shithub: riscv

Download patch

ref: ad6b99359d4bc513e9a24f865bd310743b75e259
parent: 54c49284e03e46f6e3a5d41bfc9fbc98c6f0b214
author: cinap_lenrek <[email protected]>
date: Sun Apr 17 03:20:54 EDT 2016

libsec: massive cleanup of tlshand.c

don't pass or generate sessionID's. this was never used nor
actually implemented and leaks the process pid.

get rid of version and random field duplications, move TlsSec
structure into TlsConnection.

make msgRecv() clear the message first, get rid of unneccesary
msgClear() calls.

--- a/sys/src/libsec/port/tlshand.c
+++ b/sys/src/libsec/port/tlshand.c
@@ -20,14 +20,11 @@
 	MaxChunk = 1<<15,
 	MAXdlen = SHA2_512dlen,
 	RandomSize = 32,
-	SidSize = 32,
 	MasterSecretSize = 48,
 	AQueue = 0,
 	AFlush = 1,
 };
 
-typedef struct TlsSec TlsSec;
-
 typedef struct Bytes{
 	int len;
 	uchar data[1];  // [len]
@@ -62,21 +59,39 @@
 	SHA2_256state	sha2_256;
 } HandshakeHash;
 
+typedef struct TlsSec TlsSec;
+struct TlsSec {
+	RSApub *rsapub;
+	AuthRpc *rpc;	// factotum for rsa private key
+	uchar *psk;	// pre-shared key
+	int psklen;
+	int clientVers;			// version in ClientHello
+	uchar sec[MasterSecretSize];	// master secret
+	uchar crandom[RandomSize];	// client random
+	uchar srandom[RandomSize];	// server random
+	// byte generation and handshake checksum
+	void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
+	void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
+	int nfin;
+};
+
 typedef struct TlsConnection{
-	TlsSec *sec;	// security management goo
+	TlsSec sec[1];	// security management goo
 	int hand, ctl;	// record layer file descriptors
 	int erred;		// set when tlsError called
 	int (*trace)(char*fmt, ...); // for debugging
 	int version;	// protocol we are speaking
-	int verset;		// version has been set
-	int ver2hi;		// server got a version 2 hello
-	int isClient;	// is this the client or server?
-	Bytes *sid;		// SessionID
 	Bytes *cert;	// server certificate; only last - no chain
 
-	Lock statelk;
-	int state;		// must be set using setstate
+	int cipher;
+	int nsecret;	// amount of secret data to init keys
+	char *digest;	// name of digest algorithm to use
+	char *enc;		// name of encryption algorithm to use
 
+	// for finished messages
+	HandshakeHash	handhash;
+	Finished	finished;
+
 	// input buffer for handshake messages
 	uchar recvbuf[MaxChunk];
 	uchar *rp, *ep;
@@ -84,18 +99,6 @@
 	// output buffer
 	uchar sendbuf[MaxChunk];
 	uchar *sendp;
-
-	uchar crandom[RandomSize];	// client random
-	uchar srandom[RandomSize];	// server random
-	int clientVersion;	// version in ClientHello
-	int cipher;
-	char *digest;	// name of digest algorithm to use
-	char *enc;		// name of encryption algorithm to use
-	int nsecret;	// amount of secret data to init keys
-
-	// for finished messages
-	HandshakeHash	handhash;
-	Finished	finished;
 } TlsConnection;
 
 typedef struct Msg{
@@ -149,25 +152,7 @@
 	} u;
 } Msg;
 
-typedef struct TlsSec{
-	char *server;	// name of remote; nil for server
-	int ok;	// <0 killed; == 0 in progress; >0 reusable
-	RSApub *rsapub;
-	AuthRpc *rpc;	// factotum for rsa private key
-	uchar *psk;	// pre-shared key
-	int psklen;
-	uchar sec[MasterSecretSize];	// master secret
-	uchar crandom[RandomSize];	// client random
-	uchar srandom[RandomSize];	// server random
-	int clientVers;		// version in ClientHello
-	int vers;			// final version
-	// byte generation and handshake checksum
-	void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
-	void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
-	int nfin;
-} TlsSec;
 
-
 enum {
 	SSL3Version	= 0x0300,
 	TLS10Version	= 0x0301,
@@ -386,7 +371,6 @@
 	char *pskid, uchar *psk, int psklen,
 	int (*trace)(char*fmt, ...), PEMChain *chain);
 static TlsConnection *tlsClient2(int ctl, int hand,
-	uchar *csid, int ncsid,
 	uchar *cert, int certlen,
 	char *pskid, uchar *psk, int psklen,
 	uchar *ext, int extlen, int (*trace)(char*fmt, ...));
@@ -397,6 +381,7 @@
 static void	tlsError(TlsConnection *c, int err, char *msg, ...);
 #pragma	varargck argpos	tlsError 3
 static int setVersion(TlsConnection *c, int version);
+static int setSecrets(TlsConnection *c, int isclient);
 static int finishedMatch(TlsConnection *c, Finished *f);
 static void tlsConnectionFree(TlsConnection *c);
 
@@ -406,27 +391,19 @@
 static int initCiphers(void);
 static Ints* makeciphers(int ispsk);
 
-static TlsSec*	tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
-static int	tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm);
-static int	tlsSecPSKs(TlsSec *sec, int vers);
-static TlsSec*	tlsSecInitc(int cvers, uchar *crandom);
-static Bytes*	tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers);
-static int	tlsSecPSKc(TlsSec *sec, uchar *srandom, int vers);
-static Bytes*	tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, Bytes *p, Bytes *g, Bytes *Ys);
-static Bytes*	tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys);
+static void	tlsSecInits(TlsSec *sec, int cvers, uchar *crandom);
+static int	tlsSecRSAs(TlsSec *sec, Bytes *epm);
+static void	tlsSecPSKs(TlsSec *sec);
+static void	tlsSecInitc(TlsSec *sec, int cvers);
+static Bytes*	tlsSecRSAc(TlsSec *sec, uchar *cert, int ncert);
+static void	tlsSecPSKc(TlsSec *sec);
+static Bytes*	tlsSecDHEc(TlsSec *sec, Bytes *p, Bytes *g, Bytes *Ys);
+static Bytes*	tlsSecECDHEc(TlsSec *sec, int curve, Bytes *Ys);
+static void	tlsSecVers(TlsSec *sec, int v);
 static int	tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient);
-static void	tlsSecOk(TlsSec *sec);
-static void	tlsSecClose(TlsSec *sec);
 static void	setMasterSecret(TlsSec *sec, Bytes *pm);
-static void	setSecrets(TlsSec *sec, uchar *kd, int nkd);
 static Bytes*	pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
 static Bytes*	pkcs1_decrypt(TlsSec *sec, Bytes *cipher);
-static void	tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
-static void	tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
-static void	sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
-static void	sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
-			uchar *seed0, int nseed0, uchar *seed1, int nseed1);
-static int setVers(TlsSec *sec, int version);
 
 static AuthRpc* factotum_rsa_open(RSApub *rsapub);
 static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher);
@@ -482,26 +459,27 @@
 		close(ctl);
 		return -1;
 	}
+	data = -1;
 	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
 	tls = tlsServer2(ctl, hand,
 		conn->cert, conn->certlen,
 		conn->pskID, conn->psk, conn->psklen,
 		conn->trace, conn->chain);
-	snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
-	data = open(dname, ORDWR);
+	if(tls != nil){
+		snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
+		data = open(dname, ORDWR);
+	}
 	close(hand);
 	close(ctl);
-	if(data < 0 || tls == nil){
-		if(tls != nil)
-			tlsConnectionFree(tls);
+	if(data < 0){
+		tlsConnectionFree(tls);
 		return -1;
 	}
 	free(conn->cert);
 	conn->cert = nil;  // client certificates are not yet implemented
 	conn->certlen = 0;
-	conn->sessionIDlen = tls->sid->len;
-	conn->sessionID = emalloc(conn->sessionIDlen);
-	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
+	conn->sessionIDlen = 0;
+	conn->sessionID = nil;
 	if(conn->sessionKey != nil
 	&& conn->sessionType != nil
 	&& strcmp(conn->sessionType, "ttls") == 0)
@@ -624,7 +602,6 @@
 	fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
 	ext = tlsClientExtensions(conn, &n);
 	tls = tlsClient2(ctl, hand,
-		conn->sessionID, conn->sessionIDlen,
 		conn->cert, conn->certlen, 
 		conn->pskID, conn->psk, conn->psklen,
 		ext, n, conn->trace);
@@ -635,6 +612,7 @@
 		close(data);
 		return -1;
 	}
+	free(conn->cert);
 	if(tls->cert != nil){
 		conn->certlen = tls->cert->len;
 		conn->cert = emalloc(conn->certlen);
@@ -643,9 +621,8 @@
 		conn->certlen = 0;
 		conn->cert = nil;
 	}
-	conn->sessionIDlen = tls->sid->len;
-	conn->sessionID = emalloc(conn->sessionIDlen);
-	memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
+	conn->sessionIDlen = 0;
+	conn->sessionID = nil;
 	if(conn->sessionKey != nil
 	&& conn->sessionType != nil
 	&& strcmp(conn->sessionType, "ttls") == 0)
@@ -680,15 +657,13 @@
 {
 	TlsConnection *c;
 	Msg m;
-	Bytes *csid;
-	uchar sid[SidSize], kd[MaxKeyData];
-	char *secrets;
-	int cipher, compressor, nsid, rv, numcerts, i;
+	int cipher, compressor, numcerts, i;
 
 	if(trace)
 		trace("tlsServer2\n");
 	if(!initCiphers())
 		return nil;
+
 	c = emalloc(sizeof(TlsConnection));
 	c->ctl = ctl;
 	c->hand = hand;
@@ -705,15 +680,13 @@
 		tlsError(c, EUnexpectedMessage, "expected a client hello");
 		goto Err;
 	}
-	c->clientVersion = m.u.clientHello.version;
 	if(trace)
-		trace("ClientHello version %x\n", c->clientVersion);
-	if(setVersion(c, c->clientVersion) < 0) {
+		trace("ClientHello version %x\n", m.u.clientHello.version);
+	if(setVersion(c, m.u.clientHello.version) < 0) {
 		tlsError(c, EIllegalParameter, "incompatible version");
 		goto Err;
 	}
 
-	memmove(c->crandom, m.u.clientHello.random, RandomSize);
 	cipher = okCipher(m.u.clientHello.ciphers, psklen > 0);
 	if(cipher < 0 || !setAlgs(c, cipher)) {
 		tlsError(c, EHandshakeFailure, "no matching cipher suite");
@@ -724,11 +697,11 @@
 		tlsError(c, EHandshakeFailure, "no matching compressor");
 		goto Err;
 	}
-
-	csid = m.u.clientHello.sid;
 	if(trace)
-		trace("  cipher %x, compressor %x, csidlen %d\n", cipher, compressor, csid->len);
-	c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
+		trace("  cipher %x, compressor %x\n", cipher, compressor);
+
+	tlsSecInits(c->sec, m.u.clientHello.version, m.u.clientHello.random);
+	tlsSecVers(c->sec, c->version);
 	if(psklen > 0){
 		c->sec->psk = psk;
 		c->sec->psklen = psklen;
@@ -750,14 +723,12 @@
 
 	m.tag = HServerHello;
 	m.u.serverHello.version = c->version;
-	memmove(m.u.serverHello.random, c->srandom, RandomSize);
+	memmove(m.u.serverHello.random, c->sec->srandom, RandomSize);
 	m.u.serverHello.cipher = cipher;
 	m.u.serverHello.compressor = compressor;
-	c->sid = makebytes(sid, nsid);
-	m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len);
+	m.u.serverHello.sid = makebytes(nil, 0);
 	if(!msgSend(c, &m, AQueue))
 		goto Err;
-	msgClear(&m);
 
 	if(certlen > 0){
 		m.tag = HCertificate;
@@ -769,13 +740,11 @@
 			m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
 		if(!msgSend(c, &m, AQueue))
 			goto Err;
-		msgClear(&m);
 	}
 
 	m.tag = HServerHelloDone;
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 
 	if(!msgRecv(c, &m))
 		goto Err;
@@ -792,34 +761,23 @@
 		}
 	}
 	if(certlen > 0){
-		if(tlsSecRSAs(c->sec, c->version, m.u.clientKeyExchange.key) < 0){
-			tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
+		if(tlsSecRSAs(c->sec, m.u.clientKeyExchange.key) < 0){
+			tlsError(c, EHandshakeFailure, "couldn't set keys: %r");
 			goto Err;
 		}
 	} else if(psklen > 0){
-		if(tlsSecPSKs(c->sec, c->version) < 0){
-			tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
-			goto Err;
-		}
+		tlsSecPSKs(c->sec);
 	} else {
 		tlsError(c, EInternalError, "no psk or certificate");
 		goto Err;
 	}
 
-	setSecrets(c->sec, kd, c->nsecret);
 	if(trace)
 		trace("tls secrets\n");
-	secrets = (char*)emalloc(2*c->nsecret);
-	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
-	rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets);
-	memset(secrets, 0, 2*c->nsecret);
-	free(secrets);
-	memset(kd, 0, c->nsecret);
-	if(rv < 0){
-		tlsError(c, EHandshakeFailure, "can't set keys: %r");
+	if(setSecrets(c, 0) < 0){
+		tlsError(c, EHandshakeFailure, "can't set secrets: %r");
 		goto Err;
 	}
-	msgClear(&m);
 
 	/* no CertificateVerify; skip to Finished */
 	if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
@@ -852,19 +810,17 @@
 	m.u.finished = c->finished;
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 	if(trace)
 		trace("tls finished\n");
 
 	if(fprint(c->ctl, "opened") < 0)
 		goto Err;
-	tlsSecOk(c->sec);
 	return c;
 
 Err:
 	msgClear(&m);
 	tlsConnectionFree(c);
-	return 0;
+	return nil;
 }
 
 static int
@@ -918,8 +874,7 @@
 }
 
 static Bytes*
-tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, 
-	Bytes *p, Bytes *g, Bytes *Ys)
+tlsSecDHEc(TlsSec *sec, Bytes *p, Bytes *g, Bytes *Ys)
 {
 	mpint *G, *P, *Y, *K;
 	Bytes *epm;
@@ -928,10 +883,6 @@
 	if(p == nil || g == nil || Ys == nil)
 		return nil;
 
-	memmove(sec->srandom, srandom, RandomSize);
-	if(setVers(sec, vers) < 0)
-		return nil;
-
 	epm = nil;
 	P = bytestomp(p);
 	G = bytestomp(g);
@@ -959,7 +910,7 @@
 }
 
 static Bytes*
-tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys)
+tlsSecECDHEc(TlsSec *sec, int curve, Bytes *Ys)
 {
 	Namedcurve *nc, *enc;
 	Bytes *epm;
@@ -978,10 +929,6 @@
 
 	if(nc == enc)
 		return nil;
-		
-	memmove(sec->srandom, srandom, RandomSize);
-	if(setVers(sec, vers) < 0)
-		return nil;
 	
 	ecdominit(&dom, nc->init);
 	pub = ecdecodepub(&dom, Ys->data, Ys->len);
@@ -1031,7 +978,7 @@
 	char *err;
 
 	if(par == nil || par->len <= 0)
-		return "no dh parameters";
+		return "no DH parameters";
 
 	if(sig == nil || sig->len <= 0){
 		if(c->sec->psklen > 0)
@@ -1043,8 +990,8 @@
 		return "no certificate";
 
 	blob = newbytes(2*RandomSize + par->len);
-	memmove(blob->data+0*RandomSize, c->crandom, RandomSize);
-	memmove(blob->data+1*RandomSize, c->srandom, RandomSize);
+	memmove(blob->data+0*RandomSize, c->sec->crandom, RandomSize);
+	memmove(blob->data+1*RandomSize, c->sec->srandom, RandomSize);
 	memmove(blob->data+2*RandomSize, par->data, par->len);
 	if(c->version < TLS12Version){
 		digestlen = MD5dlen + SHA1dlen;
@@ -1089,7 +1036,6 @@
 
 static TlsConnection *
 tlsClient2(int ctl, int hand,
-	uchar *csid, int ncsid, 
 	uchar *cert, int certlen,
 	char *pskid, uchar *psk, int psklen,
 	uchar *ext, int extlen,
@@ -1097,25 +1043,23 @@
 {
 	TlsConnection *c;
 	Msg m;
-	uchar kd[MaxKeyData];
-	char *secrets;
-	int creq, dhx, rv, cipher;
+	int creq, dhx, cipher;
 	Bytes *epm;
 
 	if(!initCiphers())
 		return nil;
+
 	epm = nil;
+	memset(&m, 0, sizeof(m));
 	c = emalloc(sizeof(TlsConnection));
-	c->version = ProtocolVersion;
 
 	c->ctl = ctl;
 	c->hand = hand;
 	c->trace = trace;
-	c->isClient = 1;
-	c->clientVersion = c->version;
 	c->cert = nil;
 
-	c->sec = tlsSecInitc(c->clientVersion, c->crandom);
+	c->version = ProtocolVersion;
+	tlsSecInitc(c->sec, c->version);
 	if(psklen > 0){
 		c->sec->psk = psk;
 		c->sec->psklen = psklen;
@@ -1124,28 +1068,26 @@
 		/* client certificate */
 		c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
 		if(c->sec->rsapub == nil){
-			tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
+			tlsError(c, EInternalError, "invalid X509/rsa certificate");
 			goto Err;
 		}
 		c->sec->rpc = factotum_rsa_open(c->sec->rsapub);
 		if(c->sec->rpc == nil){
-			tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
+			tlsError(c, EInternalError, "factotum_rsa_open: %r");
 			goto Err;
 		}
 	}
 
 	/* client hello */
-	memset(&m, 0, sizeof(m));
 	m.tag = HClientHello;
-	m.u.clientHello.version = c->clientVersion;
-	memmove(m.u.clientHello.random, c->crandom, RandomSize);
-	m.u.clientHello.sid = makebytes(csid, ncsid);
+	m.u.clientHello.version = c->version;
+	memmove(m.u.clientHello.random, c->sec->crandom, RandomSize);
+	m.u.clientHello.sid = makebytes(nil, 0);
 	m.u.clientHello.ciphers = makeciphers(psklen > 0);
 	m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
 	m.u.clientHello.extensions = makebytes(ext, extlen);
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 
 	/* server hello */
 	if(!msgRecv(c, &m))
@@ -1158,12 +1100,9 @@
 		tlsError(c, EIllegalParameter, "incompatible version: %r");
 		goto Err;
 	}
-	memmove(c->srandom, m.u.serverHello.random, RandomSize);
-	c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len);
-	if(c->sid->len != 0 && c->sid->len != SidSize) {
-		tlsError(c, EIllegalParameter, "invalid server session identifier");
-		goto Err;
-	}
+	tlsSecVers(c->sec, c->version);
+	memmove(c->sec->srandom, m.u.serverHello.random, RandomSize);
+
 	cipher = m.u.serverHello.cipher;
 	if((psklen > 0) != isPSK(cipher) || !setAlgs(c, cipher)) {
 		tlsError(c, EIllegalParameter, "invalid cipher suite");
@@ -1173,7 +1112,6 @@
 		tlsError(c, EIllegalParameter, "invalid compression");
 		goto Err;
 	}
-	msgClear(&m);
 
 	dhx = isDHE(cipher) || isECDHE(cipher);
 	if(!msgRecv(c, &m))
@@ -1184,7 +1122,6 @@
 			goto Err;
 		}
 		c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
-		msgClear(&m);
 		if(!msgRecv(c, &m))
 			goto Err;
 	} else if(psklen == 0) {
@@ -1198,25 +1135,26 @@
 				m.u.serverKeyExchange.dh_signature,
 				m.u.serverKeyExchange.sigalg);
 			if(err != nil){
-				tlsError(c, EBadCertificate, "can't verify dh parameters: %s", err);
+				tlsError(c, EBadCertificate, "can't verify DH parameters: %s", err);
 				goto Err;
 			}
 			if(isECDHE(cipher))
-				epm = tlsSecECDHEc(c->sec, c->srandom, c->version,
+				epm = tlsSecECDHEc(c->sec,
 					m.u.serverKeyExchange.curve,
 					m.u.serverKeyExchange.dh_Ys);
 			else
-				epm = tlsSecDHEc(c->sec, c->srandom, c->version,
+				epm = tlsSecDHEc(c->sec,
 					m.u.serverKeyExchange.dh_p, 
 					m.u.serverKeyExchange.dh_g,
 					m.u.serverKeyExchange.dh_Ys);
-			if(epm == nil)
-				goto Badcert;
+			if(epm == nil){
+				tlsError(c, EHandshakeFailure, "bad DH parameters");
+				goto Err;
+			}
 		} else if(psklen == 0){
 			tlsError(c, EUnexpectedMessage, "got an server key exchange");
 			goto Err;
 		}
-		msgClear(&m);
 		if(!msgRecv(c, &m))
 			goto Err;
 	} else if(dhx){
@@ -1228,7 +1166,6 @@
 	creq = 0;
 	if(m.tag == HCertificateRequest) {
 		creq = 1;
-		msgClear(&m);
 		if(!msgRecv(c, &m))
 			goto Err;
 	}
@@ -1241,16 +1178,13 @@
 
 	if(!dhx){
 		if(c->cert != nil){
-			epm = tlsSecRSAc(c->sec, c->sid->data, c->sid->len, c->srandom,
-				c->cert->data, c->cert->len, c->version);
+			epm = tlsSecRSAc(c->sec, c->cert->data, c->cert->len);
 			if(epm == nil){
-			Badcert:
 				tlsError(c, EBadCertificate, "bad certificate: %r");
 				goto Err;
 			}
-		} else if(psklen > 0) {
-			if(tlsSecPSKc(c->sec, c->srandom, c->version) < 0)
-				goto Badcert;
+		} else if(psklen > 0){
+			tlsSecPSKc(c->sec);
 		} else {
 			tlsError(c, EInternalError, "no psk or certificate");
 			goto Err;
@@ -1257,28 +1191,22 @@
 		}
 	}
 
-	setSecrets(c->sec, kd, c->nsecret);
-	secrets = (char*)emalloc(2*c->nsecret);
-	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
-	rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
-	memset(secrets, 0, 2*c->nsecret);
-	free(secrets);
-	memset(kd, 0, c->nsecret);
-	if(rv < 0){
-		tlsError(c, EHandshakeFailure, "can't set keys: %r");
+	if(trace)
+		trace("tls secrets\n");
+	if(setSecrets(c, 1) < 0){
+		tlsError(c, EHandshakeFailure, "can't set secrets: %r");
 		goto Err;
 	}
 
 	if(creq) {
+		m.tag = HCertificate;
 		if(certlen > 0){
 			m.u.certificate.ncert = 1;
 			m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
 			m.u.certificate.certs[0] = makebytes(cert, certlen);
 		}		
-		m.tag = HCertificate;
 		if(!msgSend(c, &m, AFlush))
 			goto Err;
-		msgClear(&m);
 	}
 
 	/* client key exchange */
@@ -1293,7 +1221,6 @@
 	 
 	if(!msgSend(c, &m, AFlush))
 		goto Err;
-	msgClear(&m);
 
 	/* certificate verify */
 	if(creq && certlen > 0) {
@@ -1334,7 +1261,6 @@
 		m.tag = HCertificateVerify;
 		if(!msgSend(c, &m, AFlush))
 			goto Err;
-		msgClear(&m);
 	} 
 
 	/* change cipher spec */
@@ -1355,7 +1281,6 @@
 		tlsError(c, EInternalError, "can't flush after client Finished: %r");
 		goto Err;
 	}
-	msgClear(&m);
 
 	if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
 		tlsError(c, EInternalError, "can't set finished 0: %r");
@@ -1381,7 +1306,6 @@
 			trace("unable to do final open: %r\n");
 		goto Err;
 	}
-	tlsSecOk(c->sec);
 	return c;
 
 Err:
@@ -1433,13 +1357,11 @@
 
 		// sid
 		n = m->u.clientHello.sid->len;
-		assert(n < 256);
 		p[0] = n;
 		memmove(p+1, m->u.clientHello.sid->data, n);
 		p += n+1;
 
 		n = m->u.clientHello.ciphers->len;
-		assert(n > 0 && n < 200);
 		put16(p, n*2);
 		p += 2;
 		for(i=0; i<n; i++) {
@@ -1448,7 +1370,6 @@
 		}
 
 		n = m->u.clientHello.compressors->len;
-		assert(n > 0);
 		p[0] = n;
 		memmove(p+1, m->u.clientHello.compressors->data, n);
 		p += n+1;
@@ -1472,7 +1393,6 @@
 
 		// sid
 		n = m->u.serverHello.sid->len;
-		assert(n < 256);
 		p[0] = n;
 		memmove(p+1, m->u.serverHello.sid->data, n);
 		p += n+1;
@@ -1548,7 +1468,7 @@
 
 	// go back and fill in size
 	n = p - c->sendp;
-	assert(p <= c->sendbuf + sizeof(c->sendbuf));
+	assert(n <= sizeof(c->sendbuf));
 	put24(c->sendp+1, n-4);
 
 	// remember hash of Handshake messages
@@ -1599,8 +1519,9 @@
 msgRecv(TlsConnection *c, Msg *m)
 {
 	uchar *p, *s;
-	int type, n, nn, i, nsid, nrandom, nciph;
+	int type, n, nn, i;
 
+	msgClear(m);
 	for(;;) {
 		p = tlsReadN(c, 4);
 		if(p == nil)
@@ -1625,6 +1546,8 @@
 		/* Cope with an SSL3 ClientHello expressed in SSL2 record format.
 			This is sent by some clients that we must interoperate
 			with, such as Java's JSSE and Microsoft's Internet Explorer. */
+		int nsid, nrandom, nciph;
+
 		p = tlsReadN(c, n);
 		if(p == nil)
 			return 0;
@@ -1683,14 +1606,12 @@
 		if(n < 2)
 			goto Short;
 		m->u.clientHello.version = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 
 		if(n < RandomSize)
 			goto Short;
 		memmove(m->u.clientHello.random, p, RandomSize);
-		p += RandomSize;
-		n -= RandomSize;
+		p += RandomSize, n -= RandomSize;
 		if(n < 1 || n < p[0]+1)
 			goto Short;
 		m->u.clientHello.sid = makebytes(p+1, p[0]);
@@ -1700,8 +1621,7 @@
 		if(n < 2)
 			goto Short;
 		nn = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 
 		if((nn & 1) || n < nn || nn < 2)
 			goto Short;
@@ -1708,15 +1628,13 @@
 		m->u.clientHello.ciphers = newints(nn >> 1);
 		for(i = 0; i < nn; i += 2)
 			m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]);
-		p += nn;
-		n -= nn;
+		p += nn, n -= nn;
 
 		if(n < 1 || n < p[0]+1 || p[0] == 0)
 			goto Short;
 		nn = p[0];
 		m->u.clientHello.compressors = makebytes(p+1, nn);
-		p += nn + 1;
-		n -= nn + 1;
+		p += nn + 1, n -= nn + 1;
 
 		if(n < 2)
 			break;
@@ -1730,14 +1648,12 @@
 		if(n < 2)
 			goto Short;
 		m->u.serverHello.version = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 
 		if(n < RandomSize)
 			goto Short;
 		memmove(m->u.serverHello.random, p, RandomSize);
-		p += RandomSize;
-		n -= RandomSize;
+		p += RandomSize, n -= RandomSize;
 
 		if(n < 1 || n < p[0]+1)
 			goto Short;
@@ -1749,8 +1665,7 @@
 			goto Short;
 		m->u.serverHello.cipher = get16(p);
 		m->u.serverHello.compressor = p[2];
-		p += 3;
-		n -= 3;
+		p += 3, n -= 3;
 
 		if(n < 2)
 			break;
@@ -1764,8 +1679,7 @@
 		if(n < 3)
 			goto Short;
 		nn = get24(p);
-		p += 3;
-		n -= 3;
+		p += 3, n -= 3;
 		if(nn == 0 && n > 0)
 			goto Short;
 		/* certs */
@@ -1774,15 +1688,13 @@
 			if(n < 3)
 				goto Short;
 			nn = get24(p);
-			p += 3;
-			n -= 3;
+			p += 3, n -= 3;
 			if(nn > n)
 				goto Short;
 			m->u.certificate.ncert = i+1;
 			m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
 			m->u.certificate.certs[i] = makebytes(p, nn);
-			p += nn;
-			n -= nn;
+			p += nn, n -= nn;
 			i++;
 		}
 		break;
@@ -1790,33 +1702,28 @@
 		if(n < 1)
 			goto Short;
 		nn = p[0];
-		p += 1;
-		n -= 1;
+		p++, n--;
 		if(nn > n)
 			goto Short;
 		m->u.certificateRequest.types = makebytes(p, nn);
-		p += nn;
-		n -= nn;
+		p += nn, n -= nn;
 		if(c->version >= TLS12Version){
 			if(n < 2)
 				goto Short;
 			nn = get16(p);
-			p += 2;
-			n -= 2;
+			p += 2, n -= 2;
 			if(nn & 1)
 				goto Short;
 			m->u.certificateRequest.sigalgs = newints(nn>>1);
 			for(i = 0; i < nn; i += 2)
 				m->u.certificateRequest.sigalgs->data[i >> 1] = get16(&p[i]);
-			p += nn;
-			n -= nn;
+			p += nn, n -= nn;
 
 		}
 		if(n < 2)
 			goto Short;
 		nn = get16(p);
-		p += 2;
-		n -= 2;
+		p += 2, n -= 2;
 		/* nn == 0 can happen; yahoo's servers do it */
 		if(nn != n)
 			goto Short;
@@ -1826,8 +1733,7 @@
 			if(n < 2)
 				goto Short;
 			nn = get16(p);
-			p += 2;
-			n -= 2;
+			p += 2, n -= 2;
 			if(nn < 1 || nn > n)
 				goto Short;
 			m->u.certificateRequest.nca = i+1;
@@ -1834,8 +1740,7 @@
 			m->u.certificateRequest.cas = erealloc(
 				m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
 			m->u.certificateRequest.cas[i] = makebytes(p, nn);
-			p += nn;
-			n -= nn;
+			p += nn, n -= nn;
 			i++;
 		}
 		break;
@@ -1940,8 +1845,7 @@
 			if(n < 2)
 				goto Short;
 			nn = get16(p);
-			p += 2;
-			n -= 2;
+			p += 2, n -= 2;
 		}
 		if(n < nn)
 			goto Short;
@@ -1980,8 +1884,6 @@
 	int i;
 
 	switch(m->tag) {
-	default:
-		sysfatal("msgClear: unknown message type: %d", m->tag);
 	case HHelloRequest:
 		break;
 	case HClientHello:
@@ -2186,7 +2088,7 @@
 static int
 setVersion(TlsConnection *c, int version)
 {
-	if(c->verset || version > MaxProtoVersion || version < MinProtoVersion)
+	if(version > MaxProtoVersion || version < MinProtoVersion)
 		return -1;
 	if(version > c->version)
 		version = c->version;
@@ -2197,7 +2099,6 @@
 		c->version = version;
 		c->finished.n = TLSFinishedLen;
 	}
-	c->verset = 1;
 	return fprint(c->ctl, "version 0x%x", version);
 }
 
@@ -2213,8 +2114,10 @@
 static void
 tlsConnectionFree(TlsConnection *c)
 {
-	tlsSecClose(c->sec);
-	freebytes(c->sid);
+	if(c == nil)
+		return;
+	factotum_rsa_close(c->sec->rpc);
+	rsapubfree(c->sec->rsapub);
 	freebytes(c->cert);
 	memset(c, 0, sizeof(*c));
 	free(c);
@@ -2528,57 +2431,129 @@
 	p_sha256(buf, nbuf, key, nkey, (uchar*)label, strlen(label), seed, nseed0+nseed1);
 }
 
-/*
- * for setting server session id's
- */
-static Lock	sidLock;
-static long	maxSid = 1;
+static void
+sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+{
+	uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
+	DigestState *s;
+	int i, n, len;
 
-/* the keys are verified to have the same public components
- * and to function correctly with pkcs 1 encryption and decryption. */
-static TlsSec*
-tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom)
+	USED(label);
+	len = 1;
+	while(nbuf > 0){
+		if(len > 26)
+			return;
+		for(i = 0; i < len; i++)
+			tmp[i] = 'A' - 1 + len;
+		s = sha1(tmp, len, nil, nil);
+		s = sha1(key, nkey, nil, s);
+		s = sha1(seed0, nseed0, nil, s);
+		sha1(seed1, nseed1, sha1dig, s);
+		s = md5(key, nkey, nil, nil);
+		md5(sha1dig, SHA1dlen, md5dig, s);
+		n = MD5dlen;
+		if(n > nbuf)
+			n = nbuf;
+		memmove(buf, md5dig, n);
+		buf += n;
+		nbuf -= n;
+		len++;
+	}
+}
+
+static void
+sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isclient)
 {
-	TlsSec *sec = emalloc(sizeof(*sec));
+	DigestState *s;
+	uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
+	char *label;
 
-	USED(csid); USED(ncsid);  // ignore csid for now
+	if(isclient)
+		label = "CLNT";
+	else
+		label = "SRVR";
 
-	memmove(sec->crandom, crandom, RandomSize);
+	md5((uchar*)label, 4, nil, &hsh.md5);
+	md5(sec->sec, MasterSecretSize, nil, &hsh.md5);
+	memset(pad, 0x36, 48);
+	md5(pad, 48, nil, &hsh.md5);
+	md5(nil, 0, h0, &hsh.md5);
+	memset(pad, 0x5C, 48);
+	s = md5(sec->sec, MasterSecretSize, nil, nil);
+	s = md5(pad, 48, nil, s);
+	md5(h0, MD5dlen, finished, s);
+
+	sha1((uchar*)label, 4, nil, &hsh.sha1);
+	sha1(sec->sec, MasterSecretSize, nil, &hsh.sha1);
+	memset(pad, 0x36, 40);
+	sha1(pad, 40, nil, &hsh.sha1);
+	sha1(nil, 0, h1, &hsh.sha1);
+	memset(pad, 0x5C, 40);
+	s = sha1(sec->sec, MasterSecretSize, nil, nil);
+	s = sha1(pad, 40, nil, s);
+	sha1(h1, SHA1dlen, finished + MD5dlen, s);
+}
+
+// fill "finished" arg with md5(args)^sha1(args)
+static void
+tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isclient)
+{
+	uchar h0[MD5dlen], h1[SHA1dlen];
+	char *label;
+
+	// get current hash value, but allow further messages to be hashed in
+	md5(nil, 0, h0, &hsh.md5);
+	sha1(nil, 0, h1, &hsh.sha1);
+
+	if(isclient)
+		label = "client finished";
+	else
+		label = "server finished";
+	tls10PRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
+}
+
+static void
+tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isclient)
+{
+	uchar seed[SHA2_256dlen];
+	char *label;
+
+	// get current hash value, but allow further messages to be hashed in
+	sha2_256(nil, 0, seed, &hsh.sha2_256);
+
+	if(isclient)
+		label = "client finished";
+	else
+		label = "server finished";
+	p_sha256(finished, TLSFinishedLen, sec->sec, MasterSecretSize, (uchar*)label, strlen(label), seed, SHA2_256dlen);
+}
+
+/* the keys are verified to have the same public components
+ * and to function correctly with pkcs 1 encryption and decryption. */
+static void
+tlsSecInits(TlsSec *sec, int cvers, uchar *crandom)
+{
+	memset(sec, 0, sizeof(*sec));
 	sec->clientVers = cvers;
+	memmove(sec->crandom, crandom, RandomSize);
 
 	put32(sec->srandom, time(nil));
 	genrandom(sec->srandom+4, RandomSize-4);
-	memmove(srandom, sec->srandom, RandomSize);
-
-	/*
-	 * make up a unique sid: use our pid, and and incrementing id
-	 * can signal no sid by setting nssid to 0.
-	 */
-	memset(ssid, 0, SidSize);
-	put32(ssid, getpid());
-	lock(&sidLock);
-	put32(ssid+4, maxSid++);
-	unlock(&sidLock);
-	*nssid = SidSize;
-	return sec;
 }
 
 static int
-tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm)
+tlsSecRSAs(TlsSec *sec, Bytes *epm)
 {
 	Bytes *pm;
 
-	if(setVers(sec, vers) < 0)
-		goto Err;
 	if(epm == nil){
 		werrstr("no encrypted premaster secret");
-		goto Err;
+		return -1;
 	}
 	// if the client messed up, just continue as if everything is ok,
 	// to prevent attacks to check for correctly formatted messages.
 	pm = pkcs1_decrypt(sec, epm);
-	if(sec->ok < 0 || pm == nil || pm->len != MasterSecretSize || get16(pm->data) != sec->clientVers){
-		sec->ok = -1;
+	if(pm == nil || pm->len != MasterSecretSize || get16(pm->data) != sec->clientVers){
 		freebytes(pm);
 		pm = newbytes(MasterSecretSize);
 		genrandom(pm->data, pm->len);
@@ -2585,61 +2560,39 @@
 	}
 	setMasterSecret(sec, pm);
 	return 0;
-Err:
-	sec->ok = -1;
-	return -1;
 }
 
-static int
-tlsSecPSKs(TlsSec *sec, int vers)
+static void
+tlsSecPSKs(TlsSec *sec)
 {
-	if(setVers(sec, vers) < 0){
-		sec->ok = -1;
-		return -1;
-	}
 	setMasterSecret(sec, newbytes(sec->psklen));
-	return 0;
 }
 
-static TlsSec*
-tlsSecInitc(int cvers, uchar *crandom)
+static void
+tlsSecInitc(TlsSec *sec, int cvers)
 {
-	TlsSec *sec = emalloc(sizeof(*sec));
+	memset(sec, 0, sizeof(*sec));
 	sec->clientVers = cvers;
 	put32(sec->crandom, time(nil));
 	genrandom(sec->crandom+4, RandomSize-4);
-	memmove(crandom, sec->crandom, RandomSize);
-	return sec;
 }
 
-static int
-tlsSecPSKc(TlsSec *sec, uchar *srandom, int vers)
+static void
+tlsSecPSKc(TlsSec *sec)
 {
-	memmove(sec->srandom, srandom, RandomSize);
-	if(setVers(sec, vers) < 0){
-		sec->ok = -1;
-		return -1;
-	}
 	setMasterSecret(sec, newbytes(sec->psklen));
-	return 0;
 }
 
 static Bytes*
-tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers)
+tlsSecRSAc(TlsSec *sec, uchar *cert, int ncert)
 {
 	RSApub *pub;
 	Bytes *pm, *epm;
 
-	USED(sid);
-	USED(nsid);
-	
-	memmove(sec->srandom, srandom, RandomSize);
-	if(setVers(sec, vers) < 0)
-		goto Err;
 	pub = X509toRSApub(cert, ncert, nil, 0);
 	if(pub == nil){
 		werrstr("invalid x509/rsa certificate");
-		goto Err;
+		return nil;
 	}
 	pm = newbytes(MasterSecretSize);
 	put16(pm->data, sec->clientVers);
@@ -2647,11 +2600,7 @@
 	epm = pkcs1_encrypt(pm, pub, 2);
 	setMasterSecret(sec, pm);
 	rsapubfree(pub);
-	if(epm != nil)
-		return epm;
-Err:
-	sec->ok = -1;
-	return nil;
+	return epm;
 }
 
 static int
@@ -2658,7 +2607,6 @@
 tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient)
 {
 	if(sec->nfin != nfin){
-		sec->ok = -1;
 		werrstr("invalid finished exchange");
 		return -1;
 	}
@@ -2666,30 +2614,12 @@
 	hsh.sha1.malloced = 0;
 	hsh.sha2_256.malloced = 0;
 	(*sec->setFinished)(sec, hsh, fin, isclient);
-	return 1;
+	return 0;
 }
 
 static void
-tlsSecOk(TlsSec *sec)
+tlsSecVers(TlsSec *sec, int v)
 {
-	if(sec->ok == 0)
-		sec->ok = 1;
-}
-
-static void
-tlsSecClose(TlsSec *sec)
-{
-	if(sec == nil)
-		return;
-	factotum_rsa_close(sec->rpc);
-	rsapubfree(sec->rsapub);
-	free(sec->server);
-	free(sec);
-}
-
-static int
-setVers(TlsSec *sec, int v)
-{
 	if(v == SSL3Version){
 		sec->setFinished = sslSetFinished;
 		sec->nfin = SSL3FinishedLen;
@@ -2703,22 +2633,36 @@
 		sec->nfin = TLSFinishedLen;
 		sec->prf = tls12PRF;
 	}
-	sec->vers = v;
-	return 0;
 }
 
-/*
- * generate secret keys from the master secret.
- *
- * different crypto selections will require different amounts
- * of key expansion and use of key expansion data,
- * but it's all generated using the same function.
- */
-static void
-setSecrets(TlsSec *sec, uchar *kd, int nkd)
+static int
+setSecrets(TlsConnection *c, int isclient)
 {
-	(*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion",
-			sec->srandom, RandomSize, sec->crandom, RandomSize);
+	uchar kd[MaxKeyData];
+	char *secrets;
+	int rv;
+
+	assert(c->nsecret <= sizeof(kd));
+	secrets = emalloc(2*c->nsecret);
+
+	/*
+	 * generate secret keys from the master secret.
+	 *
+	 * different cipher selections will require different amounts
+	 * of key expansion and use of key expansion data,
+	 * but it's all generated using the same function.
+	 */
+	(*c->sec->prf)(kd, c->nsecret, c->sec->sec, MasterSecretSize, "key expansion",
+			c->sec->srandom, RandomSize, c->sec->crandom, RandomSize);
+
+	enc64(secrets, 2*c->nsecret, kd, c->nsecret);
+	memset(kd, 0, c->nsecret);
+
+	rv = fprint(c->ctl, "secret %s %s %d %s", c->digest, c->enc, isclient, secrets);
+	memset(secrets, 0, 2*c->nsecret);
+	free(secrets);
+
+	return rv;
 }
 
 /*
@@ -2749,103 +2693,6 @@
 
 	memset(pm->data, 0, pm->len);	
 	freebytes(pm);
-}
-
-static void
-sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
-{
-	DigestState *s;
-	uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
-	char *label;
-
-	if(isClient)
-		label = "CLNT";
-	else
-		label = "SRVR";
-
-	md5((uchar*)label, 4, nil, &hsh.md5);
-	md5(sec->sec, MasterSecretSize, nil, &hsh.md5);
-	memset(pad, 0x36, 48);
-	md5(pad, 48, nil, &hsh.md5);
-	md5(nil, 0, h0, &hsh.md5);
-	memset(pad, 0x5C, 48);
-	s = md5(sec->sec, MasterSecretSize, nil, nil);
-	s = md5(pad, 48, nil, s);
-	md5(h0, MD5dlen, finished, s);
-
-	sha1((uchar*)label, 4, nil, &hsh.sha1);
-	sha1(sec->sec, MasterSecretSize, nil, &hsh.sha1);
-	memset(pad, 0x36, 40);
-	sha1(pad, 40, nil, &hsh.sha1);
-	sha1(nil, 0, h1, &hsh.sha1);
-	memset(pad, 0x5C, 40);
-	s = sha1(sec->sec, MasterSecretSize, nil, nil);
-	s = sha1(pad, 40, nil, s);
-	sha1(h1, SHA1dlen, finished + MD5dlen, s);
-}
-
-// fill "finished" arg with md5(args)^sha1(args)
-static void
-tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
-{
-	uchar h0[MD5dlen], h1[SHA1dlen];
-	char *label;
-
-	// get current hash value, but allow further messages to be hashed in
-	md5(nil, 0, h0, &hsh.md5);
-	sha1(nil, 0, h1, &hsh.sha1);
-
-	if(isClient)
-		label = "client finished";
-	else
-		label = "server finished";
-	tls10PRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
-}
-
-static void
-tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
-{
-	uchar seed[SHA2_256dlen];
-	char *label;
-
-	// get current hash value, but allow further messages to be hashed in
-	sha2_256(nil, 0, seed, &hsh.sha2_256);
-
-	if(isClient)
-		label = "client finished";
-	else
-		label = "server finished";
-	p_sha256(finished, TLSFinishedLen, sec->sec, MasterSecretSize, (uchar*)label, strlen(label), seed, SHA2_256dlen);
-}
-
-static void
-sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
-{
-	uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
-	DigestState *s;
-	int i, n, len;
-
-	USED(label);
-	len = 1;
-	while(nbuf > 0){
-		if(len > 26)
-			return;
-		for(i = 0; i < len; i++)
-			tmp[i] = 'A' - 1 + len;
-		s = sha1(tmp, len, nil, nil);
-		s = sha1(key, nkey, nil, s);
-		s = sha1(seed0, nseed0, nil, s);
-		sha1(seed1, nseed1, sha1dig, s);
-		s = md5(key, nkey, nil, nil);
-		md5(sha1dig, SHA1dlen, md5dig, s);
-		n = MD5dlen;
-		if(n > nbuf)
-			n = nbuf;
-		memmove(buf, md5dig, n);
-		buf += n;
-		nbuf -= n;
-		len++;
-	}
 }
 
 static mpint*