summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/tls13_client.c12
-rw-r--r--lib/libssl/tls13_internal.h13
-rw-r--r--lib/libssl/tls13_lib.c62
3 files changed, 47 insertions, 40 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 5cd588875e1..0da08f62c3b 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.49 2020/04/17 17:16:53 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.50 2020/04/21 16:55:17 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -251,16 +251,6 @@ tls13_client_hello_sent(struct tls13_ctx *ctx)
return 1;
}
-/*
- * HelloRetryRequest hash - RFC 8446 section 4.1.3.
- */
-static const uint8_t tls13_hello_retry_request_hash[] = {
- 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
- 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
- 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
- 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
-};
-
static int
tls13_server_hello_is_legacy(CBS *cbs)
{
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index 6f5f5197d01..c5b893bc16d 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.63 2020/04/18 14:07:56 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.64 2020/04/21 16:55:17 jsing Exp $ */
/*
* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -339,11 +339,12 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode,
tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
(fmt), __VA_ARGS__)
-extern uint8_t tls13_downgrade_12[8];
-extern uint8_t tls13_downgrade_11[8];
-extern uint8_t tls13_cert_verify_pad[64];
-extern uint8_t tls13_cert_client_verify_context[];
-extern uint8_t tls13_cert_server_verify_context[];
+extern const uint8_t tls13_downgrade_12[8];
+extern const uint8_t tls13_downgrade_11[8];
+extern const uint8_t tls13_hello_retry_request_hash[32];
+extern const uint8_t tls13_cert_verify_pad[64];
+extern const uint8_t tls13_cert_client_verify_context[];
+extern const uint8_t tls13_cert_server_verify_context[];
__END_HIDDEN_DECLS
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index bdf547c8d9f..044a0c5634e 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.34 2020/02/15 14:40:38 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.35 2020/04/21 16:55:17 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -24,12 +24,45 @@
#include "tls13_internal.h"
/*
- * RFC 8446 section 4.1.3, magic values which must be set by the
- * server in server random if it is willing to downgrade but supports
- * tls v1.3
+ * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
+ * by the server in server random if it is willing to downgrade but supports
+ * TLSv1.3
*/
-uint8_t tls13_downgrade_12[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01};
-uint8_t tls13_downgrade_11[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00};
+const uint8_t tls13_downgrade_12[8] = {
+ 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
+};
+const uint8_t tls13_downgrade_11[8] = {
+ 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
+};
+
+/*
+ * HelloRetryRequest hash - RFC 8446 section 4.1.3.
+ */
+const uint8_t tls13_hello_retry_request_hash[32] = {
+ 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
+ 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
+ 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
+ 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
+};
+
+/*
+ * Certificate Verify padding - RFC 8446 section 4.4.3.
+ */
+const uint8_t tls13_cert_verify_pad[64] = {
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+};
+
+const uint8_t tls13_cert_client_verify_context[] =
+ "TLS 1.3, client CertificateVerify";
+const uint8_t tls13_cert_server_verify_context[] =
+ "TLS 1.3, server CertificateVerify";
const EVP_AEAD *
tls13_cipher_aead(const SSL_CIPHER *cipher)
@@ -311,23 +344,6 @@ tls13_ctx_free(struct tls13_ctx *ctx)
freezero(ctx, sizeof(struct tls13_ctx));
}
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-uint8_t tls13_cert_verify_pad[64] = {
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
- 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-
-uint8_t tls13_cert_client_verify_context[] = "TLS 1.3, client CertificateVerify";
-uint8_t tls13_cert_server_verify_context[] = "TLS 1.3, server CertificateVerify";
-
int
tls13_cert_add(CBB *cbb, X509 *cert)
{