Update state machine to be closer to TLS1.3 (92760c21) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

include/openssl/ssl.h

+3 −1

Original line number	Diff line number	Diff line
		@@ -2242,7 +2242,8 @@ int ERR_load_SSL_strings(void);
		# define SSL_F_SSL_WRITE_EX 433
		# define SSL_F_STATE_MACHINE 353
		# define SSL_F_TLS12_CHECK_PEER_SIGALG 333
		# define SSL_F_TLS13_CHANGE_CIPHER_STATE 435
		# define SSL_F_TLS13_CHANGE_CIPHER_STATE 440
		# define SSL_F_TLS13_SETUP_KEY_BLOCK 441
		# define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
		# define SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS 341
		# define SSL_F_TLS1_ENC 401
		@@ -2336,6 +2337,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_R_BIO_NOT_SET 128
		# define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
		# define SSL_R_BN_LIB 130
		# define SSL_R_CANNOT_CHANGE_CIPHER 109
		# define SSL_R_CA_DN_LENGTH_MISMATCH 131
		# define SSL_R_CA_KEY_TOO_SMALL 397
		# define SSL_R_CA_MD_TOO_WEAK 398

ssl/s3_lib.c

+16 −5

Original line number	Diff line number	Diff line
		@@ -4067,8 +4067,8 @@ EVP_PKEY *ssl_generate_pkey_curve(int id)
		}
		#endif

		/* Derive premaster or master secret for ECDH/DH */
		int ssl_derive(SSL s, EVP_PKEY privkey, EVP_PKEY *pubkey, int genmaster)
		/* Derive secrets for ECDH/DH */
		int ssl_derive(SSL s, EVP_PKEY privkey, EVP_PKEY *pubkey, int gensecret)
		{
		int rv = 0;
		unsigned char *pms = NULL;
		@@ -4093,9 +4093,20 @@ int ssl_derive(SSL s, EVP_PKEY privkey, EVP_PKEY *pubkey, int genmaster)
		if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0)
		goto err;

		if (genmaster) {
		if (gensecret) {
		if (SSL_IS_TLS13(s)) {
		/*
		* TODO(TLS1.3): For now we just use the default early_secret, this
		* will need to change later when other early_secrets will be
		* possible.
		*/
		rv = tls13_generate_early_secret(s, NULL, 0)
		&& tls13_generate_handshake_secret(s, pms, pmslen);
		OPENSSL_free(pms);
		} else {
		/* Generate master secret and discard premaster */
		rv = ssl_generate_master_secret(s, pms, pmslen, 1);
		}
		pms = NULL;
		} else {
		/* Save premaster secret */

ssl/ssl_err.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -239,6 +239,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
		{ERR_FUNC(SSL_F_STATE_MACHINE), "state_machine"},
		{ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
		{ERR_FUNC(SSL_F_TLS13_CHANGE_CIPHER_STATE), "tls13_change_cipher_state"},
		{ERR_FUNC(SSL_F_TLS13_SETUP_KEY_BLOCK), "tls13_setup_key_block"},
		{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "tls1_change_cipher_state"},
		{ERR_FUNC(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS),
		"tls1_check_duplicate_extensions"},
		@@ -368,6 +369,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
		{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
		"block cipher pad is wrong"},
		{ERR_REASON(SSL_R_BN_LIB), "bn lib"},
		{ERR_REASON(SSL_R_CANNOT_CHANGE_CIPHER), "cannot change cipher"},
		{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"},
		{ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
		{ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},

ssl/ssl_locl.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -2003,6 +2003,9 @@ __owur size_t tls1_final_finish_mac(SSL s, const char str, size_t slen,
		__owur int tls1_generate_master_secret(SSL s, unsigned char out,
		unsigned char *p, size_t len,
		size_t *secret_size);
		__owur int tls13_setup_key_block(SSL *s);
		__owur size_t tls13_final_finish_mac(SSL s, const char str, size_t slen,
		unsigned char *p);
		__owur int tls13_change_cipher_state(SSL *s, int which);
		__owur int tls13_derive_secret(SSL s, const unsigned char insecret,
		const unsigned char *label, size_t labellen,

ssl/statem/statem_clnt.c

+38 −47

Original line number	Diff line number	Diff line
		@@ -136,18 +136,28 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt)

		case TLS_ST_CR_SRVR_HELLO:
		if (s->hit) {
		if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
		st->hand_state = TLS_ST_CR_CHANGE;
		if (mt == SSL3_MT_FINISHED) {
		st->hand_state = TLS_ST_CR_FINISHED;
		return 1;
		}
		} else {
		if (mt == SSL3_MT_CERTIFICATE) {
		if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
		st->hand_state = TLS_ST_CR_CERT_REQ;
		return 1;
		} else if (mt == SSL3_MT_CERTIFICATE) {
		st->hand_state = TLS_ST_CR_CERT;
		return 1;
		}
		}
		break;

		case TLS_ST_CR_CERT_REQ:
		if (mt == SSL3_MT_CERTIFICATE) {
		st->hand_state = TLS_ST_CR_CERT;
		return 1;
		}
		break;

		case TLS_ST_CR_CERT:
		/*
		* The CertificateStatus message is optional even if
		@@ -160,38 +170,14 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt)
		/* Fall through */

		case TLS_ST_CR_CERT_STATUS:
		if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
		if (cert_req_allowed(s)) {
		st->hand_state = TLS_ST_CR_CERT_REQ;
		return 1;
		}
		goto err;
		}
		/* Fall through */

		case TLS_ST_CR_CERT_REQ:
		if (mt == SSL3_MT_SERVER_DONE) {
		st->hand_state = TLS_ST_CR_SRVR_DONE;
		return 1;
		}
		break;

		case TLS_ST_CW_FINISHED:
		if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
		st->hand_state = TLS_ST_CR_CHANGE;
		return 1;
		}
		break;

		case TLS_ST_CR_CHANGE:
		if (mt == SSL3_MT_FINISHED) {
		st->hand_state = TLS_ST_CR_FINISHED;
		return 1;
		}
		break;

		}

		err:
		/* No valid transition found */
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
		SSLerr(SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION,
		@@ -393,38 +379,22 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
		/* Shouldn't happen */
		return WRITE_TRAN_ERROR;

		case TLS_ST_CR_SRVR_DONE:
		case TLS_ST_CR_FINISHED:
		st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
		: TLS_ST_CW_CHANGE;
		: TLS_ST_CW_FINISHED;
		return WRITE_TRAN_CONTINUE;

		case TLS_ST_CW_CERT:
		/* If a non-empty Certificate we also send CertificateVerify */
		st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
		: TLS_ST_CW_CHANGE;
		: TLS_ST_CW_FINISHED;
		return WRITE_TRAN_CONTINUE;

		case TLS_ST_CW_CERT_VRFY:
		st->hand_state = TLS_ST_CW_CHANGE;
		return WRITE_TRAN_CONTINUE;

		case TLS_ST_CW_CHANGE:
		st->hand_state = TLS_ST_CW_FINISHED;
		return WRITE_TRAN_CONTINUE;

		case TLS_ST_CW_FINISHED:
		if (s->hit) {
		st->hand_state = TLS_ST_OK;
		ossl_statem_set_in_init(s, 0);
		return WRITE_TRAN_CONTINUE;
		}
		return WRITE_TRAN_FINISHED;

		case TLS_ST_CR_FINISHED:
		if (s->hit) {
		st->hand_state = TLS_ST_CW_CHANGE;
		return WRITE_TRAN_CONTINUE;
		}
		st->hand_state = TLS_ST_OK;
		ossl_statem_set_in_init(s, 0);
		return WRITE_TRAN_CONTINUE;
		@@ -666,6 +636,12 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
		#endif
		if (statem_flush(s) != 1)
		return WORK_MORE_B;

		if (SSL_IS_TLS13(s)) {
		if (!s->method->ssl3_enc->change_cipher_state(s,
		SSL3_CC_APPLICATION \| SSL3_CHANGE_CIPHER_CLIENT_WRITE))
		return WORK_ERROR;
		}
		break;
		}

		@@ -1343,6 +1319,21 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL s, PACKET pkt)
		}
		#endif

		/*
		* In TLSv1.3 we have some post-processing to change cipher state, otherwise
		* we're done with this message
		*/
		if (SSL_IS_TLS13(s)
		&& (!s->method->ssl3_enc->setup_key_block(s)
		\|\| !s->method->ssl3_enc->change_cipher_state(s,
		SSL3_CC_HANDSHAKE \| SSL3_CHANGE_CIPHER_CLIENT_WRITE)
		\|\| !s->method->ssl3_enc->change_cipher_state(s,
		SSL3_CC_HANDSHAKE \| SSL3_CHANGE_CIPHER_CLIENT_READ))) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_CANNOT_CHANGE_CIPHER);
		goto f_err;
		}

		return MSG_PROCESS_CONTINUE_READING;
		f_err:
		ssl3_send_alert(s, SSL3_AL_FATAL, al);