aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/internal/recordmethod.h3
-rw-r--r--ssl/d1_lib.c4
-rw-r--r--ssl/record/methods/dtls_meth.c6
-rw-r--r--ssl/record/methods/ktls_meth.c6
-rw-r--r--ssl/record/methods/tls_common.c6
-rw-r--r--ssl/record/rec_layer_s3.c14
-rw-r--r--ssl/record/record.h8
-rw-r--r--ssl/s3_enc.c4
-rw-r--r--ssl/ssl_lib.c9
-rw-r--r--ssl/statem/statem_clnt.c9
-rw-r--r--ssl/t1_enc.c4
-rw-r--r--ssl/tls13_enc.c9
-rw-r--r--test/tls13encryptiontest.c14
-rw-r--r--test/tls13secretstest.c5
14 files changed, 60 insertions, 41 deletions
diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h
index d6d432413a..fda3549590 100644
--- a/include/internal/recordmethod.h
+++ b/include/internal/recordmethod.h
@@ -124,6 +124,8 @@ struct ossl_record_method_st {
int role, int direction,
int level,
uint16_t epoch,
+ unsigned char *secret,
+ size_t secretlen,
unsigned char *key,
size_t keylen,
unsigned char *iv,
@@ -135,6 +137,7 @@ struct ossl_record_method_st {
int mactype,
const EVP_MD *md,
COMP_METHOD *comp,
+ const EVP_MD *kdfdigest,
BIO *prev,
BIO *transport,
BIO *next,
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 83ef67275e..3e644b3098 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -820,9 +820,9 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
if (!ssl_set_new_record_layer(s,
DTLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_READ,
- OSSL_RECORD_PROTECTION_LEVEL_NONE,
+ OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL)) {
+ NID_undef, NULL, NULL, NULL)) {
/* SSLfatal already called */
ret = -1;
goto end;
diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c
index 55e49188cd..2dae86b44c 100644
--- a/ssl/record/methods/dtls_meth.c
+++ b/ssl/record/methods/dtls_meth.c
@@ -624,12 +624,14 @@ static int dtls_free(OSSL_RECORD_LAYER *rl)
static int
dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
int role, int direction, int level, uint16_t epoch,
+ unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen, unsigned char *iv,
size_t ivlen, unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype,
- const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
- BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
+ const EVP_MD *md, COMP_METHOD *comp,
+ const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
+ BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
OSSL_RECORD_LAYER **retrl)
diff --git a/ssl/record/methods/ktls_meth.c b/ssl/record/methods/ktls_meth.c
index 21f7c41b44..5cd833d070 100644
--- a/ssl/record/methods/ktls_meth.c
+++ b/ssl/record/methods/ktls_meth.c
@@ -402,12 +402,14 @@ static int ktls_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec)
static int
ktls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
int role, int direction, int level, uint16_t epoch,
+ unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen, unsigned char *iv,
size_t ivlen, unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype,
- const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
- BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
+ const EVP_MD *md, COMP_METHOD *comp,
+ const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
+ BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
OSSL_RECORD_LAYER **retrl)
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 9fca10c50e..91d1545085 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -1324,12 +1324,14 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
static int
tls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
int role, int direction, int level, uint16_t epoch,
+ unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen, unsigned char *iv,
size_t ivlen, unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype,
- const EVP_MD *md, COMP_METHOD *comp, BIO *prev,
- BIO *transport, BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
+ const EVP_MD *md, COMP_METHOD *comp,
+ const EVP_MD *kdfdigest, BIO *prev, BIO *transport,
+ BIO *next, BIO_ADDR *local, BIO_ADDR *peer,
const OSSL_PARAM *settings, const OSSL_PARAM *options,
const OSSL_DISPATCH *fns, void *cbarg, void *rlarg,
OSSL_RECORD_LAYER **retrl)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 7fa22bb02b..fadac90e52 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1155,12 +1155,13 @@ static int ssl_post_record_layer_select(SSL_CONNECTION *s, int direction)
int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
int direction, int level,
+ unsigned char *secret, size_t secretlen,
unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ const SSL_COMP *comp, const EVP_MD *kdfdigest)
{
OSSL_PARAM options[5], *opts = options;
OSSL_PARAM settings[6], *set = settings;
@@ -1330,11 +1331,12 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
rlret = meth->new_record_layer(sctx->libctx, sctx->propq, version,
s->server, direction, level, epoch,
- key, keylen, iv, ivlen, mackey,
- mackeylen, ciph, taglen, mactype, md,
- compm, prev, thisbio, next, NULL, NULL,
- settings, options, rlayer_dispatch_tmp,
- s, s->rlayer.rlarg, &newrl);
+ secret, secretlen, key, keylen, iv,
+ ivlen, mackey, mackeylen, ciph, taglen,
+ mactype, md, compm, kdfdigest, prev,
+ thisbio, next, NULL, NULL, settings,
+ options, rlayer_dispatch_tmp, s,
+ s->rlayer.rlarg, &newrl);
BIO_free(prev);
switch (rlret) {
case OSSL_RECORD_RETURN_FATAL:
diff --git a/ssl/record/record.h b/ssl/record/record.h
index e2fdd05f0c..cd2b78698d 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -173,13 +173,15 @@ void ssl_release_record(SSL_CONNECTION *s, TLS_RECORD *rr);
int ossl_tls_handle_rlayer_return(SSL_CONNECTION *s, int writing, int ret,
char *file, int line);
-int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
- int level, unsigned char *key, size_t keylen,
+int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
+ int direction, int level,
+ unsigned char *secret, size_t secretlen,
+ unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype, const EVP_MD *md,
- const SSL_COMP *comp);
+ const SSL_COMP *comp, const EVP_MD *kdfdigest);
int ssl_set_record_protocol_version(SSL_CONNECTION *s, int vers);
# define OSSL_FUNC_RLAYER_SKIP_EARLY_DATA 1
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 67123c7372..d13a28697e 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -146,8 +146,8 @@ int ssl3_change_cipher_state(SSL_CONNECTION *s, int which)
if (!ssl_set_new_record_layer(s, SSL3_VERSION,
direction,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
- key, key_len, iv, iv_len, mac_secret,
- md_len, ciph, 0, NID_undef, md, comp)) {
+ NULL, 0, key, key_len, iv, iv_len, mac_secret,
+ md_len, ciph, 0, NID_undef, md, comp, NULL)) {
/* SSLfatal already called */
goto err;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1a5bc6d3e4..ffae69bc38 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -553,17 +553,18 @@ static int clear_record_layer(SSL_CONNECTION *s)
SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
: TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_READ,
- OSSL_RECORD_PROTECTION_LEVEL_NONE,
+ OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL);
+ NID_undef, NULL, NULL, NULL);
ret &= ssl_set_new_record_layer(s,
SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
: TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
- OSSL_RECORD_PROTECTION_LEVEL_NONE,
+ OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL);
+ NID_undef, NULL, NULL, NULL);
+
/* SSLfatal already called in the event of failure */
return ret;
}
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index a1b7954a66..f1ed43abd3 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -720,8 +720,9 @@ WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
- NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL)) {
+ NULL, 0, NULL, 0, NULL, 0, NULL, 0,
+ NULL, 0, NID_undef, NULL, NULL,
+ NULL)) {
/* SSLfatal already called */
return WORK_ERROR;
}
@@ -1793,8 +1794,8 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
TLS_ANY_VERSION,
OSSL_RECORD_DIRECTION_WRITE,
OSSL_RECORD_PROTECTION_LEVEL_NONE,
- NULL, 0, NULL, 0, NULL, 0, NULL, 0,
- NID_undef, NULL, NULL)) {
+ NULL, 0, NULL, 0, NULL, 0, NULL, 0,
+ NULL, 0, NID_undef, NULL, NULL, NULL)) {
/* SSLfatal already called */
goto err;
}
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 0265210524..712a784a0d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -268,9 +268,9 @@ int tls1_change_cipher_state(SSL_CONNECTION *s, int which)
if (!ssl_set_new_record_layer(s, s->version, direction,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
- key, cl, iv, (size_t)k, mac_secret,
+ NULL, 0, key, cl, iv, (size_t)k, mac_secret,
mac_secret_size, c, taglen, mac_type,
- m, comp)) {
+ m, comp, NULL)) {
/* SSLfatal already called */
goto err;
}
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 6d2f46441a..30ef3a8410 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -678,8 +678,9 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which)
if (!ssl_set_new_record_layer(s, s->version,
direction,
- level, key, keylen, iv, ivlen, NULL, 0,
- cipher, taglen, NID_undef, NULL, NULL)) {
+ level, insecret, hashlen, key, keylen, iv,
+ ivlen, NULL, 0, cipher, taglen, NID_undef,
+ NULL, NULL, md)) {
/* SSLfatal already called */
goto err;
}
@@ -736,9 +737,9 @@ int tls13_update_key(SSL_CONNECTION *s, int sending)
if (!ssl_set_new_record_layer(s, s->version,
direction,
OSSL_RECORD_PROTECTION_LEVEL_APPLICATION,
- key, keylen, iv, ivlen, NULL, 0,
+ insecret, hashlen, key, keylen, iv, ivlen, NULL, 0,
s->s3.tmp.new_sym_enc, taglen, NID_undef, NULL,
- NULL)) {
+ NULL, md)) {
/* SSLfatal already called */
goto err;
}
diff --git a/test/tls13encryptiontest.c b/test/tls13encryptiontest.c
index 1529e1b1ba..cecbb4296b 100644
--- a/test/tls13encryptiontest.c
+++ b/test/tls13encryptiontest.c
@@ -335,10 +335,11 @@ static int test_tls13_encryption(void)
if (!TEST_true(ossl_tls_record_method.new_record_layer(
NULL, NULL, TLS1_3_VERSION, OSSL_RECORD_ROLE_SERVER,
OSSL_RECORD_DIRECTION_WRITE,
- OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
- iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
+ OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, NULL, 0,
+ key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, &wrl)))
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ &wrl)))
goto err;
memcpy(wrl->sequence, seqbuf, sizeof(seqbuf));
@@ -357,10 +358,11 @@ static int test_tls13_encryption(void)
if (!TEST_true(ossl_tls_record_method.new_record_layer(
NULL, NULL, TLS1_3_VERSION, OSSL_RECORD_ROLE_SERVER,
OSSL_RECORD_DIRECTION_READ,
- OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
- iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
+ OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, NULL, 0,
+ key, 16, iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, &rrl)))
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ &rrl)))
goto err;
memcpy(rrl->sequence, seqbuf, sizeof(seqbuf));
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index 923e713c00..f51dd9e9db 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -218,12 +218,13 @@ void ssl_evp_md_free(const EVP_MD *md)
}
int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
- int level, unsigned char *key, size_t keylen,
+ int level, unsigned char *secret, size_t secretlen,
+ unsigned char *key, size_t keylen,
unsigned char *iv, size_t ivlen,
unsigned char *mackey, size_t mackeylen,
const EVP_CIPHER *ciph, size_t taglen,
int mactype, const EVP_MD *md,
- const SSL_COMP *comp)
+ const SSL_COMP *comp, const EVP_MD *kdfdigest)
{
return 0;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-07 10:40:43 +0000