diff options
| author |   beck <beck@openbsd.org> | 2020-01-26 02:45:27 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2020-01-26 02:45:27 +0000 |
| commit | 2a0f8bf3aa9a75ff838bb56fc18d914762fb5e8d (patch) | |
| tree | 343db9d30fbb8c9247fec430a961446df27b49b2 /lib | |
| parent | Adjust EVP_chacha20()'s behavior to match OpenSSL's semantics: (diff) | |
| download | wireguard-openbsd-2a0f8bf3aa9a75ff838bb56fc18d914762fb5e8d.tar.xz wireguard-openbsd-2a0f8bf3aa9a75ff838bb56fc18d914762fb5e8d.zip | |
Move pad and verify context into tls13_lib.c
ok jsing@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/tls13_client.c | 25 | ||||
| -rw-r--r-- | lib/libssl/tls13_internal.h | 7 | ||||
| -rw-r--r-- | lib/libssl/tls13_lib.c | 45 | ||||
| -rw-r--r-- | lib/libssl/tls13_server.c | 51 |
4 files changed, 60 insertions, 68 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index fb21b54621e..5dffd2d33a5 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.34 2020/01/25 14:23:27 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.35 2020/01/26 02:45:27 beck Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -587,22 +587,6 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) return ret; } -/* - * Certificate Verify padding - RFC 8446 section 4.4.3. - */ -static uint8_t cert_verify_pad[64] = { - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, -}; - -static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify"; - int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) { @@ -631,10 +615,11 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) if (!CBB_init(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad))) + if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) goto err; - if (!CBB_add_bytes(&cbb, server_cert_verify_context, - strlen(server_cert_verify_context))) + if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, + strlen(tls13_cert_server_verify_context))) goto err; if (!CBB_add_u8(&cbb, 0)) goto err; diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h index 4cae2ebcce2..ec58525c2bb 100644 --- a/lib/libssl/tls13_internal.h +++ b/lib/libssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.56 2020/01/25 19:01:43 tb Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.57 2020/01/26 02:45:27 beck Exp $ */ /* * Copyright (c) 2018 Bob Beck <beck@openbsd.org> * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> @@ -302,6 +302,8 @@ int tls13_server_finished_sent(struct tls13_ctx *ctx); void tls13_error_clear(struct tls13_error *error); +int tls13_cert_add(CBB *cbb, X509 *cert); + int tls13_error_set(struct tls13_error *error, int code, int subcode, const char *file, int line, const char *fmt, ...); int tls13_error_setx(struct tls13_error *error, int code, int subcode, @@ -316,6 +318,9 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode, extern uint8_t tls13_downgrade_12[8]; extern uint8_t tls13_downgrade_11[8]; +extern uint8_t tls13_cert_verify_pad[64]; +extern uint8_t tls13_cert_client_verify_context[]; +extern uint8_t tls13_cert_server_verify_context[]; __END_HIDDEN_DECLS diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index 950b5a4019c..2a13e8f7732 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.30 2020/01/25 13:11:20 tb Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.31 2020/01/26 02:45:27 beck Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2019 Bob Beck <beck@openbsd.org> @@ -607,3 +607,46 @@ tls13_legacy_shutdown(SSL *ssl) return 0; } + +/* + * Certificate Verify padding - RFC 8446 section 4.4.3. + */ +uint8_t tls13_cert_verify_pad[64] = { + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, +}; + +uint8_t tls13_cert_client_verify_context[] = "TLS 1.3, client CertificateVerify"; +uint8_t tls13_cert_server_verify_context[] = "TLS 1.3, server CertificateVerify"; + +int +tls13_cert_add(CBB *cbb, X509 *cert) +{ + CBB cert_data, cert_exts; + uint8_t *data; + int cert_len; + + if ((cert_len = i2d_X509(cert, NULL)) < 0) + return 0; + + if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) + return 0; + if (!CBB_add_space(&cert_data, &data, cert_len)) + return 0; + if (i2d_X509(cert, &data) != cert_len) + return 0; + + if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 628e824313e..8ed2a6ea119 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.16 2020/01/24 08:21:24 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.17 2020/01/26 02:45:27 beck Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> * Copyright (c) 2020 Bob Beck <beck@openbsd.org> @@ -476,32 +476,6 @@ tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) return 0; } -static int -tls13_cert_add(CBB *cbb, X509 *cert) -{ - CBB cert_data, cert_exts; - uint8_t *data; - int cert_len; - - if ((cert_len = i2d_X509(cert, NULL)) < 0) - return 0; - - if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) - return 0; - if (!CBB_add_space(&cert_data, &data, cert_len)) - return 0; - if (i2d_X509(cert, &data) != cert_len) - return 0; - - if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) - return 0; - - if (!CBB_flush(cbb)) - return 0; - - return 1; -} - int tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) { @@ -564,22 +538,6 @@ tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) return 0; } -/* - * Certificate Verify padding - RFC 8446 section 4.4.3. - */ -static uint8_t cert_verify_pad[64] = { - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, - 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, -}; - -static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify"; - int tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) { @@ -607,10 +565,11 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) if (!CBB_init(&sig_cbb, 0)) goto err; - if (!CBB_add_bytes(&sig_cbb, cert_verify_pad, sizeof(cert_verify_pad))) + if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) goto err; - if (!CBB_add_bytes(&sig_cbb, server_cert_verify_context, - strlen(server_cert_verify_context))) + if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, + strlen(tls13_cert_server_verify_context))) goto err; if (!CBB_add_u8(&sig_cbb, 0)) goto err; |