1 files changed, 100 insertions, 5 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index d9ef85753e..dd123f867b 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.42 2020/02/05 17:30:30 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.43 2020/02/06 13:19:18 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -233,6 +233,8 @@ tls13_client_hello_sent(struct tls13_ctx *ctx)
        tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
        tls13_record_layer_allow_ccs(ctx->rl, 1);
+        tls1_transcript_freeze(ctx->ssl);
        return 1;
 }
@@ -400,6 +402,49 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 }
 static int
+tls13_client_synthetic_handshake_message(struct tls13_ctx *ctx)
+{
+        struct tls13_handshake_msg *hm = NULL;
+        unsigned char buf[EVP_MAX_MD_SIZE];
+        size_t hash_len;
+        CBB cbb;
+        CBS cbs;
+        SSL *s = ctx->ssl;
+        int ret = 0;
+        /*
+         * Replace ClientHello with synthetic handshake message - see
+         * RFC 8446 section 4.4.1.
+         */
+        if (!tls1_transcript_hash_init(s))
+                goto err;
+        if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
+                goto err;
+        if ((hm = tls13_handshake_msg_new()) == NULL)
+                goto err;
+        if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
+                goto err;
+        if (!CBB_add_bytes(&cbb, buf, hash_len))
+                goto err;
+        if (!tls13_handshake_msg_finish(hm))
+                goto err;
+        tls13_handshake_msg_data(hm, &cbs);
+        tls1_transcript_reset(ctx->ssl);
+        if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
+                goto err;
+        ret = 1;
+ err:
+        tls13_handshake_msg_free(hm);
+        return ret;
+}
+static int
 tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 {
        struct tls13_secrets *secrets;
@@ -469,6 +514,8 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 int
 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
+        SSL *s = ctx->ssl;
        /*
         * We may have received a legacy (pre-TLSv1.3) server hello,
         * a TLSv1.3 server hello or a TLSv1.3 hello retry request.
@@ -476,11 +523,23 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (!tls13_server_hello_process(ctx, cbs))
                return 0;
+        tls1_transcript_unfreeze(s);
+        if (ctx->hs->hrr) {
+                if (!tls13_client_synthetic_handshake_message(ctx))
+                        return 0;
+        }
+        if (!tls13_handshake_msg_record(ctx))
+                return 0;
        if (ctx->hs->use_legacy)
                return tls13_use_legacy_client(ctx);
-        if (!tls13_client_engage_record_protection(ctx))
+        if (!ctx->hs->hrr) {
-                return 0;
+                if (!tls13_client_engage_record_protection(ctx))
+                        return 0;
+        }
        ctx->handshake_stage.hs_type |= NEGOTIATED;
        if (ctx->hs->hrr)
@@ -494,13 +553,49 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        return 0;
+        int nid;
+        /*
+         * Ensure that the server supported group is not the same
+         * as the one we previously offered and that it was one that
+         * we listed in our supported groups.
+         */
+        if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+                return 0; /* XXX alert */
+        if ((nid = tls1_ec_curve_id2nid(ctx->hs->server_group)) == 0)
+                return 0;
+        if (nid != NID_X25519 && nid != NID_X9_62_prime256v1 && nid != NID_secp384r1)
+                return 0; /* XXX alert */
+        /* Switch to new key share. */
+        tls13_key_share_free(ctx->hs->key_share);
+        if ((ctx->hs->key_share = tls13_key_share_new(nid)) == NULL)
+                return 0;
+        if (!tls13_key_share_generate(ctx->hs->key_share))
+                return 0;
+        if (!tls13_client_hello_build(ctx, cbb))
+                return 0;
+        return 1;
 }
 int
 tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-        return 0;
+        if (!tls13_server_hello_process(ctx, cbs))
+                return 0;
+        if (ctx->hs->use_legacy)
+                return 0; /* XXX alert */
+        if (ctx->hs->hrr)
+                return 0; /* XXX alert */
+        if (!tls13_client_engage_record_protection(ctx))
+                return 0;
+        return 1;
 }
 int

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index d9ef85753e..dd123f867b 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.42 2020/02/05 17:30:30 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.43 2020/02/06 13:19:18 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -233,6 +233,8 @@ tls13_client_hello_sent(struct tls13_ctx *ctx)
233	tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);	233	tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
234	tls13_record_layer_allow_ccs(ctx->rl, 1);	234	tls13_record_layer_allow_ccs(ctx->rl, 1);
235		235
		236	tls1_transcript_freeze(ctx->ssl);
		237
236	return 1;	238	return 1;
237	}	239	}
238		240
@@ -400,6 +402,49 @@ tls13_server_hello_process(struct tls13_ctx ctx, CBS cbs)
400	}	402	}
401		403
402	static int	404	static int
		405	tls13_client_synthetic_handshake_message(struct tls13_ctx *ctx)
		406	{
		407	struct tls13_handshake_msg *hm = NULL;
		408	unsigned char buf[EVP_MAX_MD_SIZE];
		409	size_t hash_len;
		410	CBB cbb;
		411	CBS cbs;
		412	SSL *s = ctx->ssl;
		413	int ret = 0;
		414
		415	/*
		416	* Replace ClientHello with synthetic handshake message - see
		417	* RFC 8446 section 4.4.1.
		418	*/
		419	if (!tls1_transcript_hash_init(s))
		420	goto err;
		421	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
		422	goto err;
		423
		424	if ((hm = tls13_handshake_msg_new()) == NULL)
		425	goto err;
		426	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
		427	goto err;
		428	if (!CBB_add_bytes(&cbb, buf, hash_len))
		429	goto err;
		430	if (!tls13_handshake_msg_finish(hm))
		431	goto err;
		432
		433	tls13_handshake_msg_data(hm, &cbs);
		434
		435	tls1_transcript_reset(ctx->ssl);
		436	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
		437	goto err;
		438
		439	ret = 1;
		440
		441	err:
		442	tls13_handshake_msg_free(hm);
		443
		444	return ret;
		445	}
		446
		447	static int
403	tls13_client_engage_record_protection(struct tls13_ctx *ctx)	448	tls13_client_engage_record_protection(struct tls13_ctx *ctx)
404	{	449	{
405	struct tls13_secrets *secrets;	450	struct tls13_secrets *secrets;
@@ -469,6 +514,8 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
469	int	514	int
470	tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)	515	tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)
471	{	516	{
		517	SSL *s = ctx->ssl;
		518
472	/*	519	/*
473	* We may have received a legacy (pre-TLSv1.3) server hello,	520	* We may have received a legacy (pre-TLSv1.3) server hello,
474	* a TLSv1.3 server hello or a TLSv1.3 hello retry request.	521	* a TLSv1.3 server hello or a TLSv1.3 hello retry request.
@@ -476,11 +523,23 @@ tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)
476	if (!tls13_server_hello_process(ctx, cbs))	523	if (!tls13_server_hello_process(ctx, cbs))
477	return 0;	524	return 0;
478		525
		526	tls1_transcript_unfreeze(s);
		527
		528	if (ctx->hs->hrr) {
		529	if (!tls13_client_synthetic_handshake_message(ctx))
		530	return 0;
		531	}
		532
		533	if (!tls13_handshake_msg_record(ctx))
		534	return 0;
		535
479	if (ctx->hs->use_legacy)	536	if (ctx->hs->use_legacy)
480	return tls13_use_legacy_client(ctx);	537	return tls13_use_legacy_client(ctx);
481		538
482	if (!tls13_client_engage_record_protection(ctx))	539	if (!ctx->hs->hrr) {
483	return 0;	540	if (!tls13_client_engage_record_protection(ctx))
		541	return 0;
		542	}
484		543
485	ctx->handshake_stage.hs_type \|= NEGOTIATED;	544	ctx->handshake_stage.hs_type \|= NEGOTIATED;
486	if (ctx->hs->hrr)	545	if (ctx->hs->hrr)
@@ -494,13 +553,49 @@ tls13_server_hello_recv(struct tls13_ctx ctx, CBS cbs)
494	int	553	int
495	tls13_client_hello_retry_send(struct tls13_ctx ctx, CBB cbb)	554	tls13_client_hello_retry_send(struct tls13_ctx ctx, CBB cbb)
496	{	555	{
497	return 0;	556	int nid;
		557
		558	/*
		559	* Ensure that the server supported group is not the same
		560	* as the one we previously offered and that it was one that
		561	* we listed in our supported groups.
		562	*/
		563	if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
		564	return 0; /* XXX alert */
		565	if ((nid = tls1_ec_curve_id2nid(ctx->hs->server_group)) == 0)
		566	return 0;
		567	if (nid != NID_X25519 && nid != NID_X9_62_prime256v1 && nid != NID_secp384r1)
		568	return 0; /* XXX alert */
		569
		570	/* Switch to new key share. */
		571	tls13_key_share_free(ctx->hs->key_share);
		572	if ((ctx->hs->key_share = tls13_key_share_new(nid)) == NULL)
		573	return 0;
		574	if (!tls13_key_share_generate(ctx->hs->key_share))
		575	return 0;
		576
		577	if (!tls13_client_hello_build(ctx, cbb))
		578	return 0;
		579
		580	return 1;
498	}	581	}
499		582
500	int	583	int
501	tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs)	584	tls13_server_hello_retry_recv(struct tls13_ctx ctx, CBS cbs)
502	{	585	{
503	return 0;	586	if (!tls13_server_hello_process(ctx, cbs))
		587	return 0;
		588
		589	if (ctx->hs->use_legacy)
		590	return 0; /* XXX alert */
		591
		592	if (ctx->hs->hrr)
		593	return 0; /* XXX alert */
		594
		595	if (!tls13_client_engage_record_protection(ctx))
		596	return 0;
		597
		598	return 1;
504	}	599	}
505		600
506	int	601	int