diff options
| author | jsing <> | 2020-01-24 06:45:09 +0000 |
|---|---|---|
| committer | jsing <> | 2020-01-24 06:45:09 +0000 |
| commit | 79b127f70a38c4ebb13fe6c972a30467c4162485 (patch) | |
| tree | f83b9bcc6c5ec99ef34c952c276aaf32b2a8b569 /src/lib | |
| parent | 2b0a9bd64bdbe258eeda63a772f157dcdd937e83 (diff) | |
| download | openbsd-79b127f70a38c4ebb13fe6c972a30467c4162485.tar.gz openbsd-79b127f70a38c4ebb13fe6c972a30467c4162485.tar.bz2 openbsd-79b127f70a38c4ebb13fe6c972a30467c4162485.zip | |
Preserve the TLS transcript at additional points.
This is needed for the TLSv1.3 server and will also be needed for client
certificate authentication. Note that we preserve on receive but before
recording the new handshake message, whereas we preserve on send after
recording the new handshake message.
ok tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/tls13_handshake.c | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index 518073f4a1..2c5b72a912 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_handshake.c,v 1.42 2020/01/24 04:43:09 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_handshake.c,v 1.43 2020/01/24 06:45:09 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> | 3 | * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> |
| 4 | * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> |
| @@ -25,10 +25,11 @@ | |||
| 25 | /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ | 25 | /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ |
| 26 | 26 | ||
| 27 | struct tls13_handshake_action { | 27 | struct tls13_handshake_action { |
| 28 | uint8_t handshake_type; | 28 | uint8_t handshake_type; |
| 29 | uint8_t sender; | 29 | uint8_t sender; |
| 30 | uint8_t handshake_complete; | 30 | uint8_t handshake_complete; |
| 31 | uint8_t preserve_transcript_hash; | 31 | uint8_t send_preserve_transcript_hash; |
| 32 | uint8_t recv_preserve_transcript_hash; | ||
| 32 | 33 | ||
| 33 | int (*send)(struct tls13_ctx *ctx, CBB *cbb); | 34 | int (*send)(struct tls13_ctx *ctx, CBB *cbb); |
| 34 | int (*sent)(struct tls13_ctx *ctx); | 35 | int (*sent)(struct tls13_ctx *ctx); |
| @@ -71,12 +72,14 @@ struct tls13_handshake_action state_machine[] = { | |||
| 71 | [CLIENT_CERTIFICATE] = { | 72 | [CLIENT_CERTIFICATE] = { |
| 72 | .handshake_type = TLS13_MT_CERTIFICATE, | 73 | .handshake_type = TLS13_MT_CERTIFICATE, |
| 73 | .sender = TLS13_HS_CLIENT, | 74 | .sender = TLS13_HS_CLIENT, |
| 75 | .send_preserve_transcript_hash = 1, | ||
| 74 | .send = tls13_client_certificate_send, | 76 | .send = tls13_client_certificate_send, |
| 75 | .recv = tls13_client_certificate_recv, | 77 | .recv = tls13_client_certificate_recv, |
| 76 | }, | 78 | }, |
| 77 | [CLIENT_CERTIFICATE_VERIFY] = { | 79 | [CLIENT_CERTIFICATE_VERIFY] = { |
| 78 | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, | 80 | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, |
| 79 | .sender = TLS13_HS_CLIENT, | 81 | .sender = TLS13_HS_CLIENT, |
| 82 | .recv_preserve_transcript_hash = 1, | ||
| 80 | .send = tls13_client_certificate_verify_send, | 83 | .send = tls13_client_certificate_verify_send, |
| 81 | .recv = tls13_client_certificate_verify_recv, | 84 | .recv = tls13_client_certificate_verify_recv, |
| 82 | }, | 85 | }, |
| @@ -115,6 +118,7 @@ struct tls13_handshake_action state_machine[] = { | |||
| 115 | [SERVER_CERTIFICATE] = { | 118 | [SERVER_CERTIFICATE] = { |
| 116 | .handshake_type = TLS13_MT_CERTIFICATE, | 119 | .handshake_type = TLS13_MT_CERTIFICATE, |
| 117 | .sender = TLS13_HS_SERVER, | 120 | .sender = TLS13_HS_SERVER, |
| 121 | .send_preserve_transcript_hash = 1, | ||
| 118 | .send = tls13_server_certificate_send, | 122 | .send = tls13_server_certificate_send, |
| 119 | .recv = tls13_server_certificate_recv, | 123 | .recv = tls13_server_certificate_recv, |
| 120 | }, | 124 | }, |
| @@ -127,14 +131,15 @@ struct tls13_handshake_action state_machine[] = { | |||
| 127 | [SERVER_CERTIFICATE_VERIFY] = { | 131 | [SERVER_CERTIFICATE_VERIFY] = { |
| 128 | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, | 132 | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, |
| 129 | .sender = TLS13_HS_SERVER, | 133 | .sender = TLS13_HS_SERVER, |
| 130 | .preserve_transcript_hash = 1, | 134 | .recv_preserve_transcript_hash = 1, |
| 131 | .send = tls13_server_certificate_verify_send, | 135 | .send = tls13_server_certificate_verify_send, |
| 132 | .recv = tls13_server_certificate_verify_recv, | 136 | .recv = tls13_server_certificate_verify_recv, |
| 133 | }, | 137 | }, |
| 134 | [SERVER_FINISHED] = { | 138 | [SERVER_FINISHED] = { |
| 135 | .handshake_type = TLS13_MT_FINISHED, | 139 | .handshake_type = TLS13_MT_FINISHED, |
| 136 | .sender = TLS13_HS_SERVER, | 140 | .sender = TLS13_HS_SERVER, |
| 137 | .preserve_transcript_hash = 1, | 141 | .recv_preserve_transcript_hash = 1, |
| 142 | .send_preserve_transcript_hash = 1, | ||
| 138 | .send = tls13_server_finished_send, | 143 | .send = tls13_server_finished_send, |
| 139 | .recv = tls13_server_finished_recv, | 144 | .recv = tls13_server_finished_recv, |
| 140 | }, | 145 | }, |
| @@ -293,7 +298,9 @@ tls13_handshake_perform(struct tls13_ctx *ctx) | |||
| 293 | ctx->handshake_completed = 1; | 298 | ctx->handshake_completed = 1; |
| 294 | tls13_record_layer_handshake_completed(ctx->rl); | 299 | tls13_record_layer_handshake_completed(ctx->rl); |
| 295 | return TLS13_IO_SUCCESS; | 300 | return TLS13_IO_SUCCESS; |
| 296 | } else if (ctx->alert) | 301 | } |
| 302 | |||
| 303 | if (ctx->alert) | ||
| 297 | return tls13_send_alert(ctx->rl, ctx->alert); | 304 | return tls13_send_alert(ctx->rl, ctx->alert); |
| 298 | 305 | ||
| 299 | if (action->sender == ctx->mode) { | 306 | if (action->sender == ctx->mode) { |
| @@ -348,6 +355,13 @@ tls13_handshake_send_action(struct tls13_ctx *ctx, | |||
| 348 | if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) | 355 | if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) |
| 349 | return TLS13_IO_FAILURE; | 356 | return TLS13_IO_FAILURE; |
| 350 | 357 | ||
| 358 | if (action->send_preserve_transcript_hash) { | ||
| 359 | if (!tls1_transcript_hash_value(ctx->ssl, | ||
| 360 | ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), | ||
| 361 | &ctx->hs->transcript_hash_len)) | ||
| 362 | return TLS13_IO_FAILURE; | ||
| 363 | } | ||
| 364 | |||
| 351 | tls13_handshake_msg_free(ctx->hs_msg); | 365 | tls13_handshake_msg_free(ctx->hs_msg); |
| 352 | ctx->hs_msg = NULL; | 366 | ctx->hs_msg = NULL; |
| 353 | 367 | ||
| @@ -373,7 +387,7 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx, | |||
| 373 | if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) | 387 | if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) |
| 374 | return ret; | 388 | return ret; |
| 375 | 389 | ||
| 376 | if (action->preserve_transcript_hash) { | 390 | if (action->recv_preserve_transcript_hash) { |
| 377 | if (!tls1_transcript_hash_value(ctx->ssl, | 391 | if (!tls1_transcript_hash_value(ctx->ssl, |
| 378 | ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), | 392 | ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), |
| 379 | &ctx->hs->transcript_hash_len)) | 393 | &ctx->hs->transcript_hash_len)) |