author | jsing <> | 2019-02-10 13:04:29 +0000 |
---|---|---|
committer | jsing <> | 2019-02-10 13:04:29 +0000 |
commit | 6d4aaf1f9ff309085dbf415f1fe769f3165381f6 (patch) | |
tree | ef8327c4dc4c5c054c766173772e66fa6e75b623 | |
parent | b3b102c1f413c950892ae663eb251b656a781b0e (diff) | |
Preserve the transcript hash at specific stages of the TLSv1.3 handshake.
There are various points where we need the hash of all messages prior to
the current message. Support this by having the handshake code preserve
the transcript hash prior to recording the current message, which avoids
the need to sprinkle this throughout multiple handlers.
ok inoguchi@ tb@
-rw-r--r-- | src/lib/libssl/ssl_locl.h | 6 | ||||
-rw-r--r-- | src/lib/libssl/tls13_handshake.c | 12 |
2 files changed, 16 insertions, 2 deletions
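--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.234 2019/02/09 15:26:15 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.235 2019/02/10 13:04:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -451,6 +451,10 @@ typedef struct ssl_handshake_tls13_st {
 
 uint8_t *cookie;
 size_t cookie_len;
+
+/* Preserved transcript hash. */
+uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+size_t transcript_hash_len;
 } SSL_HANDSHAKE_TLS13;
 
 typedef struct ssl_ctx_internal_st {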
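Review bot: The comment on the new `transcript_hash` / `transcript_hash_len` fields in `SSL_HANDSHAKE_TLS13` ("Preserved transcript hash.") does not say which point of the handshake the value belongs to or when a handler may rely on it. Nothing visible in this commit resets `transcript_hash_len` between stages, so a handler that reads the buffer outside a preserving action would get the hash from an earlier stage without any error. I would state the contract on the field, e.g. `/* Transcript hash of all messages before the current one; only valid in handlers whose action sets preserve_transcript_hash. */`. The struct definition begins outside this hunk.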
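--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_handshake.c,v 1.24 2019/02/07 15:54:18 jsing Exp $ */
+/* $OpenBSD: tls13_handshake.c,v 1.25 2019/02/10 13:04:29 jsing Exp $ */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -33,6 +33,7 @@ struct tls13_handshake_action {
 uint8_t handshake_type;
 uint8_t sender;
 uint8_t handshake_complete;
+uint8_t preserve_transcript_hash;
 
 int (*send)(struct tls13_ctx *ctx);
 int (*recv)(struct tls13_ctx *ctx);
@@ -133,6 +134,7 @@ struct tls13_handshake_action state_machine[] = {
 .record_type = TLS13_HANDSHAKE,
 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
 .sender = TLS13_HS_SERVER,
+.preserve_transcript_hash = 1,
 .send = tls13_server_certificate_verify_send,
 .recv = tls13_server_certificate_verify_recv,
 },
@@ -140,6 +142,7 @@ struct tls13_handshake_action state_machine[] = {
 .record_type = TLS13_HANDSHAKE,
 .handshake_type = TLS13_MT_FINISHED,
 .sender = TLS13_HS_SERVER,
+.preserve_transcript_hash = 1,
 .send = tls13_server_finished_send,
 .recv = tls13_server_finished_recv,
 },
@@ -361,6 +364,13 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
 return ret;
 
+if (action->preserve_transcript_hash) {
+if (!tls1_transcript_hash_value(ctx->ssl,
+ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
+&ctx->hs->transcript_hash_len))
+return TLS13_IO_FAILURE;
+}
+
 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
 return TLS13_IO_FAILURE;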
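Review bot: `preserve_transcript_hash` is set on the server CertificateVerify and Finished actions, which each carry both a `.send` and a `.recv` handler, yet the only code that honours the flag is the block added to `tls13_handshake_recv_action`; no hunk in this commit touches a send-side path. That covers a client receiving these messages, but if `tls13_server_certificate_verify_send` or `tls13_server_finished_send` are ever meant to read the preserved value they would see whatever `ctx->hs->transcript_hash` last held, and the signature or Finished MAC would then cover the wrong transcript. Either mirror the same block in the send action before the outgoing message is recorded, or document the limit on the field, e.g. `uint8_t preserve_transcript_hash; /* honoured on the recv path only */`. Both `tls13_handshake_recv_action` and the `state_machine` entries extend beyond the hunks shown, so this is based on the visible lines only.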