kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Pass explicit hs parameters to ssl_ext_*.

Browse Source 
Change-Id: I84a8ff1d717f3291403f6fc49668c84f89b910da
Reviewed-on: https://boringssl-review.googlesource.com/12342
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-11-17 17:11:16 +09:00 committed by CQ bot account: commit-bot@chromium.org
parent 6773972ff6
commit 8baf963523
4 changed files with 36 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ssl/internal.h
View File

@ -1061,22 +1061,22 @@ enum ssl_private_key_result_t tls13_prepare_certificate_verify(
int tls13_prepare_finished(SSL_HANDSHAKE *hs);
int tls13_process_new_session_ticket(SSL *ssl);
int ssl_ext_key_share_parse_serverhello(SSL *ssl, uint8_t **out_secret,
int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents);
int ssl_ext_key_share_parse_clienthello(SSL *ssl, int *out_found,
int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents);
int ssl_ext_key_share_add_serverhello(SSL *ssl, CBB *out);
int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);
int ssl_ext_pre_shared_key_parse_serverhello(SSL *ssl, uint8_t *out_alert,
CBS *contents);
int ssl_ext_pre_shared_key_parse_clienthello(SSL *ssl,
int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
uint8_t *out_alert, CBS *contents);
int ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE *hs,
SSL_SESSION **out_session,
CBS *out_binders,
uint8_t *out_alert, CBS *contents);
int ssl_ext_pre_shared_key_add_serverhello(SSL *ssl, CBB *out);
int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);
/* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
* returns one iff it's valid. */

45
ssl/t1_lib.c
View File

@ -1990,7 +1990,8 @@ static int ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
return CBB_flush(out);
}
int ssl_ext_pre_shared_key_parse_serverhello(SSL *ssl, uint8_t *out_alert,
int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,
uint8_t *out_alert,
CBS *contents) {
uint16_t psk_id;
if (!CBS_get_u16(contents, &psk_id) ||
@ -2010,11 +2011,12 @@ int ssl_ext_pre_shared_key_parse_serverhello(SSL *ssl, uint8_t *out_alert,
return 1;
}
int ssl_ext_pre_shared_key_parse_clienthello(SSL *ssl,
int ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE *hs,
SSL_SESSION **out_session,
CBS *out_binders,
uint8_t *out_alert,
CBS *contents) {
SSL *const ssl = hs->ssl;
/* We only process the first PSK identity since we don't support pure PSK. */
uint32_t obfuscated_ticket_age;
CBS identities, ticket, binders;
@ -2081,8 +2083,8 @@ int ssl_ext_pre_shared_key_parse_clienthello(SSL *ssl,
return 1;
}
int ssl_ext_pre_shared_key_add_serverhello(SSL *ssl, CBB *out) {
if (!ssl->s3->session_reused) {
int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
if (!hs->ssl->s3->session_reused) {
return 1;
}
@ -2260,9 +2262,10 @@ static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
return CBB_flush(out);
}
int ssl_ext_key_share_parse_serverhello(SSL *ssl, uint8_t **out_secret,
int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents) {
SSL *const ssl = hs->ssl;
CBS peer_key;
uint16_t group_id;
if (!CBS_get_u16(contents, &group_id) ||
@ -2272,28 +2275,28 @@ int ssl_ext_key_share_parse_serverhello(SSL *ssl, uint8_t **out_secret,
return 0;
}
if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->ecdh_ctx) != group_id) {
if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) != group_id) {
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
return 0;
}
if (!SSL_ECDH_CTX_finish(&ssl->s3->hs->ecdh_ctx, out_secret, out_secret_len,
out_alert, CBS_data(&peer_key),
CBS_len(&peer_key))) {
if (!SSL_ECDH_CTX_finish(&hs->ecdh_ctx, out_secret, out_secret_len, out_alert,
CBS_data(&peer_key), CBS_len(&peer_key))) {
*out_alert = SSL_AD_INTERNAL_ERROR;
return 0;
}
ssl->s3->new_session->key_exchange_info = group_id;
SSL_ECDH_CTX_cleanup(&ssl->s3->hs->ecdh_ctx);
SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
return 1;
}
int ssl_ext_key_share_parse_clienthello(SSL *ssl, int *out_found,
int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents) {
SSL *const ssl = hs->ssl;
uint16_t group_id;
CBS key_shares;
if (!tls1_get_shared_group(ssl, &group_id)) {
@ -2348,11 +2351,9 @@ int ssl_ext_key_share_parse_clienthello(SSL *ssl, int *out_found,
CBB public_key;
if (!CBB_init(&public_key, 32) ||
!SSL_ECDH_CTX_init(&group, group_id) ||
!SSL_ECDH_CTX_accept(&group, &public_key, &secret, &secret_len,
out_alert, CBS_data(&peer_key),
CBS_len(&peer_key)) ||
!CBB_finish(&public_key, &ssl->s3->hs->public_key,
&ssl->s3->hs->public_key_len)) {
!SSL_ECDH_CTX_accept(&group, &public_key, &secret, &secret_len, out_alert,
CBS_data(&peer_key), CBS_len(&peer_key)) ||
!CBB_finish(&public_key, &hs->public_key, &hs->public_key_len)) {
OPENSSL_free(secret);
SSL_ECDH_CTX_cleanup(&group);
CBB_cleanup(&public_key);
@ -2368,7 +2369,8 @@ int ssl_ext_key_share_parse_clienthello(SSL *ssl, int *out_found,
return 1;
}
int ssl_ext_key_share_add_serverhello(SSL *ssl, CBB *out) {
int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
uint16_t group_id;
CBB kse_bytes, public_key;
if (!tls1_get_shared_group(ssl, &group_id) ||
@ -2376,15 +2378,14 @@ int ssl_ext_key_share_add_serverhello(SSL *ssl, CBB *out) {
!CBB_add_u16_length_prefixed(out, &kse_bytes) ||
!CBB_add_u16(&kse_bytes, group_id) ||
!CBB_add_u16_length_prefixed(&kse_bytes, &public_key) ||
!CBB_add_bytes(&public_key, ssl->s3->hs->public_key,
ssl->s3->hs->public_key_len) ||
!CBB_add_bytes(&public_key, hs->public_key, hs->public_key_len) ||
!CBB_flush(out)) {
return 0;
}
OPENSSL_free(ssl->s3->hs->public_key);
ssl->s3->hs->public_key = NULL;
ssl->s3->hs->public_key_len = 0;
OPENSSL_free(hs->public_key);
hs->public_key = NULL;
hs->public_key_len = 0;
ssl->s3->new_session->key_exchange_info = group_id;
return 1;

4
ssl/tls13_client.c
View File

@ -230,7 +230,7 @@ static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}
if (!ssl_ext_pre_shared_key_parse_serverhello(ssl, &alert,
if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
&pre_shared_key)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
@ -293,7 +293,7 @@ static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {
/* Resolve ECDHE and incorporate it into the secret. */
uint8_t *dhe_secret;
size_t dhe_secret_len;
if (!ssl_ext_key_share_parse_serverhello(ssl, &dhe_secret, &dhe_secret_len,
if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,
&alert, &key_share)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;

8
ssl/tls13_server.c
View File

@ -71,7 +71,7 @@ static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry,
uint8_t *dhe_secret;
size_t dhe_secret_len;
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_ext_key_share_parse_clienthello(ssl, &found_key_share, &dhe_secret,
if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
&dhe_secret_len, &alert,
&key_share)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
@ -223,7 +223,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}
if (!ssl_ext_pre_shared_key_parse_clienthello(ssl, &session, &binders,
if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
&alert, &pre_shared_key)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
@ -388,8 +388,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!ssl_ext_pre_shared_key_add_serverhello(ssl, &extensions) ||
!ssl_ext_key_share_add_serverhello(ssl, &extensions) ||
!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
!ssl_ext_key_share_add_serverhello(hs, &extensions) ||
!ssl_complete_message(ssl, &cbb)) {
goto err;
}