tls13_server_hello_build(ctx, cbb))
383	return 0;	386	return 0;
384		387
385	ctx->handshake_stage.hs_type \|= NEGOTIATED;
386	return 1;	388	return 1;
387	}	389	}
388		390
389	int	391	int
		392	tls13_server_hello_sent(struct tls13_ctx *ctx)
		393	{
		394	struct tls13_secrets *secrets;
		395	struct tls13_secret context;
		396	unsigned char buf[EVP_MAX_MD_SIZE];
		397	uint8_t *shared_key = NULL;
		398	size_t hash_len;
		399	SSL *s = ctx->ssl;
		400	int ret = 0;
		401
		402	/* XXX - handle other key share types. */
		403	if (ctx->hs->x25519_peer_public == NULL) {
		404	/* XXX - alert. */
		405	goto err;
		406	}
		407	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
		408	goto err;
		409	if (!X25519(shared_key, ctx->hs->x25519_private,
		410	ctx->hs->x25519_peer_public))
		411	goto err;
		412
		413	s->session->cipher = S3I(s)->hs.new_cipher;
		414	s->session->ssl_version = ctx->hs->server_version;
		415
		416	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
		417	goto err;
		418	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
		419	goto err;
		420
		421	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
		422	goto err;
		423	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
		424
		425	/* XXX - pass in hash. */
		426	if (!tls1_transcript_hash_init(s))
		427	goto err;
		428	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
		429	goto err;
		430	context.data = buf;
		431	context.len = hash_len;
		432
		433	/* Early secrets. */
		434	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
		435	secrets->zeros.len, &context))
		436	goto err;
		437
		438	/* Handshake secrets. */
		439	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
		440	X25519_KEY_LENGTH, &context))
		441	goto err;
		442
		443	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
		444	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
		445
		446	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
		447	&secrets->client_handshake_traffic))
		448	goto err;
		449	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
		450	&secrets->server_handshake_traffic))
		451	goto err;
		452
		453	ctx->handshake_stage.hs_type \|= NEGOTIATED \| WITHOUT_CR;
		454	ret = 1;
		455
		456	err:
		457	freezero(shared_key, X25519_KEY_LENGTH);
		458	return ret;
		459	}
		460
		461	int
390	tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb)	462	tls13_server_hello_retry_send(struct tls13_ctx ctx, CBB cbb)
391	{	463	{
392	return 0;	464	return 0;