From 964a70381982bd3478237eede73feae9fa32b0e6 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 24 Jan 2020 04:43:09 +0000
Subject: Switch to encrypted records in the TLSv1.3 server.

This adds code to perform key derivation and set the traffic keys once the
ServerHello message has been sent, enabling encrypted records.

ok beck@ tb@
---
 src/lib/libssl/tls13_server.c | 76 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 74 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl/tls13_server.c')

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index b64fec8edc..aeeea599bc 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.14 2020/01/24 04:43:09 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -16,6 +16,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <openssl/curve25519.h>
+
 #include "ssl_locl.h"
 #include "ssl_tlsext.h"
 
@@ -41,6 +43,7 @@ tls13_server_init(struct tls13_ctx *ctx)
 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
 		return 0;
 	}
+	s->version = ctx->hs->max_version;
 
 	if (!tls1_transcript_init(s))
 		return 0;
@@ -382,10 +385,79 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 	if (!tls13_server_hello_build(ctx, cbb))
 		return 0;
 
- 	ctx->handshake_stage.hs_type |= NEGOTIATED;
 	return 1;
 }
 
+int
+tls13_server_hello_sent(struct tls13_ctx *ctx)
+{
+	struct tls13_secrets *secrets;
+	struct tls13_secret context;
+	unsigned char buf[EVP_MAX_MD_SIZE];
+	uint8_t *shared_key = NULL;
+	size_t hash_len;
+	SSL *s = ctx->ssl;
+	int ret = 0;
+
+	/* XXX - handle other key share types. */
+	if (ctx->hs->x25519_peer_public == NULL) {
+		/* XXX - alert. */
+		goto err;
+	}
+	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
+		goto err;
+	if (!X25519(shared_key, ctx->hs->x25519_private,
+	    ctx->hs->x25519_peer_public))
+		goto err;
+
+	s->session->cipher = S3I(s)->hs.new_cipher;
+	s->session->ssl_version = ctx->hs->server_version;
+
+	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+		goto err;
+	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+		goto err;
+
+	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
+		goto err;
+	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
+
+	/* XXX - pass in hash. */
+	if (!tls1_transcript_hash_init(s))
+		goto err;
+	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
+		goto err;
+	context.data = buf;
+	context.len = hash_len;
+
+	/* Early secrets. */
+	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
+	    secrets->zeros.len, &context))
+		goto err;
+
+	/* Handshake secrets. */
+	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+	    X25519_KEY_LENGTH, &context))
+		goto err;
+
+	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
+	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
+
+	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
+	    &secrets->client_handshake_traffic))
+		goto err;
+	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
+	    &secrets->server_handshake_traffic))
+		goto err;
+
+ 	ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_CR;
+	ret = 1;
+
+ err:
+	freezero(shared_key, X25519_KEY_LENGTH);
+	return ret;
+}
+
 int
 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-- 
cgit v1.2.3-55-g6feb