diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 208 |
1 files changed, 107 insertions, 101 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index dffabf1753..70a33b7131 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.51 2020/04/22 17:05:07 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.52 2020/04/27 20:15:17 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -25,15 +25,6 @@ | |||
| 25 | #include "tls13_internal.h" | 25 | #include "tls13_internal.h" |
| 26 | 26 | ||
| 27 | static int | 27 | static int |
| 28 | tls13_connect(struct tls13_ctx *ctx) | ||
| 29 | { | ||
| 30 | if (ctx->mode != TLS13_HS_CLIENT) | ||
| 31 | return TLS13_IO_FAILURE; | ||
| 32 | |||
| 33 | return tls13_handshake_perform(ctx); | ||
| 34 | } | ||
| 35 | |||
| 36 | static int | ||
| 37 | tls13_client_init(struct tls13_ctx *ctx) | 28 | tls13_client_init(struct tls13_ctx *ctx) |
| 38 | { | 29 | { |
| 39 | const uint16_t *groups; | 30 | const uint16_t *groups; |
| @@ -80,6 +71,15 @@ tls13_client_init(struct tls13_ctx *ctx) | |||
| 80 | return 1; | 71 | return 1; |
| 81 | } | 72 | } |
| 82 | 73 | ||
| 74 | static int | ||
| 75 | tls13_connect(struct tls13_ctx *ctx) | ||
| 76 | { | ||
| 77 | if (ctx->mode != TLS13_HS_CLIENT) | ||
| 78 | return TLS13_IO_FAILURE; | ||
| 79 | |||
| 80 | return tls13_handshake_perform(ctx); | ||
| 81 | } | ||
| 82 | |||
| 83 | int | 83 | int |
| 84 | tls13_legacy_connect(SSL *ssl) | 84 | tls13_legacy_connect(SSL *ssl) |
| 85 | { | 85 | { |
| @@ -570,6 +570,33 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 570 | } | 570 | } |
| 571 | 571 | ||
| 572 | int | 572 | int |
| 573 | tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) | ||
| 574 | { | ||
| 575 | /* | ||
| 576 | * Ensure that the server supported group is one that we listed in our | ||
| 577 | * supported groups and is not the same as the key share we previously | ||
| 578 | * offered. | ||
| 579 | */ | ||
| 580 | if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) | ||
| 581 | return 0; /* XXX alert */ | ||
| 582 | if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) | ||
| 583 | return 0; /* XXX alert */ | ||
| 584 | |||
| 585 | /* Switch to new key share. */ | ||
| 586 | tls13_key_share_free(ctx->hs->key_share); | ||
| 587 | if ((ctx->hs->key_share = | ||
| 588 | tls13_key_share_new(ctx->hs->server_group)) == NULL) | ||
| 589 | return 0; | ||
| 590 | if (!tls13_key_share_generate(ctx->hs->key_share)) | ||
| 591 | return 0; | ||
| 592 | |||
| 593 | if (!tls13_client_hello_build(ctx, cbb)) | ||
| 594 | return 0; | ||
| 595 | |||
| 596 | return 1; | ||
| 597 | } | ||
| 598 | |||
| 599 | int | ||
| 573 | tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | 600 | tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) |
| 574 | { | 601 | { |
| 575 | SSL *s = ctx->ssl; | 602 | SSL *s = ctx->ssl; |
| @@ -608,33 +635,6 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 608 | } | 635 | } |
| 609 | 636 | ||
| 610 | int | 637 | int |
| 611 | tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) | ||
| 612 | { | ||
| 613 | /* | ||
| 614 | * Ensure that the server supported group is one that we listed in our | ||
| 615 | * supported groups and is not the same as the key share we previously | ||
| 616 | * offered. | ||
| 617 | */ | ||
| 618 | if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) | ||
| 619 | return 0; /* XXX alert */ | ||
| 620 | if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) | ||
| 621 | return 0; /* XXX alert */ | ||
| 622 | |||
| 623 | /* Switch to new key share. */ | ||
| 624 | tls13_key_share_free(ctx->hs->key_share); | ||
| 625 | if ((ctx->hs->key_share = | ||
| 626 | tls13_key_share_new(ctx->hs->server_group)) == NULL) | ||
| 627 | return 0; | ||
| 628 | if (!tls13_key_share_generate(ctx->hs->key_share)) | ||
| 629 | return 0; | ||
| 630 | |||
| 631 | if (!tls13_client_hello_build(ctx, cbb)) | ||
| 632 | return 0; | ||
| 633 | |||
| 634 | return 1; | ||
| 635 | } | ||
| 636 | |||
| 637 | int | ||
| 638 | tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) | 638 | tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) |
| 639 | { | 639 | { |
| 640 | int alert_desc; | 640 | int alert_desc; |
| @@ -945,70 +945,6 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 945 | } | 945 | } |
| 946 | 946 | ||
| 947 | int | 947 | int |
| 948 | tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) | ||
| 949 | { | ||
| 950 | struct tls13_secrets *secrets = ctx->hs->secrets; | ||
| 951 | struct tls13_secret context = { .data = "", .len = 0 }; | ||
| 952 | struct tls13_secret finished_key; | ||
| 953 | uint8_t transcript_hash[EVP_MAX_MD_SIZE]; | ||
| 954 | size_t transcript_hash_len; | ||
| 955 | uint8_t key[EVP_MAX_MD_SIZE]; | ||
| 956 | uint8_t *verify_data; | ||
| 957 | size_t hmac_len; | ||
| 958 | unsigned int hlen; | ||
| 959 | HMAC_CTX *hmac_ctx = NULL; | ||
| 960 | int ret = 0; | ||
| 961 | |||
| 962 | finished_key.data = key; | ||
| 963 | finished_key.len = EVP_MD_size(ctx->hash); | ||
| 964 | |||
| 965 | if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, | ||
| 966 | &secrets->client_handshake_traffic, "finished", | ||
| 967 | &context)) | ||
| 968 | goto err; | ||
| 969 | |||
| 970 | if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, | ||
| 971 | sizeof(transcript_hash), &transcript_hash_len)) | ||
| 972 | goto err; | ||
| 973 | |||
| 974 | if ((hmac_ctx = HMAC_CTX_new()) == NULL) | ||
| 975 | goto err; | ||
| 976 | if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, | ||
| 977 | ctx->hash, NULL)) | ||
| 978 | goto err; | ||
| 979 | if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) | ||
| 980 | goto err; | ||
| 981 | |||
| 982 | hmac_len = HMAC_size(hmac_ctx); | ||
| 983 | if (!CBB_add_space(cbb, &verify_data, hmac_len)) | ||
| 984 | goto err; | ||
| 985 | if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) | ||
| 986 | goto err; | ||
| 987 | if (hlen != hmac_len) | ||
| 988 | goto err; | ||
| 989 | |||
| 990 | ret = 1; | ||
| 991 | |||
| 992 | err: | ||
| 993 | HMAC_CTX_free(hmac_ctx); | ||
| 994 | |||
| 995 | return ret; | ||
| 996 | } | ||
| 997 | |||
| 998 | int | ||
| 999 | tls13_client_finished_sent(struct tls13_ctx *ctx) | ||
| 1000 | { | ||
| 1001 | struct tls13_secrets *secrets = ctx->hs->secrets; | ||
| 1002 | |||
| 1003 | /* | ||
| 1004 | * Any records following the client finished message must be encrypted | ||
| 1005 | * using the client application traffic keys. | ||
| 1006 | */ | ||
| 1007 | return tls13_record_layer_set_write_traffic_key(ctx->rl, | ||
| 1008 | &secrets->client_application_traffic); | ||
| 1009 | } | ||
| 1010 | |||
| 1011 | int | ||
| 1012 | tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | 948 | tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) |
| 1013 | { | 949 | { |
| 1014 | SSL *s = ctx->ssl; | 950 | SSL *s = ctx->ssl; |
| @@ -1135,3 +1071,73 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 1135 | 1071 | ||
| 1136 | return ret; | 1072 | return ret; |
| 1137 | } | 1073 | } |
| 1074 | |||
| 1075 | int | ||
| 1076 | tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) | ||
| 1077 | { | ||
| 1078 | return 0; | ||
| 1079 | } | ||
| 1080 | |||
| 1081 | int | ||
| 1082 | tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) | ||
| 1083 | { | ||
| 1084 | struct tls13_secrets *secrets = ctx->hs->secrets; | ||
| 1085 | struct tls13_secret context = { .data = "", .len = 0 }; | ||
| 1086 | struct tls13_secret finished_key; | ||
| 1087 | uint8_t transcript_hash[EVP_MAX_MD_SIZE]; | ||
| 1088 | size_t transcript_hash_len; | ||
| 1089 | uint8_t key[EVP_MAX_MD_SIZE]; | ||
| 1090 | uint8_t *verify_data; | ||
| 1091 | size_t hmac_len; | ||
| 1092 | unsigned int hlen; | ||
| 1093 | HMAC_CTX *hmac_ctx = NULL; | ||
| 1094 | int ret = 0; | ||
| 1095 | |||
| 1096 | finished_key.data = key; | ||
| 1097 | finished_key.len = EVP_MD_size(ctx->hash); | ||
| 1098 | |||
| 1099 | if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, | ||
| 1100 | &secrets->client_handshake_traffic, "finished", | ||
| 1101 | &context)) | ||
| 1102 | goto err; | ||
| 1103 | |||
| 1104 | if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, | ||
| 1105 | sizeof(transcript_hash), &transcript_hash_len)) | ||
| 1106 | goto err; | ||
| 1107 | |||
| 1108 | if ((hmac_ctx = HMAC_CTX_new()) == NULL) | ||
| 1109 | goto err; | ||
| 1110 | if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, | ||
| 1111 | ctx->hash, NULL)) | ||
| 1112 | goto err; | ||
| 1113 | if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) | ||
| 1114 | goto err; | ||
| 1115 | |||
| 1116 | hmac_len = HMAC_size(hmac_ctx); | ||
| 1117 | if (!CBB_add_space(cbb, &verify_data, hmac_len)) | ||
| 1118 | goto err; | ||
| 1119 | if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) | ||
| 1120 | goto err; | ||
| 1121 | if (hlen != hmac_len) | ||
| 1122 | goto err; | ||
| 1123 | |||
| 1124 | ret = 1; | ||
| 1125 | |||
| 1126 | err: | ||
| 1127 | HMAC_CTX_free(hmac_ctx); | ||
| 1128 | |||
| 1129 | return ret; | ||
| 1130 | } | ||
| 1131 | |||
| 1132 | int | ||
| 1133 | tls13_client_finished_sent(struct tls13_ctx *ctx) | ||
| 1134 | { | ||
| 1135 | struct tls13_secrets *secrets = ctx->hs->secrets; | ||
| 1136 | |||
| 1137 | /* | ||
| 1138 | * Any records following the client finished message must be encrypted | ||
| 1139 | * using the client application traffic keys. | ||
| 1140 | */ | ||
| 1141 | return tls13_record_layer_set_write_traffic_key(ctx->rl, | ||
| 1142 | &secrets->client_application_traffic); | ||
| 1143 | } | ||