History log of /openbsd-src/lib/libssl/tls13_server.c (Results 76 – 100 of 109)
Revision Date Author Comments
# 8a834dad 28-Apr-2020 jsing <jsing@openbsd.org>

Move legacy stack interfacing functions into tls13_legacy.c.

No functional change.

ok inoguchi@ tb@


# d0445389 27-Apr-2020 jsing <jsing@openbsd.org>

Shuffle some functions around.

Move functions so that they are in the order that the TLSv1.3 messages are
processed. While here, also move tls13_client_end_of_early_data_send() from
tls13_client.c to tls13_server.c.

No functional change.

ok beck@ tb@


# f113bc44 25-Apr-2020 jsing <jsing@openbsd.org>

Switch to NEGOTIATED when using WITHOUT_HRR.

This ensures that we remain in a valid handshake state in the TLSv1.3
server. Ideally we would not switch to NEGOTIATED until after record
protection has been enabled, but we'll revisit this later.

Issue noted by inoguchi@

ok tb@


# bb4189d7 22-Apr-2020 jsing <jsing@openbsd.org>

Improve TLSv1.3 state machine for HelloRetryRequest handling.

The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.

The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straightforward on the server side, when adding support for HRR.

With feedback from tb@

ok tb@


# 5c60a123 21-Apr-2020 jsing <jsing@openbsd.org>

Handle TLSv1.3 key shares other than X25519 on the server side.

Previously we would only select an X25519 key share from the client,
ignoring any others. Change this so that we will select the first of the
key shares that matches one of our supported groups.

ok beck@ inoguchi@ tb@


# 492b2019 17-Apr-2020 jsing <jsing@openbsd.org>

Generate client key share using our preferred group.

Generate a client key share using our preferred group, rather than always
using X25519. This means that the key share group can be controlled via
SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().

ok beck@


# 9b8b9b48 10-Mar-2020 jsing <jsing@openbsd.org>

Use ctx->hs->secrets rather than the S3I(s) version.

ok inoguchi@ tb@


# a097d0da 10-Mar-2020 jsing <jsing@openbsd.org>

Remove some unnecessary handshake enums/functions.

Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.

ok inoguchi@ tb@


# 94f24495 23-Feb-2020 tb <tb@openbsd.org>

According to RFC 8446, Section 4.4.4, recipients of incorrect Finished
messages must terminate the connection with a decrypt_error alert, so
replace the use of the deprecated decryption_failed alert accordingly.

ok beck inoguchi jsing


# b46dd106 18-Feb-2020 tb <tb@openbsd.org>

drop unused include <openssl/curve25519.h>

ok inoguchi jsing


# 390a99a6 05-Feb-2020 jsing <jsing@openbsd.org>

Remove the hello retry request processing code that was previously added.

This got added to the wrong functions (server side, not client) - swap the
now unimplemented send/recv functions between client and server.

ok tb@


# daaa2dc5 04-Feb-2020 jsing <jsing@openbsd.org>

Free the transcript as soon as we initialise the transcript hash.

Unlike TLSv1.2 there is only a single hash in use, hence as soon as we
know what the hash is and have initialised the transcript hash, we can
free the transcript buffers.

ok inoguchi@ tb@


# 4673309b 30-Jan-2020 jsing <jsing@openbsd.org>

Provide struct/functions for handling TLSv1.3 key shares.

Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.

ok beck@ inoguchi@ tb@


# ae613d71 29-Jan-2020 jsing <jsing@openbsd.org>

If the TLSv1.3 code has not recorded an error and something already exists
on the error stack, refrain from pushing an 'unknown' error on the stack.
This should allow libcrypto errors (including bio) to be visible, where we
have nothing better to offer.

ok tb@


# 637b1bc4 26-Jan-2020 jsing <jsing@openbsd.org>

When switching back to a legacy client or server, ensure we reset the
handshake function pointer.

Fixes an issue found by jca@ with OpenVPN.

ok beck@ tb@


# f25edc96 26-Jan-2020 beck <beck@openbsd.org>

Add server side support for requesting client certificates in tls 1.3

ok jsing@


# 40ef3650 26-Jan-2020 beck <beck@openbsd.org>

Add client certificate support for tls 1.3

ok jsing@


# 2a0f8bf3 26-Jan-2020 beck <beck@openbsd.org>

Move pad and verify context into tls13_lib.c

ok jsing@


# 18f4ffe1 24-Jan-2020 jsing <jsing@openbsd.org>

Complete the initial TLSv1.3 implementation.

ok beck@ tb@


# 3365064d 24-Jan-2020 jsing <jsing@openbsd.org>

Store the legacy session identifier from the ClientHello so we can actually
echo it.

ok beck@ tb@


# be8ffa84 24-Jan-2020 jsing <jsing@openbsd.org>

Switch to encrypted records in the TLSv1.3 server.

This adds code to perform key derivation and set the traffic keys once the
ServerHello message has been sent, enabling encrypted records.

ok beck@ tb@


# 10361718 23-Jan-2020 jsing <jsing@openbsd.org>

Implement client hello processing in the TLSv1.3 server.

ok beck@


# c43b2f19 23-Jan-2020 jsing <jsing@openbsd.org>

Correct several issues in the current TLSv1.3 server code.

Correct the parsing of the client hello support versions extension. This
has one or more values, rather than just the single selected version.

Allocate an SSL_SESSION - this is unused currently, but is needed as
soon as we start parsing extensions.

Also, pull the cipher suites list off correctly - this is u16 prefixed,
not u8.

ok beck@


# 467a4acc 23-Jan-2020 beck <beck@openbsd.org>

Implement sending client certificate requests for 1.3 server

ok jsing@


# aa78e754 23-Jan-2020 beck <beck@openbsd.org>

Build the encrypted extensions for the 1.3 server

ok jsing@

