diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-11-08 13:08:02 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:36 +0100 |
| commit | dcf2a8d3bd69ed0b994bed1753fe47a83366786e (patch) | |
| tree | 26580c38aeb0885204502169032df04521793d54 | |
| parent | 62ea232f180b980a0d4b6462c468706db6cc4700 (diff) | |
| download | gnutls-dcf2a8d3bd69ed0b994bed1753fe47a83366786e.tar.gz | |
session state: organized key exchange keys into structures
That is, with the view of separating the data needed for
TLS1.2 and earlier and TLS1.3.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/auth/dh_common.c | 66 | ||||
| -rw-r--r-- | lib/auth/ecdhe.c | 66 | ||||
| -rw-r--r-- | lib/auth/srp_kx.c | 42 | ||||
| -rw-r--r-- | lib/constate.c | 36 | ||||
| -rw-r--r-- | lib/dh.c | 20 | ||||
| -rw-r--r-- | lib/ext/key_share.c | 96 | ||||
| -rw-r--r-- | lib/gnutls_int.h | 93 | ||||
| -rw-r--r-- | lib/handshake-tls13.c | 12 | ||||
| -rw-r--r-- | lib/handshake.c | 8 | ||||
| -rw-r--r-- | lib/prf.c | 2 | ||||
| -rw-r--r-- | lib/secrets.c | 10 | ||||
| -rw-r--r-- | lib/state.c | 38 | ||||
| -rw-r--r-- | lib/tls13/finished.c | 8 | ||||
| -rw-r--r-- | lib/tls13/key_update.c | 4 |
14 files changed, 257 insertions, 244 deletions
diff --git a/lib/auth/dh_common.c b/lib/auth/dh_common.c index 6e11d9ff7d..6a97b3827b 100644 --- a/lib/auth/dh_common.c +++ b/lib/auth/dh_common.c @@ -74,17 +74,17 @@ _gnutls_proc_dh_common_client_kx(gnutls_session_t session, if (data_size != 0) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - if (_gnutls_mpi_init_scan_nz(&session->key.client_Y, &data[2], _n_Y)) { + if (_gnutls_mpi_init_scan_nz(&session->key.proto.tls12.dh.client_Y, &data[2], _n_Y)) { gnutls_assert(); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; /* most likely zero or illegal size */ } - _gnutls_dh_set_peer_public(session, session->key.client_Y); + _gnutls_dh_set_peer_public(session, session->key.proto.tls12.dh.client_Y); - peer_pub.params[DH_Y] = session->key.client_Y; + peer_pub.params[DH_Y] = session->key.proto.tls12.dh.client_Y; /* calculate the key after calculating the message */ - ret = _gnutls_pk_derive(GNUTLS_PK_DH, &tmp_dh_key, &session->key.dh_params, &peer_pub); + ret = _gnutls_pk_derive(GNUTLS_PK_DH, &tmp_dh_key, &session->key.proto.tls12.dh.params, &peer_pub); if (ret < 0) { gnutls_assert(); goto error; @@ -107,8 +107,8 @@ _gnutls_proc_dh_common_client_kx(gnutls_session_t session, ret = 0; error: - _gnutls_mpi_release(&session->key.client_Y); - gnutls_pk_params_clear(&session->key.dh_params); + _gnutls_mpi_release(&session->key.proto.tls12.dh.client_Y); + gnutls_pk_params_clear(&session->key.proto.tls12.dh.params); return ret; } @@ -133,22 +133,22 @@ _gnutls_gen_dh_common_client_kx_int(gnutls_session_t session, ret = _gnutls_pk_generate_keys(GNUTLS_PK_DH, 0, - &session->key.dh_params, 1); + &session->key.proto.tls12.dh.params, 1); if (ret < 0) return gnutls_assert_val(ret); - _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(session->key.dh_params.params[DH_X])); + _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(session->key.proto.tls12.dh.params.params[DH_X])); - ret = _gnutls_buffer_append_mpi(data, 16, session->key.dh_params.params[DH_Y], 0); + ret = _gnutls_buffer_append_mpi(data, 16, session->key.proto.tls12.dh.params.params[DH_Y], 0); if (ret < 0) { gnutls_assert(); goto error; } - peer_pub.params[DH_Y] = session->key.client_Y; + peer_pub.params[DH_Y] = session->key.proto.tls12.dh.client_Y; /* calculate the key after calculating the message */ - ret = _gnutls_pk_derive(GNUTLS_PK_DH, &tmp_dh_key, &session->key.dh_params, &peer_pub); + ret = _gnutls_pk_derive(GNUTLS_PK_DH, &tmp_dh_key, &session->key.proto.tls12.dh.params, &peer_pub); if (ret < 0) { gnutls_assert(); goto error; @@ -172,7 +172,7 @@ _gnutls_gen_dh_common_client_kx_int(gnutls_session_t session, ret = data->length - init_pos; error: - gnutls_pk_params_clear(&session->key.dh_params); + gnutls_pk_params_clear(&session->key.proto.tls12.dh.params); return ret; } @@ -191,9 +191,9 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, ssize_t data_size = _data_size; /* just in case we are resuming a session */ - gnutls_pk_params_release(&session->key.dh_params); + gnutls_pk_params_release(&session->key.proto.tls12.dh.params); - gnutls_pk_params_init(&session->key.dh_params); + gnutls_pk_params_init(&session->key.proto.tls12.dh.params); i = 0; @@ -224,7 +224,7 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, _n_g = n_g; _n_p = n_p; - if (_gnutls_mpi_init_scan_nz(&session->key.client_Y, data_Y, _n_Y) != 0) { + if (_gnutls_mpi_init_scan_nz(&session->key.proto.tls12.dh.client_Y, data_Y, _n_Y) != 0) { gnutls_assert(); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } @@ -244,7 +244,7 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, session->internals.hsk_flags |= HSK_USED_FFDHE; _gnutls_session_group_set(session, session->internals.priorities->groups.entry[j]); - session->key.dh_params.qbits = *session->internals.priorities->groups.entry[j]->q_bits; + session->key.proto.tls12.dh.params.qbits = *session->internals.priorities->groups.entry[j]->q_bits; break; } } @@ -254,20 +254,20 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, } } - if (_gnutls_mpi_init_scan_nz(&session->key.dh_params.params[DH_G], data_g, _n_g) != 0) { + if (_gnutls_mpi_init_scan_nz(&session->key.proto.tls12.dh.params.params[DH_G], data_g, _n_g) != 0) { gnutls_assert(); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - if (_gnutls_mpi_init_scan_nz(&session->key.dh_params.params[DH_P], data_p, _n_p) != 0) { + if (_gnutls_mpi_init_scan_nz(&session->key.proto.tls12.dh.params.params[DH_P], data_p, _n_p) != 0) { gnutls_assert(); - /* we release now because session->key.dh_params.params_nr is not yet set */ - _gnutls_mpi_release(&session->key.dh_params.params[DH_G]); + /* we release now because session->key.proto.tls12.dh.params.params_nr is not yet set */ + _gnutls_mpi_release(&session->key.proto.tls12.dh.params.params[DH_G]); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } - session->key.dh_params.params_nr = 3; /* include empty q */ - session->key.dh_params.algo = GNUTLS_PK_DH; + session->key.proto.tls12.dh.params.params_nr = 3; /* include empty q */ + session->key.proto.tls12.dh.params.algo = GNUTLS_PK_DH; if (!(session->internals.hsk_flags & HSK_USED_FFDHE)) { bits = _gnutls_dh_get_min_prime_bits(session); @@ -276,14 +276,14 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, return bits; } - p_bits = _gnutls_mpi_get_nbits(session->key.dh_params.params[DH_P]); + p_bits = _gnutls_mpi_get_nbits(session->key.proto.tls12.dh.params.params[DH_P]); if (p_bits < bits) { /* the prime used by the peer is not acceptable */ gnutls_assert(); _gnutls_debug_log ("Received a prime of %u bits, limit is %u\n", - (unsigned) _gnutls_mpi_get_nbits(session->key.dh_params.params[DH_P]), + (unsigned) _gnutls_mpi_get_nbits(session->key.proto.tls12.dh.params.params[DH_P]), (unsigned) bits); return GNUTLS_E_DH_PRIME_UNACCEPTABLE; } @@ -298,9 +298,9 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, } } - _gnutls_dh_save_group(session, session->key.dh_params.params[DH_G], - session->key.dh_params.params[DH_P]); - _gnutls_dh_set_peer_public(session, session->key.client_Y); + _gnutls_dh_save_group(session, session->key.proto.tls12.dh.params.params[DH_G], + session->key.proto.tls12.dh.params.params[DH_P]); + _gnutls_dh_set_peer_public(session, session->key.proto.tls12.dh.client_Y); ret = n_Y + n_p + n_g + 6; @@ -312,7 +312,7 @@ _gnutls_dh_common_print_server_kx(gnutls_session_t session, gnutls_buffer_st * data) { int ret; - unsigned q_bits = session->key.dh_params.qbits; + unsigned q_bits = session->key.proto.tls12.dh.params.qbits; unsigned init_pos = data->length; if (q_bits < 192 && q_bits != 0) { @@ -324,25 +324,25 @@ _gnutls_dh_common_print_server_kx(gnutls_session_t session, /* Y=g^x mod p */ ret = _gnutls_pk_generate_keys(GNUTLS_PK_DH, q_bits, - &session->key.dh_params, 1); + &session->key.proto.tls12.dh.params, 1); if (ret < 0) return gnutls_assert_val(ret); - _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(session->key.dh_params.params[DH_X])); + _gnutls_dh_set_secret_bits(session, _gnutls_mpi_get_nbits(session->key.proto.tls12.dh.params.params[DH_X])); - ret = _gnutls_buffer_append_mpi(data, 16, session->key.dh_params.params[DH_P], 0); + ret = _gnutls_buffer_append_mpi(data, 16, session->key.proto.tls12.dh.params.params[DH_P], 0); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = _gnutls_buffer_append_mpi(data, 16, session->key.dh_params.params[DH_G], 0); + ret = _gnutls_buffer_append_mpi(data, 16, session->key.proto.tls12.dh.params.params[DH_G], 0); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = _gnutls_buffer_append_mpi(data, 16, session->key.dh_params.params[DH_Y], 0); + ret = _gnutls_buffer_append_mpi(data, 16, session->key.proto.tls12.dh.params.params[DH_Y], 0); if (ret < 0) { gnutls_assert(); goto cleanup; diff --git a/lib/auth/ecdhe.c b/lib/auth/ecdhe.c index c1d88add37..c9369619dc 100644 --- a/lib/auth/ecdhe.c +++ b/lib/auth/ecdhe.c @@ -95,15 +95,15 @@ static int calc_ecdh_key(gnutls_session_t session, gnutls_datum_t tmp_dh_key; gnutls_pk_params_init(&pub); - pub.params[ECC_X] = session->key.ecdh_x; - pub.params[ECC_Y] = session->key.ecdh_y; - pub.raw_pub.data = session->key.ecdhx.data; - pub.raw_pub.size = session->key.ecdhx.size; + pub.params[ECC_X] = session->key.proto.tls12.ecdh.x; + pub.params[ECC_Y] = session->key.proto.tls12.ecdh.y; + pub.raw_pub.data = session->key.proto.tls12.ecdh.raw.data; + pub.raw_pub.size = session->key.proto.tls12.ecdh.raw.size; pub.curve = ecurve->id; ret = _gnutls_pk_derive(ecurve->pk, &tmp_dh_key, - &session->key.ecdh_params, &pub); + &session->key.proto.tls12.ecdh.params, &pub); if (ret < 0) { ret = gnutls_assert_val(ret); goto cleanup; @@ -128,10 +128,10 @@ static int calc_ecdh_key(gnutls_session_t session, cleanup: /* no longer needed */ - _gnutls_mpi_release(&session->key.ecdh_x); - _gnutls_mpi_release(&session->key.ecdh_y); - _gnutls_free_datum(&session->key.ecdhx); - gnutls_pk_params_release(&session->key.ecdh_params); + _gnutls_mpi_release(&session->key.proto.tls12.ecdh.x); + _gnutls_mpi_release(&session->key.proto.tls12.ecdh.y); + _gnutls_free_datum(&session->key.proto.tls12.ecdh.raw); + gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); return ret; } @@ -166,8 +166,8 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session, if (ecurve->pk == GNUTLS_PK_EC) { ret = _gnutls_ecc_ansi_x962_import(&data[i], point_size, - &session->key.ecdh_x, - &session->key.ecdh_y); + &session->key.proto.tls12.ecdh.x, + &session->key.proto.tls12.ecdh.y); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -176,7 +176,7 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session, if (ecurve->size != point_size) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - ret = _gnutls_set_datum(&session->key.ecdhx, + ret = _gnutls_set_datum(&session->key.proto.tls12.ecdh.raw, &data[i], point_size); if (ret < 0) { gnutls_assert(); @@ -185,7 +185,7 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session, /* RFC7748 requires to mask the MSB in the final byte */ if (ecurve->id == GNUTLS_ECC_CURVE_X25519) { - session->key.ecdhx.data[point_size-1] &= 0x7f; + session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f; } } else { return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); @@ -202,7 +202,7 @@ int _gnutls_proc_ecdh_common_client_kx(gnutls_session_t session, } cleanup: - gnutls_pk_params_clear(&session->key.ecdh_params); + gnutls_pk_params_clear(&session->key.proto.tls12.ecdh.params); return ret; } @@ -256,16 +256,16 @@ _gnutls_gen_ecdh_common_client_kx_int(gnutls_session_t session, /* generate temporal key */ ret = _gnutls_pk_generate_keys(pk, ecurve->id, - &session->key.ecdh_params, 1); + &session->key.proto.tls12.ecdh.params, 1); if (ret < 0) return gnutls_assert_val(ret); if (pk == GNUTLS_PK_EC) { ret = _gnutls_ecc_ansi_x962_export(ecurve->id, - session->key.ecdh_params. + session->key.proto.tls12.ecdh.params. params[ECC_X] /* x */ , - session->key.ecdh_params. + session->key.proto.tls12.ecdh.params. params[ECC_Y] /* y */ , &out); if (ret < 0) { @@ -285,8 +285,8 @@ _gnutls_gen_ecdh_common_client_kx_int(gnutls_session_t session, } else if (pk == GNUTLS_PK_ECDH_X25519) { ret = _gnutls_buffer_append_data_prefix(data, 8, - session->key.ecdh_params.raw_pub.data, - session->key.ecdh_params.raw_pub.size); + session->key.proto.tls12.ecdh.params.raw_pub.data, + session->key.proto.tls12.ecdh.params.raw_pub.size); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -302,7 +302,7 @@ _gnutls_gen_ecdh_common_client_kx_int(gnutls_session_t session, ret = data->length - init_pos; cleanup: - gnutls_pk_params_clear(&session->key.ecdh_params); + gnutls_pk_params_clear(&session->key.proto.tls12.ecdh.params); return ret; } @@ -336,9 +336,9 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session, const gnutls_ecc_curve_entry_st *ecurve; /* just in case we are resuming a session */ - gnutls_pk_params_release(&session->key.ecdh_params); + gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); - gnutls_pk_params_init(&session->key.ecdh_params); + gnutls_pk_params_init(&session->key.proto.tls12.ecdh.params); i = 0; DECR_LEN(data_size, 1); @@ -377,8 +377,8 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session, if (ecurve->pk == GNUTLS_PK_EC) { ret = _gnutls_ecc_ansi_x962_import(&data[i], point_size, - &session->key.ecdh_x, - &session->key.ecdh_y); + &session->key.proto.tls12.ecdh.x, + &session->key.proto.tls12.ecdh.y); if (ret < 0) return gnutls_assert_val(ret); @@ -386,14 +386,14 @@ _gnutls_proc_ecdh_common_server_kx(gnutls_session_t session, if (ecurve->size != point_size) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - ret = _gnutls_set_datum(&session->key.ecdhx, + ret = _gnutls_set_datum(&session->key.proto.tls12.ecdh.raw, &data[i], point_size); if (ret < 0) return gnutls_assert_val(ret); /* RFC7748 requires to mask the MSB in the final byte */ if (ecurve->id == GNUTLS_ECC_CURVE_X25519) { - session->key.ecdhx.data[point_size-1] &= 0x7f; + session->key.proto.tls12.ecdh.raw.data[point_size-1] &= 0x7f; } } else { return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); @@ -419,9 +419,9 @@ int _gnutls_ecdh_common_print_server_kx(gnutls_session_t session, return gnutls_assert_val(GNUTLS_E_ECC_NO_SUPPORTED_CURVES); /* just in case we are resuming a session */ - gnutls_pk_params_release(&session->key.ecdh_params); + gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); - gnutls_pk_params_init(&session->key.ecdh_params); + gnutls_pk_params_init(&session->key.proto.tls12.ecdh.params); /* curve type */ p = 3; @@ -440,16 +440,16 @@ int _gnutls_ecdh_common_print_server_kx(gnutls_session_t session, /* generate temporal key */ ret = _gnutls_pk_generate_keys(group->pk, group->curve, - &session->key.ecdh_params, 1); + &session->key.proto.tls12.ecdh.params, 1); if (ret < 0) return gnutls_assert_val(ret); if (group->pk == GNUTLS_PK_EC) { ret = _gnutls_ecc_ansi_x962_export(group->curve, - session->key.ecdh_params. + session->key.proto.tls12.ecdh.params. params[ECC_X] /* x */ , - session->key.ecdh_params. + session->key.proto.tls12.ecdh.params. params[ECC_Y] /* y */ , &out); if (ret < 0) return gnutls_assert_val(ret); @@ -465,8 +465,8 @@ int _gnutls_ecdh_common_print_server_kx(gnutls_session_t session, } else if (group->pk == GNUTLS_PK_ECDH_X25519) { ret = _gnutls_buffer_append_data_prefix(data, 8, - session->key.ecdh_params.raw_pub.data, - session->key.ecdh_params.raw_pub.size); + session->key.proto.tls12.ecdh.params.raw_pub.data, + session->key.proto.tls12.ecdh.params.raw_pub.size); if (ret < 0) return gnutls_assert_val(ret); } else { diff --git a/lib/auth/srp_kx.c b/lib/auth/srp_kx.c index 34cfe87361..ef0c0e68a9 100644 --- a/lib/auth/srp_kx.c +++ b/lib/auth/srp_kx.c @@ -52,14 +52,14 @@ const mod_auth_st srp_auth_struct = { }; -#define _b session->key.b -#define B session->key.B -#define _a session->key.a -#define A session->key.A -#define N session->key.srp_p -#define G session->key.srp_g -#define V session->key.x -#define S session->key.srp_key +#define _b session->key.proto.tls12.srp.b +#define B session->key.proto.tls12.srp.B +#define _a session->key.proto.tls12.srp.a +#define A session->key.proto.tls12.srp.A +#define N session->key.proto.tls12.srp.srp_p +#define G session->key.proto.tls12.srp.srp_g +#define V session->key.proto.tls12.srp.x +#define S session->key.proto.tls12.srp.srp_key /* Checks if a%n==0,+1,-1%n which is a fatal srp error. * Returns a proper error code in that case, and 0 when @@ -300,16 +300,16 @@ _gnutls_gen_srp_client_kx(gnutls_session_t session, */ /* calculate u */ - session->key.u = _gnutls_calc_srp_u(A, B, N); - if (session->key.u == NULL) { + session->key.proto.tls12.srp.u = _gnutls_calc_srp_u(A, B, N); + if (session->key.proto.tls12.srp.u == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_log("SRP U: ", session->key.u); + _gnutls_mpi_log("SRP U: ", session->key.proto.tls12.srp.u); /* S = (B - g^x) ^ (a + u * x) % N */ - S = _gnutls_calc_srp_S2(B, G, session->key.x, _a, session->key.u, + S = _gnutls_calc_srp_S2(B, G, session->key.proto.tls12.srp.x, _a, session->key.proto.tls12.srp.u, N); if (S == NULL) { gnutls_assert(); @@ -320,10 +320,10 @@ _gnutls_gen_srp_client_kx(gnutls_session_t session, zrelease_temp_mpi_key(&_b); zrelease_temp_mpi_key(&V); - zrelease_temp_mpi_key(&session->key.u); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u); zrelease_temp_mpi_key(&B); - ret = _gnutls_mpi_dprint(session->key.srp_key, &session->key.key); + ret = _gnutls_mpi_dprint(session->key.proto.tls12.srp.srp_key, &session->key.key); zrelease_temp_mpi_key(&S); if (ret < 0) { @@ -374,17 +374,17 @@ _gnutls_proc_srp_client_kx(gnutls_session_t session, uint8_t * data, /* Start the SRP calculations. * - Calculate u */ - session->key.u = _gnutls_calc_srp_u(A, B, N); - if (session->key.u == NULL) { + session->key.proto.tls12.srp.u = _gnutls_calc_srp_u(A, B, N); + if (session->key.proto.tls12.srp.u == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; } - _gnutls_mpi_log("SRP U: ", session->key.u); + _gnutls_mpi_log("SRP U: ", session->key.proto.tls12.srp.u); /* S = (A * v^u) ^ b % N */ - S = _gnutls_calc_srp_S1(A, _b, session->key.u, V, N); + S = _gnutls_calc_srp_S1(A, _b, session->key.proto.tls12.srp.u, V, N); if (S == NULL) { gnutls_assert(); return GNUTLS_E_MEMORY_ERROR; @@ -395,10 +395,10 @@ _gnutls_proc_srp_client_kx(gnutls_session_t session, uint8_t * data, _gnutls_mpi_release(&A); zrelease_temp_mpi_key(&_b); zrelease_temp_mpi_key(&V); - zrelease_temp_mpi_key(&session->key.u); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u); zrelease_temp_mpi_key(&B); - ret = _gnutls_mpi_dprint(session->key.srp_key, &session->key.key); + ret = _gnutls_mpi_dprint(session->key.proto.tls12.srp.srp_key, &session->key.key); zrelease_temp_mpi_key(&S); if (ret < 0) { @@ -1004,7 +1004,7 @@ _gnutls_proc_srp_server_kx(gnutls_session_t session, uint8_t * data, return ret; } - if (_gnutls_mpi_init_scan_nz(&session->key.x, hd, _n_g) != 0) { + if (_gnutls_mpi_init_scan_nz(&session->key.proto.tls12.srp.x, hd, _n_g) != 0) { gnutls_assert(); return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; } diff --git a/lib/constate.c b/lib/constate.c index 95e574b1fd..a1a1d96221 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -252,32 +252,32 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE, sizeof(APPLICATION_TRAFFIC_UPDATE)-1, NULL, 0, - session->key.temp_secret, - session->key.hs_ckey); + session->key.proto.kshare.temp_secret, + session->key.proto.kshare.hs_ckey); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.hs_ckey, key_size, key_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_ckey, key_size, key_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.hs_ckey, iv_size, iv_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_ckey, iv_size, iv_block); if (ret < 0) return gnutls_assert_val(ret); } else { ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE, sizeof(APPLICATION_TRAFFIC_UPDATE)-1, NULL, 0, - session->key.temp_secret, - session->key.hs_skey); + session->key.proto.kshare.temp_secret, + session->key.proto.kshare.hs_skey); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.hs_skey, key_size, key_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_skey, key_size, key_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.hs_skey, iv_size, iv_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_skey, iv_size, iv_block); if (ret < 0) return gnutls_assert_val(ret); } @@ -344,21 +344,21 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_derive_secret(session, label, label_size, session->internals.handshake_hash_buffer.data, hsk_len, - session->key.temp_secret, - session->key.hs_ckey); + session->key.proto.kshare.temp_secret, + session->key.proto.kshare.hs_ckey); if (ret < 0) return gnutls_assert_val(ret); _gnutls_nss_keylog_write(session, keylog_label, - session->key.hs_ckey, + session->key.proto.kshare.hs_ckey, session->security_parameters.prf->output_size); /* client keys */ - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.hs_ckey, key_size, ckey_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_ckey, key_size, ckey_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.hs_ckey, iv_size, civ_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_ckey, iv_size, civ_block); if (ret < 0) return gnutls_assert_val(ret); @@ -376,21 +376,21 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_derive_secret(session, label, label_size, session->internals.handshake_hash_buffer.data, hsk_len, - session->key.temp_secret, - session->key.hs_skey); + session->key.proto.kshare.temp_secret, + session->key.proto.kshare.hs_skey); if (ret < 0) return gnutls_assert_val(ret); _gnutls_nss_keylog_write(session, keylog_label, - session->key.hs_skey, + session->key.proto.kshare.hs_skey, session->security_parameters.prf->output_size); - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.hs_skey, key_size, skey_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_skey, key_size, skey_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.hs_skey, iv_size, siv_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_skey, iv_size, siv_block); if (ret < 0) return gnutls_assert_val(ret); @@ -40,23 +40,23 @@ int set_dh_pk_params(gnutls_session_t session, bigint_t g, bigint_t p, unsigned q_bits) { /* just in case we are resuming a session */ - gnutls_pk_params_release(&session->key.dh_params); + gnutls_pk_params_release(&session->key.proto.tls12.dh.params); - gnutls_pk_params_init(&session->key.dh_params); + gnutls_pk_params_init(&session->key.proto.tls12.dh.params); - session->key.dh_params.params[DH_G] = _gnutls_mpi_copy(g); - if (session->key.dh_params.params[DH_G] == NULL) + session->key.proto.tls12.dh.params.params[DH_G] = _gnutls_mpi_copy(g); + if (session->key.proto.tls12.dh.params.params[DH_G] == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - session->key.dh_params.params[DH_P] = _gnutls_mpi_copy(p); - if (session->key.dh_params.params[DH_P] == NULL) { - _gnutls_mpi_release(&session->key.dh_params.params[DH_G]); + session->key.proto.tls12.dh.params.params[DH_P] = _gnutls_mpi_copy(p); + if (session->key.proto.tls12.dh.params.params[DH_P] == NULL) { + _gnutls_mpi_release(&session->key.proto.tls12.dh.params.params[DH_G]); return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); } - session->key.dh_params.params_nr = 3; /* include empty q */ - session->key.dh_params.algo = GNUTLS_PK_DH; - session->key.dh_params.qbits = q_bits; + session->key.proto.tls12.dh.params.params_nr = 3; /* include empty q */ + session->key.proto.tls12.dh.params.algo = GNUTLS_PK_DH; + session->key.proto.tls12.dh.params.qbits = q_bits; return 0; } diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c index 2b31c95b4a..c7d5d8cc37 100644 --- a/lib/ext/key_share.c +++ b/lib/ext/key_share.c @@ -87,17 +87,17 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent return gnutls_assert_val(ret); if (group->pk == GNUTLS_PK_EC) { - gnutls_pk_params_release(&session->key.kshare_ecdh_params); - gnutls_pk_params_init(&session->key.kshare_ecdh_params); + gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params); + gnutls_pk_params_init(&session->key.proto.kshare.ecdh_params); ret = _gnutls_pk_generate_keys(group->pk, group->curve, - &session->key.kshare_ecdh_params, 1); + &session->key.proto.kshare.ecdh_params, 1); if (ret < 0) return gnutls_assert_val(ret); ret = _gnutls_ecc_ansi_x962_export(group->curve, - session->key.kshare_ecdh_params.params[ECC_X], - session->key.kshare_ecdh_params.params[ECC_Y], + session->key.proto.kshare.ecdh_params.params[ECC_X], + session->key.proto.kshare.ecdh_params.params[ECC_Y], &tmp); if (ret < 0) return gnutls_assert_val(ret); @@ -109,54 +109,54 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent goto cleanup; } - session->key.kshare_ecdh_params.algo = group->pk; - session->key.kshare_ecdh_params.curve = group->curve; + session->key.proto.kshare.ecdh_params.algo = group->pk; + session->key.proto.kshare.ecdh_params.curve = group->curve; ret = 0; } else if (group->pk == GNUTLS_PK_ECDH_X25519) { - gnutls_pk_params_release(&session->key.kshare_ecdhx_params); - gnutls_pk_params_init(&session->key.kshare_ecdhx_params); + gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params); + gnutls_pk_params_init(&session->key.proto.kshare.ecdhx_params); ret = _gnutls_pk_generate_keys(group->pk, group->curve, - &session->key.kshare_ecdhx_params, 1); + &session->key.proto.kshare.ecdhx_params, 1); if (ret < 0) return gnutls_assert_val(ret); ret = _gnutls_buffer_append_data_prefix(extdata, 16, - session->key.kshare_ecdhx_params.raw_pub.data, - session->key.kshare_ecdhx_params.raw_pub.size); + session->key.proto.kshare.ecdhx_params.raw_pub.data, + session->key.proto.kshare.ecdhx_params.raw_pub.size); if (ret < 0) { gnutls_assert(); goto cleanup; } - session->key.kshare_ecdhx_params.algo = group->pk; - session->key.kshare_ecdhx_params.curve = group->curve; + session->key.proto.kshare.ecdhx_params.algo = group->pk; + session->key.proto.kshare.ecdhx_params.curve = group->curve; ret = 0; } else if (group->pk == GNUTLS_PK_DH) { /* we need to initialize the group parameters first */ - gnutls_pk_params_release(&session->key.kshare_dh_params); - gnutls_pk_params_init(&session->key.kshare_dh_params); + gnutls_pk_params_release(&session->key.proto.kshare.dh_params); + gnutls_pk_params_init(&session->key.proto.kshare.dh_params); - ret = _gnutls_mpi_init_scan_nz(&session->key.kshare_dh_params.params[DH_G], + ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_G], group->generator->data, group->generator->size); if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_mpi_init_scan_nz(&session->key.kshare_dh_params.params[DH_P], + ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_P], group->prime->data, group->prime->size); if (ret < 0) return gnutls_assert_val(ret); - session->key.kshare_dh_params.algo = group->pk; - session->key.kshare_dh_params.qbits = *group->q_bits; - session->key.kshare_dh_params.params_nr = 3; /* empty q */ + session->key.proto.kshare.dh_params.algo = group->pk; + session->key.proto.kshare.dh_params.qbits = *group->q_bits; + session->key.proto.kshare.dh_params.params_nr = 3; /* empty q */ - ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare_dh_params, 1); + ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.proto.kshare.dh_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -165,7 +165,7 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare_dh_params.params[DH_Y], + ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.proto.kshare.dh_params.params[DH_Y], group->prime->size); if (ret < 0) return gnutls_assert_val(ret); @@ -202,8 +202,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (group->pk == GNUTLS_PK_EC) { ret = _gnutls_ecc_ansi_x962_export(group->curve, - session->key.kshare_ecdh_params.params[ECC_X], - session->key.kshare_ecdh_params.params[ECC_Y], + session->key.proto.kshare.ecdh_params.params[ECC_X], + session->key.proto.kshare.ecdh_params.params[ECC_Y], &tmp); if (ret < 0) return gnutls_assert_val(ret); @@ -220,8 +220,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent } else if (group->pk == GNUTLS_PK_ECDH_X25519) { ret = _gnutls_buffer_append_data_prefix(extdata, 16, - session->key.kshare_ecdhx_params.raw_pub.data, - session->key.kshare_ecdhx_params.raw_pub.size); + session->key.proto.kshare.ecdhx_params.raw_pub.data, + session->key.proto.kshare.ecdhx_params.raw_pub.size); if (ret < 0) return gnutls_assert_val(ret); @@ -233,7 +233,7 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare_dh_params.params[DH_Y], + ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.proto.kshare.dh_params.params[DH_Y], group->prime->size); if (ret < 0) return gnutls_assert_val(ret); @@ -258,8 +258,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou if (group->pk == GNUTLS_PK_EC) { gnutls_pk_params_st pub; - gnutls_pk_params_release(&session->key.kshare_ecdh_params); - gnutls_pk_params_init(&session->key.kshare_ecdh_params); + gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params); + gnutls_pk_params_init(&session->key.proto.kshare.ecdh_params); curve = _gnutls_ecc_curve_get_params(group->curve); @@ -269,7 +269,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* generate our key */ - ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare_ecdh_params, 1); + ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.proto.kshare.ecdh_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -285,7 +285,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.params_nr = 2; /* generate shared */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare_ecdh_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdh_params, &pub); gnutls_pk_params_release(&pub); if (ret < 0) { return gnutls_assert_val(ret); @@ -296,8 +296,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou } else if (group->pk == GNUTLS_PK_ECDH_X25519) { gnutls_pk_params_st pub; - gnutls_pk_params_release(&session->key.kshare_ecdhx_params); - gnutls_pk_params_init(&session->key.kshare_ecdhx_params); + gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params); + gnutls_pk_params_init(&session->key.proto.kshare.ecdhx_params); curve = _gnutls_ecc_curve_get_params(group->curve); @@ -305,7 +305,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* generate our key */ - ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare_ecdhx_params, 1); + ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.proto.kshare.ecdhx_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -321,7 +321,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou /* We don't mask the MSB in the final byte as required * by RFC7748. This will be done internally by nettle 3.3 or later. */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare_ecdhx_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdhx_params, &pub); if (ret < 0) { return gnutls_assert_val(ret); } @@ -332,29 +332,29 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou gnutls_pk_params_st pub; /* we need to initialize the group parameters first */ - gnutls_pk_params_release(&session->key.kshare_dh_params); - gnutls_pk_params_init(&session->key.kshare_dh_params); + gnutls_pk_params_release(&session->key.proto.kshare.dh_params); + gnutls_pk_params_init(&session->key.proto.kshare.dh_params); if (data_size != group->prime->size) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* set group params */ - ret = _gnutls_mpi_init_scan_nz(&session->key.kshare_dh_params.params[DH_G], + ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_G], group->generator->data, group->generator->size); if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_mpi_init_scan_nz(&session->key.kshare_dh_params.params[DH_P], + ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_P], group->prime->data, group->prime->size); if (ret < 0) return gnutls_assert_val(ret); - session->key.kshare_dh_params.algo = GNUTLS_PK_DH; - session->key.kshare_dh_params.qbits = *group->q_bits; - session->key.kshare_dh_params.params_nr = 3; /* empty q */ + session->key.proto.kshare.dh_params.algo = GNUTLS_PK_DH; + session->key.proto.kshare.dh_params.qbits = *group->q_bits; + session->key.proto.kshare.dh_params.params_nr = 3; /* empty q */ /* generate our keys */ - ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare_dh_params, 1); + ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.proto.kshare.dh_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -369,7 +369,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.algo = group->pk; /* generate shared key */ - ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare_dh_params, &pub); + ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.proto.kshare.dh_params, &pub); _gnutls_mpi_release(&pub.params[DH_Y]); if (ret < 0) return gnutls_assert_val(ret); @@ -415,7 +415,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.params_nr = 2; /* generate shared key */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare_ecdh_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdh_params, &pub); gnutls_pk_params_release(&pub); if (ret < 0) { return gnutls_assert_val(ret); @@ -443,7 +443,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou /* We don't mask the MSB in the final byte as required * by RFC7748. This will be done internally by nettle 3.3 or later. */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare_ecdhx_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdhx_params, &pub); if (ret < 0) { return gnutls_assert_val(ret); } @@ -467,7 +467,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.algo = group->pk; /* generate shared key */ - ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare_dh_params, &pub); + ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.proto.kshare.dh_params, &pub); _gnutls_mpi_release(&pub.params[DH_Y]); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index f7ad918c81..648168c4c7 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -119,6 +119,7 @@ typedef struct { */ #define MAX_FILENAME 512 #define MAX_HASH_SIZE 64 + #define MAX_CIPHER_BLOCK_SIZE 16 #define MAX_CIPHER_KEY_SIZE 32 @@ -440,44 +441,57 @@ typedef struct auth_cred_st { } auth_cred_st; struct gnutls_key_st { - /* TLS 1.3 key share exchange */ - gnutls_pk_params_st kshare_ecdh_params; - gnutls_pk_params_st kshare_ecdhx_params; - gnutls_pk_params_st kshare_dh_params; - - /* the current (depending on state) secret, can be - * early_secret, client_early_traffic_secret, ... */ - uint8_t temp_secret[MAX_HASH_SIZE]; - unsigned temp_secret_size; /* depends on negotiated PRF size */ - uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_handshake_traffic_secret */ - uint8_t hs_skey[MAX_HASH_SIZE]; /* server_handshake_traffic_secret */ - uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */ - - /* For ECDH KX */ - gnutls_pk_params_st ecdh_params; /* private part */ - - /* public part */ - bigint_t ecdh_x; - bigint_t ecdh_y; - gnutls_datum_t ecdhx; /* public key used in ECDHX (point) */ - - /* For DH KX */ + struct { + /* TLS 1.3 key share exchange */ + struct { + gnutls_pk_params_st ecdh_params; + gnutls_pk_params_st ecdhx_params; + gnutls_pk_params_st dh_params; + + /* the current (depending on state) secret, can be + * early_secret, client_early_traffic_secret, ... */ + uint8_t temp_secret[MAX_HASH_SIZE]; + unsigned temp_secret_size; /* depends on negotiated PRF size */ + uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_handshake_traffic_secret */ + uint8_t hs_skey[MAX_HASH_SIZE]; /* server_handshake_traffic_secret */ + uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */ + } kshare; /* tls1.3 */ + + /* Folow the SSL3.0 and TLS1.2 key exchanges */ + + struct { + /* For ECDH KX */ + struct { + gnutls_pk_params_st params; /* private part */ + /* public part */ + bigint_t x; + bigint_t y; + gnutls_datum_t raw; /* public key used in ECDHX (point) */ + } ecdh; + + /* For DH KX */ + struct { + gnutls_pk_params_st params; + bigint_t client_Y; + } dh; + + /* for SRP KX */ + struct { + bigint_t srp_key; + bigint_t srp_g; + bigint_t srp_p; + bigint_t A; + bigint_t B; + bigint_t u; + bigint_t b; + bigint_t a; + bigint_t x; + } srp; + } tls12; /* from ssl3.0 to tls12 */ + } proto; + + /* TLS pre-master key; applies to 1.2 and 1.3 */ gnutls_datum_t key; - - /* For DH KX */ - gnutls_pk_params_st dh_params; - bigint_t client_Y; - /* for SRP */ - - bigint_t srp_key; - bigint_t srp_g; - bigint_t srp_p; - bigint_t A; - bigint_t B; - bigint_t u; - bigint_t b; - bigint_t a; - bigint_t x; /* this is used to hold the peers authentication data */ @@ -489,8 +503,6 @@ struct gnutls_key_st { gnutls_credentials_type_t auth_info_type; int auth_info_size; /* needed in order to store to db for restoring */ - uint8_t crypt_algo; - auth_cred_st *cred; /* used to specify keys/certificates etc */ }; @@ -704,7 +716,8 @@ typedef struct api_aead_cipher_hd_st { } api_aead_cipher_hd_st; struct record_state_st { - uint8_t mac_key[MAX_CIPHER_KEY_SIZE]; + /* mac keys can be as long as the hash size */ + uint8_t mac_key[MAX_HASH_SIZE]; unsigned mac_key_size; uint8_t iv[MAX_CIPHER_IV_SIZE]; diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c index 03b08285da..f39aff24d8 100644 --- a/lib/handshake-tls13.c +++ b/lib/handshake-tls13.c @@ -157,8 +157,8 @@ static int generate_ap_traffic_keys(gnutls_session_t session) uint8_t zero[MAX_HASH_SIZE]; ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.temp_secret, - session->key.temp_secret); + NULL, 0, session->key.proto.kshare.temp_secret, + session->key.proto.kshare.temp_secret); if (ret < 0) return gnutls_assert_val(ret); @@ -170,13 +170,13 @@ static int generate_ap_traffic_keys(gnutls_session_t session) ret = _tls13_derive_secret(session, EXPORTER_MASTER_LABEL, sizeof(EXPORTER_MASTER_LABEL)-1, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_server_finished_len, - session->key.temp_secret, - session->key.ap_expkey); + session->key.proto.kshare.temp_secret, + session->key.proto.kshare.ap_expkey); if (ret < 0) return gnutls_assert_val(ret); _gnutls_nss_keylog_write(session, "EXPORTER_SECRET", - session->key.ap_expkey, + session->key.proto.kshare.ap_expkey, session->security_parameters.prf->output_size); _gnutls_epoch_bump(session); @@ -195,7 +195,7 @@ static int generate_hs_traffic_keys(gnutls_session_t session) { int ret; - if (unlikely(session->key.key.size == 0 || session->key.temp_secret_size == 0)) + if (unlikely(session->key.key.size == 0 || session->key.proto.kshare.temp_secret_size == 0)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ret = _tls13_update_secret(session, session->key.key.data, session->key.key.size); diff --git a/lib/handshake.c b/lib/handshake.c index d1a249f30b..9b7c776cb8 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -1714,8 +1714,8 @@ read_server_hello(gnutls_session_t session, return gnutls_assert_val(ret); ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.temp_secret, - session->key.temp_secret); + NULL, 0, session->key.proto.kshare.temp_secret, + session->key.proto.kshare.temp_secret); if (ret < 0) return gnutls_assert_val(ret); @@ -2076,8 +2076,8 @@ int _gnutls_send_server_hello(gnutls_session_t session, int again) if (vers->tls13_sem) { ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.temp_secret, - session->key.temp_secret); + NULL, 0, session->key.proto.kshare.temp_secret, + session->key.proto.kshare.temp_secret); if (ret < 0) { gnutls_assert(); goto fail; @@ -149,7 +149,7 @@ gnutls_prf_rfc5705(gnutls_session_t session, } ret = _tls13_derive_secret(session, label, label_size, NULL, 0, - session->key.ap_expkey, secret); + session->key.proto.kshare.ap_expkey, secret); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/secrets.c b/lib/secrets.c index 1042fba2c5..08c6e55686 100644 --- a/lib/secrets.c +++ b/lib/secrets.c @@ -34,11 +34,11 @@ int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_ { char buf[128]; - session->key.temp_secret_size = session->security_parameters.prf->output_size; + session->key.proto.kshare.temp_secret_size = session->security_parameters.prf->output_size; /* when no PSK, use the zero-value */ if (psk == NULL) { - psk_size = session->key.temp_secret_size; + psk_size = session->key.proto.kshare.temp_secret_size; if (unlikely(psk_size >= sizeof(buf))) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); @@ -49,16 +49,16 @@ int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_ return gnutls_hmac_fast(session->security_parameters.prf->id, "", 0, psk, psk_size, - session->key.temp_secret); + session->key.proto.kshare.temp_secret); } /* HKDF-Extract(Prev-Secret, key) */ int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t key_size) { return gnutls_hmac_fast(session->security_parameters.prf->id, - session->key.temp_secret, session->key.temp_secret_size, + session->key.proto.kshare.temp_secret, session->key.proto.kshare.temp_secret_size, key, key_size, - session->key.temp_secret); + session->key.proto.kshare.temp_secret); } /* Derive-Secret(Secret, Label, Messages) */ diff --git a/lib/state.c b/lib/state.c index b4e539e45b..79353b5c87 100644 --- a/lib/state.c +++ b/lib/state.c @@ -169,30 +169,30 @@ gnutls_compression_get(gnutls_session_t session) static void deinit_keys(gnutls_session_t session) { - gnutls_pk_params_release(&session->key.ecdh_params); - gnutls_pk_params_release(&session->key.dh_params); + gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); + gnutls_pk_params_release(&session->key.proto.tls12.dh.params); - gnutls_pk_params_release(&session->key.kshare_ecdhx_params); - gnutls_pk_params_release(&session->key.kshare_ecdh_params); - gnutls_pk_params_release(&session->key.kshare_dh_params); + gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params); + gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params); + gnutls_pk_params_release(&session->key.proto.kshare.dh_params); - zrelease_temp_mpi_key(&session->key.ecdh_x); - zrelease_temp_mpi_key(&session->key.ecdh_y); - _gnutls_free_temp_key_datum(&session->key.ecdhx); + zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x); + zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y); + _gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw); - zrelease_temp_mpi_key(&session->key.client_Y); + zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y); /* SRP */ - zrelease_temp_mpi_key(&session->key.srp_p); - zrelease_temp_mpi_key(&session->key.srp_g); - zrelease_temp_mpi_key(&session->key.srp_key); - - zrelease_temp_mpi_key(&session->key.u); - zrelease_temp_mpi_key(&session->key.a); - zrelease_temp_mpi_key(&session->key.x); - zrelease_temp_mpi_key(&session->key.A); - zrelease_temp_mpi_key(&session->key.B); - zrelease_temp_mpi_key(&session->key.b); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key); + + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b); _gnutls_free_temp_key_datum(&session->key.key); _gnutls_free_temp_key_datum(&session->key.key); diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c index 8d9975cefa..a203b36881 100644 --- a/lib/tls13/finished.c +++ b/lib/tls13/finished.c @@ -39,9 +39,9 @@ int _gnutls13_recv_finished(gnutls_session_t session) unsigned hash_size = session->security_parameters.prf->output_size; if (session->security_parameters.entity == GNUTLS_CLIENT) - base_key = session->key.hs_skey; + base_key = session->key.proto.kshare.hs_skey; else - base_key = session->key.hs_ckey; + base_key = session->key.proto.kshare.hs_ckey; ret = _tls13_expand_secret(session, "finished", 8, NULL, 0, base_key, hash_size, fkey); @@ -105,9 +105,9 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again) if (again == 0) { if (session->security_parameters.entity == GNUTLS_CLIENT) - base_key = session->key.hs_ckey; + base_key = session->key.proto.kshare.hs_ckey; else - base_key = session->key.hs_skey; + base_key = session->key.proto.kshare.hs_skey; ret = _tls13_expand_secret(session, "finished", 8, NULL, 0, base_key, hash_size, fkey); diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c index b93f1c289a..e1e6ca3abb 100644 --- a/lib/tls13/key_update.c +++ b/lib/tls13/key_update.c @@ -34,8 +34,8 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) { int ret; - ret = _tls13_update_secret(session, session->key.temp_secret, - session->key.temp_secret_size); + ret = _tls13_update_secret(session, session->key.proto.kshare.temp_secret, + session->key.proto.kshare.temp_secret_size); if (ret < 0) return gnutls_assert_val(ret); |