diff options
| author | jsing <> | 2022-07-24 14:16:29 +0000 |
|---|---|---|
| committer | jsing <> | 2022-07-24 14:16:29 +0000 |
| commit | d82a186f8c966e9a7dddbe974f3492a8d6fc42c8 (patch) | |
| tree | 513bd66d8a8e45ea9b3a80cfdde2155254f69204 | |
| parent | d7c47c20d5f183b9417a79c956e0563e69e243cc (diff) | |
| download | openbsd-d82a186f8c966e9a7dddbe974f3492a8d6fc42c8.tar.gz openbsd-d82a186f8c966e9a7dddbe974f3492a8d6fc42c8.tar.bz2 openbsd-d82a186f8c966e9a7dddbe974f3492a8d6fc42c8.zip | |
Provide QUIC encryption levels.
QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.
ok tb@
| -rw-r--r-- | src/lib/libssl/ssl.h | 13 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_internal.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_lib.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_record_layer.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 10 |
6 files changed, 33 insertions, 20 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 03e30441e0..14fb094e71 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.221 2022/07/17 14:49:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.222 2022/07/24 14:16:29 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1577,6 +1577,17 @@ void SSL_CTX_set_security_level(SSL_CTX *ctx, int level); | |||
| 1577 | int SSL_CTX_get_security_level(const SSL_CTX *ctx); | 1577 | int SSL_CTX_get_security_level(const SSL_CTX *ctx); |
| 1578 | 1578 | ||
| 1579 | #if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL) | 1579 | #if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL) |
| 1580 | /* | ||
| 1581 | * ssl_encryption_level_t specifies the QUIC encryption level used to transmit | ||
| 1582 | * handshake messages. | ||
| 1583 | */ | ||
| 1584 | typedef enum ssl_encryption_level_t { | ||
| 1585 | ssl_encryption_initial = 0, | ||
| 1586 | ssl_encryption_early_data, | ||
| 1587 | ssl_encryption_handshake, | ||
| 1588 | ssl_encryption_application, | ||
| 1589 | } OSSL_ENCRYPTION_LEVEL; | ||
| 1590 | |||
| 1580 | int SSL_is_quic(const SSL *ssl); | 1591 | int SSL_is_quic(const SSL *ssl); |
| 1581 | 1592 | ||
| 1582 | /* | 1593 | /* |
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index cc01329e51..b1efafdfdd 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.96 2022/07/22 14:53:07 tb Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.97 2022/07/24 14:16:29 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -382,10 +382,10 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) | |||
| 382 | tls13_record_layer_set_hash(ctx->rl, ctx->hash); | 382 | tls13_record_layer_set_hash(ctx->rl, ctx->hash); |
| 383 | 383 | ||
| 384 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, | 384 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, |
| 385 | &secrets->server_handshake_traffic)) | 385 | &secrets->server_handshake_traffic, ssl_encryption_handshake)) |
| 386 | goto err; | 386 | goto err; |
| 387 | if (!tls13_record_layer_set_write_traffic_key(ctx->rl, | 387 | if (!tls13_record_layer_set_write_traffic_key(ctx->rl, |
| 388 | &secrets->client_handshake_traffic)) | 388 | &secrets->client_handshake_traffic, ssl_encryption_handshake)) |
| 389 | goto err; | 389 | goto err; |
| 390 | 390 | ||
| 391 | ret = 1; | 391 | ret = 1; |
| @@ -801,7 +801,7 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 801 | * using the server application traffic keys. | 801 | * using the server application traffic keys. |
| 802 | */ | 802 | */ |
| 803 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, | 803 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, |
| 804 | &secrets->server_application_traffic)) | 804 | &secrets->server_application_traffic, ssl_encryption_application)) |
| 805 | goto err; | 805 | goto err; |
| 806 | 806 | ||
| 807 | tls13_record_layer_allow_ccs(ctx->rl, 0); | 807 | tls13_record_layer_allow_ccs(ctx->rl, 0); |
| @@ -1080,5 +1080,5 @@ tls13_client_finished_sent(struct tls13_ctx *ctx) | |||
| 1080 | * using the client application traffic keys. | 1080 | * using the client application traffic keys. |
| 1081 | */ | 1081 | */ |
| 1082 | return tls13_record_layer_set_write_traffic_key(ctx->rl, | 1082 | return tls13_record_layer_set_write_traffic_key(ctx->rl, |
| 1083 | &secrets->client_application_traffic); | 1083 | &secrets->client_application_traffic, ssl_encryption_application); |
| 1084 | } | 1084 | } |
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 599eb200cb..6382f8b048 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_internal.h,v 1.99 2022/07/20 06:32:24 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_internal.h,v 1.100 2022/07/24 14:16:29 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> |
| 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> | 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> |
| @@ -199,9 +199,9 @@ void tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, | |||
| 199 | void tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry); | 199 | void tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry); |
| 200 | void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); | 200 | void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); |
| 201 | int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, | 201 | int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, |
| 202 | struct tls13_secret *read_key); | 202 | struct tls13_secret *read_key, enum ssl_encryption_level_t read_level); |
| 203 | int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, | 203 | int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, |
| 204 | struct tls13_secret *write_key); | 204 | struct tls13_secret *write_key, enum ssl_encryption_level_t write_level); |
| 205 | ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); | 205 | ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); |
| 206 | ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); | 206 | ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); |
| 207 | ssize_t tls13_record_layer_flush(struct tls13_record_layer *rl); | 207 | ssize_t tls13_record_layer_flush(struct tls13_record_layer *rl); |
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 8d0e030b5a..9d62479f15 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_lib.c,v 1.67 2022/07/20 06:32:24 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_lib.c,v 1.68 2022/07/24 14:16:29 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2019 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2019 Bob Beck <beck@openbsd.org> |
| @@ -230,7 +230,8 @@ tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx) | |||
| 230 | return 0; | 230 | return 0; |
| 231 | } | 231 | } |
| 232 | 232 | ||
| 233 | return tls13_record_layer_set_read_traffic_key(ctx->rl, secret); | 233 | return tls13_record_layer_set_read_traffic_key(ctx->rl, |
| 234 | secret, ssl_encryption_application); | ||
| 234 | } | 235 | } |
| 235 | 236 | ||
| 236 | static int | 237 | static int |
| @@ -249,7 +250,8 @@ tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx) | |||
| 249 | return 0; | 250 | return 0; |
| 250 | } | 251 | } |
| 251 | 252 | ||
| 252 | return tls13_record_layer_set_write_traffic_key(ctx->rl, secret); | 253 | return tls13_record_layer_set_write_traffic_key(ctx->rl, |
| 254 | secret, ssl_encryption_application); | ||
| 253 | } | 255 | } |
| 254 | 256 | ||
| 255 | /* | 257 | /* |
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index 2b7052c30e..c92fd8d193 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_record_layer.c,v 1.68 2022/07/20 06:32:24 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_record_layer.c,v 1.69 2022/07/24 14:16:29 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -487,7 +487,7 @@ tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, | |||
| 487 | 487 | ||
| 488 | int | 488 | int |
| 489 | tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, | 489 | tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, |
| 490 | struct tls13_secret *read_key) | 490 | struct tls13_secret *read_key, enum ssl_encryption_level_t read_level) |
| 491 | { | 491 | { |
| 492 | return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, | 492 | return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, |
| 493 | rl->read, read_key); | 493 | rl->read, read_key); |
| @@ -495,7 +495,7 @@ tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, | |||
| 495 | 495 | ||
| 496 | int | 496 | int |
| 497 | tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, | 497 | tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, |
| 498 | struct tls13_secret *write_key) | 498 | struct tls13_secret *write_key, enum ssl_encryption_level_t write_level) |
| 499 | { | 499 | { |
| 500 | return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, | 500 | return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, |
| 501 | rl->write, write_key); | 501 | rl->write, write_key); |
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index c5c86ab95f..5aee5f1a93 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.99 2022/07/02 16:00:12 tb Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.100 2022/07/24 14:16:29 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -403,10 +403,10 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) | |||
| 403 | tls13_record_layer_set_hash(ctx->rl, ctx->hash); | 403 | tls13_record_layer_set_hash(ctx->rl, ctx->hash); |
| 404 | 404 | ||
| 405 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, | 405 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, |
| 406 | &secrets->client_handshake_traffic)) | 406 | &secrets->client_handshake_traffic, ssl_encryption_handshake)) |
| 407 | goto err; | 407 | goto err; |
| 408 | if (!tls13_record_layer_set_write_traffic_key(ctx->rl, | 408 | if (!tls13_record_layer_set_write_traffic_key(ctx->rl, |
| 409 | &secrets->server_handshake_traffic)) | 409 | &secrets->server_handshake_traffic, ssl_encryption_handshake)) |
| 410 | goto err; | 410 | goto err; |
| 411 | 411 | ||
| 412 | ctx->handshake_stage.hs_type |= NEGOTIATED; | 412 | ctx->handshake_stage.hs_type |= NEGOTIATED; |
| @@ -850,7 +850,7 @@ tls13_server_finished_sent(struct tls13_ctx *ctx) | |||
| 850 | * using the server application traffic keys. | 850 | * using the server application traffic keys. |
| 851 | */ | 851 | */ |
| 852 | return tls13_record_layer_set_write_traffic_key(ctx->rl, | 852 | return tls13_record_layer_set_write_traffic_key(ctx->rl, |
| 853 | &secrets->server_application_traffic); | 853 | &secrets->server_application_traffic, ssl_encryption_application); |
| 854 | } | 854 | } |
| 855 | 855 | ||
| 856 | int | 856 | int |
| @@ -1094,7 +1094,7 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 1094 | * using the client application traffic keys. | 1094 | * using the client application traffic keys. |
| 1095 | */ | 1095 | */ |
| 1096 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, | 1096 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, |
| 1097 | &secrets->client_application_traffic)) | 1097 | &secrets->client_application_traffic, ssl_encryption_application)) |
| 1098 | goto err; | 1098 | goto err; |
| 1099 | 1099 | ||
| 1100 | tls13_record_layer_allow_ccs(ctx->rl, 0); | 1100 | tls13_record_layer_allow_ccs(ctx->rl, 0); |