summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2021-03-21 18:36:35 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2021-03-21 18:36:35 +0000
commit523dc6d6c25a49ca140870da4b0b67f6a5878688 (patch)
tree72aea6b0fc1668fa5e8b37d25d9f9eeafcbeef39
parent582ddfc3b5bb3c0f2a9d1460b89e904dbfa4fbd2 (diff)
Move the TLSv1.3 handshake struct inside the shared handshake struct.
There are currently three different handshake structs that are in use - the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct (as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous 'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)). This is the first step towards cleaning up the handshake structs so that shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2 and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code to access the shared handshake data without needing the SSL struct. ok inoguchi@ tb@
-rw-r--r--lib/libssl/s3_lib.c30
-rw-r--r--lib/libssl/ssl_locl.h81
-rw-r--r--lib/libssl/ssl_tlsext.c60
-rw-r--r--lib/libssl/tls13_client.c112
-rw-r--r--lib/libssl/tls13_handshake.c12
-rw-r--r--lib/libssl/tls13_internal.h4
-rw-r--r--lib/libssl/tls13_legacy.c18
-rw-r--r--lib/libssl/tls13_lib.c44
-rw-r--r--lib/libssl/tls13_server.c92
9 files changed, 227 insertions, 226 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 75f71c4c7d3..5e39907d9c6 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.204 2021/02/07 15:26:32 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.205 2021/03/21 18:36:34 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1565,10 +1565,10 @@ ssl3_free(SSL *s)
EC_KEY_free(S3I(s)->tmp.ecdh);
freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
- tls13_key_share_free(S3I(s)->hs_tls13.key_share);
- tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
- freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
- tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+ tls13_key_share_free(S3I(s)->hs.tls13.key_share);
+ tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
+ freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
+ tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
@@ -1605,15 +1605,15 @@ ssl3_clear(SSL *s)
S3I(s)->hs.sigalgs = NULL;
S3I(s)->hs.sigalgs_len = 0;
- tls13_key_share_free(S3I(s)->hs_tls13.key_share);
- S3I(s)->hs_tls13.key_share = NULL;
+ tls13_key_share_free(S3I(s)->hs.tls13.key_share);
+ S3I(s)->hs.tls13.key_share = NULL;
- tls13_secrets_destroy(S3I(s)->hs_tls13.secrets);
- S3I(s)->hs_tls13.secrets = NULL;
- freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len);
- S3I(s)->hs_tls13.cookie = NULL;
- S3I(s)->hs_tls13.cookie_len = 0;
- tls13_clienthello_hash_clear(&S3I(s)->hs_tls13);
+ tls13_secrets_destroy(S3I(s)->hs.tls13.secrets);
+ S3I(s)->hs.tls13.secrets = NULL;
+ freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
+ S3I(s)->hs.tls13.cookie = NULL;
+ S3I(s)->hs.tls13.cookie_len = 0;
+ tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
S3I(s)->hs.extensions_seen = 0;
@@ -1678,8 +1678,8 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key)
} else if (sc->peer_x25519_tmp != NULL) {
if (!ssl_kex_dummy_ecdhe_x25519(pkey))
goto err;
- } else if (S3I(s)->hs_tls13.key_share != NULL) {
- if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share,
+ } else if (S3I(s)->hs.tls13.key_share != NULL) {
+ if (!tls13_key_share_peer_pkey(S3I(s)->hs.tls13.key_share,
pkey))
goto err;
} else {
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 99b72cc65e9..33eb3bba7df 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.327 2021/03/17 17:42:53 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.328 2021/03/21 18:36:34 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -410,6 +410,44 @@ typedef struct ssl_session_internal_st {
} SSL_SESSION_INTERNAL;
#define SSI(s) (s->session->internal)
+typedef struct cert_pkey_st {
+ X509 *x509;
+ EVP_PKEY *privatekey;
+ STACK_OF(X509) *chain;
+} CERT_PKEY;
+
+typedef struct ssl_handshake_tls13_st {
+ int use_legacy;
+ int hrr;
+
+ /* Certificate and sigalg selected for use (static pointers). */
+ const CERT_PKEY *cpk;
+ const struct ssl_sigalg *sigalg;
+
+ /* Version proposed by peer server. */
+ uint16_t server_version;
+
+ uint16_t server_group;
+ struct tls13_key_share *key_share;
+ struct tls13_secrets *secrets;
+
+ uint8_t *cookie;
+ size_t cookie_len;
+
+ /* Preserved transcript hash. */
+ uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+ size_t transcript_hash_len;
+
+ /* Legacy session ID. */
+ uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+ size_t legacy_session_id_len;
+
+ /* ClientHello hash, used to validate following HelloRetryRequest */
+ EVP_MD_CTX *clienthello_md_ctx;
+ unsigned char *clienthello_hash;
+ unsigned int clienthello_hash_len;
+} SSL_HANDSHAKE_TLS13;
+
typedef struct ssl_handshake_st {
/*
* Minimum and maximum versions supported for this handshake. These are
@@ -428,6 +466,8 @@ typedef struct ssl_handshake_st {
*/
uint16_t negotiated_tls_version;
+ SSL_HANDSHAKE_TLS13 tls13;
+
/* state contains one of the SSL3_ST_* values. */
int state;
@@ -449,44 +489,6 @@ typedef struct ssl_handshake_st {
uint8_t *sigalgs;
} SSL_HANDSHAKE;
-typedef struct cert_pkey_st {
- X509 *x509;
- EVP_PKEY *privatekey;
- STACK_OF(X509) *chain;
-} CERT_PKEY;
-
-typedef struct ssl_handshake_tls13_st {
- int use_legacy;
- int hrr;
-
- /* Certificate and sigalg selected for use (static pointers). */
- const CERT_PKEY *cpk;
- const struct ssl_sigalg *sigalg;
-
- /* Version proposed by peer server. */
- uint16_t server_version;
-
- uint16_t server_group;
- struct tls13_key_share *key_share;
- struct tls13_secrets *secrets;
-
- uint8_t *cookie;
- size_t cookie_len;
-
- /* Preserved transcript hash. */
- uint8_t transcript_hash[EVP_MAX_MD_SIZE];
- size_t transcript_hash_len;
-
- /* Legacy session ID. */
- uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
- size_t legacy_session_id_len;
-
- /* ClientHello hash, used to validate following HelloRetryRequest */
- EVP_MD_CTX *clienthello_md_ctx;
- unsigned char *clienthello_hash;
- unsigned int clienthello_hash_len;
-} SSL_HANDSHAKE_TLS13;
-
struct tls12_record_layer;
struct tls12_record_layer *tls12_record_layer_new(void);
@@ -907,7 +909,6 @@ typedef struct ssl3_state_internal_st {
int in_read_app_data;
SSL_HANDSHAKE hs;
- SSL_HANDSHAKE_TLS13 hs_tls13;
struct {
unsigned char cert_verify_md[EVP_MAX_MD_SIZE];
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 4f4a39d4bb5..5ffab919a2d 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.87 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.88 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -226,7 +226,7 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
uint16_t *groups;
int i;
- if (S3I(s)->hs_tls13.hrr) {
+ if (S3I(s)->hs.tls13.hrr) {
if (SSI(s)->tlsext_supportedgroups == NULL) {
*alert = SSL_AD_HANDSHAKE_FAILURE;
return 0;
@@ -759,7 +759,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
goto err;
}
- if (s->internal->hit || S3I(s)->hs_tls13.hrr) {
+ if (s->internal->hit || S3I(s)->hs.tls13.hrr) {
if (s->session->tlsext_hostname == NULL) {
*alert = TLS1_AD_UNRECOGNIZED_NAME;
goto err;
@@ -1416,7 +1416,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
return 0;
- if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share,
+ if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share,
&client_shares))
return 0;
@@ -1454,7 +1454,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
*/
if (S3I(s)->hs.our_max_tls_version < TLS1_3_VERSION)
continue;
- if (S3I(s)->hs_tls13.key_share != NULL)
+ if (S3I(s)->hs.tls13.key_share != NULL)
continue;
/* XXX - consider implementing server preference. */
@@ -1462,10 +1462,10 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
continue;
/* Decode and store the selected key share. */
- S3I(s)->hs_tls13.key_share = tls13_key_share_new(group);
- if (S3I(s)->hs_tls13.key_share == NULL)
+ S3I(s)->hs.tls13.key_share = tls13_key_share_new(group);
+ if (S3I(s)->hs.tls13.key_share == NULL)
goto err;
- if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+ if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
group, &key_exchange))
goto err;
}
@@ -1488,16 +1488,16 @@ int
tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
{
/* In the case of a HRR, we only send the server selected group. */
- if (S3I(s)->hs_tls13.hrr) {
- if (S3I(s)->hs_tls13.server_group == 0)
+ if (S3I(s)->hs.tls13.hrr) {
+ if (S3I(s)->hs.tls13.server_group == 0)
return 0;
- return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group);
+ return CBB_add_u16(cbb, S3I(s)->hs.tls13.server_group);
}
- if (S3I(s)->hs_tls13.key_share == NULL)
+ if (S3I(s)->hs.tls13.key_share == NULL)
return 0;
- if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb))
+ if (!tls13_key_share_public(S3I(s)->hs.tls13.key_share, cbb))
return 0;
return 1;
@@ -1516,17 +1516,17 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
if (CBS_len(cbs) == 0) {
/* HRR does not include an actual key share. */
/* XXX - we should know that we are in a HRR... */
- S3I(s)->hs_tls13.server_group = group;
+ S3I(s)->hs.tls13.server_group = group;
return 1;
}
if (!CBS_get_u16_length_prefixed(cbs, &key_exchange))
return 0;
- if (S3I(s)->hs_tls13.key_share == NULL)
+ if (S3I(s)->hs.tls13.key_share == NULL)
return 0;
- if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share,
+ if (!tls13_key_share_peer_public(S3I(s)->hs.tls13.key_share,
group, &key_exchange))
goto err;
@@ -1639,7 +1639,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
}
/* XXX test between min and max once initialization code goes in */
- S3I(s)->hs_tls13.server_version = selected_version;
+ S3I(s)->hs.tls13.server_version = selected_version;
return 1;
}
@@ -1653,7 +1653,7 @@ int
tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
{
return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
- S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+ S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
}
int
@@ -1664,8 +1664,8 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
if (!CBB_add_u16_length_prefixed(cbb, &cookie))
return 0;
- if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
- S3I(s)->hs_tls13.cookie_len))
+ if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
+ S3I(s)->hs.tls13.cookie_len))
return 0;
if (!CBB_flush(cbb))
@@ -1682,7 +1682,7 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
if (!CBS_get_u16_length_prefixed(cbs, &cookie))
goto err;
- if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len)
+ if (CBS_len(&cookie) != S3I(s)->hs.tls13.cookie_len)
goto err;
/*
@@ -1690,8 +1690,8 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
* sent - client *MUST* send the same cookie with new CR after
* a cookie is sent by the server with an HRR.
*/
- if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie,
- S3I(s)->hs_tls13.cookie_len)) {
+ if (!CBS_mem_equal(&cookie, S3I(s)->hs.tls13.cookie,
+ S3I(s)->hs.tls13.cookie_len)) {
/* XXX special cookie mismatch alert? */
*alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
@@ -1712,7 +1712,7 @@ tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
* in order to send one, should only be sent with HRR.
*/
return (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION &&
- S3I(s)->hs_tls13.cookie_len > 0 && S3I(s)->hs_tls13.cookie != NULL);
+ S3I(s)->hs.tls13.cookie_len > 0 && S3I(s)->hs.tls13.cookie != NULL);
}
int
@@ -1725,8 +1725,8 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
if (!CBB_add_u16_length_prefixed(cbb, &cookie))
return 0;
- if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie,
- S3I(s)->hs_tls13.cookie_len))
+ if (!CBB_add_bytes(&cookie, S3I(s)->hs.tls13.cookie,
+ S3I(s)->hs.tls13.cookie_len))
return 0;
if (!CBB_flush(cbb))
@@ -1745,8 +1745,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
* HRR from a server with a cookie to process after accepting
* one from the server in the same handshake
*/
- if (S3I(s)->hs_tls13.cookie != NULL ||
- S3I(s)->hs_tls13.cookie_len != 0) {
+ if (S3I(s)->hs.tls13.cookie != NULL ||
+ S3I(s)->hs.tls13.cookie_len != 0) {
*alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
}
@@ -1754,8 +1754,8 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
if (!CBS_get_u16_length_prefixed(cbs, &cookie))
goto err;
- if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie,
- &S3I(s)->hs_tls13.cookie_len))
+ if (!CBS_stow(&cookie, &S3I(s)->hs.tls13.cookie,
+ &S3I(s)->hs.tls13.cookie_len))
goto err;
return 1;
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 4de3d3693bb..0f3d435c949 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.75 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
size_t groups_len;
SSL *s = ctx->ssl;
- if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
- &S3I(s)->hs.our_max_tls_version)) {
+ if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+ &ctx->hs->our_max_tls_version)) {
SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
return 0;
}
- s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
+ s->client_version = s->version = ctx->hs->our_max_tls_version;
tls13_record_layer_set_retry_after_phh(ctx->rl,
(s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -51,9 +51,9 @@ tls13_client_init(struct tls13_ctx *ctx)
tls1_get_group_list(s, 0, &groups, &groups_len);
if (groups_len < 1)
return 0;
- if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL)
+ if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL)
return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
+ if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
return 0;
arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -65,11 +65,11 @@ tls13_client_init(struct tls13_ctx *ctx)
* Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
*/
if (ctx->middlebox_compat &&
- S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
- arc4random_buf(ctx->hs->legacy_session_id,
- sizeof(ctx->hs->legacy_session_id));
- ctx->hs->legacy_session_id_len =
- sizeof(ctx->hs->legacy_session_id);
+ ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
+ arc4random_buf(ctx->hs->tls13.legacy_session_id,
+ sizeof(ctx->hs->tls13.legacy_session_id));
+ ctx->hs->tls13.legacy_session_id_len =
+ sizeof(ctx->hs->tls13.legacy_session_id);
}
return 1;
@@ -92,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
SSL *s = ctx->ssl;
/* Legacy client version is capped at TLS 1.2. */
- client_version = S3I(s)->hs.our_max_tls_version;
+ client_version = ctx->hs->our_max_tls_version;
if (client_version > TLS1_2_VERSION)
client_version = TLS1_2_VERSION;
@@ -103,8 +103,8 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
if (!CBB_add_u8_length_prefixed(cbb, &session_id))
goto err;
- if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
- ctx->hs->legacy_session_id_len))
+ if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+ ctx->hs->tls13.legacy_session_id_len))
goto err;
if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
@@ -134,9 +134,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
{
- SSL *s = ctx->ssl;
-
- if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
+ if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
/* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -231,7 +229,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
goto err;
if (tls13_server_hello_is_legacy(cbs)) {
- if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
+ if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
/*
* RFC 8446 section 4.1.3: we must not downgrade if
* the server random value contains the TLS 1.2 or 1.1
@@ -252,7 +250,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
if (!CBS_skip(cbs, CBS_len(cbs)))
goto err;
- ctx->hs->use_legacy = 1;
+ ctx->hs->tls13.use_legacy = 1;
return 1;
}
@@ -265,7 +263,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
sizeof(tls13_hello_retry_request_hash))) {
tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
- ctx->hs->hrr = 1;
+ ctx->hs->tls13.hrr = 1;
}
if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
@@ -278,16 +276,16 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
* Ensure that it was 0x0304 and that legacy version is set to 0x0303
* (RFC 8446 section 4.2.1).
*/
- if (ctx->hs->server_version != TLS1_3_VERSION ||
+ if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
legacy_version != TLS1_2_VERSION) {
ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
goto err;
}
- S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
+ ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
/* The session_id must match. */
- if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
- ctx->hs->legacy_session_id_len)) {
+ if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
+ ctx->hs->tls13.legacy_session_id_len)) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
@@ -305,8 +303,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
- /* XXX - move this to hs_tls13? */
- S3I(s)->hs.new_cipher = cipher;
+ /* XXX - move this to hs.tls13? */
+ ctx->hs->new_cipher = cipher;
if (compression_method != 0) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
@@ -336,21 +334,21 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
/* Derive the shared key and engage record protection. */
- if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key,
+ if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key,
&shared_key_len))
goto err;
- s->session->cipher = S3I(s)->hs.new_cipher;
- s->session->ssl_version = ctx->hs->server_version;
+ s->session->cipher = ctx->hs->new_cipher;
+ s->session->ssl_version = ctx->hs->tls13.server_version;
- if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
goto err;
- if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
goto err;
if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
goto err;
- ctx->hs->secrets = secrets;
+ ctx->hs->tls13.secrets = secrets;
/* XXX - pass in hash. */
if (!tls1_transcript_hash_init(s))
@@ -367,7 +365,7 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx)
goto err;
/* Handshake secrets. */
- if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+ if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
shared_key_len, &context))
goto err;
@@ -409,10 +407,10 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
* This may have been a TLSv1.2 or earlier ServerHello that just happened
* to have matching server random...
*/
- if (ctx->hs->use_legacy)
+ if (ctx->hs->tls13.use_legacy)
return tls13_use_legacy_client(ctx);
- if (!ctx->hs->hrr)
+ if (!ctx->hs->tls13.hrr)
return 0;
if (!tls13_synthetic_handshake_message(ctx))
@@ -420,7 +418,7 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!tls13_handshake_msg_record(ctx))
return 0;
- ctx->hs->hrr = 0;
+ ctx->hs->tls13.hrr = 0;
return 1;
}
@@ -433,17 +431,17 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
* supported groups and is not the same as the key share we previously
* offered.
*/
- if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
+ if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
return 0; /* XXX alert */
- if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
+ if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share))
return 0; /* XXX alert */
/* Switch to new key share. */
- tls13_key_share_free(ctx->hs->key_share);
- if ((ctx->hs->key_share =
- tls13_key_share_new(ctx->hs->server_group)) == NULL)
+ tls13_key_share_free(ctx->hs->tls13.key_share);
+ if ((ctx->hs->tls13.key_share =
+ tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL)
return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
+ if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
return 0;
if (!tls13_client_hello_build(ctx, cbb))
@@ -470,13 +468,13 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
return 0;
}
- if (ctx->hs->use_legacy) {
+ if (ctx->hs->tls13.use_legacy) {
if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
return 0;
return tls13_use_legacy_client(ctx);
}
- if (ctx->hs->hrr) {
+ if (ctx->hs->tls13.hrr) {
/* The server has sent two HelloRetryRequests. */
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
return 0;
@@ -687,8 +685,8 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
goto err;
if (!CBB_add_u8(&cbb, 0))
goto err;
- if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
goto err;
@@ -738,7 +736,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
int
tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key;
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -767,8 +765,8 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
ctx->hash, NULL))
goto err;
- if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
verify_data_len = HMAC_size(hmac_ctx);
if ((verify_data = calloc(1, verify_data_len)) == NULL)
@@ -900,8 +898,8 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
goto err;
- ctx->hs->cpk = cpk;
- ctx->hs->sigalg = sigalg;
+ ctx->hs->tls13.cpk = cpk;
+ ctx->hs->tls13.sigalg = sigalg;
if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
goto err;
@@ -950,9 +948,9 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
memset(&sig_cbb, 0, sizeof(sig_cbb));
- if ((cpk = ctx->hs->cpk) == NULL)
+ if ((cpk = ctx->hs->tls13.cpk) == NULL)
goto err;
- if ((sigalg = ctx->hs->sigalg) == NULL)
+ if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
goto err;
pkey = cpk->privatekey;
@@ -966,8 +964,8 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
goto err;
if (!CBB_add_u8(&sig_cbb, 0))
goto err;
- if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
goto err;
@@ -1024,7 +1022,7 @@ tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key = { .data = NULL, .len = 0 };
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -1082,7 +1080,7 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_client_finished_sent(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
/*
* Any records following the client finished message must be encrypted
diff --git a/lib/libssl/tls13_handshake.c b/lib/libssl/tls13_handshake.c
index b3cecc77efd..c18a2dfe062 100644
--- a/lib/libssl/tls13_handshake.c
+++ b/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */
+/* $OpenBSD: tls13_handshake.c,v 1.65 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -428,8 +428,9 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
if (action->send_preserve_transcript_hash) {
if (!tls1_transcript_hash_value(ctx->ssl,
- ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
- &ctx->hs->transcript_hash_len))
+ ctx->hs->tls13.transcript_hash,
+ sizeof(ctx->hs->tls13.transcript_hash),
+ &ctx->hs->tls13.transcript_hash_len))
return TLS13_IO_FAILURE;
}
@@ -471,8 +472,9 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
if (action->recv_preserve_transcript_hash) {
if (!tls1_transcript_hash_value(ctx->ssl,
- ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash),
- &ctx->hs->transcript_hash_len))
+ ctx->hs->tls13.transcript_hash,
+ sizeof(ctx->hs->tls13.transcript_hash),
+ &ctx->hs->tls13.transcript_hash_len))
return TLS13_IO_FAILURE;
}
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index c339a8ef102..973661acc9b 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.88 2021/01/05 17:40:11 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.89 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -274,7 +274,7 @@ struct tls13_ctx {
struct tls13_error error;
SSL *ssl;
- struct ssl_handshake_tls13_st *hs;
+ struct ssl_handshake_st *hs;
uint8_t mode;
struct tls13_handshake_stage handshake_stage;
int handshake_started;
diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c
index f611aa061d0..19271ef7874 100644
--- a/lib/libssl/tls13_legacy.c
+++ b/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -361,7 +361,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
s->internal->handshake_func = s->method->internal->ssl_connect;
s->client_version = s->version = s->method->internal->max_tls_version;
- S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
+ ctx->hs->state = SSL3_ST_CR_SRVR_HELLO_A;
return 1;
}
@@ -378,7 +378,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
s->client_version = s->version = s->method->internal->max_tls_version;
s->server = 1;
- S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
+ ctx->hs->state = SSL3_ST_SR_CLNT_HELLO_A;
return 1;
}
@@ -396,7 +396,7 @@ tls13_legacy_accept(SSL *ssl)
}
ssl->internal->tls13 = ctx;
ctx->ssl = ssl;
- ctx->hs = &S3I(ssl)->hs_tls13;
+ ctx->hs = &S3I(ssl)->hs;
if (!tls13_server_init(ctx)) {
if (ERR_peek_error() == 0)
@@ -406,13 +406,13 @@ tls13_legacy_accept(SSL *ssl)
}
ERR_clear_error();
- S3I(ssl)->hs.state = SSL_ST_ACCEPT;
+ ctx->hs->state = SSL_ST_ACCEPT;
ret = tls13_server_accept(ctx);
if (ret == TLS13_IO_USE_LEGACY)
return ssl->method->internal->ssl_accept(ssl);
if (ret == TLS13_IO_SUCCESS)
- S3I(ssl)->hs.state = SSL_ST_OK;
+ ctx->hs->state = SSL_ST_OK;
return tls13_legacy_return_code(ssl, ret);
}
@@ -438,7 +438,7 @@ tls13_legacy_connect(SSL *ssl)
}
ssl->internal->tls13 = ctx;
ctx->ssl = ssl;
- ctx->hs = &S3I(ssl)->hs_tls13;
+ ctx->hs = &S3I(ssl)->hs;
if (!tls13_client_init(ctx)) {
if (ERR_peek_error() == 0)
@@ -448,13 +448,13 @@ tls13_legacy_connect(SSL *ssl)
}
ERR_clear_error();
- S3I(ssl)->hs.state = SSL_ST_CONNECT;
+ ctx->hs->state = SSL_ST_CONNECT;
ret = tls13_client_connect(ctx);
if (ret == TLS13_IO_USE_LEGACY)
return ssl->method->internal->ssl_connect(ssl);
if (ret == TLS13_IO_SUCCESS)
- S3I(ssl)->hs.state = SSL_ST_OK;
+ ctx->hs->state = SSL_ST_OK;
return tls13_legacy_return_code(ssl, ret);
}
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 0b3f636b930..9dbb7d64303 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.57 2021/03/21 16:56:42 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -223,7 +223,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg)
static int
tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
if (ctx->mode == TLS13_HS_CLIENT)
return (tls13_update_client_traffic_secret(secrets) &&
@@ -237,7 +237,7 @@ tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx)
static int
tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
if (ctx->mode == TLS13_HS_CLIENT)
return (tls13_update_server_traffic_secret(secrets) &&
@@ -503,16 +503,16 @@ tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
int
tls13_clienthello_hash_init(struct tls13_ctx *ctx)
{
- if (ctx->hs->clienthello_md_ctx != NULL)
+ if (ctx->hs->tls13.clienthello_md_ctx != NULL)
return 0;
- if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
+ if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
return 0;
- if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx,
+ if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
EVP_sha256(), NULL))
return 0;
- if ((ctx->hs->clienthello_hash == NULL) &&
- (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
+ if ((ctx->hs->tls13.clienthello_hash == NULL) &&
+ (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
NULL)
return 0;
@@ -520,7 +520,7 @@ tls13_clienthello_hash_init(struct tls13_ctx *ctx)
}
void
-tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs)
+tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
{
EVP_MD_CTX_free(hs->clienthello_md_ctx);
hs->clienthello_md_ctx = NULL;
@@ -532,7 +532,7 @@ int
tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
size_t len)
{
- return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len);
+ return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
}
int
@@ -545,12 +545,12 @@ tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
int
tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
{
- if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
- ctx->hs->clienthello_hash,
- &ctx->hs->clienthello_hash_len))
+ if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
+ ctx->hs->tls13.clienthello_hash,
+ &ctx->hs->tls13.clienthello_hash_len))
return 0;
- EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
- ctx->hs->clienthello_md_ctx = NULL;
+ EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
+ ctx->hs->tls13.clienthello_md_ctx = NULL;
return 1;
}
@@ -560,18 +560,18 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
unsigned int new_ch_hash_len;
- if (ctx->hs->clienthello_hash == NULL)
+ if (ctx->hs->tls13.clienthello_hash == NULL)
return 0;
- if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx,
+ if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
new_ch_hash, &new_ch_hash_len))
return 0;
- EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx);
- ctx->hs->clienthello_md_ctx = NULL;
+ EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
+ ctx->hs->tls13.clienthello_md_ctx = NULL;
- if (ctx->hs->clienthello_hash_len != new_ch_hash_len)
+ if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
return 0;
- if (memcmp(ctx->hs->clienthello_hash, new_ch_hash,
+ if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
new_ch_hash_len) != 0)
return 0;
@@ -584,7 +584,7 @@ tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
size_t out_len)
{
struct tls13_secret context, export_out, export_secret;
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
EVP_MD_CTX *md_ctx = NULL;
unsigned int md_out_len;
int md_len;
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 29c63bcd06b..658aef2cfee 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.71 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.72 2021/03/21 18:36:34 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
{
SSL *s = ctx->ssl;
- if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
- &S3I(s)->hs.our_max_tls_version)) {
+ if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
+ &ctx->hs->our_max_tls_version)) {
SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
return 0;
}
- s->version = S3I(s)->hs.our_max_tls_version;
+ s->version = ctx->hs->our_max_tls_version;
tls13_record_layer_set_retry_after_phh(ctx->rl,
(s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -163,7 +163,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
goto err;
return tls13_use_legacy_server(ctx);
}
- S3I(s)->hs.negotiated_tls_version = TLS1_3_VERSION;
+ ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
/* Add decoded values to the current ClientHello hash */
if (!tls13_clienthello_hash_init(ctx)) {
@@ -198,7 +198,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
}
/* Finalize first ClientHello hash, or validate against it */
- if (!ctx->hs->hrr) {
+ if (!ctx->hs->tls13.hrr) {
if (!tls13_clienthello_hash_finalize(ctx)) {
ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
goto err;
@@ -208,7 +208,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
- tls13_clienthello_hash_clear(ctx->hs);
+ tls13_clienthello_hash_clear(&ctx->hs->tls13);
}
if (!tls13_client_hello_required_extensions(ctx)) {
@@ -226,13 +226,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
}
/* Store legacy session identifier so we can echo it. */
- if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
+ if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
- if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
- sizeof(ctx->hs->legacy_session_id),
- &ctx->hs->legacy_session_id_len)) {
+ if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+ sizeof(ctx->hs->tls13.legacy_session_id),
+ &ctx->hs->tls13.legacy_session_id_len)) {
ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
goto err;
}
@@ -249,7 +249,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
goto err;
}
- S3I(s)->hs.new_cipher = cipher;
+ ctx->hs->new_cipher = cipher;
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
@@ -293,7 +293,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
* has been enabled. This would probably mean using either an
* INITIAL | WITHOUT_HRR state, or another intermediate state.
*/
- if (ctx->hs->key_share != NULL)
+ if (ctx->hs->tls13.key_share != NULL)
ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
/* XXX - check this is the correct point */
@@ -314,7 +314,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
SSL *s = ctx->ssl;
uint16_t cipher;
- cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
+ cipher = SSL_CIPHER_get_value(ctx->hs->new_cipher);
server_random = s->s3->server_random;
if (hrr) {
@@ -328,8 +328,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
goto err;
if (!CBB_add_u8_length_prefixed(cbb, &session_id))
goto err;
- if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
- ctx->hs->legacy_session_id_len))
+ if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
+ ctx->hs->tls13.legacy_session_id_len))
goto err;
if (!CBB_add_u16(cbb, cipher))
goto err;
@@ -358,20 +358,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
SSL *s = ctx->ssl;
int ret = 0;
- if (!tls13_key_share_derive(ctx->hs->key_share,
+ if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
&shared_key, &shared_key_len))
goto err;
- s->session->cipher = S3I(s)->hs.new_cipher;
+ s->session->cipher = ctx->hs->new_cipher;
- if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->aead = tls13_cipher_aead(ctx->hs->new_cipher)) == NULL)
goto err;
- if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
+ if ((ctx->hash = tls13_cipher_hash(ctx->hs->new_cipher)) == NULL)
goto err;
if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
goto err;
- ctx->hs->secrets = secrets;
+ ctx->hs->tls13.secrets = secrets;
/* XXX - pass in hash. */
if (!tls1_transcript_hash_init(s))
@@ -388,7 +388,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
goto err;
/* Handshake secrets. */
- if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
+ if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
shared_key_len, &context))
goto err;
@@ -418,16 +418,16 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
{
int nid;
- ctx->hs->hrr = 1;
+ ctx->hs->tls13.hrr = 1;
if (!tls13_synthetic_handshake_message(ctx))
return 0;
- if (ctx->hs->key_share != NULL)
+ if (ctx->hs->tls13.key_share != NULL)
return 0;
if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
return 0;
- if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0)
+ if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
return 0;
if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -444,7 +444,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
* we MUST send a dummy CCS following our first handshake message.
* See RFC 8446 Appendix D.4.
*/
- if (ctx->hs->legacy_session_id_len > 0)
+ if (ctx->hs->tls13.legacy_session_id_len > 0)
ctx->send_dummy_ccs_after = 1;
return 1;
@@ -462,7 +462,7 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
if (s->method->internal->version < TLS1_3_VERSION)
return 0;
- ctx->hs->hrr = 0;
+ ctx->hs->tls13.hrr = 0;
return 1;
}
@@ -483,14 +483,14 @@ tls13_servername_process(struct tls13_ctx *ctx)
int
tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
{
- if (ctx->hs->key_share == NULL)
+ if (ctx->hs->tls13.key_share == NULL)
return 0;
- if (!tls13_key_share_generate(ctx->hs->key_share))
+ if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
return 0;
if (!tls13_servername_process(ctx))
return 0;
- ctx->hs->server_group = 0;
+ ctx->hs->tls13.server_group = 0;
if (!tls13_server_hello_build(ctx, cbb, 0))
return 0;
@@ -507,7 +507,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
* See RFC 8446 Appendix D.4.
*/
if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
- ctx->hs->legacy_session_id_len > 0)
+ ctx->hs->tls13.legacy_session_id_len > 0)
ctx->send_dummy_ccs_after = 1;
return tls13_server_engage_record_protection(ctx);
@@ -633,8 +633,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
goto err;
}
- ctx->hs->cpk = cpk;
- ctx->hs->sigalg = sigalg;
+ ctx->hs->tls13.cpk = cpk;
+ ctx->hs->tls13.sigalg = sigalg;
if ((chain = cpk->chain) == NULL)
chain = s->ctx->extra_certs;
@@ -705,9 +705,9 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
memset(&sig_cbb, 0, sizeof(sig_cbb));
- if ((cpk = ctx->hs->cpk) == NULL)
+ if ((cpk = ctx->hs->tls13.cpk) == NULL)
goto err;
- if ((sigalg = ctx->hs->sigalg) == NULL)
+ if ((sigalg = ctx->hs->tls13.sigalg) == NULL)
goto err;
pkey = cpk->privatekey;
@@ -721,8 +721,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
goto err;
if (!CBB_add_u8(&sig_cbb, 0))
goto err;
- if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
goto err;
@@ -773,7 +773,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
@@ -831,14 +831,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_server_finished_sent(struct tls13_ctx *ctx)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
/*
* Derive application traffic keys.
*/
- context.data = ctx->hs->transcript_hash;
- context.len = ctx->hs->transcript_hash_len;
+ context.data = ctx->hs->tls13.transcript_hash;
+ context.len = ctx->hs->tls13.transcript_hash_len;
if (!tls13_derive_application_secrets(secrets, &context))
return 0;
@@ -984,8 +984,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
goto err;
if (!CBB_add_u8(&cbb, 0))
goto err;
- if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
goto err;
@@ -1042,7 +1042,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
int
tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
{
- struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key;
uint8_t *verify_data = NULL;
@@ -1069,8 +1069,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
ctx->hash, NULL))
goto err;
- if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
- ctx->hs->transcript_hash_len))
+ if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
+ ctx->hs->tls13.transcript_hash_len))
goto err;
verify_data_len = HMAC_size(hmac_ctx);
if ((verify_data = calloc(1, verify_data_len)) == NULL)