diff options
| author |   jsing <jsing@openbsd.org> | 2021-03-21 18:36:34 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2021-03-21 18:36:34 +0000 |
| commit | d4edc922de00e0977a67ceb1c4b74ab035533c7e (patch) | |
| tree | 3197dd6f6f75325215a27d268f794d3633bf34ac /lib | |
| parent | Use new terminology of RFC 8981 and (mechanically) replace "privacy" (diff) | |
| download | wireguard-openbsd-d4edc922de00e0977a67ceb1c4b74ab035533c7e.tar.xz wireguard-openbsd-d4edc922de00e0977a67ceb1c4b74ab035533c7e.zip | |
Move the TLSv1.3 handshake struct inside the shared handshake struct.
There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)).
This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.
ok inoguchi@ tb@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/s3_lib.c | 30 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 81 | ||||
| -rw-r--r-- | lib/libssl/ssl_tlsext.c | 60 | ||||
| -rw-r--r-- | lib/libssl/tls13_client.c | 112 | ||||
| -rw-r--r-- | lib/libssl/tls13_handshake.c | 12 | ||||
| -rw-r--r-- | lib/libssl/tls13_internal.h | 4 | ||||
| -rw-r--r-- | lib/libssl/tls13_legacy.c | 18 | ||||
| -rw-r--r-- | lib/libssl/tls13_lib.c | 44 | ||||
| -rw-r--r-- | lib/libssl/tls13_server.c | 92 |
9 files changed, 227 insertions, 226 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c index 75f71c4c7d3..5e39907d9c6 100644 --- a/lib/libssl/s3_lib.c +++ b/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.204 2021/02/07 15:26:32 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.205 2021/03/21 18:36:34 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1565,10 +1565,10 @@ ssl3_free(SSL *s) EC_KEY_free(S3I(s)->tmp.ecdh); freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); - tls13_key_share_free(S3I(s)->hs_tls13.key_share); - tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); - freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); - tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); + tls13_key_share_free(S3I(s)->hs.tls13.key_share); + tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); + freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); + tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); @@ -1605,15 +1605,15 @@ ssl3_clear(SSL *s) S3I(s)->hs.sigalgs = NULL; S3I(s)->hs.sigalgs_len = 0; - tls13_key_share_free(S3I(s)->hs_tls13.key_share); - S3I(s)->hs_tls13.key_share = NULL; + tls13_key_share_free(S3I(s)->hs.tls13.key_share); + S3I(s)->hs.tls13.key_share = NULL; - tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); - S3I(s)->hs_tls13.secrets = NULL; - freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); - S3I(s)->hs_tls13.cookie = NULL; - S3I(s)->hs_tls13.cookie_len = 0; - tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); + tls13_secrets_destroy(S3I(s)->hs.tls13.secrets); + S3I(s)->hs.tls13.secrets = NULL; + freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len); + S3I(s)->hs.tls13.cookie = NULL; + S3I(s)->hs.tls13.cookie_len = 0; + tls13_clienthello_hash_clear(&S3I(s)->hs.tls13); S3I(s)->hs.extensions_seen = 0; @@ -1678,8 +1678,8 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) } else if (sc->peer_x25519_tmp != NULL) { if (!ssl_kex_dummy_ecdhe_x25519(pkey)) goto err; - } else if (S3I(s)->hs_tls13.key_share != NULL) { - if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share, + } else if (S3I(s)->hs.tls13.key_share != NULL) { + if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share, pkey)) goto err; } else { diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 99b72cc65e9..33eb3bba7df 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.327 2021/03/17 17:42:53 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.328 2021/03/21 18:36:34 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -410,6 +410,44 @@ typedef struct ssl_session_internal_st { } SSL_SESSION_INTERNAL; #define SSI(s) (s->session->internal) +typedef struct cert_pkey_st { + X509 *x509; + EVP_PKEY *privatekey; + STACK_OF(X509) *chain; +} CERT_PKEY; + +typedef struct ssl_handshake_tls13_st { + int use_legacy; + int hrr; + + /* Certificate and sigalg selected for use (static pointers). */ + const CERT_PKEY *cpk; + const struct ssl_sigalg *sigalg; + + /* Version proposed by peer server. */ + uint16_t server_version; + + uint16_t server_group; + struct tls13_key_share *key_share; + struct tls13_secrets *secrets; + + uint8_t *cookie; + size_t cookie_len; + + /* Preserved transcript hash. */ + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + + /* Legacy session ID. */ + uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + size_t legacy_session_id_len; + + /* ClientHello hash, used to validate following HelloRetryRequest */ + EVP_MD_CTX *clienthello_md_ctx; + unsigned char *clienthello_hash; + unsigned int clienthello_hash_len; +} SSL_HANDSHAKE_TLS13; + typedef struct ssl_handshake_st { /* * Minimum and maximum versions supported for this handshake. These are @@ -428,6 +466,8 @@ typedef struct ssl_handshake_st { */ uint16_t negotiated_tls_version; + SSL_HANDSHAKE_TLS13 tls13; + /* state contains one of the SSL3_ST_* values. */ int state; @@ -449,44 +489,6 @@ typedef struct ssl_handshake_st { uint8_t *sigalgs; } SSL_HANDSHAKE; -typedef struct cert_pkey_st { - X509 *x509; - EVP_PKEY *privatekey; - STACK_OF(X509) *chain; -} CERT_PKEY; - -typedef struct ssl_handshake_tls13_st { - int use_legacy; - int hrr; - - /* Certificate and sigalg selected for use (static pointers). */ - const CERT_PKEY *cpk; - const struct ssl_sigalg *sigalg; - - /* Version proposed by peer server. */ - uint16_t server_version; - - uint16_t server_group; - struct tls13_key_share *key_share; - struct tls13_secrets *secrets; - - uint8_t *cookie; - size_t cookie_len; - - /* Preserved transcript hash. */ - uint8_t transcript_hash[EVP_MAX_MD_SIZE]; - size_t transcript_hash_len; - - /* Legacy session ID. */ - uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; - size_t legacy_session_id_len; - - /* ClientHello hash, used to validate following HelloRetryRequest */ - EVP_MD_CTX *clienthello_md_ctx; - unsigned char *clienthello_hash; - unsigned int clienthello_hash_len; -} SSL_HANDSHAKE_TLS13; - struct tls12_record_layer; struct tls12_record_layer *tls12_record_layer_new(void); @@ -907,7 +909,6 @@ typedef struct ssl3_state_internal_st { int in_read_app_data; SSL_HANDSHAKE hs; - SSL_HANDSHAKE_TLS13 hs_tls13; struct { unsigned char cert_verify_md[EVP_MAX_MD_SIZE]; diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 4f4a39d4bb5..5ffab919a2d 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.88 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> @@ -226,7 +226,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, uint16_t *groups; int i; - if (S3I(s)->hs_tls13.hrr) { + if (S3I(s)->hs.tls13.hrr) { if (SSI(s)->tlsext_supportedgroups == NULL) { *alert = SSL_AD_HANDSHAKE_FAILURE; return 0; @@ -759,7 +759,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; } - if (s->internal->hit || S3I(s)->hs_tls13.hrr) { + if (s->internal->hit || S3I(s)->hs.tls13.hrr) { if (s->session->tlsext_hostname == NULL) { *alert = TLS1_AD_UNRECOGNIZED_NAME; goto err; @@ -1416,7 +1416,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) return 0; - if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, + if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, &client_shares)) return 0; @@ -1454,7 +1454,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) */ if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION) continue; - if (S3I(s)->hs_tls13.key_share != NULL) + if (S3I(s)->hs.tls13.key_share != NULL) continue; /* XXX - consider implementing server preference. */ @@ -1462,10 +1462,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) continue; /* Decode and store the selected key share. */ - S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); - if (S3I(s)->hs_tls13.key_share == NULL) + S3I(s)->hs.tls13.key_share = tls13_key_share_new(group); + if (S3I(s)->hs.tls13.key_share == NULL) goto err; - if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, + if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, group, &key_exchange)) goto err; } @@ -1488,16 +1488,16 @@ int tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* In the case of a HRR, we only send the server selected group. */ - if (S3I(s)->hs_tls13.hrr) { - if (S3I(s)->hs_tls13.server_group == 0) + if (S3I(s)->hs.tls13.hrr) { + if (S3I(s)->hs.tls13.server_group == 0) return 0; - return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); + return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group); } - if (S3I(s)->hs_tls13.key_share == NULL) + if (S3I(s)->hs.tls13.key_share == NULL) return 0; - if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) + if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb)) return 0; return 1; @@ -1516,17 +1516,17 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (CBS_len(cbs) == 0) { /* HRR does not include an actual key share. */ /* XXX - we should know that we are in a HRR... */ - S3I(s)->hs_tls13.server_group = group; + S3I(s)->hs.tls13.server_group = group; return 1; } if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) return 0; - if (S3I(s)->hs_tls13.key_share == NULL) + if (S3I(s)->hs.tls13.key_share == NULL) return 0; - if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, + if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share, group, &key_exchange)) goto err; @@ -1639,7 +1639,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } /* XXX test between min and max once initialization code goes in */ - S3I(s)->hs_tls13.server_version = selected_version; + S3I(s)->hs.tls13.server_version = selected_version; return 1; } @@ -1653,7 +1653,7 @@ int tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) { return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && - S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL); + S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); } int @@ -1664,8 +1664,8 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &cookie)) return 0; - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) + if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) return 0; if (!CBB_flush(cbb)) @@ -1682,7 +1682,7 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &cookie)) goto err; - if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) + if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len) goto err; /* @@ -1690,8 +1690,8 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * sent - client *MUST* send the same cookie with new CR after * a cookie is sent by the server with an HRR. */ - if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) { + if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) { /* XXX special cookie mismatch alert? */ *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; @@ -1712,7 +1712,7 @@ tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) * in order to send one, should only be sent with HRR. */ return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION && - S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL); + S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL); } int @@ -1725,8 +1725,8 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &cookie)) return 0; - if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, - S3I(s)->hs_tls13.cookie_len)) + if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie, + S3I(s)->hs.tls13.cookie_len)) return 0; if (!CBB_flush(cbb)) @@ -1745,8 +1745,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * HRR from a server with a cookie to process after accepting * one from the server in the same handshake */ - if (S3I(s)->hs_tls13.cookie != NULL || - S3I(s)->hs_tls13.cookie_len != 0) { + if (S3I(s)->hs.tls13.cookie != NULL || + S3I(s)->hs.tls13.cookie_len != 0) { *alert = SSL_AD_ILLEGAL_PARAMETER; return 0; } @@ -1754,8 +1754,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &cookie)) goto err; - if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, - &S3I(s)->hs_tls13.cookie_len)) + if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie, + &S3I(s)->hs.tls13.cookie_len)) goto err; return 1; diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index 4de3d3693bb..0f3d435c949 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.75 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx) size_t groups_len; SSL *s = ctx->ssl; - if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version, - &S3I(s)->hs.our_max_tls_version)) { + if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, + &ctx->hs->our_max_tls_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return 0; } - s->client_version = s->version = S3I(s)->hs.our_max_tls_version; + s->client_version = s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); @@ -51,9 +51,9 @@ tls13_client_init(struct tls13_ctx *ctx) tls1_get_group_list(s, 0, &groups, &groups_len); if (groups_len < 1) return 0; - if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL) + if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL) return 0; - if (!tls13_key_share_generate(ctx->hs->key_share)) + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) return 0; arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); @@ -65,11 +65,11 @@ tls13_client_init(struct tls13_ctx *ctx) * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. */ if (ctx->middlebox_compat && - S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) { - arc4random_buf(ctx->hs->legacy_session_id, - sizeof(ctx->hs->legacy_session_id)); - ctx->hs->legacy_session_id_len = - sizeof(ctx->hs->legacy_session_id); + ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { + arc4random_buf(ctx->hs->tls13.legacy_session_id, + sizeof(ctx->hs->tls13.legacy_session_id)); + ctx->hs->tls13.legacy_session_id_len = + sizeof(ctx->hs->tls13.legacy_session_id); } return 1; @@ -92,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) SSL *s = ctx->ssl; /* Legacy client version is capped at TLS 1.2. */ - client_version = S3I(s)->hs.our_max_tls_version; + client_version = ctx->hs->our_max_tls_version; if (client_version > TLS1_2_VERSION) client_version = TLS1_2_VERSION; @@ -103,8 +103,8 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) if (!CBB_add_u8_length_prefixed(cbb, &session_id)) goto err; - if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, - ctx->hs->legacy_session_id_len)) + if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) goto err; if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) @@ -134,9 +134,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) { - SSL *s = ctx->ssl; - - if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION) + if (ctx->hs->our_min_tls_version < TLS1_2_VERSION) tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ @@ -231,7 +229,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) goto err; if (tls13_server_hello_is_legacy(cbs)) { - if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) { + if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { /* * RFC 8446 section 4.1.3: we must not downgrade if * the server random value contains the TLS 1.2 or 1.1 @@ -252,7 +250,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (!CBS_skip(cbs, CBS_len(cbs))) goto err; - ctx->hs->use_legacy = 1; + ctx->hs->tls13.use_legacy = 1; return 1; } @@ -265,7 +263,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, sizeof(tls13_hello_retry_request_hash))) { tlsext_msg_type = SSL_TLSEXT_MSG_HRR; - ctx->hs->hrr = 1; + ctx->hs->tls13.hrr = 1; } if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { @@ -278,16 +276,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) * Ensure that it was 0x0304 and that legacy version is set to 0x0303 * (RFC 8446 section 4.2.1). */ - if (ctx->hs->server_version != TLS1_3_VERSION || + if (ctx->hs->tls13.server_version != TLS1_3_VERSION || legacy_version != TLS1_2_VERSION) { ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; goto err; } - S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version; + ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version; /* The session_id must match. */ - if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, - ctx->hs->legacy_session_id_len)) { + if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } @@ -305,8 +303,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - /* XXX - move this to hs_tls13? */ - S3I(s)->hs.new_cipher = cipher; + /* XXX - move this to hs.tls13? */ + ctx->hs->new_cipher = cipher; if (compression_method != 0) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; @@ -336,21 +334,21 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) /* Derive the shared key and engage record protection. */ - if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, + if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key, &shared_key_len)) goto err; - s->session->cipher = S3I(s)->hs.new_cipher; - s->session->ssl_version = ctx->hs->server_version; + s->session->cipher = ctx->hs->new_cipher; + s->session->ssl_version = ctx->hs->tls13.server_version; - if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL) goto err; - if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL) goto err; if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) goto err; - ctx->hs->secrets = secrets; + ctx->hs->tls13.secrets = secrets; /* XXX - pass in hash. */ if (!tls1_transcript_hash_init(s)) @@ -367,7 +365,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) goto err; /* Handshake secrets. */ - if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, + if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, shared_key_len, &context)) goto err; @@ -409,10 +407,10 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) * This may have been a TLSv1.2 or earlier ServerHello that just happened * to have matching server random... */ - if (ctx->hs->use_legacy) + if (ctx->hs->tls13.use_legacy) return tls13_use_legacy_client(ctx); - if (!ctx->hs->hrr) + if (!ctx->hs->tls13.hrr) return 0; if (!tls13_synthetic_handshake_message(ctx)) @@ -420,7 +418,7 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) if (!tls13_handshake_msg_record(ctx)) return 0; - ctx->hs->hrr = 0; + ctx->hs->tls13.hrr = 0; return 1; } @@ -433,17 +431,17 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) * supported groups and is not the same as the key share we previously * offered. */ - if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) + if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group)) return 0; /* XXX alert */ - if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) + if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share)) return 0; /* XXX alert */ /* Switch to new key share. */ - tls13_key_share_free(ctx->hs->key_share); - if ((ctx->hs->key_share = - tls13_key_share_new(ctx->hs->server_group)) == NULL) + tls13_key_share_free(ctx->hs->tls13.key_share); + if ((ctx->hs->tls13.key_share = + tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL) return 0; - if (!tls13_key_share_generate(ctx->hs->key_share)) + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) return 0; if (!tls13_client_hello_build(ctx, cbb)) @@ -470,13 +468,13 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) return 0; } - if (ctx->hs->use_legacy) { + if (ctx->hs->tls13.use_legacy) { if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) return 0; return tls13_use_legacy_client(ctx); } - if (ctx->hs->hrr) { + if (ctx->hs->tls13.hrr) { /* The server has sent two HelloRetryRequests. */ ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; return 0; @@ -687,8 +685,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if (!CBB_add_u8(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) goto err; @@ -738,7 +736,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) int tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; @@ -767,8 +765,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, ctx->hash, NULL)) goto err; - if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; verify_data_len = HMAC_size(hmac_ctx); if ((verify_data = calloc(1, verify_data_len)) == NULL) @@ -900,8 +898,8 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) goto err; - ctx->hs->cpk = cpk; - ctx->hs->sigalg = sigalg; + ctx->hs->tls13.cpk = cpk; + ctx->hs->tls13.sigalg = sigalg; if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) goto err; @@ -950,9 +948,9 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) memset(&sig_cbb, 0, sizeof(sig_cbb)); - if ((cpk = ctx->hs->cpk) == NULL) + if ((cpk = ctx->hs->tls13.cpk) == NULL) goto err; - if ((sigalg = ctx->hs->sigalg) == NULL) + if ((sigalg = ctx->hs->tls13.sigalg) == NULL) goto err; pkey = cpk->privatekey; @@ -966,8 +964,8 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) goto err; if (!CBB_add_u8(&sig_cbb, 0)) goto err; - if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) goto err; @@ -1024,7 +1022,7 @@ tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key = { .data = NULL, .len = 0 }; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; @@ -1082,7 +1080,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_finished_sent(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; /* * Any records following the client finished message must be encrypted diff --git a/lib/libssl/tls13_handshake.c b/lib/libssl/tls13_handshake.c index b3cecc77efd..c18a2dfe062 100644 --- a/lib/libssl/tls13_handshake.c +++ b/lib/libssl/tls13_handshake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */ +/* $OpenBSD: tls13_handshake.c,v 1.65 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> @@ -428,8 +428,9 @@ tls13_handshake_send_action(struct tls13_ctx *ctx, if (action->send_preserve_transcript_hash) { if (!tls1_transcript_hash_value(ctx->ssl, - ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), - &ctx->hs->transcript_hash_len)) + ctx->hs->tls13.transcript_hash, + sizeof(ctx->hs->tls13.transcript_hash), + &ctx->hs->tls13.transcript_hash_len)) return TLS13_IO_FAILURE; } @@ -471,8 +472,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, if (action->recv_preserve_transcript_hash) { if (!tls1_transcript_hash_value(ctx->ssl, - ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), - &ctx->hs->transcript_hash_len)) + ctx->hs->tls13.transcript_hash, + sizeof(ctx->hs->tls13.transcript_hash), + &ctx->hs->tls13.transcript_hash_len)) return TLS13_IO_FAILURE; } diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h index c339a8ef102..973661acc9b 100644 --- a/lib/libssl/tls13_internal.h +++ b/lib/libssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.88 2021/01/05 17:40:11 tb Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.89 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck <beck@openbsd.org> * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> @@ -274,7 +274,7 @@ struct tls13_ctx { struct tls13_error error; SSL *ssl; - struct ssl_handshake_tls13_st *hs; + struct ssl_handshake_st *hs; uint8_t mode; struct tls13_handshake_stage handshake_stage; int handshake_started; diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c index f611aa061d0..19271ef7874 100644 --- a/lib/libssl/tls13_legacy.c +++ b/lib/libssl/tls13_legacy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */ +/* $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -361,7 +361,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx) s->internal->handshake_func = s->method->internal->ssl_connect; s->client_version = s->version = s->method->internal->max_tls_version; - S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; + ctx->hs->state = SSL3_ST_CR_SRVR_HELLO_A; return 1; } @@ -378,7 +378,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx) s->client_version = s->version = s->method->internal->max_tls_version; s->server = 1; - S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; + ctx->hs->state = SSL3_ST_SR_CLNT_HELLO_A; return 1; } @@ -396,7 +396,7 @@ tls13_legacy_accept(SSL *ssl) } ssl->internal->tls13 = ctx; ctx->ssl = ssl; - ctx->hs = &S3I(ssl)->hs_tls13; + ctx->hs = &S3I(ssl)->hs; if (!tls13_server_init(ctx)) { if (ERR_peek_error() == 0) @@ -406,13 +406,13 @@ tls13_legacy_accept(SSL *ssl) } ERR_clear_error(); - S3I(ssl)->hs.state = SSL_ST_ACCEPT; + ctx->hs->state = SSL_ST_ACCEPT; ret = tls13_server_accept(ctx); if (ret == TLS13_IO_USE_LEGACY) return ssl->method->internal->ssl_accept(ssl); if (ret == TLS13_IO_SUCCESS) - S3I(ssl)->hs.state = SSL_ST_OK; + ctx->hs->state = SSL_ST_OK; return tls13_legacy_return_code(ssl, ret); } @@ -438,7 +438,7 @@ tls13_legacy_connect(SSL *ssl) } ssl->internal->tls13 = ctx; ctx->ssl = ssl; - ctx->hs = &S3I(ssl)->hs_tls13; + ctx->hs = &S3I(ssl)->hs; if (!tls13_client_init(ctx)) { if (ERR_peek_error() == 0) @@ -448,13 +448,13 @@ tls13_legacy_connect(SSL *ssl) } ERR_clear_error(); - S3I(ssl)->hs.state = SSL_ST_CONNECT; + ctx->hs->state = SSL_ST_CONNECT; ret = tls13_client_connect(ctx); if (ret == TLS13_IO_USE_LEGACY) return ssl->method->internal->ssl_connect(ssl); if (ret == TLS13_IO_SUCCESS) - S3I(ssl)->hs.state = SSL_ST_OK; + ctx->hs->state = SSL_ST_OK; return tls13_legacy_return_code(ssl, ret); } diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index 0b3f636b930..9dbb7d64303 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.57 2021/03/21 16:56:42 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2019 Bob Beck <beck@openbsd.org> @@ -223,7 +223,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg) static int tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; if (ctx->mode == TLS13_HS_CLIENT) return (tls13_update_client_traffic_secret(secrets) && @@ -237,7 +237,7 @@ tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) static int tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; if (ctx->mode == TLS13_HS_CLIENT) return (tls13_update_server_traffic_secret(secrets) && @@ -503,16 +503,16 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx) int tls13_clienthello_hash_init(struct tls13_ctx *ctx) { - if (ctx->hs->clienthello_md_ctx != NULL) + if (ctx->hs->tls13.clienthello_md_ctx != NULL) return 0; - if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) + if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) return 0; - if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx, + if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx, EVP_sha256(), NULL)) return 0; - if ((ctx->hs->clienthello_hash == NULL) && - (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == + if ((ctx->hs->tls13.clienthello_hash == NULL) && + (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == NULL) return 0; @@ -520,7 +520,7 @@ tls13_clienthello_hash_init(struct tls13_ctx *ctx) } void -tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) +tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */ { EVP_MD_CTX_free(hs->clienthello_md_ctx); hs->clienthello_md_ctx = NULL; @@ -532,7 +532,7 @@ int tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, size_t len) { - return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len); + return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len); } int @@ -545,12 +545,12 @@ tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) { - if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx, - ctx->hs->clienthello_hash, - &ctx->hs->clienthello_hash_len)) + if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, + ctx->hs->tls13.clienthello_hash, + &ctx->hs->tls13.clienthello_hash_len)) return 0; - EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx); - ctx->hs->clienthello_md_ctx = NULL; + EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); + ctx->hs->tls13.clienthello_md_ctx = NULL; return 1; } @@ -560,18 +560,18 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx) unsigned char new_ch_hash[EVP_MAX_MD_SIZE]; unsigned int new_ch_hash_len; - if (ctx->hs->clienthello_hash == NULL) + if (ctx->hs->tls13.clienthello_hash == NULL) return 0; - if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx, + if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, new_ch_hash, &new_ch_hash_len)) return 0; - EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx); - ctx->hs->clienthello_md_ctx = NULL; + EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); + ctx->hs->tls13.clienthello_md_ctx = NULL; - if (ctx->hs->clienthello_hash_len != new_ch_hash_len) + if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len) return 0; - if (memcmp(ctx->hs->clienthello_hash, new_ch_hash, + if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash, new_ch_hash_len) != 0) return 0; @@ -584,7 +584,7 @@ tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, size_t out_len) { struct tls13_secret context, export_out, export_secret; - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; EVP_MD_CTX *md_ctx = NULL; unsigned int md_out_len; int md_len; diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index 29c63bcd06b..658aef2cfee 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> * Copyright (c) 2020 Bob Beck <beck@openbsd.org> @@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx) { SSL *s = ctx->ssl; - if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version, - &S3I(s)->hs.our_max_tls_version)) { + if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, + &ctx->hs->our_max_tls_version)) { SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); return 0; } - s->version = S3I(s)->hs.our_max_tls_version; + s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); @@ -163,7 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) goto err; return tls13_use_legacy_server(ctx); } - S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION; + ctx->hs->negotiated_tls_version = TLS1_3_VERSION; /* Add decoded values to the current ClientHello hash */ if (!tls13_clienthello_hash_init(ctx)) { @@ -198,7 +198,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) } /* Finalize first ClientHello hash, or validate against it */ - if (!ctx->hs->hrr) { + if (!ctx->hs->tls13.hrr) { if (!tls13_clienthello_hash_finalize(ctx)) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; goto err; @@ -208,7 +208,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - tls13_clienthello_hash_clear(ctx->hs); + tls13_clienthello_hash_clear(&ctx->hs->tls13); } if (!tls13_client_hello_required_extensions(ctx)) { @@ -226,13 +226,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) } /* Store legacy session identifier so we can echo it. */ - if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { + if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, - sizeof(ctx->hs->legacy_session_id), - &ctx->hs->legacy_session_id_len)) { + if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + sizeof(ctx->hs->tls13.legacy_session_id), + &ctx->hs->tls13.legacy_session_id_len)) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; goto err; } @@ -249,7 +249,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; goto err; } - S3I(s)->hs.new_cipher = cipher; + ctx->hs->new_cipher = cipher; sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = ciphers; @@ -293,7 +293,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) * has been enabled. This would probably mean using either an * INITIAL | WITHOUT_HRR state, or another intermediate state. */ - if (ctx->hs->key_share != NULL) + if (ctx->hs->tls13.key_share != NULL) ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; /* XXX - check this is the correct point */ @@ -314,7 +314,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) SSL *s = ctx->ssl; uint16_t cipher; - cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); + cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher); server_random = s->s3->server_random; if (hrr) { @@ -328,8 +328,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) goto err; if (!CBB_add_u8_length_prefixed(cbb, &session_id)) goto err; - if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, - ctx->hs->legacy_session_id_len)) + if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, + ctx->hs->tls13.legacy_session_id_len)) goto err; if (!CBB_add_u16(cbb, cipher)) goto err; @@ -358,20 +358,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) SSL *s = ctx->ssl; int ret = 0; - if (!tls13_key_share_derive(ctx->hs->key_share, + if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key, &shared_key_len)) goto err; - s->session->cipher = S3I(s)->hs.new_cipher; + s->session->cipher = ctx->hs->new_cipher; - if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL) goto err; - if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL) goto err; if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) goto err; - ctx->hs->secrets = secrets; + ctx->hs->tls13.secrets = secrets; /* XXX - pass in hash. */ if (!tls1_transcript_hash_init(s)) @@ -388,7 +388,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) goto err; /* Handshake secrets. */ - if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, + if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, shared_key_len, &context)) goto err; @@ -418,16 +418,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) { int nid; - ctx->hs->hrr = 1; + ctx->hs->tls13.hrr = 1; if (!tls13_synthetic_handshake_message(ctx)) return 0; - if (ctx->hs->key_share != NULL) + if (ctx->hs->tls13.key_share != NULL) return 0; if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) return 0; - if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) + if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) return 0; if (!tls13_server_hello_build(ctx, cbb, 1)) @@ -444,7 +444,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) * we MUST send a dummy CCS following our first handshake message. * See RFC 8446 Appendix D.4. */ - if (ctx->hs->legacy_session_id_len > 0) + if (ctx->hs->tls13.legacy_session_id_len > 0) ctx->send_dummy_ccs_after = 1; return 1; @@ -462,7 +462,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) if (s->method->internal->version < TLS1_3_VERSION) return 0; - ctx->hs->hrr = 0; + ctx->hs->tls13.hrr = 0; return 1; } @@ -483,14 +483,14 @@ tls13_servername_process(struct tls13_ctx *ctx) int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) { - if (ctx->hs->key_share == NULL) + if (ctx->hs->tls13.key_share == NULL) return 0; - if (!tls13_key_share_generate(ctx->hs->key_share)) + if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) return 0; if (!tls13_servername_process(ctx)) return 0; - ctx->hs->server_group = 0; + ctx->hs->tls13.server_group = 0; if (!tls13_server_hello_build(ctx, cbb, 0)) return 0; @@ -507,7 +507,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx) * See RFC 8446 Appendix D.4. */ if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && - ctx->hs->legacy_session_id_len > 0) + ctx->hs->tls13.legacy_session_id_len > 0) ctx->send_dummy_ccs_after = 1; return tls13_server_engage_record_protection(ctx); @@ -633,8 +633,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) goto err; } - ctx->hs->cpk = cpk; - ctx->hs->sigalg = sigalg; + ctx->hs->tls13.cpk = cpk; + ctx->hs->tls13.sigalg = sigalg; if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; @@ -705,9 +705,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) memset(&sig_cbb, 0, sizeof(sig_cbb)); - if ((cpk = ctx->hs->cpk) == NULL) + if ((cpk = ctx->hs->tls13.cpk) == NULL) goto err; - if ((sigalg = ctx->hs->sigalg) == NULL) + if ((sigalg = ctx->hs->tls13.sigalg) == NULL) goto err; pkey = cpk->privatekey; @@ -721,8 +721,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) goto err; if (!CBB_add_u8(&sig_cbb, 0)) goto err; - if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) goto err; @@ -773,7 +773,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; uint8_t transcript_hash[EVP_MAX_MD_SIZE]; @@ -831,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_server_finished_sent(struct tls13_ctx *ctx) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; /* * Derive application traffic keys. */ - context.data = ctx->hs->transcript_hash; - context.len = ctx->hs->transcript_hash_len; + context.data = ctx->hs->tls13.transcript_hash; + context.len = ctx->hs->tls13.transcript_hash_len; if (!tls13_derive_application_secrets(secrets, &context)) return 0; @@ -984,8 +984,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; if (!CBB_add_u8(&cbb, 0)) goto err; - if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) goto err; @@ -1042,7 +1042,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) int tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) { - struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; struct tls13_secret context = { .data = "", .len = 0 }; struct tls13_secret finished_key; uint8_t *verify_data = NULL; @@ -1069,8 +1069,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, ctx->hash, NULL)) goto err; - if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, - ctx->hs->transcript_hash_len)) + if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, + ctx->hs->tls13.transcript_hash_len)) goto err; verify_data_len = HMAC_size(hmac_ctx); if ((verify_data = calloc(1, verify_data_len)) == NULL) |