summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-11-08 13:13:31 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-02-19 15:29:36 +0100
commit1b12320a6938d327b07fc3c1e48ea6fe03d59a9b (patch)
tree9791f6bc4e1c559f949b7d12bdf58ae282bda02d /lib
parentdcf2a8d3bd69ed0b994bed1753fe47a83366786e (diff)
downloadgnutls-1b12320a6938d327b07fc3c1e48ea6fe03d59a9b.tar.gz
session state: TLS1.2 and TLS1.3 state is stored as union
That is, to reduce memory usage as these protocol cannot be used in parallel. Relates: #281 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/constate.c36
-rw-r--r--lib/ext/key_share.c96
-rw-r--r--lib/gnutls_int.h18
-rw-r--r--lib/handshake-tls13.c12
-rw-r--r--lib/handshake.c8
-rw-r--r--lib/prf.c2
-rw-r--r--lib/secrets.c10
-rw-r--r--lib/state.c61
-rw-r--r--lib/tls13/finished.c8
-rw-r--r--lib/tls13/key_update.c4
10 files changed, 136 insertions, 119 deletions
diff --git a/lib/constate.c b/lib/constate.c
index a1a1d96221..a773d55ecf 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -252,32 +252,32 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE,
sizeof(APPLICATION_TRAFFIC_UPDATE)-1,
NULL, 0,
- session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.hs_ckey);
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.hs_ckey);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_ckey, key_size, key_block);
+ ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_ckey, key_size, key_block);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_ckey, iv_size, iv_block);
+ ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_ckey, iv_size, iv_block);
if (ret < 0)
return gnutls_assert_val(ret);
} else {
ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE,
sizeof(APPLICATION_TRAFFIC_UPDATE)-1,
NULL, 0,
- session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.hs_skey);
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.hs_skey);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_skey, key_size, key_block);
+ ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_skey, key_size, key_block);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_skey, iv_size, iv_block);
+ ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_skey, iv_size, iv_block);
if (ret < 0)
return gnutls_assert_val(ret);
}
@@ -344,21 +344,21 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_derive_secret(session, label, label_size,
session->internals.handshake_hash_buffer.data,
hsk_len,
- session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.hs_ckey);
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.hs_ckey);
if (ret < 0)
return gnutls_assert_val(ret);
_gnutls_nss_keylog_write(session, keylog_label,
- session->key.proto.kshare.hs_ckey,
+ session->key.proto.tls13.hs_ckey,
session->security_parameters.prf->output_size);
/* client keys */
- ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_ckey, key_size, ckey_block);
+ ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_ckey, key_size, ckey_block);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_ckey, iv_size, civ_block);
+ ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_ckey, iv_size, civ_block);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -376,21 +376,21 @@ _tls13_set_keys(gnutls_session_t session, hs_stage_t stage,
ret = _tls13_derive_secret(session, label, label_size,
session->internals.handshake_hash_buffer.data,
hsk_len,
- session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.hs_skey);
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.hs_skey);
if (ret < 0)
return gnutls_assert_val(ret);
_gnutls_nss_keylog_write(session, keylog_label,
- session->key.proto.kshare.hs_skey,
+ session->key.proto.tls13.hs_skey,
session->security_parameters.prf->output_size);
- ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.kshare.hs_skey, key_size, skey_block);
+ ret = _tls13_expand_secret(session, "key", 3, NULL, 0, session->key.proto.tls13.hs_skey, key_size, skey_block);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.kshare.hs_skey, iv_size, siv_block);
+ ret = _tls13_expand_secret(session, "iv", 2, NULL, 0, session->key.proto.tls13.hs_skey, iv_size, siv_block);
if (ret < 0)
return gnutls_assert_val(ret);
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index c7d5d8cc37..d4cf9b78c8 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -87,17 +87,17 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
return gnutls_assert_val(ret);
if (group->pk == GNUTLS_PK_EC) {
- gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params);
- gnutls_pk_params_init(&session->key.proto.kshare.ecdh_params);
+ gnutls_pk_params_release(&session->key.kshare.ecdh_params);
+ gnutls_pk_params_init(&session->key.kshare.ecdh_params);
ret = _gnutls_pk_generate_keys(group->pk, group->curve,
- &session->key.proto.kshare.ecdh_params, 1);
+ &session->key.kshare.ecdh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
ret = _gnutls_ecc_ansi_x962_export(group->curve,
- session->key.proto.kshare.ecdh_params.params[ECC_X],
- session->key.proto.kshare.ecdh_params.params[ECC_Y],
+ session->key.kshare.ecdh_params.params[ECC_X],
+ session->key.kshare.ecdh_params.params[ECC_Y],
&tmp);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -109,54 +109,54 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
goto cleanup;
}
- session->key.proto.kshare.ecdh_params.algo = group->pk;
- session->key.proto.kshare.ecdh_params.curve = group->curve;
+ session->key.kshare.ecdh_params.algo = group->pk;
+ session->key.kshare.ecdh_params.curve = group->curve;
ret = 0;
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
- gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params);
- gnutls_pk_params_init(&session->key.proto.kshare.ecdhx_params);
+ gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
+ gnutls_pk_params_init(&session->key.kshare.ecdhx_params);
ret = _gnutls_pk_generate_keys(group->pk, group->curve,
- &session->key.proto.kshare.ecdhx_params, 1);
+ &session->key.kshare.ecdhx_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
_gnutls_buffer_append_data_prefix(extdata, 16,
- session->key.proto.kshare.ecdhx_params.raw_pub.data,
- session->key.proto.kshare.ecdhx_params.raw_pub.size);
+ session->key.kshare.ecdhx_params.raw_pub.data,
+ session->key.kshare.ecdhx_params.raw_pub.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
- session->key.proto.kshare.ecdhx_params.algo = group->pk;
- session->key.proto.kshare.ecdhx_params.curve = group->curve;
+ session->key.kshare.ecdhx_params.algo = group->pk;
+ session->key.kshare.ecdhx_params.curve = group->curve;
ret = 0;
} else if (group->pk == GNUTLS_PK_DH) {
/* we need to initialize the group parameters first */
- gnutls_pk_params_release(&session->key.proto.kshare.dh_params);
- gnutls_pk_params_init(&session->key.proto.kshare.dh_params);
+ gnutls_pk_params_release(&session->key.kshare.dh_params);
+ gnutls_pk_params_init(&session->key.kshare.dh_params);
- ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_G],
+ ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G],
group->generator->data, group->generator->size);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_P],
+ ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P],
group->prime->data, group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
- session->key.proto.kshare.dh_params.algo = group->pk;
- session->key.proto.kshare.dh_params.qbits = *group->q_bits;
- session->key.proto.kshare.dh_params.params_nr = 3; /* empty q */
+ session->key.kshare.dh_params.algo = group->pk;
+ session->key.kshare.dh_params.qbits = *group->q_bits;
+ session->key.kshare.dh_params.params_nr = 3; /* empty q */
- ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.proto.kshare.dh_params, 1);
+ ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -165,7 +165,7 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.proto.kshare.dh_params.params[DH_Y],
+ ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare.dh_params.params[DH_Y],
group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -202,8 +202,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent
if (group->pk == GNUTLS_PK_EC) {
ret = _gnutls_ecc_ansi_x962_export(group->curve,
- session->key.proto.kshare.ecdh_params.params[ECC_X],
- session->key.proto.kshare.ecdh_params.params[ECC_Y],
+ session->key.kshare.ecdh_params.params[ECC_X],
+ session->key.kshare.ecdh_params.params[ECC_Y],
&tmp);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -220,8 +220,8 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
ret =
_gnutls_buffer_append_data_prefix(extdata, 16,
- session->key.proto.kshare.ecdhx_params.raw_pub.data,
- session->key.proto.kshare.ecdhx_params.raw_pub.size);
+ session->key.kshare.ecdhx_params.raw_pub.data,
+ session->key.kshare.ecdhx_params.raw_pub.size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -233,7 +233,7 @@ static int server_gen_key_share(gnutls_session_t session, const gnutls_group_ent
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.proto.kshare.dh_params.params[DH_Y],
+ ret = _gnutls_buffer_append_fixed_mpi(extdata, session->key.kshare.dh_params.params[DH_Y],
group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -258,8 +258,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
if (group->pk == GNUTLS_PK_EC) {
gnutls_pk_params_st pub;
- gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params);
- gnutls_pk_params_init(&session->key.proto.kshare.ecdh_params);
+ gnutls_pk_params_release(&session->key.kshare.ecdh_params);
+ gnutls_pk_params_init(&session->key.kshare.ecdh_params);
curve = _gnutls_ecc_curve_get_params(group->curve);
@@ -269,7 +269,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* generate our key */
- ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.proto.kshare.ecdh_params, 1);
+ ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare.ecdh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -285,7 +285,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
pub.params_nr = 2;
/* generate shared */
- ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdh_params, &pub);
+ ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdh_params, &pub);
gnutls_pk_params_release(&pub);
if (ret < 0) {
return gnutls_assert_val(ret);
@@ -296,8 +296,8 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
} else if (group->pk == GNUTLS_PK_ECDH_X25519) {
gnutls_pk_params_st pub;
- gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params);
- gnutls_pk_params_init(&session->key.proto.kshare.ecdhx_params);
+ gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
+ gnutls_pk_params_init(&session->key.kshare.ecdhx_params);
curve = _gnutls_ecc_curve_get_params(group->curve);
@@ -305,7 +305,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* generate our key */
- ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.proto.kshare.ecdhx_params, 1);
+ ret = _gnutls_pk_generate_keys(curve->pk, curve->id, &session->key.kshare.ecdhx_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -321,7 +321,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
/* We don't mask the MSB in the final byte as required
* by RFC7748. This will be done internally by nettle 3.3 or later.
*/
- ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdhx_params, &pub);
+ ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdhx_params, &pub);
if (ret < 0) {
return gnutls_assert_val(ret);
}
@@ -332,29 +332,29 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
gnutls_pk_params_st pub;
/* we need to initialize the group parameters first */
- gnutls_pk_params_release(&session->key.proto.kshare.dh_params);
- gnutls_pk_params_init(&session->key.proto.kshare.dh_params);
+ gnutls_pk_params_release(&session->key.kshare.dh_params);
+ gnutls_pk_params_init(&session->key.kshare.dh_params);
if (data_size != group->prime->size)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
/* set group params */
- ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_G],
+ ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G],
group->generator->data, group->generator->size);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_mpi_init_scan_nz(&session->key.proto.kshare.dh_params.params[DH_P],
+ ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P],
group->prime->data, group->prime->size);
if (ret < 0)
return gnutls_assert_val(ret);
- session->key.proto.kshare.dh_params.algo = GNUTLS_PK_DH;
- session->key.proto.kshare.dh_params.qbits = *group->q_bits;
- session->key.proto.kshare.dh_params.params_nr = 3; /* empty q */
+ session->key.kshare.dh_params.algo = GNUTLS_PK_DH;
+ session->key.kshare.dh_params.qbits = *group->q_bits;
+ session->key.kshare.dh_params.params_nr = 3; /* empty q */
/* generate our keys */
- ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.proto.kshare.dh_params, 1);
+ ret = _gnutls_pk_generate_keys(group->pk, 0, &session->key.kshare.dh_params, 1);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -369,7 +369,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
pub.algo = group->pk;
/* generate shared key */
- ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.proto.kshare.dh_params, &pub);
+ ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare.dh_params, &pub);
_gnutls_mpi_release(&pub.params[DH_Y]);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -415,7 +415,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
pub.params_nr = 2;
/* generate shared key */
- ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdh_params, &pub);
+ ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdh_params, &pub);
gnutls_pk_params_release(&pub);
if (ret < 0) {
return gnutls_assert_val(ret);
@@ -443,7 +443,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
/* We don't mask the MSB in the final byte as required
* by RFC7748. This will be done internally by nettle 3.3 or later.
*/
- ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.proto.kshare.ecdhx_params, &pub);
+ ret = _gnutls_pk_derive_tls13(curve->pk, &session->key.key, &session->key.kshare.ecdhx_params, &pub);
if (ret < 0) {
return gnutls_assert_val(ret);
}
@@ -467,7 +467,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
pub.algo = group->pk;
/* generate shared key */
- ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.proto.kshare.dh_params, &pub);
+ ret = _gnutls_pk_derive_tls13(GNUTLS_PK_DH, &session->key.key, &session->key.kshare.dh_params, &pub);
_gnutls_mpi_release(&pub.params[DH_Y]);
if (ret < 0)
return gnutls_assert_val(ret);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 648168c4c7..d8de3a5903 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -441,13 +441,16 @@ typedef struct auth_cred_st {
} auth_cred_st;
struct gnutls_key_st {
- struct {
- /* TLS 1.3 key share exchange */
+ struct { /* These are kept outside the TLS1.3 union as they are
+ * negotiated via extension, even before protocol is negotiated */
+ gnutls_pk_params_st ecdh_params;
+ gnutls_pk_params_st ecdhx_params;
+ gnutls_pk_params_st dh_params;
+ } kshare;
+
+ /* The union contents depend on the negotiated protocol */
+ union {
struct {
- gnutls_pk_params_st ecdh_params;
- gnutls_pk_params_st ecdhx_params;
- gnutls_pk_params_st dh_params;
-
/* the current (depending on state) secret, can be
* early_secret, client_early_traffic_secret, ... */
uint8_t temp_secret[MAX_HASH_SIZE];
@@ -455,10 +458,9 @@ struct gnutls_key_st {
uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_handshake_traffic_secret */
uint8_t hs_skey[MAX_HASH_SIZE]; /* server_handshake_traffic_secret */
uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */
- } kshare; /* tls1.3 */
+ } tls13; /* tls1.3 */
/* Folow the SSL3.0 and TLS1.2 key exchanges */
-
struct {
/* For ECDH KX */
struct {
diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
index f39aff24d8..721f334eca 100644
--- a/lib/handshake-tls13.c
+++ b/lib/handshake-tls13.c
@@ -157,8 +157,8 @@ static int generate_ap_traffic_keys(gnutls_session_t session)
uint8_t zero[MAX_HASH_SIZE];
ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1,
- NULL, 0, session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.temp_secret);
+ NULL, 0, session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -170,13 +170,13 @@ static int generate_ap_traffic_keys(gnutls_session_t session)
ret = _tls13_derive_secret(session, EXPORTER_MASTER_LABEL, sizeof(EXPORTER_MASTER_LABEL)-1,
session->internals.handshake_hash_buffer.data,
session->internals.handshake_hash_buffer_server_finished_len,
- session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.ap_expkey);
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.ap_expkey);
if (ret < 0)
return gnutls_assert_val(ret);
_gnutls_nss_keylog_write(session, "EXPORTER_SECRET",
- session->key.proto.kshare.ap_expkey,
+ session->key.proto.tls13.ap_expkey,
session->security_parameters.prf->output_size);
_gnutls_epoch_bump(session);
@@ -195,7 +195,7 @@ static int generate_hs_traffic_keys(gnutls_session_t session)
{
int ret;
- if (unlikely(session->key.key.size == 0 || session->key.proto.kshare.temp_secret_size == 0))
+ if (unlikely(session->key.key.size == 0 || session->key.proto.tls13.temp_secret_size == 0))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
ret = _tls13_update_secret(session, session->key.key.data, session->key.key.size);
diff --git a/lib/handshake.c b/lib/handshake.c
index 9b7c776cb8..179fcb8009 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -1714,8 +1714,8 @@ read_server_hello(gnutls_session_t session,
return gnutls_assert_val(ret);
ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1,
- NULL, 0, session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.temp_secret);
+ NULL, 0, session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret);
if (ret < 0)
return gnutls_assert_val(ret);
@@ -2076,8 +2076,8 @@ int _gnutls_send_server_hello(gnutls_session_t session, int again)
if (vers->tls13_sem) {
ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1,
- NULL, 0, session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.temp_secret);
+ NULL, 0, session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret);
if (ret < 0) {
gnutls_assert();
goto fail;
diff --git a/lib/prf.c b/lib/prf.c
index bbd021d317..b7e926febf 100644
--- a/lib/prf.c
+++ b/lib/prf.c
@@ -149,7 +149,7 @@ gnutls_prf_rfc5705(gnutls_session_t session,
}
ret = _tls13_derive_secret(session, label, label_size, NULL, 0,
- session->key.proto.kshare.ap_expkey, secret);
+ session->key.proto.tls13.ap_expkey, secret);
if (ret < 0)
return gnutls_assert_val(ret);
diff --git a/lib/secrets.c b/lib/secrets.c
index 08c6e55686..73402f9e60 100644
--- a/lib/secrets.c
+++ b/lib/secrets.c
@@ -34,11 +34,11 @@ int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_
{
char buf[128];
- session->key.proto.kshare.temp_secret_size = session->security_parameters.prf->output_size;
+ session->key.proto.tls13.temp_secret_size = session->security_parameters.prf->output_size;
/* when no PSK, use the zero-value */
if (psk == NULL) {
- psk_size = session->key.proto.kshare.temp_secret_size;
+ psk_size = session->key.proto.tls13.temp_secret_size;
if (unlikely(psk_size >= sizeof(buf)))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
@@ -49,16 +49,16 @@ int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_
return gnutls_hmac_fast(session->security_parameters.prf->id,
"", 0,
psk, psk_size,
- session->key.proto.kshare.temp_secret);
+ session->key.proto.tls13.temp_secret);
}
/* HKDF-Extract(Prev-Secret, key) */
int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t key_size)
{
return gnutls_hmac_fast(session->security_parameters.prf->id,
- session->key.proto.kshare.temp_secret, session->key.proto.kshare.temp_secret_size,
+ session->key.proto.tls13.temp_secret, session->key.proto.tls13.temp_secret_size,
key, key_size,
- session->key.proto.kshare.temp_secret);
+ session->key.proto.tls13.temp_secret);
}
/* Derive-Secret(Secret, Label, Messages) */
diff --git a/lib/state.c b/lib/state.c
index 79353b5c87..708f7649c7 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -169,33 +169,45 @@ gnutls_compression_get(gnutls_session_t session)
static void deinit_keys(gnutls_session_t session)
{
- gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
- gnutls_pk_params_release(&session->key.proto.tls12.dh.params);
+ const version_entry_st *vers = get_version(session);
- gnutls_pk_params_release(&session->key.proto.kshare.ecdhx_params);
- gnutls_pk_params_release(&session->key.proto.kshare.ecdh_params);
- gnutls_pk_params_release(&session->key.proto.kshare.dh_params);
-
- zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x);
- zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y);
- _gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw);
-
- zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y);
-
- /* SRP */
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key);
+ if (vers == NULL)
+ return;
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B);
- zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b);
+ gnutls_pk_params_release(&session->key.kshare.ecdhx_params);
+ gnutls_pk_params_release(&session->key.kshare.ecdh_params);
+ gnutls_pk_params_release(&session->key.kshare.dh_params);
+
+ if (!vers->tls13_sem) {
+ gnutls_pk_params_release(&session->key.proto.tls12.ecdh.params);
+ gnutls_pk_params_release(&session->key.proto.tls12.dh.params);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.x);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.ecdh.y);
+ _gnutls_free_temp_key_datum(&session->key.proto.tls12.ecdh.raw);
+
+ zrelease_temp_mpi_key(&session->key.proto.tls12.dh.client_Y);
+
+ /* SRP */
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_p);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_g);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.srp_key);
+
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.u);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.a);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.x);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.A);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.B);
+ zrelease_temp_mpi_key(&session->key.proto.tls12.srp.b);
+ } else {
+ gnutls_memset(session->key.proto.tls13.temp_secret, 0,
+ sizeof(session->key.proto.tls13.temp_secret));
+ gnutls_memset(session->key.proto.tls13.hs_ckey, 0,
+ sizeof(session->key.proto.tls13.hs_ckey));
+ gnutls_memset(session->key.proto.tls13.hs_skey, 0,
+ sizeof(session->key.proto.tls13.hs_skey));
+ }
_gnutls_free_temp_key_datum(&session->key.key);
- _gnutls_free_temp_key_datum(&session->key.key);
}
/* An internal version of _gnutls_handshake_internal_state_clear(),
@@ -435,6 +447,9 @@ void gnutls_deinit(gnutls_session_t session)
/* we rely on priorities' internal reference counting */
gnutls_priority_deinit(session->internals.priorities);
+ /* overwrite any temp TLS1.3 keys */
+ gnutls_memset(&session->key.proto, 0, sizeof(session->key.proto));
+
gnutls_free(session);
}
diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c
index a203b36881..9286f328f6 100644
--- a/lib/tls13/finished.c
+++ b/lib/tls13/finished.c
@@ -39,9 +39,9 @@ int _gnutls13_recv_finished(gnutls_session_t session)
unsigned hash_size = session->security_parameters.prf->output_size;
if (session->security_parameters.entity == GNUTLS_CLIENT)
- base_key = session->key.proto.kshare.hs_skey;
+ base_key = session->key.proto.tls13.hs_skey;
else
- base_key = session->key.proto.kshare.hs_ckey;
+ base_key = session->key.proto.tls13.hs_ckey;
ret = _tls13_expand_secret(session, "finished", 8, NULL, 0, base_key,
hash_size, fkey);
@@ -105,9 +105,9 @@ int _gnutls13_send_finished(gnutls_session_t session, unsigned again)
if (again == 0) {
if (session->security_parameters.entity == GNUTLS_CLIENT)
- base_key = session->key.proto.kshare.hs_ckey;
+ base_key = session->key.proto.tls13.hs_ckey;
else
- base_key = session->key.proto.kshare.hs_skey;
+ base_key = session->key.proto.tls13.hs_skey;
ret = _tls13_expand_secret(session, "finished", 8, NULL, 0, base_key,
hash_size, fkey);
diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c
index e1e6ca3abb..9b62e4c817 100644
--- a/lib/tls13/key_update.c
+++ b/lib/tls13/key_update.c
@@ -34,8 +34,8 @@ static int update_keys(gnutls_session_t session, hs_stage_t stage)
{
int ret;
- ret = _tls13_update_secret(session, session->key.proto.kshare.temp_secret,
- session->key.proto.kshare.temp_secret_size);
+ ret = _tls13_update_secret(session, session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.temp_secret_size);
if (ret < 0)
return gnutls_assert_val(ret);