diff options
| author | jsing <> | 2020-02-05 17:30:30 +0000 |
|---|---|---|
| committer | jsing <> | 2020-02-05 17:30:30 +0000 |
| commit | b4766dc0b43a58fb924f86b32ea9dc519e138f45 (patch) | |
| tree | 24698e90dd97dec3b0a0fe94f34f034aa56498f6 | |
| parent | 30522d799b56c01cbca3fedc09dfe8c5f5692a43 (diff) | |
| download | openbsd-b4766dc0b43a58fb924f86b32ea9dc519e138f45.tar.gz openbsd-b4766dc0b43a58fb924f86b32ea9dc519e138f45.tar.bz2 openbsd-b4766dc0b43a58fb924f86b32ea9dc519e138f45.zip | |
Refactor the server hello processing code in the TLSv1.3 client.
Use flags to signal the need to switch to the legacy client and to identify
a hello retry request. This allows the caller to take appropriate action,
rather than trying to do this in the parsing/processing code.
Split the key deriviation and record protection engagement code into a
separate function, both for readability and reuse.
Change handshake states outside of the processing code.
ok tb@
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 5 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 63 |
2 files changed, 46 insertions, 22 deletions
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index fc2528db16..7f3e8a63a8 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.261 2020/02/05 16:47:34 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.262 2020/02/05 17:30:30 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -457,6 +457,9 @@ typedef struct ssl_handshake_tls13_st { | |||
| 457 | uint16_t max_version; | 457 | uint16_t max_version; |
| 458 | uint16_t version; | 458 | uint16_t version; |
| 459 | 459 | ||
| 460 | int use_legacy; | ||
| 461 | int hrr; | ||
| 462 | |||
| 460 | /* Version proposed by peer server. */ | 463 | /* Version proposed by peer server. */ |
| 461 | uint16_t server_version; | 464 | uint16_t server_version; |
| 462 | 465 | ||
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 62ed600de3..d9ef85753e 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.41 2020/02/05 17:01:43 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.42 2020/02/05 17:30:30 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -279,6 +279,7 @@ static int | |||
| 279 | tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) | 279 | tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) |
| 280 | { | 280 | { |
| 281 | CBS server_random, session_id; | 281 | CBS server_random, session_id; |
| 282 | uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; | ||
| 282 | uint16_t cipher_suite, legacy_version; | 283 | uint16_t cipher_suite, legacy_version; |
| 283 | uint8_t compression_method; | 284 | uint8_t compression_method; |
| 284 | const SSL_CIPHER *cipher; | 285 | const SSL_CIPHER *cipher; |
| @@ -317,13 +318,22 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) | |||
| 317 | 318 | ||
| 318 | if (!CBS_skip(cbs, CBS_len(cbs))) | 319 | if (!CBS_skip(cbs, CBS_len(cbs))) |
| 319 | goto err; | 320 | goto err; |
| 320 | return tls13_use_legacy_client(ctx); | 321 | |
| 322 | ctx->hs->use_legacy = 1; | ||
| 323 | return 1; | ||
| 321 | } | 324 | } |
| 322 | 325 | ||
| 323 | /* From here on in we know we are doing TLSv1.3. */ | 326 | /* From here on in we know we are doing TLSv1.3. */ |
| 324 | tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); | 327 | tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); |
| 325 | 328 | ||
| 326 | if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) { | 329 | /* See if this is a Hello Retry Request. */ |
| 330 | if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, | ||
| 331 | sizeof(tls13_hello_retry_request_hash))) { | ||
| 332 | tlsext_msg_type = SSL_TLSEXT_MSG_HRR; | ||
| 333 | ctx->hs->hrr = 1; | ||
| 334 | } | ||
| 335 | |||
| 336 | if (!tlsext_client_parse(s, cbs, &alert_desc, tlsext_msg_type)) { | ||
| 327 | ctx->alert = alert_desc; | 337 | ctx->alert = alert_desc; |
| 328 | goto err; | 338 | goto err; |
| 329 | } | 339 | } |
| @@ -380,20 +390,17 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) | |||
| 380 | goto err; | 390 | goto err; |
| 381 | } | 391 | } |
| 382 | 392 | ||
| 383 | if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, | ||
| 384 | sizeof(tls13_hello_retry_request_hash))) | ||
| 385 | ctx->handshake_stage.hs_type |= WITH_HRR; | ||
| 386 | |||
| 387 | return 1; | 393 | return 1; |
| 388 | 394 | ||
| 389 | err: | 395 | err: |
| 390 | if (ctx->alert == 0) | 396 | if (ctx->alert == 0) |
| 391 | ctx->alert = TLS1_AD_DECODE_ERROR; | 397 | ctx->alert = TLS1_AD_DECODE_ERROR; |
| 398 | |||
| 392 | return 0; | 399 | return 0; |
| 393 | } | 400 | } |
| 394 | 401 | ||
| 395 | int | 402 | static int |
| 396 | tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | 403 | tls13_client_engage_record_protection(struct tls13_ctx *ctx) |
| 397 | { | 404 | { |
| 398 | struct tls13_secrets *secrets; | 405 | struct tls13_secrets *secrets; |
| 399 | struct tls13_secret context; | 406 | struct tls13_secret context; |
| @@ -404,18 +411,8 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 404 | SSL *s = ctx->ssl; | 411 | SSL *s = ctx->ssl; |
| 405 | int ret = 0; | 412 | int ret = 0; |
| 406 | 413 | ||
| 407 | if (!tls13_server_hello_process(ctx, cbs)) | 414 | /* Derive the shared key and engage record protection. */ |
| 408 | goto err; | ||
| 409 | |||
| 410 | /* See if we switched back to the legacy client method. */ | ||
| 411 | if (s->method->internal->version < TLS1_3_VERSION) | ||
| 412 | return 1; | ||
| 413 | 415 | ||
| 414 | /* XXX - handle other key share types. */ | ||
| 415 | if (ctx->hs->key_share == NULL) { | ||
| 416 | /* XXX - alert. */ | ||
| 417 | goto err; | ||
| 418 | } | ||
| 419 | if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, | 416 | if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, |
| 420 | &shared_key_len)) | 417 | &shared_key_len)) |
| 421 | goto err; | 418 | goto err; |
| @@ -461,7 +458,6 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 461 | &secrets->client_handshake_traffic)) | 458 | &secrets->client_handshake_traffic)) |
| 462 | goto err; | 459 | goto err; |
| 463 | 460 | ||
| 464 | ctx->handshake_stage.hs_type |= NEGOTIATED; | ||
| 465 | ret = 1; | 461 | ret = 1; |
| 466 | 462 | ||
| 467 | err: | 463 | err: |
| @@ -471,6 +467,31 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 471 | } | 467 | } |
| 472 | 468 | ||
| 473 | int | 469 | int |
| 470 | tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | ||
| 471 | { | ||
| 472 | /* | ||
| 473 | * We may have received a legacy (pre-TLSv1.3) server hello, | ||
| 474 | * a TLSv1.3 server hello or a TLSv1.3 hello retry request. | ||
| 475 | */ | ||
| 476 | if (!tls13_server_hello_process(ctx, cbs)) | ||
| 477 | return 0; | ||
| 478 | |||
| 479 | if (ctx->hs->use_legacy) | ||
| 480 | return tls13_use_legacy_client(ctx); | ||
| 481 | |||
| 482 | if (!tls13_client_engage_record_protection(ctx)) | ||
| 483 | return 0; | ||
| 484 | |||
| 485 | ctx->handshake_stage.hs_type |= NEGOTIATED; | ||
| 486 | if (ctx->hs->hrr) | ||
| 487 | ctx->handshake_stage.hs_type |= WITH_HRR; | ||
| 488 | |||
| 489 | ctx->hs->hrr = 0; | ||
| 490 | |||
| 491 | return 1; | ||
| 492 | } | ||
| 493 | |||
| 494 | int | ||
| 474 | tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) | 495 | tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) |
| 475 | { | 496 | { |
| 476 | return 0; | 497 | return 0; |