| author | jsing <> | 2018-11-08 22:28:52 +0000 |
|---|---|---|
| committer | jsing <> | 2018-11-08 22:28:52 +0000 |
| commit | d1a7f20049bf29c61782397cffb632339b12ba54 (patch) | |
| tree | ea0388ba51cbbc63fa62e563b9694fedd9ef0f74 | |
| parent | 80dc683994dcdda2b01fd893a5c06c06409e703a (diff) | |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses
a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/d1_both.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 9 | ||||
| -rw-r--r-- | src/lib/libssl/ssl3.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_both.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 46 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 17 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_packet.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 74 | ||||
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 57 | ||||
| -rw-r--r-- | src/lib/libssl/t1_hash.c | 87 |
10 files changed, 144 insertions, 166 deletions
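--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.55 2018/09/05 16:58:59 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.56 2018/11/08 22:28:52 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -360,7 +360,7 @@ dtls1_do_write(SSL *s, int type)
 xlen = ret - DTLS1_HM_HEADER_LENGTH;
 }
 
-tls1_finish_mac(s, p, xlen);
+tls1_transcript_record(s, p, xlen);
 }
 
 if (ret == s->internal->init_num) {
@@ -436,7 +436,7 @@ again:
 
 msg_len += DTLS1_HM_HEADER_LENGTH;
 
-tls1_finish_mac(s, p, msg_len);
+tls1_transcript_record(s, p, msg_len);
 if (s->internal->msg_callback)
 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len,
 s, s->internal->msg_callback_arg);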
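Review bot: Both calls to tls1_transcript_record() in this file discard the return value, and so do the calls in ssl_both.c and ssl_packet.c. The new function returns 0 when the hash update fails or when BUF_MEM_grow() cannot extend the transcript, so an allocation failure leaves a short transcript that the CertificateVerify code later signs or verifies, with no error raised where the failure happened. The old call sites ignored the result as well, but now that the append reports failure it is worth acting on, for example `if (!tls1_transcript_record(s, p, xlen))` followed by the error return that fits each caller. The enclosing functions start and end outside these hunks.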
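--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.175 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.176 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1567,8 +1567,7 @@ ssl3_free(SSL *s)
 
 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
 
-BIO_free(S3I(s)->handshake_buffer);
-
+tls1_transcript_free(s);
 tls1_handshake_hash_free(s);
 
 free(S3I(s)->alpn_selected);
@@ -1602,9 +1601,7 @@ ssl3_clear(SSL *s)
 rlen = S3I(s)->rbuf.len;
 wlen = S3I(s)->wbuf.len;
 
-BIO_free(S3I(s)->handshake_buffer);
-S3I(s)->handshake_buffer = NULL;
-
+tls1_transcript_free(s);
 tls1_handshake_hash_free(s);
 
 free(S3I(s)->alpn_selected);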
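--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.48 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.49 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -350,7 +350,7 @@ typedef struct ssl3_buffer_st {
 
 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
-#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
+#define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020
 #define SSL3_FLAGS_CCS_OK 0x0080
 
 #ifndef OPENSSL_NO_SSL_INTERN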
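Review bot: Renaming `TLS1_FLAGS_KEEP_HANDSHAKE` removes a macro that sits above the `#ifndef OPENSSL_NO_SSL_INTERN` guard, so it is visible to anything that includes ssl3.h. If this header is installed for applications, out-of-tree code that references the old name stops compiling. A compatibility alias such as `#define TLS1_FLAGS_KEEP_HANDSHAKE TLS1_FLAGS_FREEZE_TRANSCRIPT` would avoid that, or the removal can be recorded for the next library version bump.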
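--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.13 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.14 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -146,7 +146,7 @@ ssl3_do_write(SSL *s, int type)
 * Should not be done for 'Hello Request's, but in that case
 * we'll ignore the result anyway.
 */
-tls1_finish_mac(s,
+tls1_transcript_record(s,
 (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret);
 
 if (ret == s->internal->init_num) {
@@ -557,7 +557,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
 /* Feed this message into MAC computation. */
 if (s->internal->mac_packet) {
-tls1_finish_mac(s, (unsigned char *)s->internal->init_buf->data,
+tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data,
 s->internal->init_num + 4);
 
 if (s->internal->msg_callback)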
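--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.36 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.37 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -244,7 +244,7 @@ ssl3_connect(SSL *s)
 /* don't push the buffering BIO quite yet */
 
 if (!SSL_IS_DTLS(s)) {
-if (!tls1_init_finished_mac(s)) {
+if (!tls1_transcript_init(s)) {
 ret = -1;
 goto end;
 }
@@ -269,7 +269,7 @@ ssl3_connect(SSL *s)
 
 if (SSL_IS_DTLS(s)) {
 /* every DTLS ClientHello resets Finished MAC */
-if (!tls1_init_finished_mac(s)) {
+if (!tls1_transcript_init(s)) {
 ret = -1;
 goto end;
 }
@@ -583,7 +583,7 @@ ssl3_connect(SSL *s)
 /* clean a few things up */
 tls1_cleanup_key_block(s);
 
-if (S3I(s)->handshake_buffer != NULL) {
+if (S3I(s)->handshake_transcript != NULL) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 ret = -1;
 goto end;
@@ -988,11 +988,8 @@ ssl3_get_server_hello(SSL *s)
 * client authentication.
 */
 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
-if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) &&
-!tls1_digest_cached_records(s)) {
-al = SSL_AD_INTERNAL_ERROR;
-goto f_err;
-}
+if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
+tls1_transcript_free(s);
 
 if (!CBS_get_u8(&cbs, &compression_method))
 goto truncated;
@@ -1619,10 +1616,7 @@ ssl3_get_certificate_request(SSL *s)
 * If we get here we don't need any cached handshake records
 * as we wont be doing client auth.
 */
-if (S3I(s)->handshake_buffer) {
-if (!tls1_digest_cached_records(s))
-goto err;
-}
+tls1_transcript_free(s);
 return (1);
 }
 
@@ -2372,12 +2366,12 @@ ssl3_send_client_verify(SSL *s)
 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
 unsigned char *signature = NULL;
 unsigned int signature_len;
+const unsigned char *hdata;
+size_t hdatalen;
 EVP_PKEY_CTX *pctx = NULL;
 EVP_PKEY *pkey;
 EVP_MD_CTX mctx;
 const EVP_MD *md;
-long hdatalen;
-void *hdata;
 
 EVP_MD_CTX_init(&mctx);
 
@@ -2404,10 +2398,7 @@ ssl3_send_client_verify(SSL *s)
 goto err;
 
 if (!SSL_USE_SIGALGS(s)) {
-if (S3I(s)->handshake_buffer) {
-if (!tls1_digest_cached_records(s))
-goto err;
-}
+tls1_transcript_free(s);
 if (!tls1_handshake_hash_value(s, data, sizeof(data),
 NULL))
 goto err;
@@ -2418,10 +2409,9 @@ ssl3_send_client_verify(SSL *s)
 * using agreed digest and cached handshake records.
 */
 if (SSL_USE_SIGALGS(s)) {
-hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer,
-&hdata);
 md = s->cert->key->digest;
-if (hdatalen <= 0 ||
+
+if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
 !tls12_get_hashandsig(&cert_verify, pkey, md)) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 goto err;
@@ -2433,8 +2423,7 @@ ssl3_send_client_verify(SSL *s)
 SSLerror(s, ERR_R_EVP_LIB);
 goto err;
 }
-if (!tls1_digest_cached_records(s))
-goto err;
+tls1_transcript_free(s);
 } else if (pkey->type == EVP_PKEY_RSA) {
 if (RSA_sign(NID_md5_sha1, data,
 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature,
@@ -2457,8 +2446,7 @@ ssl3_send_client_verify(SSL *s)
 size_t sigsize;
 int nid;
 
-hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
-if (hdatalen <= 0) {
+if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 goto err;
 }
@@ -2482,8 +2470,7 @@ ssl3_send_client_verify(SSL *s)
 if (sigsize > UINT_MAX)
 goto err;
 signature_len = sigsize;
-if (!tls1_digest_cached_records(s))
-goto err;
+tls1_transcript_free(s);
 #endif
 } else {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
@@ -2563,8 +2550,7 @@ ssl3_send_client_certificate(SSL *s)
 S3I(s)->tmp.cert_req = 2;
 
 /* There is no client certificate to verify. */
-if (!tls1_digest_cached_records(s))
-goto err;
+tls1_transcript_free(s);
 }
 
 /* Ok, we have a cert */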
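Review bot: The DTLS branch of ssl3_connect still uses this call as a reset (its comment reads "every DTLS ClientHello resets Finished MAC"), but tls1_transcript_init() as added in t1_hash.c returns 0 when handshake_transcript is already non-NULL. The removed tls1_init_finished_mac() instead freed the old buffer and allocated a fresh one. If a transcript is still allocated when a second ClientHello is sent, for example after a HelloVerifyRequest, this branch now takes `ret = -1; goto end;`. The same applies to the tls1_transcript_init() calls in ssl3_accept in ssl_srvr.c, one of which is commented "HelloVerifyRequest resets Finished MAC". Either call `tls1_transcript_free(s);` before `tls1_transcript_init(s)` at the reset sites, or have the init function release an existing transcript first.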
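--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.221 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.222 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -780,8 +780,8 @@ typedef struct ssl3_state_internal_st {
 int wpend_ret; /* number of bytes submitted */
 const unsigned char *wpend_buf;
 
-/* used during startup, digest all incoming/outgoing packets */
-BIO *handshake_buffer;
+/* Transcript of handshake messages that have been sent and received. */
+BUF_MEM *handshake_transcript;
 
 /* Rolling hash of handshake messages. */
 EVP_MD_CTX *handshake_hash;
@@ -1238,11 +1238,14 @@ int tls1_handshake_hash_value(SSL *s, const unsigned char *out, size_t len,
 size_t *outlen);
 void tls1_handshake_hash_free(SSL *s);
 
-int tls1_init_finished_mac(SSL *s);
-int tls1_finish_mac(SSL *s, const unsigned char *buf, int len);
-void tls1_free_digest_list(SSL *s);
+int tls1_transcript_init(SSL *s);
+void tls1_transcript_free(SSL *s);
+int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len);
+int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len);
+void tls1_transcript_freeze(SSL *s);
+int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len);
+
 void tls1_cleanup_key_block(SSL *s);
-int tls1_digest_cached_records(SSL *s);
 int tls1_change_cipher_state(SSL *s, int which);
 int tls1_setup_key_block(SSL *s);
 int tls1_enc(SSL *s, int snd);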
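Review bot: The six new tls1_transcript_* prototypes carry no comment on their contract, and two details are not obvious from the names. tls1_transcript_append() returns 1 without storing anything when no transcript is allocated or the transcript is frozen, and tls1_transcript_data() hands back a pointer into the transcript buffer itself, so it must not be used after tls1_transcript_free() or a later append. A short block comment above the group would cover this, for example `/* Return 1 on success, 0 on failure; append is a successful no-op without a transcript or once frozen; data pointers are borrowed. */`.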
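--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.7 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.8 2018/11/08 22:28:52 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -120,7 +120,7 @@ ssl_convert_sslv2_client_hello(SSL *s)
 if (n != record_length + 2)
 return n;
 
-tls1_finish_mac(s, s->internal->packet + 2,
+tls1_transcript_record(s, s->internal->packet + 2,
 s->internal->packet_length - 2);
 s->internal->mac_packet = 0;
 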
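--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.50 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.51 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -248,7 +248,8 @@ ssl3_accept(SSL *s)
 ret = -1;
 goto end;
 }
-if (!tls1_init_finished_mac(s)) {
+
+if (!tls1_transcript_init(s)) {
 ret = -1;
 goto end;
 }
@@ -293,7 +294,7 @@ ssl3_accept(SSL *s)
 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
 s->internal->init_num = 0;
 
-if (!tls1_init_finished_mac(s)) {
+if (!tls1_transcript_init(s)) {
 ret = -1;
 goto end;
 }
@@ -366,7 +367,7 @@ ssl3_accept(SSL *s)
 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
 
 /* HelloVerifyRequest resets Finished MAC. */
-if (!tls1_init_finished_mac(s)) {
+if (!tls1_transcript_init(s)) {
 ret = -1;
 goto end;
 }
@@ -467,12 +468,9 @@ ssl3_accept(SSL *s)
 skip = 1;
 S3I(s)->tmp.cert_request = 0;
 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
-if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) {
-if (!tls1_digest_cached_records(s)) {
-ret = -1;
-goto end;
-}
-}
+
+if (!SSL_IS_DTLS(s))
+tls1_transcript_free(s);
 } else {
 S3I(s)->tmp.cert_request = 1;
 if (SSL_IS_DTLS(s))
@@ -565,33 +563,20 @@ ssl3_accept(SSL *s)
 if (!s->session->peer)
 break;
 /*
-* For sigalgs freeze the handshake buffer
-* at this point and digest cached records.
+* Freeze the transcript for use during client
+* certificate verification.
 */
-if (!S3I(s)->handshake_buffer) {
-SSLerror(s, ERR_R_INTERNAL_ERROR);
-ret = -1;
-goto end;
-}
-s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
-if (!tls1_digest_cached_records(s)) {
-ret = -1;
-goto end;
-}
+tls1_transcript_freeze(s);
 } else {
 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
 s->internal->init_num = 0;
 
+tls1_transcript_free(s);
+
 /*
 * We need to get hashes here so if there is
 * a client cert, it can be verified.
 */
-if (S3I(s)->handshake_buffer) {
-if (!tls1_digest_cached_records(s)) {
-ret = -1;
-goto end;
-}
-}
 if (!tls1_handshake_hash_value(s,
 S3I(s)->tmp.cert_verify_md,
 sizeof(S3I(s)->tmp.cert_verify_md),
@@ -701,7 +686,7 @@ ssl3_accept(SSL *s)
 /* clean a few things up */
 tls1_cleanup_key_block(s);
 
-if (S3I(s)->handshake_buffer != NULL) {
+if (S3I(s)->handshake_transcript != NULL) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 ret = -1;
 goto end;
@@ -1125,12 +1110,8 @@ ssl3_get_client_hello(SSL *s)
 
 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
-!(s->verify_mode & SSL_VERIFY_PEER)) {
-if (!tls1_digest_cached_records(s)) {
-al = SSL_AD_INTERNAL_ERROR;
-goto f_err;
-}
-}
+!(s->verify_mode & SSL_VERIFY_PEER))
+tls1_transcript_free(s);
 
 /*
 * We now have the following setup.
@@ -2110,10 +2091,10 @@ ssl3_get_cert_verify(SSL *s)
 EVP_MD_CTX mctx;
 uint8_t hash_id, sig_id;
 int al, ok, sigalg, verify;
+const unsigned char *hdata;
+size_t hdatalen;
 int type = 0;
 int ret = 0;
-long hdatalen;
-void *hdata;
 long n;
 
 EVP_MD_CTX_init(&mctx);
@@ -2214,8 +2195,7 @@ ssl3_get_cert_verify(SSL *s)
 }
 
 if (SSL_USE_SIGALGS(s)) {
-hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
-if (hdatalen <= 0) {
+if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 al = SSL_AD_INTERNAL_ERROR;
 goto f_err;
@@ -2265,8 +2245,7 @@ ssl3_get_cert_verify(SSL *s)
 EVP_PKEY_CTX *pctx;
 int nid;
 
-hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
-if (hdatalen <= 0) {
+if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
 SSLerror(s, ERR_R_INTERNAL_ERROR);
 al = SSL_AD_INTERNAL_ERROR;
 goto f_err;
@@ -2321,11 +2300,7 @@ ssl3_get_cert_verify(SSL *s)
 ssl3_send_alert(s, SSL3_AL_FATAL, al);
 }
 end:
-if (S3I(s)->handshake_buffer) {
-BIO_free(S3I(s)->handshake_buffer);
-S3I(s)->handshake_buffer = NULL;
-s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
-}
+tls1_transcript_free(s);
 err:
 EVP_MD_CTX_cleanup(&mctx);
 EVP_PKEY_free(pkey);
@@ -2427,11 +2402,8 @@ ssl3_get_client_certificate(SSL *s)
 al = SSL_AD_HANDSHAKE_FAILURE;
 goto f_err;
 }
-/* No client certificate so digest cached records */
-if (S3I(s)->handshake_buffer && !tls1_digest_cached_records(s)) {
-al = SSL_AD_INTERNAL_ERROR;
-goto f_err;
-}
+/* No client certificate so free transcript. */
+tls1_transcript_free(s);
 } else {
 i = ssl_verify_cert_chain(s, sk);
 if (i <= 0) {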
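Review bot: The freeze branch in ssl3_accept (hunk at -565) no longer checks that a transcript exists. The removed code raised ERR_R_INTERNAL_ERROR when handshake_buffer was NULL, while `tls1_transcript_freeze(s)` only sets TLS1_FLAGS_FREEZE_TRANSCRIPT, so a missing transcript is noticed only later, when ssl3_get_cert_verify calls tls1_transcript_data(). If the early failure is still wanted, keep a guard on `S3I(s)->handshake_transcript == NULL` ahead of the freeze. Related state drift: the `end:` cleanup in ssl3_get_cert_verify used to clear the keep flag, and tls1_transcript_free() leaves the freeze flag set until the next tls1_transcript_init(); clearing it inside tls1_transcript_free() would keep flag and buffer in step.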
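--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.115 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.116 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -157,61 +157,6 @@ tls1_cleanup_key_block(SSL *s)
 S3I(s)->hs.key_block_len = 0;
 }
 
-int
-tls1_init_finished_mac(SSL *s)
-{
-BIO_free(S3I(s)->handshake_buffer);
-
-S3I(s)->handshake_buffer = BIO_new(BIO_s_mem());
-if (S3I(s)->handshake_buffer == NULL)
-return (0);
-
-(void)BIO_set_close(S3I(s)->handshake_buffer, BIO_CLOSE);
-
-return (1);
-}
-
-int
-tls1_finish_mac(SSL *s, const unsigned char *buf, int len)
-{
-if (len < 0)
-return 0;
-
-if (!tls1_handshake_hash_update(s, buf, len))
-return 0;
-
-if (S3I(s)->handshake_buffer &&
-!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
-BIO_write(S3I(s)->handshake_buffer, (void *)buf, len);
-return 1;
-}
-
-return 1;
-}
-
-int
-tls1_digest_cached_records(SSL *s)
-{
-long hdatalen;
-void *hdata;
-
-hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
-if (hdatalen <= 0) {
-SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH);
-goto err;
-}
-
-if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
-BIO_free(S3I(s)->handshake_buffer);
-S3I(s)->handshake_buffer = NULL;
-}
-
-return 1;
-
-err:
-return 0;
-}
-
 void
 tls1_record_sequence_increment(unsigned char *seq)
 {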
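--- a/src/lib/libssl/t1_hash.c
+++ b/src/lib/libssl/t1_hash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_hash.c,v 1.3 2018/09/05 16:58:59 jsing Exp $ */
+/* $OpenBSD: t1_hash.c,v 1.4 2018/11/08 22:28:52 jsing Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -22,9 +22,9 @@
 int
 tls1_handshake_hash_init(SSL *s)
 {
+const unsigned char *data;
 const EVP_MD *md;
-long dlen;
-void *data;
+size_t len;
 
 tls1_handshake_hash_free(s);
 
@@ -42,12 +42,11 @@ tls1_handshake_hash_init(SSL *s)
 goto err;
 }
 
-dlen = BIO_get_mem_data(S3I(s)->handshake_buffer, &data);
-if (dlen <= 0) {
+if (!tls1_transcript_data(s, &data, &len)) {
 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH);
 goto err;
 }
-if (!tls1_handshake_hash_update(s, data, dlen)) {
+if (!tls1_handshake_hash_update(s, data, len)) {
 SSLerror(s, ERR_R_EVP_LIB);
 goto err;
 }
@@ -109,3 +108,79 @@ tls1_handshake_hash_free(SSL *s)
 EVP_MD_CTX_free(S3I(s)->handshake_hash);
 S3I(s)->handshake_hash = NULL;
 }
+
+int
+tls1_transcript_init(SSL *s)
+{
+if (S3I(s)->handshake_transcript != NULL)
+return 0;
+
+if ((S3I(s)->handshake_transcript = BUF_MEM_new()) == NULL)
+return 0;
+
+s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
+
+return 1;
+}
+
+void
+tls1_transcript_free(SSL *s)
+{
+BUF_MEM_free(S3I(s)->handshake_transcript);
+S3I(s)->handshake_transcript = NULL;
+}
+
+int
+tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
+{
+size_t olen, nlen;
+
+if (S3I(s)->handshake_transcript == NULL)
+return 1;
+
+if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT)
+return 1;
+
+olen = S3I(s)->handshake_transcript->length;
+nlen = olen + len;
+
+if (nlen < olen)
+return 0;
+
+if (BUF_MEM_grow(S3I(s)->handshake_transcript, nlen) == 0)
+return 0;
+
+memcpy(S3I(s)->handshake_transcript->data + olen, buf, len);
+
+return 1;
+}
+
+int
+tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len)
+{
+if (S3I(s)->handshake_transcript == NULL)
+return 0;
+
+*data = S3I(s)->handshake_transcript->data;
+*len = S3I(s)->handshake_transcript->length;
+
+return 1;
+}
+
+void
+tls1_transcript_freeze(SSL *s)
+{
+s->s3->flags |= TLS1_FLAGS_FREEZE_TRANSCRIPT;
+}
+
+int
+tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len)
+{
+if (!tls1_handshake_hash_update(s, buf, len))
+return 0;
+
+if (!tls1_transcript_append(s, buf, len))
+return 0;
+
+return 1;
+}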
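Review bot: tls1_transcript_record() drops the `len < 0` rejection that tls1_finish_mac() had, and the parameter is now size_t, so a negative int at a call site is converted to a very large length before this function can see it. The `nlen < olen` test in tls1_transcript_append() only catches a sum that wraps, and it runs after tls1_handshake_hash_update() has already been handed the same length. Whether any caller can produce a negative value is not visible here, but the callers in d1_both.c, ssl_both.c and ssl_packet.c pass computed lengths (`xlen`, `ret`, `packet_length - 2`), so the sign and range check should move to those call sites. Separately, tls1_transcript_data() now succeeds on an empty transcript where the old code treated `hdatalen <= 0` as an error; if an empty transcript is never valid, extend its failure test with `|| S3I(s)->handshake_transcript->length == 0`.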
