narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[tls] Generate master secret at point of sending ClientKeyExchange 

The master secret is currently constructed upon receiving the
ServerHello message.  This precludes the use of key exchange
mechanisms such as Ephemeral Diffie-Hellman (DHE), which require a
ServerKeyExchange message to exchange additional key material before
the pre-master secret and master secret can be constructed.

Allow for the use of such cipher suites by deferring generation of the
master secret until the point of sending the ClientKeyExchange
message.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/785/head
Michael Brown 2022-10-06 16:06:44 +01:00
parent 18b861024a
commit 1a7317e7d4
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/net/tls.c
View File

@ -1220,6 +1220,16 @@ static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
int len;
int rc;
/* Generate master secret */
tls_generate_master_secret ( tls );
/* Generate keys */
if ( ( rc = tls_generate_keys ( tls ) ) != 0 ) {
DBGC ( tls, "TLS %p could not generate keys: %s\n",
tls, strerror ( rc ) );
return rc;
}
/* Encrypt pre-master secret using server's public key */
memset ( &key_xchg, 0, sizeof ( key_xchg ) );
len = pubkey_encrypt ( pubkey, cipherspec->pubkey_ctx,
@ -1622,7 +1632,7 @@ static int tls_new_server_hello ( struct tls_connection *tls,
if ( ( rc = tls_select_cipher ( tls, hello_b->cipher_suite ) ) != 0 )
return rc;
/* Reuse or generate master secret */
/* Check session ID */
if ( hello_a->session_id_len &&
( hello_a->session_id_len == tls->session_id_len ) &&
( memcmp ( session_id, tls->session_id,
@ -1631,12 +1641,11 @@ static int tls_new_server_hello ( struct tls_connection *tls,
/* Session ID match: reuse master secret */
DBGC ( tls, "TLS %p resuming session ID:\n", tls );
DBGC_HDA ( tls, 0, tls->session_id, tls->session_id_len );
if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
return rc;
} else {
/* Generate new master secret */
tls_generate_master_secret ( tls );
/* Record new session ID, if present */
if ( hello_a->session_id_len &&
( hello_a->session_id_len <= sizeof ( tls->session_id ))){
@ -1649,10 +1658,6 @@ static int tls_new_server_hello ( struct tls_connection *tls,
}
}
/* Generate keys */
if ( ( rc = tls_generate_keys ( tls ) ) != 0 )
return rc;
/* Handle secure renegotiation */
if ( tls->secure_renegotiation ) {