author | Matt Caswell <matt@openssl.org> | 2016-11-09 14:06:12 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-11-23 15:31:21 +0000 |
commit | 92760c21e62c6e5ef172fa110cf47a509cd50f2f (patch) | |
tree | a1aa35edbe72218b6897221e9427456199ef5e95 /ssl/s3_lib.c | |
parent | 0d9824c1712b6cacd9b0ecfba26fb66ae4badfb4 (diff) |
Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and a bit more like TLSv1.3.
After this commit we have:
ClientHello
+ key_share ---->
ServerHello
+key_share
{CertificateRequest*}
{Certificate*}
{CertificateStatus*}
<---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished} ---->
[ApplicationData] <---> [Application Data]
Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r-- | ssl/s3_lib.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index bcc0f9e5fd..524f5308f3 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4067,8 +4067,8 @@ EVP_PKEY *ssl_generate_pkey_curve(int id)
 }
 #endif
 
-/* Derive premaster or master secret for ECDH/DH */
-int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int genmaster)
+/* Derive secrets for ECDH/DH */
+int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
 {
 int rv = 0;
 unsigned char *pms = NULL;
@@ -4093,9 +4093,20 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int genmaster)
 if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0)
 goto err;
 
- if (genmaster) {
- /* Generate master secret and discard premaster */
- rv = ssl_generate_master_secret(s, pms, pmslen, 1);
+ if (gensecret) {
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * TODO(TLS1.3): For now we just use the default early_secret, this
+ * will need to change later when other early_secrets will be
+ * possible.
+ */
+ rv = tls13_generate_early_secret(s, NULL, 0)
+ && tls13_generate_handshake_secret(s, pms, pmslen);
+ OPENSSL_free(pms);
+ } else {
+ /* Generate master secret and discard premaster */
+ rv = ssl_generate_master_secret(s, pms, pmslen, 1);
+ }
 pms = NULL;
 } else {
 /* Save premaster secret */ |
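Review bot: In the new TLS 1.3 branch of the second hunk, the raw (EC)DH shared secret in `pms` is released with plain `OPENSSL_free(pms);`, so the key material is not wiped before the heap block is returned to the allocator. That line should be `OPENSSL_clear_free(pms, pmslen);`, so the shared secret does not linger in freed memory after the handshake secret has been derived. The TLS 1.2 branch passes `1` as the last argument to `ssl_generate_master_secret`, which presumably hands disposal of the buffer to that callee; it is worth confirming that path cleanses it as well. `ssl_derive` begins and ends outside this hunk, so the cleanup reached through `goto err` is not visible here.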