diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-11-08 13:13:31 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-02-19 15:29:36 +0100 |
commit | 1b12320a6938d327b07fc3c1e48ea6fe03d59a9b (patch) | |
tree | 9791f6bc4e1c559f949b7d12bdf58ae282bda02d /lib | |
parent | dcf2a8d3bd69ed0b994bed1753fe47a83366786e (diff) | |
download | gnutls-1b12320a6938d327b07fc3c1e48ea6fe03d59a9b.tar.gz |
session state: TLS1.2 and TLS1.3 state is stored as union
That is, to reduce memory usage as these protocol cannot be used
in parallel.
Relates: #281
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/constate.c | 36 | ||||
-rw-r--r-- | lib/ext/key_share.c | 96 | ||||
-rw-r--r-- | lib/gnutls_int.h | 18 | ||||
-rw-r--r-- | lib/handshake-tls13.c | 12 | ||||
-rw-r--r-- | lib/handshake.c | 8 | ||||
-rw-r--r-- | lib/prf.c | 2 | ||||
-rw-r--r-- | lib/secrets.c | 10 | ||||
-rw-r--r-- | lib/state.c | 61 | ||||
-rw-r--r-- | lib/tls13/finished.c | 8 | ||||
-rw-r--r-- | lib/tls13/key_update.c | 4 |
10 files changed, 136 insertions, 119 deletions
diff --git a/lib/constate.c b/lib/constate.c index a1a1d96221..a773d55ecf 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -252,32 +252,32 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE, sizeof(APPLICATION_TRAFFIC_UPDATE)-1, NULL, 0, - session->key.proto.kshare.temp_secret, - session->key.proto.kshare.hs_ckey); + session->key.proto.tls13.temp_secret, + session->key.proto.tls13.hs_ckey); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_ckey, key_size, key_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_ckey, key_size, key_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_ckey, iv_size, iv_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_ckey, iv_size, iv_block); if (ret < 0) return gnutls_assert_val(ret); } else { ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE, sizeof(APPLICATION_TRAFFIC_UPDATE)-1, NULL, 0, - session->key.proto.kshare.temp_secret, - session->key.proto.kshare.hs_skey); + session->key.proto.tls13.temp_secret, + session->key.proto.tls13.hs_skey); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_skey, key_size, key_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_skey, key_size, key_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_skey, iv_size, iv_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_skey, iv_size, iv_block); if (ret < 0) return gnutls_assert_val(ret); } @@ -344,21 +344,21 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_derive_secret(session, label, label_size, session->internals.handshake_hash_buffer.data, hsk_len, - session->key.proto.kshare.temp_secret, - session->key.proto.kshare.hs_ckey); + session->key.proto.tls13.temp_secret, + session->key.proto.tls13.hs_ckey); if (ret < 0) return gnutls_assert_val(ret); _gnutls_nss_keylog_write(session, keylog_label, - session->key.proto.kshare.hs_ckey, + session->key.proto.tls13.hs_ckey, session->security_parameters.prf->output_size); /* client keys */ - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_ckey, key_size, ckey_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_ckey, key_size, ckey_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_ckey, iv_size, civ_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_ckey, iv_size, civ_block); if (ret < 0) return gnutls_assert_val(ret); @@ -376,21 +376,21 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage, ret = _tls13_derive_secret(session, label, label_size, session->internals.handshake_hash_buffer.data, hsk_len, - session->key.proto.kshare.temp_secret, - session->key.proto.kshare.hs_skey); + session->key.proto.tls13.temp_secret, + session->key.proto.tls13.hs_skey); if (ret < 0) return gnutls_assert_val(ret); _gnutls_nss_keylog_write(session, keylog_label, - session->key.proto.kshare.hs_skey, + session->key.proto.tls13.hs_skey, session->security_parameters.prf->output_size); - ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_skey, key_size, skey_block); + ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_skey, key_size, skey_block); if (ret < 0) return gnutls_assert_val(ret); - ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_skey, iv_size, siv_block); + ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_skey, iv_size, siv_block); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c index c7d5d8cc37..d4cf9b78c8 100644 --- a/lib/ext/key_share.c +++ b/lib/ext/key_share.c @@ -87,17 +87,17 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent return gnutls_assert_val(ret); if (group->pk == GNUTLS_PK_EC) { - gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params); - gnutls_pk_params_init(&session->key.proto.kshare.ecdh_params); + gnutls_pk_params_release(&session->key.kshare.ecdh_params); + gnutls_pk_params_init(&session->key.kshare.ecdh_params); ret = _gnutls_pk_generate_keys(group->pk, group->curve, - &session->key.proto.kshare.ecdh_params, 1); + &session->key.kshare.ecdh_params, 1); if (ret < 0) return gnutls_assert_val(ret); ret = _gnutls_ecc_ansi_x962_export(group->curve, - session->key.proto.kshare.ecdh_params.params[ECC_X], - session->key.proto.kshare.ecdh_params.params[ECC_Y], + session->key.kshare.ecdh_params.params[ECC_X], + session->key.kshare.ecdh_params.params[ECC_Y], &tmp); if (ret < 0) return gnutls_assert_val(ret); @@ -109,54 +109,54 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent goto cleanup; } - session->key.proto.kshare.ecdh_params.algo = group->pk; - session->key.proto.kshare.ecdh_params.curve = group->curve; + session->key.kshare.ecdh_params.algo = group->pk; + session->key.kshare.ecdh_params.curve = group->curve; ret = 0; } else if (group->pk == GNUTLS_PK_ECDH_X25519) { - gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params); - gnutls_pk_params_init(&session->key.proto.kshare.ecdhx_params); + gnutls_pk_params_release(&session->key.kshare.ecdhx_params); + gnutls_pk_params_init(&session->key.kshare.ecdhx_params); ret = _gnutls_pk_generate_keys(group->pk, group->curve, - &session->key.proto.kshare.ecdhx_params, 1); + &session->key.kshare.ecdhx_params, 1); if (ret < 0) return gnutls_assert_val(ret); ret = _gnutls_buffer_append_data_prefix(extdata, 16, - session->key.proto.kshare.ecdhx_params.raw_pub.data, - session->key.proto.kshare.ecdhx_params.raw_pub.size); + session->key.kshare.ecdhx_params.raw_pub.data, + session->key.kshare.ecdhx_params.raw_pub.size); if (ret < 0) { gnutls_assert(); goto cleanup; } - session->key.proto.kshare.ecdhx_params.algo = group->pk; - session->key.proto.kshare.ecdhx_params.curve = group->curve; + session->key.kshare.ecdhx_params.algo = group->pk; + session->key.kshare.ecdhx_params.curve = group->curve; ret = 0; } else if (group->pk == GNUTLS_PK_DH) { /* we need to initialize the group parameters first */ - gnutls_pk_params_release(&session->key.proto.kshare.dh_params); - gnutls_pk_params_init(&session->key.proto.kshare.dh_params); + gnutls_pk_params_release(&session->key.kshare.dh_params); + gnutls_pk_params_init(&session->key.kshare.dh_params); - ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_G], + ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G], group->generator->data, group->generator->size); if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_P], + ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P], group->prime->data, group->prime->size); if (ret < 0) return gnutls_assert_val(ret); - session->key.proto.kshare.dh_params.algo = group->pk; - session->key.proto.kshare.dh_params.qbits = *group->q_bits; - session->key.proto.kshare.dh_params.params_nr = 3; /* empty q */ + session->key.kshare.dh_params.algo = group->pk; + session->key.kshare.dh_params.qbits = *group->q_bits; + session->key.kshare.dh_params.params_nr = 3; /* empty q */ - ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.proto.kshare.dh_params, 1); + ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -165,7 +165,7 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.proto.kshare.dh_params.params[DH_Y], + ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare.dh_params.params[DH_Y], group->prime->size); if (ret < 0) return gnutls_assert_val(ret); @@ -202,8 +202,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (group->pk == GNUTLS_PK_EC) { ret = _gnutls_ecc_ansi_x962_export(group->curve, - session->key.proto.kshare.ecdh_params.params[ECC_X], - session->key.proto.kshare.ecdh_params.params[ECC_Y], + session->key.kshare.ecdh_params.params[ECC_X], + session->key.kshare.ecdh_params.params[ECC_Y], &tmp); if (ret < 0) return gnutls_assert_val(ret); @@ -220,8 +220,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent } else if (group->pk == GNUTLS_PK_ECDH_X25519) { ret = _gnutls_buffer_append_data_prefix(extdata, 16, - session->key.proto.kshare.ecdhx_params.raw_pub.data, - session->key.proto.kshare.ecdhx_params.raw_pub.size); + session->key.kshare.ecdhx_params.raw_pub.data, + session->key.kshare.ecdhx_params.raw_pub.size); if (ret < 0) return gnutls_assert_val(ret); @@ -233,7 +233,7 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.proto.kshare.dh_params.params[DH_Y], + ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare.dh_params.params[DH_Y], group->prime->size); if (ret < 0) return gnutls_assert_val(ret); @@ -258,8 +258,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou if (group->pk == GNUTLS_PK_EC) { gnutls_pk_params_st pub; - gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params); - gnutls_pk_params_init(&session->key.proto.kshare.ecdh_params); + gnutls_pk_params_release(&session->key.kshare.ecdh_params); + gnutls_pk_params_init(&session->key.kshare.ecdh_params); curve = _gnutls_ecc_curve_get_params(group->curve); @@ -269,7 +269,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* generate our key */ - ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.proto.kshare.ecdh_params, 1); + ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare.ecdh_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -285,7 +285,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.params_nr = 2; /* generate shared */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdh_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdh_params, &pub); gnutls_pk_params_release(&pub); if (ret < 0) { return gnutls_assert_val(ret); @@ -296,8 +296,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou } else if (group->pk == GNUTLS_PK_ECDH_X25519) { gnutls_pk_params_st pub; - gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params); - gnutls_pk_params_init(&session->key.proto.kshare.ecdhx_params); + gnutls_pk_params_release(&session->key.kshare.ecdhx_params); + gnutls_pk_params_init(&session->key.kshare.ecdhx_params); curve = _gnutls_ecc_curve_get_params(group->curve); @@ -305,7 +305,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* generate our key */ - ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.proto.kshare.ecdhx_params, 1); + ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare.ecdhx_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -321,7 +321,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou /* We don't mask the MSB in the final byte as required * by RFC7748. This will be done internally by nettle 3.3 or later. */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdhx_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdhx_params, &pub); if (ret < 0) { return gnutls_assert_val(ret); } @@ -332,29 +332,29 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou gnutls_pk_params_st pub; /* we need to initialize the group parameters first */ - gnutls_pk_params_release(&session->key.proto.kshare.dh_params); - gnutls_pk_params_init(&session->key.proto.kshare.dh_params); + gnutls_pk_params_release(&session->key.kshare.dh_params); + gnutls_pk_params_init(&session->key.kshare.dh_params); if (data_size != group->prime->size) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); /* set group params */ - ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_G], + ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G], group->generator->data, group->generator->size); if (ret < 0) return gnutls_assert_val(ret); - ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_P], + ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P], group->prime->data, group->prime->size); if (ret < 0) return gnutls_assert_val(ret); - session->key.proto.kshare.dh_params.algo = GNUTLS_PK_DH; - session->key.proto.kshare.dh_params.qbits = *group->q_bits; - session->key.proto.kshare.dh_params.params_nr = 3; /* empty q */ + session->key.kshare.dh_params.algo = GNUTLS_PK_DH; + session->key.kshare.dh_params.qbits = *group->q_bits; + session->key.kshare.dh_params.params_nr = 3; /* empty q */ /* generate our keys */ - ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.proto.kshare.dh_params, 1); + ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1); if (ret < 0) return gnutls_assert_val(ret); @@ -369,7 +369,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.algo = group->pk; /* generate shared key */ - ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.proto.kshare.dh_params, &pub); + ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare.dh_params, &pub); _gnutls_mpi_release(&pub.params[DH_Y]); if (ret < 0) return gnutls_assert_val(ret); @@ -415,7 +415,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.params_nr = 2; /* generate shared key */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdh_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdh_params, &pub); gnutls_pk_params_release(&pub); if (ret < 0) { return gnutls_assert_val(ret); @@ -443,7 +443,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou /* We don't mask the MSB in the final byte as required * by RFC7748. This will be done internally by nettle 3.3 or later. */ - ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdhx_params, &pub); + ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdhx_params, &pub); if (ret < 0) { return gnutls_assert_val(ret); } @@ -467,7 +467,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou pub.algo = group->pk; /* generate shared key */ - ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.proto.kshare.dh_params, &pub); + ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare.dh_params, &pub); _gnutls_mpi_release(&pub.params[DH_Y]); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 648168c4c7..d8de3a5903 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -441,13 +441,16 @@ typedef struct auth_cred_st { } auth_cred_st; struct gnutls_key_st { - struct { - /* TLS 1.3 key share exchange */ + struct { /* These are kept outside the TLS1.3 union as they are + * negotiated via extension, even before protocol is negotiated */ + gnutls_pk_params_st ecdh_params; + gnutls_pk_params_st ecdhx_params; + gnutls_pk_params_st dh_params; + } kshare; + + /* The union contents depend on the negotiated protocol */ + union { struct { - gnutls_pk_params_st ecdh_params; - gnutls_pk_params_st ecdhx_params; - gnutls_pk_params_st dh_params; - /* the current (depending on state) secret, can be * early_secret, client_early_traffic_secret, ... */ uint8_t temp_secret[MAX_HASH_SIZE]; @@ -455,10 +458,9 @@ struct gnutls_key_st { uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_handshake_traffic_secret */ uint8_t hs_skey[MAX_HASH_SIZE]; /* server_handshake_traffic_secret */ uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */ - } kshare; /* tls1.3 */ + } tls13; /* tls1.3 */ /* Folow the SSL3.0 and TLS1.2 key exchanges */ - struct { /* For ECDH KX */ struct { diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c index f39aff24d8..721f334eca 100644 --- a/lib/handshake-tls13.c +++ b/lib/handshake-tls13.c @@ -157,8 +157,8 @@ static int generate_ap_traffic_keys(gnutls_session_t session) uint8_t zero[MAX_HASH_SIZE]; ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.proto.kshare.temp_secret, - session->key.proto.kshare.temp_secret); + NULL, 0, session->key.proto.tls13.temp_secret, + session->key.proto.tls13.temp_secret); if (ret < 0) return gnutls_assert_val(ret); @@ -170,13 +170,13 @@ static int generate_ap_traffic_keys(gnutls_session_t session) ret = _tls13_derive_secret(session, EXPORTER_MASTER_LABEL, sizeof(EXPORTER_MASTER_LABEL)-1, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer_server_finished_len, - session->key.proto.kshare.temp_secret, - session->key.proto.kshare.ap_expkey); + session->key.proto.tls13.temp_secret, + session->key.proto.tls13.ap_expkey); if (ret < 0) return gnutls_assert_val(ret); _gnutls_nss_keylog_write(session, "EXPORTER_SECRET", - session->key.proto.kshare.ap_expkey, + session->key.proto.tls13.ap_expkey, session->security_parameters.prf->output_size); _gnutls_epoch_bump(session); @@ -195,7 +195,7 @@ static int generate_hs_traffic_keys(gnutls_session_t session) { int ret; - if (unlikely(session->key.key.size == 0 || session->key.proto.kshare.temp_secret_size == 0)) + if (unlikely(session->key.key.size == 0 || session->key.proto.tls13.temp_secret_size == 0)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ret = _tls13_update_secret(session, session->key.key.data, session->key.key.size); diff --git a/lib/handshake.c b/lib/handshake.c index 9b7c776cb8..179fcb8009 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -1714,8 +1714,8 @@ read_server_hello(gnutls_session_t session, return gnutls_assert_val(ret); ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.proto.kshare.temp_secret, - session->key.proto.kshare.temp_secret); + NULL, 0, session->key.proto.tls13.temp_secret, + session->key.proto.tls13.temp_secret); if (ret < 0) return gnutls_assert_val(ret); @@ -2076,8 +2076,8 @@ int _gnutls_send_server_hello(gnutls_session_t session, int again) if (vers->tls13_sem) { ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.proto.kshare.temp_secret, - session->key.proto.kshare.temp_secret); + NULL, 0, session->key.proto.tls13.temp_secret, + session->key.proto.tls13.temp_secret); if (ret < 0) { gnutls_assert(); goto fail; @@ -149,7 +149,7 @@ gnutls_prf_rfc5705(gnutls_session_t session, } ret = _tls13_derive_secret(session, label, label_size, NULL, 0, - session->key.proto.kshare.ap_expkey, secret); + session->key.proto.tls13.ap_expkey, secret); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/secrets.c b/lib/secrets.c index 08c6e55686..73402f9e60 100644 --- a/lib/secrets.c +++ b/lib/secrets.c @@ -34,11 +34,11 @@ int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_ { char buf[128]; - session->key.proto.kshare.temp_secret_size = session->security_parameters.prf->output_size; + session->key.proto.tls13.temp_secret_size = session->security_parameters.prf->output_size; /* when no PSK, use the zero-value */ if (psk == NULL) { - psk_size = session->key.proto.kshare.temp_secret_size; + psk_size = session->key.proto.tls13.temp_secret_size; if (unlikely(psk_size >= sizeof(buf))) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); @@ -49,16 +49,16 @@ int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_ return gnutls_hmac_fast(session->security_parameters.prf->id, "", 0, psk, psk_size, - session->key.proto.kshare.temp_secret); + session->key.proto.tls13.temp_secret); } /* HKDF-Extract(Prev-Secret, key) */ int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t key_size) { return gnutls_hmac_fast(session->security_parameters.prf->id, - session->key.proto.kshare.temp_secret, session->key.proto.kshare.temp_secret_size, + session->key.proto.tls13.temp_secret, session->key.proto.tls13.temp_secret_size, key, key_size, - session->key.proto.kshare.temp_secret); + session->key.proto.tls13.temp_secret); } /* Derive-Secret(Secret, Label, Messages) */ diff --git a/lib/state.c b/lib/state.c index 79353b5c87..708f7649c7 100644 --- a/lib/state.c +++ b/lib/state.c @@ -169,33 +169,45 @@ gnutls_compression_get(gnutls_session_t session) static void deinit_keys(gnutls_session_t session) { - gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); - gnutls_pk_params_release(&session->key.proto.tls12.dh.params); + const version_entry_st *vers = get_version(session); - gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params); - gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params); - gnutls_pk_params_release(&session->key.proto.kshare.dh_params); - - zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x); - zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y); - _gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw); - - zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y); - - /* SRP */ - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key); + if (vers == NULL) + return; - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B); - zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b); + gnutls_pk_params_release(&session->key.kshare.ecdhx_params); + gnutls_pk_params_release(&session->key.kshare.ecdh_params); + gnutls_pk_params_release(&session->key.kshare.dh_params); + + if (!vers->tls13_sem) { + gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params); + gnutls_pk_params_release(&session->key.proto.tls12.dh.params); + zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x); + zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y); + _gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw); + + zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y); + + /* SRP */ + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key); + + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B); + zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b); + } else { + gnutls_memset(session->key.proto.tls13.temp_secret, 0, + sizeof(session->key.proto.tls13.temp_secret)); + gnutls_memset(session->key.proto.tls13.hs_ckey, 0, + sizeof(session->key.proto.tls13.hs_ckey)); + gnutls_memset(session->key.proto.tls13.hs_skey, 0, + sizeof(session->key.proto.tls13.hs_skey)); + } _gnutls_free_temp_key_datum(&session->key.key); - _gnutls_free_temp_key_datum(&session->key.key); } /* An internal version of _gnutls_handshake_internal_state_clear(), @@ -435,6 +447,9 @@ void gnutls_deinit(gnutls_session_t session) /* we rely on priorities' internal reference counting */ gnutls_priority_deinit(session->internals.priorities); + /* overwrite any temp TLS1.3 keys */ + gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto)); + gnutls_free(session); } diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c index a203b36881..9286f328f6 100644 --- a/lib/tls13/finished.c +++ b/lib/tls13/finished.c @@ -39,9 +39,9 @@ int _gnutls13_recv_finished(gnutls_session_t session) unsigned hash_size = session->security_parameters.prf->output_size; if (session->security_parameters.entity == GNUTLS_CLIENT) - base_key = session->key.proto.kshare.hs_skey; + base_key = session->key.proto.tls13.hs_skey; else - base_key = session->key.proto.kshare.hs_ckey; + base_key = session->key.proto.tls13.hs_ckey; ret = _tls13_expand_secret(session, "finished", 8, NULL, 0, base_key, hash_size, fkey); @@ -105,9 +105,9 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again) if (again == 0) { if (session->security_parameters.entity == GNUTLS_CLIENT) - base_key = session->key.proto.kshare.hs_ckey; + base_key = session->key.proto.tls13.hs_ckey; else - base_key = session->key.proto.kshare.hs_skey; + base_key = session->key.proto.tls13.hs_skey; ret = _tls13_expand_secret(session, "finished", 8, NULL, 0, base_key, hash_size, fkey); diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c index e1e6ca3abb..9b62e4c817 100644 --- a/lib/tls13/key_update.c +++ b/lib/tls13/key_update.c @@ -34,8 +34,8 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage) { int ret; - ret = _tls13_update_secret(session, session->key.proto.kshare.temp_secret, - session->key.proto.kshare.temp_secret_size); + ret = _tls13_update_secret(session, session->key.proto.tls13.temp_secret, + session->key.proto.tls13.temp_secret_size); if (ret < 0) return gnutls_assert_val(ret); |