Implement client hello processing in the TLSv1.3 server.

ok beck@

3 files changed, 58 insertions, 10 deletions

diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index f11d96f2ea2..e9f629f3873 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.49 2020/01/23 07:30:55 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.50 2020/01/23 11:57:20 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -38,9 +38,10 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_WANT_POLLOUT	-4
 #define TLS13_IO_USE_LEGACY	-5
 
-#define TLS13_ERR_VERIFY_FAILED	16
-#define TLS13_ERR_HRR_FAILED	17
-#define TLS13_ERR_TRAILING_DATA	18
+#define TLS13_ERR_VERIFY_FAILED		16
+#define TLS13_ERR_HRR_FAILED		17
+#define TLS13_ERR_TRAILING_DATA		18
+#define TLS13_ERR_NO_SHARED_CIPHER	19
 
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *cbs);
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 91dd566864f..473163ee76c 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.25 2020/01/23 10:40:59 jsing Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.26 2020/01/23 11:57:20 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -376,6 +376,9 @@ tls13_legacy_error(SSL *ssl)
 	case TLS13_ERR_TRAILING_DATA:
 		reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
 		break;
+	case TLS13_ERR_NO_SHARED_CIPHER:
+		reason = SSL_R_NO_SHARED_CIPHER;
+		break;
 	}
 
 	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 3c832aec65a..b64fec8edcc 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.12 2020/01/23 11:47:13 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.13 2020/01/23 11:57:20 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -181,9 +181,13 @@ static int
 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 {
 	CBS cipher_suites, client_random, compression_methods, session_id;
+	STACK_OF(SSL_CIPHER) *ciphers = NULL;
+	const SSL_CIPHER *cipher;
 	uint16_t legacy_version;
+	uint8_t compression_method;
+	int alert_desc, comp_null;
 	SSL *s = ctx->ssl;
-	int alert;
+	int ret = 0;
 
 	if (!CBS_get_u16(cbs, &legacy_version))
 		goto err;
@@ -202,13 +206,53 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		return tls13_use_legacy_server(ctx);
 	}
 
-	if (!tlsext_server_parse(s, cbs, &alert, SSL_TLSEXT_MSG_CH))
+	if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {
+		ctx->alert = alert_desc;
 		goto err;
+	}
+
+	/*
+	 * If we got this far we have a supported versions extension that offers
+	 * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
+	 */
+	if (legacy_version != TLS1_2_VERSION) {
+		ctx->alert = SSL_AD_PROTOCOL_VERSION;
+		goto err;
+	}
+
+	/* Parse cipher suites list and select preferred cipher. */
+	if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
+		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+		goto err;
+	}
+	cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
+	if (cipher == NULL) {
+		tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0,
+		    "no shared cipher found", NULL);
+		ctx->alert = SSL_AD_HANDSHAKE_FAILURE;
+		goto err;
+	}
+	S3I(s)->hs.new_cipher = cipher;
+
+	/* Ensure they advertise the NULL compression method. */
+	comp_null = 0;
+	while (CBS_len(&compression_methods) > 0) {
+		if (!CBS_get_u8(&compression_methods, &compression_method))
+			goto err;
+		if (compression_method == 0)
+			comp_null = 1;
+	}
+	if (!comp_null) {
+		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+		goto err;
+	}
 
-	/* XXX - implement. */
+	ret = 1;
 
  err:
-	return 0;
+	sk_SSL_CIPHER_free(ciphers);
+
+	return ret;
 }
 
 int