Move the TLSv1.3 handshake struct inside the shared handshake struct.

There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)).

This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.

ok inoguchi@ tb@

1 files changed, 46 insertions, 46 deletions

diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 29c63bcd06b..658aef2cfee 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
 {
 	SSL *s = ctx->ssl;
 
-	if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-	    &S3I(s)->hs.our_max_tls_version)) {
+	if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+	    &ctx->hs->our_max_tls_version)) {
 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
 		return 0;
 	}
-	s->version = S3I(s)->hs.our_max_tls_version;
+	s->version = ctx->hs->our_max_tls_version;
 
 	tls13_record_layer_set_retry_after_phh(ctx->rl,
 	    (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -163,7 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 			goto err;
 		return tls13_use_legacy_server(ctx);
 	}
-	S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION;
+	ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
 
 	/* Add decoded values to the current ClientHello hash */
 	if (!tls13_clienthello_hash_init(ctx)) {
@@ -198,7 +198,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	}
 
 	/* Finalize first ClientHello hash, or validate against it */
-	if (!ctx->hs->hrr) {
+	if (!ctx->hs->tls13.hrr) {
 		if (!tls13_clienthello_hash_finalize(ctx)) {
 			ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
 			goto err;
@@ -208,7 +208,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 			ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
 			goto err;
 		}
-		tls13_clienthello_hash_clear(ctx->hs);
+		tls13_clienthello_hash_clear(&ctx->hs->tls13);
 	}
 
 	if (!tls13_client_hello_required_extensions(ctx)) {
@@ -226,13 +226,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	}
 
 	/* Store legacy session identifier so we can echo it. */
-	if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
+	if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
 		ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
 		goto err;
 	}
-	if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
-	    sizeof(ctx->hs->legacy_session_id),
-	    &ctx->hs->legacy_session_id_len)) {
+	if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+	    sizeof(ctx->hs->tls13.legacy_session_id),
+	    &ctx->hs->tls13.legacy_session_id_len)) {
 		ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
 		goto err;
 	}
@@ -249,7 +249,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
 		goto err;
 	}
-	S3I(s)->hs.new_cipher = cipher;
+	ctx->hs->new_cipher = cipher;
 
 	sk_SSL_CIPHER_free(s->session->ciphers);
 	s->session->ciphers = ciphers;
@@ -293,7 +293,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 	 * has been enabled. This would probably mean using either an
 	 * INITIAL | WITHOUT_HRR state, or another intermediate state.
 	 */
-	if (ctx->hs->key_share != NULL)
+	if (ctx->hs->tls13.key_share != NULL)
 		ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
 
 	/* XXX - check this is the correct point */
@@ -314,7 +314,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
 	SSL *s = ctx->ssl;
 	uint16_t cipher;
 
-	cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
+	cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher);
 	server_random = s->s3->server_random;
 
 	if (hrr) {
@@ -328,8 +328,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
 		goto err;
 	if (!CBB_add_u8_length_prefixed(cbb, &session_id))
 		goto err;
-	if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
-	    ctx->hs->legacy_session_id_len))
+	if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+	    ctx->hs->tls13.legacy_session_id_len))
 		goto err;
 	if (!CBB_add_u16(cbb, cipher))
 		goto err;
@@ -358,20 +358,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 	SSL *s = ctx->ssl;
 	int ret = 0;
 
-	if (!tls13_key_share_derive(ctx->hs->key_share,
+	if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
 	    &shared_key, &shared_key_len))
 		goto err;
 
-	s->session->cipher = S3I(s)->hs.new_cipher;
+	s->session->cipher = ctx->hs->new_cipher;
 
-	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+	if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
 		goto err;
-	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+	if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
 		goto err;
 
 	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
 		goto err;
-	ctx->hs->secrets = secrets;
+	ctx->hs->tls13.secrets = secrets;
 
 	/* XXX - pass in hash. */
 	if (!tls1_transcript_hash_init(s))
@@ -388,7 +388,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 		goto err;
 
 	/* Handshake secrets. */
-	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+	if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
 	    shared_key_len, &context))
 		goto err;
 
@@ -418,16 +418,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
 	int nid;
 
-	ctx->hs->hrr = 1;
+	ctx->hs->tls13.hrr = 1;
 
 	if (!tls13_synthetic_handshake_message(ctx))
 		return 0;
 
-	if (ctx->hs->key_share != NULL)
+	if (ctx->hs->tls13.key_share != NULL)
 		return 0;
 	if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
 		return 0;
-	if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0)
+	if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
 		return 0;
 
 	if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -444,7 +444,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
 	 * we MUST send a dummy CCS following our first handshake message.
 	 * See RFC 8446 Appendix D.4.
 	 */
-	if (ctx->hs->legacy_session_id_len > 0)
+	if (ctx->hs->tls13.legacy_session_id_len > 0)
 		ctx->send_dummy_ccs_after = 1;
 
 	return 1;
@@ -462,7 +462,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
 	if (s->method->internal->version < TLS1_3_VERSION)
 		return 0;
 
-	ctx->hs->hrr = 0;
+	ctx->hs->tls13.hrr = 0;
 
 	return 1;
 }
@@ -483,14 +483,14 @@ tls13_servername_process(struct tls13_ctx *ctx)
 int
 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-	if (ctx->hs->key_share == NULL)
+	if (ctx->hs->tls13.key_share == NULL)
 		return 0;
-	if (!tls13_key_share_generate(ctx->hs->key_share))
+	if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
 		return 0;
 	if (!tls13_servername_process(ctx))
 		return 0;
 
-	ctx->hs->server_group = 0;
+	ctx->hs->tls13.server_group = 0;
 
 	if (!tls13_server_hello_build(ctx, cbb, 0))
 		return 0;
@@ -507,7 +507,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
 	 * See RFC 8446 Appendix D.4.
 	 */
 	if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
-	    ctx->hs->legacy_session_id_len > 0)
+	    ctx->hs->tls13.legacy_session_id_len > 0)
 		ctx->send_dummy_ccs_after = 1;
 
 	return tls13_server_engage_record_protection(ctx);
@@ -633,8 +633,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 		goto err;
 	}
 
-	ctx->hs->cpk = cpk;
-	ctx->hs->sigalg = sigalg;
+	ctx->hs->tls13.cpk = cpk;
+	ctx->hs->tls13.sigalg = sigalg;
 
 	if ((chain = cpk->chain) == NULL)
 		chain = s->ctx->extra_certs;
@@ -705,9 +705,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
 	memset(&sig_cbb, 0, sizeof(sig_cbb));
 
-	if ((cpk = ctx->hs->cpk) == NULL)
+	if ((cpk = ctx->hs->tls13.cpk) == NULL)
 		goto err;
-	if ((sigalg = ctx->hs->sigalg) == NULL)
+	if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
 		goto err;
 	pkey = cpk->privatekey;
 
@@ -721,8 +721,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 		goto err;
 	if (!CBB_add_u8(&sig_cbb, 0))
 		goto err;
-	if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
-	    ctx->hs->transcript_hash_len))
+	if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+	    ctx->hs->tls13.transcript_hash_len))
 		goto err;
 	if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
 		goto err;
@@ -773,7 +773,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-	struct tls13_secrets *secrets = ctx->hs->secrets;
+	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
 	struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -831,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_finished_sent(struct tls13_ctx *ctx)
 {
-	struct tls13_secrets *secrets = ctx->hs->secrets;
+	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
 
 	/*
 	 * Derive application traffic keys.
 	 */
-	context.data = ctx->hs->transcript_hash;
-	context.len = ctx->hs->transcript_hash_len;
+	context.data = ctx->hs->tls13.transcript_hash;
+	context.len = ctx->hs->tls13.transcript_hash_len;
 
 	if (!tls13_derive_application_secrets(secrets, &context))
 		return 0;
@@ -984,8 +984,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 		goto err;
 	if (!CBB_add_u8(&cbb, 0))
 		goto err;
-	if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
-	    ctx->hs->transcript_hash_len))
+	if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+	    ctx->hs->tls13.transcript_hash_len))
 		goto err;
 	if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
 		goto err;
@@ -1042,7 +1042,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-	struct tls13_secrets *secrets = ctx->hs->secrets;
+	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
 	struct tls13_secret finished_key;
 	uint8_t *verify_data = NULL;
@@ -1069,8 +1069,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
 	    ctx->hash, NULL))
 		goto err;
-	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
-	    ctx->hs->transcript_hash_len))
+	if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+	    ctx->hs->tls13.transcript_hash_len))
 		goto err;
 	verify_data_len = HMAC_size(hmac_ctx);
 	if ((verify_data = calloc(1, verify_data_len)) == NULL)