Wire up the TLSv1.3 server.

This currently only has enough code to handle fallback to the legacy TLS
stack for TLSv1.2 or earlier, however allows for further development and
testing.

ok beck@

3 files changed, 182 insertions, 6 deletions

diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 7936378213a..1c60f106841 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.251 2020/01/22 13:06:20 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.252 2020/01/22 15:47:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1078,6 +1078,7 @@ int ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver,
     uint16_t max_ver);
 
 const SSL_METHOD *tls_legacy_client_method(void);
+const SSL_METHOD *tls_legacy_server_method(void);
 
 const SSL_METHOD *dtls1_get_client_method(int ver);
 const SSL_METHOD *dtls1_get_server_method(int ver);
diff --git a/lib/libssl/ssl_methods.c b/lib/libssl/ssl_methods.c
index 8e544f6e936..30838f7407c 100644
--- a/lib/libssl/ssl_methods.c
+++ b/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.7 2020/01/22 02:34:39 jsing Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.8 2020/01/22 15:47:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -579,7 +579,39 @@ TLSv1_2_method(void)
 	return (&TLSv1_2_method_data);
 }
 
+#ifdef LIBRESSL_HAS_TLS1_3_SERVER
 static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = {
+	.version = TLS1_3_VERSION,
+	.min_version = TLS1_VERSION,
+	.max_version = TLS1_3_VERSION,
+	.ssl_new = tls1_new,
+	.ssl_clear = tls1_clear,
+	.ssl_free = tls1_free,
+	.ssl_accept = tls13_legacy_accept,
+	.ssl_connect = ssl_undefined_function,
+	.ssl_shutdown = tls13_legacy_shutdown,
+	.get_ssl_method = tls1_get_server_method,
+	.get_timeout = tls1_default_timeout,
+	.ssl_version = ssl_undefined_void_function,
+	.ssl_renegotiate = ssl_undefined_function,
+	.ssl_renegotiate_check = ssl_ok,
+	.ssl_get_message = ssl3_get_message,
+	.ssl_read_bytes = tls13_legacy_read_bytes,
+	.ssl_write_bytes = tls13_legacy_write_bytes,
+	.ssl3_enc = &TLSv1_2_enc_data,
+};
+
+static const SSL_METHOD TLS_server_method_data = {
+	.ssl_dispatch_alert = ssl3_dispatch_alert,
+	.num_ciphers = ssl3_num_ciphers,
+	.get_cipher = ssl3_get_cipher,
+	.get_cipher_by_char = ssl3_get_cipher_by_char,
+	.put_cipher_by_char = ssl3_put_cipher_by_char,
+	.internal = &TLS_server_method_internal_data,
+};
+#endif
+
+static const SSL_METHOD_INTERNAL TLS_legacy_server_method_internal_data = {
 	.version = TLS1_2_VERSION,
 	.min_version = TLS1_VERSION,
 	.max_version = TLS1_2_VERSION,
@@ -600,13 +632,13 @@ static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = {
 	.ssl3_enc = &TLSv1_2_enc_data,
 };
 
-static const SSL_METHOD TLS_server_method_data = {
+static const SSL_METHOD TLS_legacy_server_method_data = {
 	.ssl_dispatch_alert = ssl3_dispatch_alert,
 	.num_ciphers = ssl3_num_ciphers,
 	.get_cipher = ssl3_get_cipher,
 	.get_cipher_by_char = ssl3_get_cipher_by_char,
 	.put_cipher_by_char = ssl3_put_cipher_by_char,
-	.internal = &TLS_server_method_internal_data,
+	.internal = &TLS_legacy_server_method_internal_data,
 };
 
 static const SSL_METHOD_INTERNAL TLSv1_server_method_internal_data = {
@@ -720,7 +752,17 @@ SSLv23_server_method(void)
 const SSL_METHOD *
 TLS_server_method(void)
 {
+#ifdef LIBRESSL_HAS_TLS1_3_SERVER
 	return (&TLS_server_method_data);
+#else
+	return tls_legacy_server_method();
+#endif
+}
+
+const SSL_METHOD *
+tls_legacy_server_method(void)
+{
+	return (&TLS_legacy_server_method_data);
 }
 
 const SSL_METHOD *
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 90a339dc612..ee7b92b9a3c 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.6 2020/01/22 13:10:51 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.7 2020/01/22 15:47:22 jsing Exp $ */
 /*
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -16,6 +16,7 @@
  */
 
 #include "ssl_locl.h"
+#include "ssl_tlsext.h"
 
 #include "tls13_handshake.h"
 #include "tls13_internal.h"
@@ -40,7 +41,8 @@ tls13_server_init(struct tls13_ctx *ctx)
 		return 0;
 	}
 
-	/* XXX implement. */
+	if (!tls1_transcript_init(s))
+		return 0;
 
 	return 1;
 }
@@ -79,10 +81,141 @@ tls13_legacy_accept(SSL *ssl)
 }
 
 int
+tls13_use_legacy_server(struct tls13_ctx *ctx)
+{
+	SSL *s = ctx->ssl;
+	CBS cbs;
+
+	s->method = tls_legacy_server_method();
+	s->client_version = s->version = s->method->internal->max_version;
+	s->server = 1;
+
+	if (!ssl3_setup_init_buffer(s))
+		goto err;
+	if (!ssl3_setup_buffers(s))
+		goto err;
+	if (!ssl_init_wbio_buffer(s, 0))
+		goto err;
+
+	if (s->bbio != s->wbio)
+		s->wbio = BIO_push(s->bbio, s->wbio);
+
+	/* Stash any unprocessed data from the last record. */
+	tls13_record_layer_rbuf(ctx->rl, &cbs);
+	if (CBS_len(&cbs) > 0) {
+		if (!CBS_write_bytes(&cbs,
+		    S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
+		    S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
+			goto err;
+
+		S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
+		S3I(s)->rbuf.left = CBS_len(&cbs);
+		S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
+		S3I(s)->rrec.length = CBS_len(&cbs);
+		s->internal->rstate = SSL_ST_READ_BODY;
+		s->internal->packet = S3I(s)->rbuf.buf;
+		s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
+		s->internal->mac_packet = 1;
+	}
+
+	/* Stash the current handshake message. */
+	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
+	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
+	    s->internal->init_buf->length, NULL))
+		goto err;
+
+	S3I(s)->tmp.reuse_message = 1;
+	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
+	S3I(s)->tmp.message_size = CBS_len(&cbs);
+
+	S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+
+	return 1;
+
+ err:
+	return 0;
+}
+
+static int
+tls13_client_hello_is_legacy(CBS *cbs)
+{
+	CBS extensions_block, extensions, extension_data;
+	uint16_t selected_version = 0;
+	uint16_t type;
+
+	CBS_dup(cbs, &extensions_block);
+
+	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
+		return 1;
+
+	while (CBS_len(&extensions) > 0) {
+		if (!CBS_get_u16(&extensions, &type))
+			return 1;
+		if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
+			return 1;
+
+		if (type != TLSEXT_TYPE_supported_versions)
+			continue;
+		if (!CBS_get_u16(&extension_data, &selected_version))
+			return 1;
+		if (CBS_len(&extension_data) != 0)
+			return 1;
+	}
+
+	return (selected_version < TLS1_3_VERSION);
+}
+
+static int
+tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
+{
+	CBS cipher_suites, client_random, compression_methods, session_id;
+	uint16_t legacy_version;
+	SSL *s = ctx->ssl;
+	int alert;
+
+	if (!CBS_get_u16(cbs, &legacy_version))
+		goto err;
+	if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
+		goto err;
+	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
+		goto err;
+	if (!CBS_get_u8_length_prefixed(cbs, &cipher_suites))
+		goto err;
+	if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
+		goto err;
+
+	if (tls13_client_hello_is_legacy(cbs)) {
+		if (!CBS_skip(cbs, CBS_len(cbs)))
+			goto err;
+		return tls13_use_legacy_server(ctx);
+	}
+
+	if (!tlsext_server_parse(s, cbs, &alert, SSL_TLSEXT_MSG_CH))
+		goto err;
+
+	/* XXX - implement. */
+
+ err:
+	return 0;
+}
+
+int
 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
+	SSL *s = ctx->ssl;
+
+	if (!tls13_client_hello_process(ctx, cbs))
+		goto err;
+
+	/* See if we switched back to the legacy client method. */
+	if (s->method->internal->version < TLS1_3_VERSION)
+		return 1;
+
 	tls13_record_layer_allow_ccs(ctx->rl, 1);
 
+	return 1;
+
+ err:
 	return 0;
 }