-/* $OpenBSD: s3_lib.c,v 1.204 2021/02/07 15:26:32 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.205 2021/03/21 18:36:34 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
EC_KEY_free(S3I(s)->tmp.ecdh);
freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
- tls13_key_share_free(S3I(s)->hs_tls13.key_share);
- tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
- freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
- tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+ tls13_key_share_free(S3I(s)->hs.tls13.key_share);
+ tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
+ freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
+ tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
S3I(s)->hs.sigalgs = NULL;
S3I(s)->hs.sigalgs_len = 0;
- tls13_key_share_free(S3I(s)->hs_tls13.key_share);
- S3I(s)->hs_tls13.key_share = NULL;
+ tls13_key_share_free(S3I(s)->hs.tls13.key_share);
+ S3I(s)->hs.tls13.key_share = NULL;
- tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
- S3I(s)->hs_tls13.secrets = NULL;
- freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
- S3I(s)->hs_tls13.cookie = NULL;
- S3I(s)->hs_tls13.cookie_len = 0;
- tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+ tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
+ S3I(s)->hs.tls13.secrets = NULL;
+ freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
+ S3I(s)->hs.tls13.cookie = NULL;
+ S3I(s)->hs.tls13.cookie_len = 0;
+ tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
S3I(s)->hs.extensions_seen = 0;
} else if (sc->peer_x25519_tmp != NULL) {
if (!ssl_kex_dummy_ecdhe_x25519(pkey))
goto err;
- } else if (S3I(s)->hs_tls13.key_share != NULL) {
- if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share,
+ } else if (S3I(s)->hs.tls13.key_share != NULL) {
+ if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share,
pkey))
goto err;
} else {
-/* $OpenBSD: ssl_locl.h,v 1.327 2021/03/17 17:42:53 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.328 2021/03/21 18:36:34 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
} SSL_SESSION_INTERNAL;
#define SSI(s) (s->session->internal)
+typedef struct cert_pkey_st {
+ X509 *x509;
+ EVP_PKEY *privatekey;
+ STACK_OF(X509) *chain;
+} CERT_PKEY;
+
+typedef struct ssl_handshake_tls13_st {
+ int use_legacy;
+ int hrr;
+
+ /* Certificate and sigalg selected for use (static pointers). */
+ const CERT_PKEY *cpk;
+ const struct ssl_sigalg *sigalg;
+
+ /* Version proposed by peer server. */
+ uint16_t server_version;
+
+ uint16_t server_group;
+ struct tls13_key_share *key_share;
+ struct tls13_secrets *secrets;
+
+ uint8_t *cookie;
+ size_t cookie_len;
+
+ /* Preserved transcript hash. */
+ uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+ size_t transcript_hash_len;
+
+ /* Legacy session ID. */
+ uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+ size_t legacy_session_id_len;
+
+ /* ClientHello hash, used to validate following HelloRetryRequest */
+ EVP_MD_CTX *clienthello_md_ctx;
+ unsigned char *clienthello_hash;
+ unsigned int clienthello_hash_len;
+} SSL_HANDSHAKE_TLS13;
+
typedef struct ssl_handshake_st {
/*
* Minimum and maximum versions supported for this handshake. These are
*/
uint16_t negotiated_tls_version;
+ SSL_HANDSHAKE_TLS13 tls13;
+
/* state contains one of the SSL3_ST_* values. */
int state;
uint8_t *sigalgs;
} SSL_HANDSHAKE;
-typedef struct cert_pkey_st {
- X509 *x509;
- EVP_PKEY *privatekey;
- STACK_OF(X509) *chain;
-} CERT_PKEY;
-
-typedef struct ssl_handshake_tls13_st {
- int use_legacy;
- int hrr;
-
- /* Certificate and sigalg selected for use (static pointers). */
- const CERT_PKEY *cpk;
- const struct ssl_sigalg *sigalg;
-
- /* Version proposed by peer server. */
- uint16_t server_version;
-
- uint16_t server_group;
- struct tls13_key_share *key_share;
- struct tls13_secrets *secrets;
-
- uint8_t *cookie;
- size_t cookie_len;
-
- /* Preserved transcript hash. */
- uint8_t transcript_hash[EVP_MAX_MD_SIZE];
- size_t transcript_hash_len;
-
- /* Legacy session ID. */
- uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
- size_t legacy_session_id_len;
-
- /* ClientHello hash, used to validate following HelloRetryRequest */
- EVP_MD_CTX *clienthello_md_ctx;
- unsigned char *clienthello_hash;
- unsigned int clienthello_hash_len;
-} SSL_HANDSHAKE_TLS13;
-
struct tls12_record_layer;
struct tls12_record_layer *tls12_record_layer_new(void);
int in_read_app_data;
SSL_HANDSHAKE hs;
- SSL_HANDSHAKE_TLS13 hs_tls13;
struct {
unsigned char cert_verify_md[EVP_MAX_MD_SIZE];
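Review bot: The new `SSL_HANDSHAKE_TLS13 tls13;` member in `SSL_HANDSHAKE` has no comment, although the `state` member right below it does. The embedded struct carries pointers that are freed field by field in the s3_lib.c hunks (`key_share`, `secrets`, `cookie`, and the `clienthello_*` pair via `tls13_clienthello_hash_clear`). I would document that at the member, e.g. `/* TLSv1.3 handshake state; key_share, secrets, cookie and clienthello_* are allocated and must be released before hs is reset. */`. Whether any code zeroes or copies `hs` as a whole is not visible here; if some does, it now also covers these pointers and the preserved transcript hash, which is worth confirming.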
-/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.88 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
uint16_t *groups;
int i;
- if (S3I(s)->hs_tls13.hrr) {
+ if (S3I(s)->hs.tls13.hrr) {
if (SSI(s)->tlsext_supportedgroups == NULL) {
*alert = SSL_AD_HANDSHAKE_FAILURE;
return 0;
goto err;
}
- if (s->internal->hit || S3I(s)->hs_tls13.hrr) {
+ if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
if (s->session->tlsext_hostname == NULL) {
*alert = TLS1_AD_UNRECOGNIZED_NAME;
goto err;
if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
return 0;
- if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share,
+ if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share,
&client_shares))
return 0;
*/
if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
continue;
- if (S3I(s)->hs_tls13.key_share != NULL)
+ if (S3I(s)->hs.tls13.key_share != NULL)
continue;
/* XXX - consider implementing server preference. */
continue;
/* Decode and store the selected key share. */
- S3I(s)->hs_tls13.key_share = tls13_key_share_new(group);
- if (S3I(s)->hs_tls13.key_share == NULL)
+ S3I(s)->hs.tls13.key_share = tls13_key_share_new(group);
+ if (S3I(s)->hs.tls13.key_share == NULL)
goto err;
- if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+ if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
group, &key_exchange))
goto err;
}
tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
{
/* In the case of a HRR, we only send the server selected group. */
- if (S3I(s)->hs_tls13.hrr) {
- if (S3I(s)->hs_tls13.server_group == 0)
+ if (S3I(s)->hs.tls13.hrr) {
+ if (S3I(s)->hs.tls13.server_group == 0)
return 0;
- return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group);
+ return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group);
}
- if (S3I(s)->hs_tls13.key_share == NULL)
+ if (S3I(s)->hs.tls13.key_share == NULL)
return 0;
- if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb))
+ if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb))
return 0;
return 1;
if (CBS_len(cbs) == 0) {
/* HRR does not include an actual key share. */
/* XXX - we should know that we are in a HRR... */
- S3I(s)->hs_tls13.server_group = group;
+ S3I(s)->hs.tls13.server_group = group;
return 1;
}
if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
return 0;
- if (S3I(s)->hs_tls13.key_share == NULL)
+ if (S3I(s)->hs.tls13.key_share == NULL)
return 0;
- if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+ if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
group, &key_exchange))
goto err;
}
/* XXX test between min and max once initialization code goes in */
- S3I(s)->hs_tls13.server_version = selected_version;
+ S3I(s)->hs.tls13.server_version = selected_version;
return 1;
}
tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
{
return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
- S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+ S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
}
int
if (!CBB_add_u16_length_prefixed(cbb, &cookie))
return 0;
- if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
- S3I(s)->hs_tls13.cookie_len))
+ if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
+ S3I(s)->hs.tls13.cookie_len))
return 0;
if (!CBB_flush(cbb))
if (!CBS_get_u16_length_prefixed(cbs, &cookie))
goto err;
- if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
+ if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len)
goto err;
/*
* sent - client *MUST* send the same cookie with new CR after
* a cookie is sent by the server with an HRR.
*/
- if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie,
- S3I(s)->hs_tls13.cookie_len)) {
+ if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie,
+ S3I(s)->hs.tls13.cookie_len)) {
/* XXX special cookie mismatch alert? */
*alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
* in order to send one, should only be sent with HRR.
*/
return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
- S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+ S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
}
int
if (!CBB_add_u16_length_prefixed(cbb, &cookie))
return 0;
- if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
- S3I(s)->hs_tls13.cookie_len))
+ if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
+ S3I(s)->hs.tls13.cookie_len))
return 0;
if (!CBB_flush(cbb))
* HRR from a server with a cookie to process after accepting
* one from the server in the same handshake
*/
- if (S3I(s)->hs_tls13.cookie != NULL ||
- S3I(s)->hs_tls13.cookie_len != 0) {
+ if (S3I(s)->hs.tls13.cookie != NULL ||
+ S3I(s)->hs.tls13.cookie_len != 0) {
*alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
if (!CBS_get_u16_length_prefixed(cbs, &cookie))
goto err;
- if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie,
- &S3I(s)->hs_tls13.cookie_len))
+ if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie,
+ &S3I(s)->hs.tls13.cookie_len))
goto err;
return 1;
-/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.75 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
size_t groups_len;
SSL *s = ctx->ssl;
- if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
- &S3I(s)->hs.our_max_tls_version)) {
+ if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+ &ctx->hs->our_max_tls_version)) {
SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
return 0;
}
- s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
+ s->client_version = s->version = ctx->hs->our_max_tls_version;
tls13_record_layer_set_retry_after_phh(ctx->rl,
(s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
tls1_get_group_list(s, 0, &groups, &groups_len);
if (groups_len < 1)
return 0;
- if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL)
+ if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL)
return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
+ if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
return 0;
arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
* Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
*/
if (ctx->middlebox_compat &&
- S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
- arc4random_buf(ctx->hs->legacy_session_id,
- sizeof(ctx->hs->legacy_session_id));
- ctx->hs->legacy_session_id_len =
- sizeof(ctx->hs->legacy_session_id);
+ ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
+ arc4random_buf(ctx->hs->tls13.legacy_session_id,
+ sizeof(ctx->hs->tls13.legacy_session_id));
+ ctx->hs->tls13.legacy_session_id_len =
+ sizeof(ctx->hs->tls13.legacy_session_id);
}
return 1;
SSL *s = ctx->ssl;
/* Legacy client version is capped at TLS 1.2. */
- client_version = S3I(s)->hs.our_max_tls_version;
+ client_version = ctx->hs->our_max_tls_version;
if (client_version > TLS1_2_VERSION)
client_version = TLS1_2_VERSION;
if (!CBB_add_u8_length_prefixed(cbb, &session_id))
goto err;
- if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
- ctx->hs->legacy_session_id_len))
+ if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+ ctx->hs->tls13.legacy_session_id_len))
goto err;
if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
int
tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
{
- SSL *s = ctx->ssl;
-
- if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
+ if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
/* We may receive a pre-TLSv1.3 alert in response to the client hello. */
goto err;
if (tls13_server_hello_is_legacy(cbs)) {
- if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
+ if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
/*
* RFC 8446 section 4.1.3: we must not downgrade if
* the server random value contains the TLS 1.2 or 1.1
if (!CBS_skip(cbs, CBS_len(cbs)))
goto err;
- ctx->hs->use_legacy = 1;
+ ctx->hs->tls13.use_legacy = 1;
return 1;
}
if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
sizeof(tls13_hello_retry_request_hash))) {
tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
- ctx->hs->hrr = 1;
+ ctx->hs->tls13.hrr = 1;
}
if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
* Ensure that it was 0x0304 and that legacy version is set to 0x0303
* (RFC 8446 section 4.2.1).
*/
- if (ctx->hs->server_version != TLS1_3_VERSION ||
+ if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
legacy_version != TLS1_2_VERSION) {
ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
goto err;
}
- S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
+ ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
/* The session_id must match. */
- if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
- ctx->hs->legacy_session_id_len)) {
+ if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
+ ctx->hs->tls13.legacy_session_id_len)) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
- /* XXX - move this to hs_tls13? */
- S3I(s)->hs.new_cipher = cipher;
+ /* XXX - move this to hs.tls13? */
+ ctx->hs->new_cipher = cipher;
if (compression_method != 0) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
/* Derive the shared key and engage record protection. */
- if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key,
+ if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key,
&shared_key_len))
goto err;
- s->session->cipher = S3I(s)->hs.new_cipher;
- s->session->ssl_version = ctx->hs->server_version;
+ s->session->cipher = ctx->hs->new_cipher;
+ s->session->ssl_version = ctx->hs->tls13.server_version;
- if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
goto err;
- if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
goto err;
if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
goto err;
- ctx->hs->secrets = secrets;
+ ctx->hs->tls13.secrets = secrets;
/* XXX - pass in hash. */
if (!tls1_transcript_hash_init(s))
goto err;
/* Handshake secrets. */
- if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+ if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
shared_key_len, &context))
goto err;
* This may have been a TLSv1.2 or earlier ServerHello that just happened
* to have matching server random...
*/
- if (ctx->hs->use_legacy)
+ if (ctx->hs->tls13.use_legacy)
return tls13_use_legacy_client(ctx);
- if (!ctx->hs->hrr)
+ if (!ctx->hs->tls13.hrr)
return 0;
if (!tls13_synthetic_handshake_message(ctx))
if (!tls13_handshake_msg_record(ctx))
return 0;
- ctx->hs->hrr = 0;
+ ctx->hs->tls13.hrr = 0;
return 1;
}
* supported groups and is not the same as the key share we previously
* offered.
*/
- if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
+ if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
return 0; /* XXX alert */
- if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+ if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share))
return 0; /* XXX alert */
/* Switch to new key share. */
- tls13_key_share_free(ctx->hs->key_share);
- if ((ctx->hs->key_share =
- tls13_key_share_new(ctx->hs->server_group)) == NULL)
+ tls13_key_share_free(ctx->hs->tls13.key_share);
+ if ((ctx->hs->tls13.key_share =
+ tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL)
return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
+ if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
return 0;
if (!tls13_client_hello_build(ctx, cbb))
return 0;
}
- if (ctx->hs->use_legacy) {
+ if (ctx->hs->tls13.use_legacy) {
if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
return 0;
return tls13_use_legacy_client(ctx);
}
- if (ctx->hs->hrr) {
+ if (ctx->hs->tls13.hrr) {
/* The server has sent two HelloRetryRequests. */
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
return 0;
goto err;
if (!CBB_add_u8(&cbb, 0))
goto err;
- if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
goto err;
int
tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key;
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
ctx->hash, NULL))
goto err;
- if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
verify_data_len = HMAC_size(hmac_ctx);
if ((verify_data = calloc(1, verify_data_len)) == NULL)
if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
goto err;
- ctx->hs->cpk = cpk;
- ctx->hs->sigalg = sigalg;
+ ctx->hs->tls13.cpk = cpk;
+ ctx->hs->tls13.sigalg = sigalg;
if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
goto err;
memset(&sig_cbb, 0, sizeof(sig_cbb));
- if ((cpk = ctx->hs->cpk) == NULL)
+ if ((cpk = ctx->hs->tls13.cpk) == NULL)
goto err;
- if ((sigalg = ctx->hs->sigalg) == NULL)
+ if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
goto err;
pkey = cpk->privatekey;
goto err;
if (!CBB_add_u8(&sig_cbb, 0))
goto err;
- if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
goto err;
int
tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key = { .data = NULL, .len = 0 };
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
int
tls13_client_finished_sent(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
/*
* Any records following the client finished message must be encrypted
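Review bot: The rewritten group comparison in the HelloRetryRequest key-share check, `if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share))`, is left as one line well past 80 columns. Every other expression lengthened by this change in the file was re-wrapped, for example the `tls13_key_share_new(ctx->hs->tls13.server_group)` assignment just below it. Breaking after the operator keeps it consistent: `if (ctx->hs->tls13.server_group ==` followed by a continuation line `tls13_key_share_group(ctx->hs->tls13.key_share))`. The enclosing function starts outside the visible hunk.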
-/* $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */
+/* $OpenBSD: tls13_handshake.c,v 1.65 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
if (action->send_preserve_transcript_hash) {
if (!tls1_transcript_hash_value(ctx->ssl,
- ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
- &ctx->hs->transcript_hash_len))
+ ctx->hs->tls13.transcript_hash,
+ sizeof(ctx->hs->tls13.transcript_hash),
+ &ctx->hs->tls13.transcript_hash_len))
return TLS13_IO_FAILURE;
}
if (action->recv_preserve_transcript_hash) {
if (!tls1_transcript_hash_value(ctx->ssl,
- ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
- &ctx->hs->transcript_hash_len))
+ ctx->hs->tls13.transcript_hash,
+ sizeof(ctx->hs->tls13.transcript_hash),
+ &ctx->hs->tls13.transcript_hash_len))
return TLS13_IO_FAILURE;
}
-/* $OpenBSD: tls13_internal.h,v 1.88 2021/01/05 17:40:11 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.89 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
struct tls13_error error;
SSL *ssl;
- struct ssl_handshake_tls13_st *hs;
+ struct ssl_handshake_st *hs;
uint8_t mode;
struct tls13_handshake_stage handshake_stage;
int handshake_started;
-/* $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
s->internal->handshake_func = s->method->internal->ssl_connect;
s->client_version = s->version = s->method->internal->max_tls_version;
- S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
+ ctx->hs->state = SSL3_ST_CR_SRVR_HELLO_A;
return 1;
}
s->client_version = s->version = s->method->internal->max_tls_version;
s->server = 1;
- S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+ ctx->hs->state = SSL3_ST_SR_CLNT_HELLO_A;
return 1;
}
}
ssl->internal->tls13 = ctx;
ctx->ssl = ssl;
- ctx->hs = &S3I(ssl)->hs_tls13;
+ ctx->hs = &S3I(ssl)->hs;
if (!tls13_server_init(ctx)) {
if (ERR_peek_error() == 0)
}
ERR_clear_error();
- S3I(ssl)->hs.state = SSL_ST_ACCEPT;
+ ctx->hs->state = SSL_ST_ACCEPT;
ret = tls13_server_accept(ctx);
if (ret == TLS13_IO_USE_LEGACY)
return ssl->method->internal->ssl_accept(ssl);
if (ret == TLS13_IO_SUCCESS)
- S3I(ssl)->hs.state = SSL_ST_OK;
+ ctx->hs->state = SSL_ST_OK;
return tls13_legacy_return_code(ssl, ret);
}
}
ssl->internal->tls13 = ctx;
ctx->ssl = ssl;
- ctx->hs = &S3I(ssl)->hs_tls13;
+ ctx->hs = &S3I(ssl)->hs;
if (!tls13_client_init(ctx)) {
if (ERR_peek_error() == 0)
}
ERR_clear_error();
- S3I(ssl)->hs.state = SSL_ST_CONNECT;
+ ctx->hs->state = SSL_ST_CONNECT;
ret = tls13_client_connect(ctx);
if (ret == TLS13_IO_USE_LEGACY)
return ssl->method->internal->ssl_connect(ssl);
if (ret == TLS13_IO_SUCCESS)
- S3I(ssl)->hs.state = SSL_ST_OK;
+ ctx->hs->state = SSL_ST_OK;
return tls13_legacy_return_code(ssl, ret);
}
-/* $OpenBSD: tls13_lib.c,v 1.57 2021/03/21 16:56:42 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
static int
tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
if (ctx->mode == TLS13_HS_CLIENT)
return (tls13_update_client_traffic_secret(secrets) &&
static int
tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
if (ctx->mode == TLS13_HS_CLIENT)
return (tls13_update_server_traffic_secret(secrets) &&
int
tls13_clienthello_hash_init(struct tls13_ctx *ctx)
{
- if (ctx->hs->clienthello_md_ctx != NULL)
+ if (ctx->hs->tls13.clienthello_md_ctx != NULL)
return 0;
- if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
+ if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
return 0;
- if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
+ if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
EVP_sha256(), NULL))
return 0;
- if ((ctx->hs->clienthello_hash == NULL) &&
- (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
+ if ((ctx->hs->tls13.clienthello_hash == NULL) &&
+ (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
NULL)
return 0;
}
void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
+tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
{
EVP_MD_CTX_free(hs->clienthello_md_ctx);
hs->clienthello_md_ctx = NULL;
tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
size_t len)
{
- return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
+ return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
}
int
int
tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
{
- if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
- ctx->hs->clienthello_hash,
- &ctx->hs->clienthello_hash_len))
+ if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
+ ctx->hs->tls13.clienthello_hash,
+ &ctx->hs->tls13.clienthello_hash_len))
return 0;
- EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
- ctx->hs->clienthello_md_ctx = NULL;
+ EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
+ ctx->hs->tls13.clienthello_md_ctx = NULL;
return 1;
}
unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
unsigned int new_ch_hash_len;
- if (ctx->hs->clienthello_hash == NULL)
+ if (ctx->hs->tls13.clienthello_hash == NULL)
return 0;
- if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+ if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
new_ch_hash, &new_ch_hash_len))
return 0;
- EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
- ctx->hs->clienthello_md_ctx = NULL;
+ EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
+ ctx->hs->tls13.clienthello_md_ctx = NULL;
- if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
+ if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
return 0;
- if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
+ if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
new_ch_hash_len) != 0)
return 0;
size_t out_len)
{
struct tls13_secret context, export_out, export_secret;
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
EVP_MD_CTX *md_ctx = NULL;
unsigned int md_out_len;
int md_len;
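Review bot: The bare `/* XXX */` appended to the `tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)` signature does not say what is outstanding. Judging from the rest of the change, this is the one clienthello-hash helper that still takes the TLSv1.3 sub-struct, so callers pass `&ctx->hs->tls13` or `&S3I(s)->hs.tls13`. If that is the intent, say so above the function instead, e.g. `/* XXX - still takes the tls13 sub-struct rather than struct ssl_handshake_st. */`. Only the first lines of the function body are inside the hunk.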
-/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
{
SSL *s = ctx->ssl;
- if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
- &S3I(s)->hs.our_max_tls_version)) {
+ if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+ &ctx->hs->our_max_tls_version)) {
SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
return 0;
}
- s->version = S3I(s)->hs.our_max_tls_version;
+ s->version = ctx->hs->our_max_tls_version;
tls13_record_layer_set_retry_after_phh(ctx->rl,
(s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
goto err;
return tls13_use_legacy_server(ctx);
}
- S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION;
+ ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
/* Add decoded values to the current ClientHello hash */
if (!tls13_clienthello_hash_init(ctx)) {
}
/* Finalize first ClientHello hash, or validate against it */
- if (!ctx->hs->hrr) {
+ if (!ctx->hs->tls13.hrr) {
if (!tls13_clienthello_hash_finalize(ctx)) {
ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
goto err;
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
- tls13_clienthello_hash_clear(ctx->hs);
+ tls13_clienthello_hash_clear(&ctx->hs->tls13);
}
if (!tls13_client_hello_required_extensions(ctx)) {
}
/* Store legacy session identifier so we can echo it. */
- if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
+ if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
- if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
- sizeof(ctx->hs->legacy_session_id),
- &ctx->hs->legacy_session_id_len)) {
+ if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+ sizeof(ctx->hs->tls13.legacy_session_id),
+ &ctx->hs->tls13.legacy_session_id_len)) {
ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
goto err;
}
ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
goto err;
}
- S3I(s)->hs.new_cipher = cipher;
+ ctx->hs->new_cipher = cipher;
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
* has been enabled. This would probably mean using either an
* INITIAL | WITHOUT_HRR state, or another intermediate state.
*/
- if (ctx->hs->key_share != NULL)
+ if (ctx->hs->tls13.key_share != NULL)
ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
/* XXX - check this is the correct point */
SSL *s = ctx->ssl;
uint16_t cipher;
- cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
+ cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher);
server_random = s->s3->server_random;
if (hrr) {
goto err;
if (!CBB_add_u8_length_prefixed(cbb, &session_id))
goto err;
- if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
- ctx->hs->legacy_session_id_len))
+ if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+ ctx->hs->tls13.legacy_session_id_len))
goto err;
if (!CBB_add_u16(cbb, cipher))
goto err;
SSL *s = ctx->ssl;
int ret = 0;
- if (!tls13_key_share_derive(ctx->hs->key_share,
+ if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
&shared_key, &shared_key_len))
goto err;
- s->session->cipher = S3I(s)->hs.new_cipher;
+ s->session->cipher = ctx->hs->new_cipher;
- if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
goto err;
- if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
goto err;
if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
goto err;
- ctx->hs->secrets = secrets;
+ ctx->hs->tls13.secrets = secrets;
/* XXX - pass in hash. */
if (!tls1_transcript_hash_init(s))
goto err;
/* Handshake secrets. */
- if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+ if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
shared_key_len, &context))
goto err;
{
int nid;
- ctx->hs->hrr = 1;
+ ctx->hs->tls13.hrr = 1;
if (!tls13_synthetic_handshake_message(ctx))
return 0;
- if (ctx->hs->key_share != NULL)
+ if (ctx->hs->tls13.key_share != NULL)
return 0;
if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
return 0;
- if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0)
+ if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
return 0;
if (!tls13_server_hello_build(ctx, cbb, 1))
* we MUST send a dummy CCS following our first handshake message.
* See RFC 8446 Appendix D.4.
*/
- if (ctx->hs->legacy_session_id_len > 0)
+ if (ctx->hs->tls13.legacy_session_id_len > 0)
ctx->send_dummy_ccs_after = 1;
return 1;
if (s->method->internal->version < TLS1_3_VERSION)
return 0;
- ctx->hs->hrr = 0;
+ ctx->hs->tls13.hrr = 0;
return 1;
}
int
tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
{
- if (ctx->hs->key_share == NULL)
+ if (ctx->hs->tls13.key_share == NULL)
return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
+ if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
return 0;
if (!tls13_servername_process(ctx))
return 0;
- ctx->hs->server_group = 0;
+ ctx->hs->tls13.server_group = 0;
if (!tls13_server_hello_build(ctx, cbb, 0))
return 0;
* See RFC 8446 Appendix D.4.
*/
if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
- ctx->hs->legacy_session_id_len > 0)
+ ctx->hs->tls13.legacy_session_id_len > 0)
ctx->send_dummy_ccs_after = 1;
return tls13_server_engage_record_protection(ctx);
goto err;
}
- ctx->hs->cpk = cpk;
- ctx->hs->sigalg = sigalg;
+ ctx->hs->tls13.cpk = cpk;
+ ctx->hs->tls13.sigalg = sigalg;
if ((chain = cpk->chain) == NULL)
chain = s->ctx->extra_certs;
memset(&sig_cbb, 0, sizeof(sig_cbb));
- if ((cpk = ctx->hs->cpk) == NULL)
+ if ((cpk = ctx->hs->tls13.cpk) == NULL)
goto err;
- if ((sigalg = ctx->hs->sigalg) == NULL)
+ if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
goto err;
pkey = cpk->privatekey;
goto err;
if (!CBB_add_u8(&sig_cbb, 0))
goto err;
- if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
goto err;
int
tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
int
tls13_server_finished_sent(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
/*
* Derive application traffic keys.
*/
- context.data = ctx->hs->transcript_hash;
- context.len = ctx->hs->transcript_hash_len;
+ context.data = ctx->hs->tls13.transcript_hash;
+ context.len = ctx->hs->tls13.transcript_hash_len;
if (!tls13_derive_application_secrets(secrets, &context))
return 0;
goto err;
if (!CBB_add_u8(&cbb, 0))
goto err;
- if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
goto err;
int
tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key;
uint8_t *verify_data = NULL;
if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
ctx->hash, NULL))
goto err;
- if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
verify_data_len = HMAC_size(hmac_ctx);
if ((verify_data = calloc(1, verify_data_len)) == NULL)