Diffstat (limited to 'src/lib/libssl/tls13_client.c')
-rw-r--r--src/lib/libssl/tls13_client.c112
1 files changed, 55 insertions, 57 deletions
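--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.75 2021/03/21 18:36:34 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
 	size_t groups_len;
 	SSL *s = ctx->ssl;
 
-	if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
-	    &S3I(s)->hs.our_max_tls_version)) {
+	if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+	    &ctx->hs->our_max_tls_version)) {
 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
 		return 0;
 	}
-	s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
+	s->client_version = s->version = ctx->hs->our_max_tls_version;
 
 	tls13_record_layer_set_retry_after_phh(ctx->rl,
 	    (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -51,9 +51,9 @@ tls13_client_init(struct tls13_ctx *ctx)
 	tls1_get_group_list(s, 0, &groups, &groups_len);
 	if (groups_len < 1)
 		return 0;
-	if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL)
+	if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL)
 		return 0;
-	if (!tls13_key_share_generate(ctx->hs->key_share))
+	if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
 		return 0;
 
 	arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -65,11 +65,11 @@ tls13_client_init(struct tls13_ctx *ctx)
 	 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
 	 */
 	if (ctx->middlebox_compat &&
-	    S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
-		arc4random_buf(ctx->hs->legacy_session_id,
-		    sizeof(ctx->hs->legacy_session_id));
-		ctx->hs->legacy_session_id_len =
-		    sizeof(ctx->hs->legacy_session_id);
+	    ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
+		arc4random_buf(ctx->hs->tls13.legacy_session_id,
+		    sizeof(ctx->hs->tls13.legacy_session_id));
+		ctx->hs->tls13.legacy_session_id_len =
+		    sizeof(ctx->hs->tls13.legacy_session_id);
 	}
 
 	return 1;
@@ -92,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 	SSL *s = ctx->ssl;
 
 	/* Legacy client version is capped at TLS 1.2. */
-	client_version = S3I(s)->hs.our_max_tls_version;
+	client_version = ctx->hs->our_max_tls_version;
 	if (client_version > TLS1_2_VERSION)
 		client_version = TLS1_2_VERSION;
 
@@ -103,8 +103,8 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 
 	if (!CBB_add_u8_length_prefixed(cbb, &session_id))
 		goto err;
-	if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
-	    ctx->hs->legacy_session_id_len))
+	if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+	    ctx->hs->tls13.legacy_session_id_len))
 		goto err;
 
 	if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
@@ -134,9 +134,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-	SSL *s = ctx->ssl;
-
-	if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
+	if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
 		tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
 
 	/* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -231,7 +229,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		goto err;
 
 	if (tls13_server_hello_is_legacy(cbs)) {
-		if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
+		if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
 			/*
 			 * RFC 8446 section 4.1.3: we must not downgrade if
 			 * the server random value contains the TLS 1.2 or 1.1
@@ -252,7 +250,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		if (!CBS_skip(cbs, CBS_len(cbs)))
 			goto err;
 
-		ctx->hs->use_legacy = 1;
+		ctx->hs->tls13.use_legacy = 1;
 		return 1;
 	}
 
@@ -265,7 +263,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
 	    sizeof(tls13_hello_retry_request_hash))) {
 		tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
-		ctx->hs->hrr = 1;
+		ctx->hs->tls13.hrr = 1;
 	}
 
 	if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
@@ -278,16 +276,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	 * Ensure that it was 0x0304 and that legacy version is set to 0x0303
 	 * (RFC 8446 section 4.2.1).
 	 */
-	if (ctx->hs->server_version != TLS1_3_VERSION ||
+	if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
 	    legacy_version != TLS1_2_VERSION) {
 		ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
 		goto err;
 	}
-	S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
+	ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
 
 	/* The session_id must match. */
-	if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
-	    ctx->hs->legacy_session_id_len)) {
+	if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
+	    ctx->hs->tls13.legacy_session_id_len)) {
 		ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
 		goto err;
 	}
@@ -305,8 +303,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
 		goto err;
 	}
-	/* XXX - move this to hs_tls13? */
-	S3I(s)->hs.new_cipher = cipher;
+	/* XXX - move this to hs.tls13? */
+	ctx->hs->new_cipher = cipher;
 
 	if (compression_method != 0) {
 		ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
@@ -336,21 +334,21 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 
 	/* Derive the shared key and engage record protection. */
 
-	if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key,
+	if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key,
 	    &shared_key_len))
 		goto err;
 
-	s->session->cipher = S3I(s)->hs.new_cipher;
-	s->session->ssl_version = ctx->hs->server_version;
+	s->session->cipher = ctx->hs->new_cipher;
+	s->session->ssl_version = ctx->hs->tls13.server_version;
 
-	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+	if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
 		goto err;
-	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+	if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
 		goto err;
 
 	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
 		goto err;
-	ctx->hs->secrets = secrets;
+	ctx->hs->tls13.secrets = secrets;
 
 	/* XXX - pass in hash. */
 	if (!tls1_transcript_hash_init(s))
@@ -367,7 +365,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
 		goto err;
 
 	/* Handshake secrets. */
-	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+	if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
 	    shared_key_len, &context))
 		goto err;
 
@@ -409,10 +407,10 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
 	 * This may have been a TLSv1.2 or earlier ServerHello that just happened
 	 * to have matching server random...
 	 */
-	if (ctx->hs->use_legacy)
+	if (ctx->hs->tls13.use_legacy)
 		return tls13_use_legacy_client(ctx);
 
-	if (!ctx->hs->hrr)
+	if (!ctx->hs->tls13.hrr)
 		return 0;
 
 	if (!tls13_synthetic_handshake_message(ctx))
@@ -420,7 +418,7 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
 	if (!tls13_handshake_msg_record(ctx))
 		return 0;
 
-	ctx->hs->hrr = 0;
+	ctx->hs->tls13.hrr = 0;
 
 	return 1;
 }
@@ -433,17 +431,17 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 	 * supported groups and is not the same as the key share we previously
 	 * offered.
 	 */
-	if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
+	if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
 		return 0; /* XXX alert */
-	if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+	if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share))
 		return 0; /* XXX alert */
 
 	/* Switch to new key share. */
-	tls13_key_share_free(ctx->hs->key_share);
-	if ((ctx->hs->key_share =
-	    tls13_key_share_new(ctx->hs->server_group)) == NULL)
+	tls13_key_share_free(ctx->hs->tls13.key_share);
+	if ((ctx->hs->tls13.key_share =
+	    tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL)
 		return 0;
-	if (!tls13_key_share_generate(ctx->hs->key_share))
+	if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
 		return 0;
 
 	if (!tls13_client_hello_build(ctx, cbb))
@@ -470,13 +468,13 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 		return 0;
 	}
 
-	if (ctx->hs->use_legacy) {
+	if (ctx->hs->tls13.use_legacy) {
 		if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
 			return 0;
 		return tls13_use_legacy_client(ctx);
 	}
 
-	if (ctx->hs->hrr) {
+	if (ctx->hs->tls13.hrr) {
 		/* The server has sent two HelloRetryRequests. */
 		ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
 		return 0;
@@ -687,8 +685,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 		goto err;
 	if (!CBB_add_u8(&cbb, 0))
 		goto err;
-	if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
-	    ctx->hs->transcript_hash_len))
+	if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+	    ctx->hs->tls13.transcript_hash_len))
 		goto err;
 	if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
 		goto err;
@@ -738,7 +736,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-	struct tls13_secrets *secrets = ctx->hs->secrets;
+	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
 	struct tls13_secret finished_key;
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -767,8 +765,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
 	    ctx->hash, NULL))
 		goto err;
-	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
-	    ctx->hs->transcript_hash_len))
+	if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+	    ctx->hs->tls13.transcript_hash_len))
 		goto err;
 	verify_data_len = HMAC_size(hmac_ctx);
 	if ((verify_data = calloc(1, verify_data_len)) == NULL)
@@ -900,8 +898,8 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 	if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
 		goto err;
 
-	ctx->hs->cpk = cpk;
-	ctx->hs->sigalg = sigalg;
+	ctx->hs->tls13.cpk = cpk;
+	ctx->hs->tls13.sigalg = sigalg;
 
 	if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
 		goto err;
@@ -950,9 +948,9 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
 	memset(&sig_cbb, 0, sizeof(sig_cbb));
 
-	if ((cpk = ctx->hs->cpk) == NULL)
+	if ((cpk = ctx->hs->tls13.cpk) == NULL)
 		goto err;
-	if ((sigalg = ctx->hs->sigalg) == NULL)
+	if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
 		goto err;
 	pkey = cpk->privatekey;
 
@@ -966,8 +964,8 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 		goto err;
 	if (!CBB_add_u8(&sig_cbb, 0))
 		goto err;
-	if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
-	    ctx->hs->transcript_hash_len))
+	if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+	    ctx->hs->tls13.transcript_hash_len))
 		goto err;
 	if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
 		goto err;
@@ -1024,7 +1022,7 @@ tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-	struct tls13_secrets *secrets = ctx->hs->secrets;
+	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 	struct tls13_secret context = { .data = "", .len = 0 };
 	struct tls13_secret finished_key = { .data = NULL, .len = 0 };
 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -1082,7 +1080,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_finished_sent(struct tls13_ctx *ctx)
 {
-	struct tls13_secrets *secrets = ctx->hs->secrets;
+	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
 
 	/*
 	 * Any records following the client finished message must be encrypted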
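Review bot: New line 436 in tls13_client_hello_retry_send now runs well past 80 columns after the `tls13.` rename, while every other multi-line expression in this diff is wrapped KNF-style with a four-space continuation; it should be split as `if (ctx->hs->tls13.server_group ==` followed by `    tls13_key_share_group(ctx->hs->tls13.key_share))`. The `/* XXX - move this to hs.tls13? */` marker on new line 306 in tls13_server_hello_process is carried over with only its spelling updated, and the hunk at new lines 341–346 shows new_cipher still read as `ctx->hs->new_cipher` next to fields that did move into `tls13`; a one-line comment stating why new_cipher stays in the shared part of the handshake state (presumably because the pre-TLSv1.3 path reads it as well) would make the intended split easier to maintain. Both functions start and end outside their hunks.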