authorjsing <>2018-11-08 22:28:52 +0000
committerjsing <>2018-11-08 22:28:52 +0000
commit3ddaece0e07a9c99e3a1f04d188c5ece7176ee46 (patch)
treeea0388ba51cbbc63fa62e563b9694fedd9ef0f74
parent638a717c204f5dd9a5b399e3c095815fb6d15124 (diff)
downloadopenbsd-3ddaece0e07a9c99e3a1f04d188c5ece7176ee46.tar.gz
openbsd-3ddaece0e07a9c99e3a1f04d188c5ece7176ee46.tar.bz2
openbsd-3ddaece0e07a9c99e3a1f04d188c5ece7176ee46.zip
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO. ok beck@ ("hurry up") and tb@.
-rw-r--r--src/lib/libssl/d1_both.c6
-rw-r--r--src/lib/libssl/s3_lib.c9
-rw-r--r--src/lib/libssl/ssl3.h4
-rw-r--r--src/lib/libssl/ssl_both.c6
-rw-r--r--src/lib/libssl/ssl_clnt.c46
-rw-r--r--src/lib/libssl/ssl_locl.h17
-rw-r--r--src/lib/libssl/ssl_packet.c4
-rw-r--r--src/lib/libssl/ssl_srvr.c74
-rw-r--r--src/lib/libssl/t1_enc.c57
-rw-r--r--src/lib/libssl/t1_hash.c87
10 files changed, 144 insertions, 166 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 95157630f5..f75604ef68 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.55 2018/09/05 16:58:59 jsing Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.56 2018/11/08 22:28:52 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -360,7 +360,7 @@ dtls1_do_write(SSL *s, int type)
360 xlen = ret - DTLS1_HM_HEADER_LENGTH; 360 xlen = ret - DTLS1_HM_HEADER_LENGTH;
361 } 361 }
362 362
363 tls1_finish_mac(s, p, xlen); 363 tls1_transcript_record(s, p, xlen);
364 } 364 }
365 365
366 if (ret == s->internal->init_num) { 366 if (ret == s->internal->init_num) {
@@ -436,7 +436,7 @@ again:
436 436
437 msg_len += DTLS1_HM_HEADER_LENGTH; 437 msg_len += DTLS1_HM_HEADER_LENGTH;
438 438
439 tls1_finish_mac(s, p, msg_len); 439 tls1_transcript_record(s, p, msg_len);
440 if (s->internal->msg_callback) 440 if (s->internal->msg_callback)
441 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, 441 s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len,
442 s, s->internal->msg_callback_arg); 442 s, s->internal->msg_callback_arg);
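Review bot: The result of tls1_transcript_record() is discarded at 363 and 439, so a failed tls1_handshake_hash_update() or a BUF_MEM_grow() failure inside tls1_transcript_append() leaves a truncated transcript that later feeds tls1_handshake_hash_init() and the CertificateVerify paths (ssl_clnt.c 2414, ssl_srvr.c 2198) with no error raised; the callers in ssl_both.c (149, 560) and ssl_packet.c (123) have the same problem. The old tls1_finish_mac() was equally unchecked, but it rejected a negative length, and with the parameter now size_t a signed xlen or msg_len — their declarations are outside the hunk — would convert to a huge count before tls1_handshake_hash_update() sees it, so the callers now carry that guarantee. Where the enclosing function can report failure, `if (!tls1_transcript_record(s, p, xlen)) return -1;` (and likewise for msg_len) is the minimal change, assuming -1 is its failure value; otherwise a comment stating why the failure is tolerable is worth adding. dtls1_do_write and the `again:` block both start and end outside their hunks.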
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 356f43a356..091713d12a 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.175 2018/11/08 20:55:18 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.176 2018/11/08 22:28:52 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1567,8 +1567,7 @@ ssl3_free(SSL *s)
1567 1567
1568 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); 1568 sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
1569 1569
1570 BIO_free(S3I(s)->handshake_buffer); 1570 tls1_transcript_free(s);
1571
1572 tls1_handshake_hash_free(s); 1571 tls1_handshake_hash_free(s);
1573 1572
1574 free(S3I(s)->alpn_selected); 1573 free(S3I(s)->alpn_selected);
@@ -1602,9 +1601,7 @@ ssl3_clear(SSL *s)
1602 rlen = S3I(s)->rbuf.len; 1601 rlen = S3I(s)->rbuf.len;
1603 wlen = S3I(s)->wbuf.len; 1602 wlen = S3I(s)->wbuf.len;
1604 1603
1605 BIO_free(S3I(s)->handshake_buffer); 1604 tls1_transcript_free(s);
1606 S3I(s)->handshake_buffer = NULL;
1607
1608 tls1_handshake_hash_free(s); 1605 tls1_handshake_hash_free(s);
1609 1606
1610 free(S3I(s)->alpn_selected); 1607 free(S3I(s)->alpn_selected);
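--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.48 2018/10/24 18:04:50 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.49 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -350,7 +350,7 @@ typedef struct ssl3_buffer_st {
 
 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
-#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
+#define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020
 #define SSL3_FLAGS_CCS_OK 0x0080
 
 #ifndef OPENSSL_NO_SSL_INTERN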
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 81fd1f80c5..77ab26e8b5 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_both.c,v 1.13 2018/10/24 18:04:50 jsing Exp $ */ 1/* $OpenBSD: ssl_both.c,v 1.14 2018/11/08 22:28:52 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -146,7 +146,7 @@ ssl3_do_write(SSL *s, int type)
146 * Should not be done for 'Hello Request's, but in that case 146 * Should not be done for 'Hello Request's, but in that case
147 * we'll ignore the result anyway. 147 * we'll ignore the result anyway.
148 */ 148 */
149 tls1_finish_mac(s, 149 tls1_transcript_record(s,
150 (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret); 150 (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret);
151 151
152 if (ret == s->internal->init_num) { 152 if (ret == s->internal->init_num) {
@@ -557,7 +557,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
557 557
558 /* Feed this message into MAC computation. */ 558 /* Feed this message into MAC computation. */
559 if (s->internal->mac_packet) { 559 if (s->internal->mac_packet) {
560 tls1_finish_mac(s, (unsigned char *)s->internal->init_buf->data, 560 tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data,
561 s->internal->init_num + 4); 561 s->internal->init_num + 4);
562 562
563 if (s->internal->msg_callback) 563 if (s->internal->msg_callback)
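Review bot: The comment at 558, "Feed this message into MAC computation.", is now stale: the call beneath it at 560 records the message into both the handshake hash and the transcript buffer, and nothing here computes a MAC. `/* Record this message in the handshake hash and transcript. */` describes what the new code does. As at the other call sites in this commit, the return value of tls1_transcript_record() at 149 and 560 is ignored, so an allocation failure in the transcript passes silently. ssl3_do_write and ssl3_get_message both start and end outside their hunks.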
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 22e41da953..c2aa7e8190 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.36 2018/11/08 20:55:18 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.37 2018/11/08 22:28:52 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -244,7 +244,7 @@ ssl3_connect(SSL *s)
244 /* don't push the buffering BIO quite yet */ 244 /* don't push the buffering BIO quite yet */
245 245
246 if (!SSL_IS_DTLS(s)) { 246 if (!SSL_IS_DTLS(s)) {
247 if (!tls1_init_finished_mac(s)) { 247 if (!tls1_transcript_init(s)) {
248 ret = -1; 248 ret = -1;
249 goto end; 249 goto end;
250 } 250 }
@@ -269,7 +269,7 @@ ssl3_connect(SSL *s)
269 269
270 if (SSL_IS_DTLS(s)) { 270 if (SSL_IS_DTLS(s)) {
271 /* every DTLS ClientHello resets Finished MAC */ 271 /* every DTLS ClientHello resets Finished MAC */
272 if (!tls1_init_finished_mac(s)) { 272 if (!tls1_transcript_init(s)) {
273 ret = -1; 273 ret = -1;
274 goto end; 274 goto end;
275 } 275 }
@@ -583,7 +583,7 @@ ssl3_connect(SSL *s)
583 /* clean a few things up */ 583 /* clean a few things up */
584 tls1_cleanup_key_block(s); 584 tls1_cleanup_key_block(s);
585 585
586 if (S3I(s)->handshake_buffer != NULL) { 586 if (S3I(s)->handshake_transcript != NULL) {
587 SSLerror(s, ERR_R_INTERNAL_ERROR); 587 SSLerror(s, ERR_R_INTERNAL_ERROR);
588 ret = -1; 588 ret = -1;
589 goto end; 589 goto end;
@@ -988,11 +988,8 @@ ssl3_get_server_hello(SSL *s)
988 * client authentication. 988 * client authentication.
989 */ 989 */
990 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; 990 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
991 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) && 991 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)))
992 !tls1_digest_cached_records(s)) { 992 tls1_transcript_free(s);
993 al = SSL_AD_INTERNAL_ERROR;
994 goto f_err;
995 }
996 993
997 if (!CBS_get_u8(&cbs, &compression_method)) 994 if (!CBS_get_u8(&cbs, &compression_method))
998 goto truncated; 995 goto truncated;
@@ -1619,10 +1616,7 @@ ssl3_get_certificate_request(SSL *s)
1619 * If we get here we don't need any cached handshake records 1616 * If we get here we don't need any cached handshake records
1620 * as we wont be doing client auth. 1617 * as we wont be doing client auth.
1621 */ 1618 */
1622 if (S3I(s)->handshake_buffer) { 1619 tls1_transcript_free(s);
1623 if (!tls1_digest_cached_records(s))
1624 goto err;
1625 }
1626 return (1); 1620 return (1);
1627 } 1621 }
1628 1622
@@ -2372,12 +2366,12 @@ ssl3_send_client_verify(SSL *s)
2372 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 2366 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2373 unsigned char *signature = NULL; 2367 unsigned char *signature = NULL;
2374 unsigned int signature_len; 2368 unsigned int signature_len;
2369 const unsigned char *hdata;
2370 size_t hdatalen;
2375 EVP_PKEY_CTX *pctx = NULL; 2371 EVP_PKEY_CTX *pctx = NULL;
2376 EVP_PKEY *pkey; 2372 EVP_PKEY *pkey;
2377 EVP_MD_CTX mctx; 2373 EVP_MD_CTX mctx;
2378 const EVP_MD *md; 2374 const EVP_MD *md;
2379 long hdatalen;
2380 void *hdata;
2381 2375
2382 EVP_MD_CTX_init(&mctx); 2376 EVP_MD_CTX_init(&mctx);
2383 2377
@@ -2404,10 +2398,7 @@ ssl3_send_client_verify(SSL *s)
2404 goto err; 2398 goto err;
2405 2399
2406 if (!SSL_USE_SIGALGS(s)) { 2400 if (!SSL_USE_SIGALGS(s)) {
2407 if (S3I(s)->handshake_buffer) { 2401 tls1_transcript_free(s);
2408 if (!tls1_digest_cached_records(s))
2409 goto err;
2410 }
2411 if (!tls1_handshake_hash_value(s, data, sizeof(data), 2402 if (!tls1_handshake_hash_value(s, data, sizeof(data),
2412 NULL)) 2403 NULL))
2413 goto err; 2404 goto err;
@@ -2418,10 +2409,9 @@ ssl3_send_client_verify(SSL *s)
2418 * using agreed digest and cached handshake records. 2409 * using agreed digest and cached handshake records.
2419 */ 2410 */
2420 if (SSL_USE_SIGALGS(s)) { 2411 if (SSL_USE_SIGALGS(s)) {
2421 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer,
2422 &hdata);
2423 md = s->cert->key->digest; 2412 md = s->cert->key->digest;
2424 if (hdatalen <= 0 || 2413
2414 if (!tls1_transcript_data(s, &hdata, &hdatalen) ||
2425 !tls12_get_hashandsig(&cert_verify, pkey, md)) { 2415 !tls12_get_hashandsig(&cert_verify, pkey, md)) {
2426 SSLerror(s, ERR_R_INTERNAL_ERROR); 2416 SSLerror(s, ERR_R_INTERNAL_ERROR);
2427 goto err; 2417 goto err;
@@ -2433,8 +2423,7 @@ ssl3_send_client_verify(SSL *s)
2433 SSLerror(s, ERR_R_EVP_LIB); 2423 SSLerror(s, ERR_R_EVP_LIB);
2434 goto err; 2424 goto err;
2435 } 2425 }
2436 if (!tls1_digest_cached_records(s)) 2426 tls1_transcript_free(s);
2437 goto err;
2438 } else if (pkey->type == EVP_PKEY_RSA) { 2427 } else if (pkey->type == EVP_PKEY_RSA) {
2439 if (RSA_sign(NID_md5_sha1, data, 2428 if (RSA_sign(NID_md5_sha1, data,
2440 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature, 2429 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, signature,
@@ -2457,8 +2446,7 @@ ssl3_send_client_verify(SSL *s)
2457 size_t sigsize; 2446 size_t sigsize;
2458 int nid; 2447 int nid;
2459 2448
2460 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); 2449 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2461 if (hdatalen <= 0) {
2462 SSLerror(s, ERR_R_INTERNAL_ERROR); 2450 SSLerror(s, ERR_R_INTERNAL_ERROR);
2463 goto err; 2451 goto err;
2464 } 2452 }
@@ -2482,8 +2470,7 @@ ssl3_send_client_verify(SSL *s)
2482 if (sigsize > UINT_MAX) 2470 if (sigsize > UINT_MAX)
2483 goto err; 2471 goto err;
2484 signature_len = sigsize; 2472 signature_len = sigsize;
2485 if (!tls1_digest_cached_records(s)) 2473 tls1_transcript_free(s);
2486 goto err;
2487#endif 2474#endif
2488 } else { 2475 } else {
2489 SSLerror(s, ERR_R_INTERNAL_ERROR); 2476 SSLerror(s, ERR_R_INTERNAL_ERROR);
@@ -2563,8 +2550,7 @@ ssl3_send_client_certificate(SSL *s)
2563 S3I(s)->tmp.cert_req = 2; 2550 S3I(s)->tmp.cert_req = 2;
2564 2551
2565 /* There is no client certificate to verify. */ 2552 /* There is no client certificate to verify. */
2566 if (!tls1_digest_cached_records(s)) 2553 tls1_transcript_free(s);
2567 goto err;
2568 } 2554 }
2569 2555
2570 /* Ok, we have a cert */ 2556 /* Ok, we have a cert */
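Review bot: tls1_transcript_init() at 272 runs for every DTLS ClientHello, but the new implementation (t1_hash.c 115-116) returns 0 when a transcript already exists, so the ClientHello re-sent after a HelloVerifyRequest would fail with ret = -1 unless something not shown in this commit frees the transcript first; the server side at ssl_srvr.c 370, where the transcript created at 251 is still allocated when HelloVerifyRequest is sent, has the same shape, and the path at ssl_srvr.c 297 is worth checking too. The old tls1_init_finished_mac() freed and recreated the BIO, which is the reset behaviour these call sites relied on. Either free before initialising, `tls1_transcript_free(s); if (!tls1_transcript_init(s)) {`, or add a tls1_transcript_reset() that empties the buffer and clears TLS1_FLAGS_FREEZE_TRANSCRIPT and call it at these three sites. The comment at 271 still says "resets Finished MAC"; `/* every DTLS ClientHello resets the handshake transcript */` would match the new code. ssl3_connect starts and ends outside the hunk.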
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 32766de1cf..3b08f8c772 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.221 2018/11/08 20:55:18 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.222 2018/11/08 22:28:52 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -780,8 +780,8 @@ typedef struct ssl3_state_internal_st {
780 int wpend_ret; /* number of bytes submitted */ 780 int wpend_ret; /* number of bytes submitted */
781 const unsigned char *wpend_buf; 781 const unsigned char *wpend_buf;
782 782
783 /* used during startup, digest all incoming/outgoing packets */ 783 /* Transcript of handshake messages that have been sent and received. */
784 BIO *handshake_buffer; 784 BUF_MEM *handshake_transcript;
785 785
786 /* Rolling hash of handshake messages. */ 786 /* Rolling hash of handshake messages. */
787 EVP_MD_CTX *handshake_hash; 787 EVP_MD_CTX *handshake_hash;
@@ -1238,11 +1238,14 @@ int tls1_handshake_hash_value(SSL *s, const unsigned char *out, size_t len,
1238 size_t *outlen); 1238 size_t *outlen);
1239void tls1_handshake_hash_free(SSL *s); 1239void tls1_handshake_hash_free(SSL *s);
1240 1240
1241int tls1_init_finished_mac(SSL *s); 1241int tls1_transcript_init(SSL *s);
1242int tls1_finish_mac(SSL *s, const unsigned char *buf, int len); 1242void tls1_transcript_free(SSL *s);
1243void tls1_free_digest_list(SSL *s); 1243int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len);
1244int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len);
1245void tls1_transcript_freeze(SSL *s);
1246int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len);
1247
1244void tls1_cleanup_key_block(SSL *s); 1248void tls1_cleanup_key_block(SSL *s);
1245int tls1_digest_cached_records(SSL *s);
1246int tls1_change_cipher_state(SSL *s, int which); 1249int tls1_change_cipher_state(SSL *s, int which);
1247int tls1_setup_key_block(SSL *s); 1250int tls1_setup_key_block(SSL *s);
1248int tls1_enc(SSL *s, int snd); 1251int tls1_enc(SSL *s, int snd);
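Review bot: The new prototypes at 1241-1246 replace a BIO-based API with different lifecycle rules but carry no comments, and the rules are not obvious from the names: tls1_transcript_init() fails if a transcript already exists, tls1_transcript_append() and tls1_transcript_record() leave the buffer untouched when it is NULL or frozen while tls1_transcript_record() still updates the handshake hash, tls1_transcript_freeze() is only undone by tls1_transcript_init(), and the pointer returned by tls1_transcript_data() may move on the next append (BUF_MEM_grow) and is released by tls1_transcript_free(). A short block comment above 1241 stating those four points would save the next reader a trip to t1_hash.c. The struct comment at 783 could also note that a NULL handshake_transcript is the expected state once the transcript is no longer needed, since ssl_clnt.c 586 and ssl_srvr.c 689 treat a non-NULL pointer at the end of the handshake as an internal error.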
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index ca5afb7d93..d8fb409d81 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_packet.c,v 1.7 2018/10/24 18:04:50 jsing Exp $ */ 1/* $OpenBSD: ssl_packet.c,v 1.8 2018/11/08 22:28:52 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -120,7 +120,7 @@ ssl_convert_sslv2_client_hello(SSL *s)
120 if (n != record_length + 2) 120 if (n != record_length + 2)
121 return n; 121 return n;
122 122
123 tls1_finish_mac(s, s->internal->packet + 2, 123 tls1_transcript_record(s, s->internal->packet + 2,
124 s->internal->packet_length - 2); 124 s->internal->packet_length - 2);
125 s->internal->mac_packet = 0; 125 s->internal->mac_packet = 0;
126 126
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index e7f1f5c9ec..af9152d3de 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.50 2018/11/08 20:55:18 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.51 2018/11/08 22:28:52 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -248,7 +248,8 @@ ssl3_accept(SSL *s)
248 ret = -1; 248 ret = -1;
249 goto end; 249 goto end;
250 } 250 }
251 if (!tls1_init_finished_mac(s)) { 251
252 if (!tls1_transcript_init(s)) {
252 ret = -1; 253 ret = -1;
253 goto end; 254 goto end;
254 } 255 }
@@ -293,7 +294,7 @@ ssl3_accept(SSL *s)
293 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 294 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
294 s->internal->init_num = 0; 295 s->internal->init_num = 0;
295 296
296 if (!tls1_init_finished_mac(s)) { 297 if (!tls1_transcript_init(s)) {
297 ret = -1; 298 ret = -1;
298 goto end; 299 goto end;
299 } 300 }
@@ -366,7 +367,7 @@ ssl3_accept(SSL *s)
366 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; 367 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
367 368
368 /* HelloVerifyRequest resets Finished MAC. */ 369 /* HelloVerifyRequest resets Finished MAC. */
369 if (!tls1_init_finished_mac(s)) { 370 if (!tls1_transcript_init(s)) {
370 ret = -1; 371 ret = -1;
371 goto end; 372 goto end;
372 } 373 }
@@ -467,12 +468,9 @@ ssl3_accept(SSL *s)
467 skip = 1; 468 skip = 1;
468 S3I(s)->tmp.cert_request = 0; 469 S3I(s)->tmp.cert_request = 0;
469 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 470 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
470 if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) { 471
471 if (!tls1_digest_cached_records(s)) { 472 if (!SSL_IS_DTLS(s))
472 ret = -1; 473 tls1_transcript_free(s);
473 goto end;
474 }
475 }
476 } else { 474 } else {
477 S3I(s)->tmp.cert_request = 1; 475 S3I(s)->tmp.cert_request = 1;
478 if (SSL_IS_DTLS(s)) 476 if (SSL_IS_DTLS(s))
@@ -565,33 +563,20 @@ ssl3_accept(SSL *s)
565 if (!s->session->peer) 563 if (!s->session->peer)
566 break; 564 break;
567 /* 565 /*
568 * For sigalgs freeze the handshake buffer 566 * Freeze the transcript for use during client
569 * at this point and digest cached records. 567 * certificate verification.
570 */ 568 */
571 if (!S3I(s)->handshake_buffer) { 569 tls1_transcript_freeze(s);
572 SSLerror(s, ERR_R_INTERNAL_ERROR);
573 ret = -1;
574 goto end;
575 }
576 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
577 if (!tls1_digest_cached_records(s)) {
578 ret = -1;
579 goto end;
580 }
581 } else { 570 } else {
582 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 571 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
583 s->internal->init_num = 0; 572 s->internal->init_num = 0;
584 573
574 tls1_transcript_free(s);
575
585 /* 576 /*
586 * We need to get hashes here so if there is 577 * We need to get hashes here so if there is
587 * a client cert, it can be verified. 578 * a client cert, it can be verified.
588 */ 579 */
589 if (S3I(s)->handshake_buffer) {
590 if (!tls1_digest_cached_records(s)) {
591 ret = -1;
592 goto end;
593 }
594 }
595 if (!tls1_handshake_hash_value(s, 580 if (!tls1_handshake_hash_value(s,
596 S3I(s)->tmp.cert_verify_md, 581 S3I(s)->tmp.cert_verify_md,
597 sizeof(S3I(s)->tmp.cert_verify_md), 582 sizeof(S3I(s)->tmp.cert_verify_md),
@@ -701,7 +686,7 @@ ssl3_accept(SSL *s)
701 /* clean a few things up */ 686 /* clean a few things up */
702 tls1_cleanup_key_block(s); 687 tls1_cleanup_key_block(s);
703 688
704 if (S3I(s)->handshake_buffer != NULL) { 689 if (S3I(s)->handshake_transcript != NULL) {
705 SSLerror(s, ERR_R_INTERNAL_ERROR); 690 SSLerror(s, ERR_R_INTERNAL_ERROR);
706 ret = -1; 691 ret = -1;
707 goto end; 692 goto end;
@@ -1125,12 +1110,8 @@ ssl3_get_client_hello(SSL *s)
1125 1110
1126 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; 1111 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
1127 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || 1112 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
1128 !(s->verify_mode & SSL_VERIFY_PEER)) { 1113 !(s->verify_mode & SSL_VERIFY_PEER))
1129 if (!tls1_digest_cached_records(s)) { 1114 tls1_transcript_free(s);
1130 al = SSL_AD_INTERNAL_ERROR;
1131 goto f_err;
1132 }
1133 }
1134 1115
1135 /* 1116 /*
1136 * We now have the following setup. 1117 * We now have the following setup.
@@ -2110,10 +2091,10 @@ ssl3_get_cert_verify(SSL *s)
2110 EVP_MD_CTX mctx; 2091 EVP_MD_CTX mctx;
2111 uint8_t hash_id, sig_id; 2092 uint8_t hash_id, sig_id;
2112 int al, ok, sigalg, verify; 2093 int al, ok, sigalg, verify;
2094 const unsigned char *hdata;
2095 size_t hdatalen;
2113 int type = 0; 2096 int type = 0;
2114 int ret = 0; 2097 int ret = 0;
2115 long hdatalen;
2116 void *hdata;
2117 long n; 2098 long n;
2118 2099
2119 EVP_MD_CTX_init(&mctx); 2100 EVP_MD_CTX_init(&mctx);
@@ -2214,8 +2195,7 @@ ssl3_get_cert_verify(SSL *s)
2214 } 2195 }
2215 2196
2216 if (SSL_USE_SIGALGS(s)) { 2197 if (SSL_USE_SIGALGS(s)) {
2217 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); 2198 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2218 if (hdatalen <= 0) {
2219 SSLerror(s, ERR_R_INTERNAL_ERROR); 2199 SSLerror(s, ERR_R_INTERNAL_ERROR);
2220 al = SSL_AD_INTERNAL_ERROR; 2200 al = SSL_AD_INTERNAL_ERROR;
2221 goto f_err; 2201 goto f_err;
@@ -2265,8 +2245,7 @@ ssl3_get_cert_verify(SSL *s)
2265 EVP_PKEY_CTX *pctx; 2245 EVP_PKEY_CTX *pctx;
2266 int nid; 2246 int nid;
2267 2247
2268 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); 2248 if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2269 if (hdatalen <= 0) {
2270 SSLerror(s, ERR_R_INTERNAL_ERROR); 2249 SSLerror(s, ERR_R_INTERNAL_ERROR);
2271 al = SSL_AD_INTERNAL_ERROR; 2250 al = SSL_AD_INTERNAL_ERROR;
2272 goto f_err; 2251 goto f_err;
@@ -2321,11 +2300,7 @@ ssl3_get_cert_verify(SSL *s)
2321 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2300 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2322 } 2301 }
2323 end: 2302 end:
2324 if (S3I(s)->handshake_buffer) { 2303 tls1_transcript_free(s);
2325 BIO_free(S3I(s)->handshake_buffer);
2326 S3I(s)->handshake_buffer = NULL;
2327 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
2328 }
2329 err: 2304 err:
2330 EVP_MD_CTX_cleanup(&mctx); 2305 EVP_MD_CTX_cleanup(&mctx);
2331 EVP_PKEY_free(pkey); 2306 EVP_PKEY_free(pkey);
@@ -2427,11 +2402,8 @@ ssl3_get_client_certificate(SSL *s)
2427 al = SSL_AD_HANDSHAKE_FAILURE; 2402 al = SSL_AD_HANDSHAKE_FAILURE;
2428 goto f_err; 2403 goto f_err;
2429 } 2404 }
2430 /* No client certificate so digest cached records */ 2405 /* No client certificate so free transcript. */
2431 if (S3I(s)->handshake_buffer && !tls1_digest_cached_records(s)) { 2406 tls1_transcript_free(s);
2432 al = SSL_AD_INTERNAL_ERROR;
2433 goto f_err;
2434 }
2435 } else { 2407 } else {
2436 i = ssl_verify_cert_chain(s, sk); 2408 i = ssl_verify_cert_chain(s, sk);
2437 if (i <= 0) { 2409 if (i <= 0) {
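Review bot: The freeze at 569 drops the check the old code made at 571-575 that a transcript actually exists before it is frozen for client certificate verification; tls1_transcript_freeze() is void, so a missing transcript is now only detected later in ssl3_get_cert_verify() when tls1_transcript_data() fails at 2198. Keeping the early check, `if (S3I(s)->handshake_transcript == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); ret = -1; goto end; }` before the freeze, or making tls1_transcript_freeze() return an int, preserves the old fail-fast behaviour. The `end:` label at 2302-2303 no longer clears TLS1_FLAGS_FREEZE_TRANSCRIPT as 2327 did, so the flag stays set until the next tls1_transcript_init(); harmless while the buffer is NULL, but a comment such as `/* Transcript is gone; the freeze flag is reset by tls1_transcript_init(). */` would record the dependency. The comment at 368 still refers to the "Finished MAC" and could say "resets the handshake transcript". ssl3_accept and ssl3_get_cert_verify both start and end outside their hunks.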
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 2a38d8de6a..33158e160e 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.115 2018/10/24 18:04:50 jsing Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.116 2018/11/08 22:28:52 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -157,61 +157,6 @@ tls1_cleanup_key_block(SSL *s)
157 S3I(s)->hs.key_block_len = 0; 157 S3I(s)->hs.key_block_len = 0;
158} 158}
159 159
160int
161tls1_init_finished_mac(SSL *s)
162{
163 BIO_free(S3I(s)->handshake_buffer);
164
165 S3I(s)->handshake_buffer = BIO_new(BIO_s_mem());
166 if (S3I(s)->handshake_buffer == NULL)
167 return (0);
168
169 (void)BIO_set_close(S3I(s)->handshake_buffer, BIO_CLOSE);
170
171 return (1);
172}
173
174int
175tls1_finish_mac(SSL *s, const unsigned char *buf, int len)
176{
177 if (len < 0)
178 return 0;
179
180 if (!tls1_handshake_hash_update(s, buf, len))
181 return 0;
182
183 if (S3I(s)->handshake_buffer &&
184 !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
185 BIO_write(S3I(s)->handshake_buffer, (void *)buf, len);
186 return 1;
187 }
188
189 return 1;
190}
191
192int
193tls1_digest_cached_records(SSL *s)
194{
195 long hdatalen;
196 void *hdata;
197
198 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
199 if (hdatalen <= 0) {
200 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH);
201 goto err;
202 }
203
204 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
205 BIO_free(S3I(s)->handshake_buffer);
206 S3I(s)->handshake_buffer = NULL;
207 }
208
209 return 1;
210
211 err:
212 return 0;
213}
214
215void 160void
216tls1_record_sequence_increment(unsigned char *seq) 161tls1_record_sequence_increment(unsigned char *seq)
217{ 162{
diff --git a/src/lib/libssl/t1_hash.c b/src/lib/libssl/t1_hash.c
index a7e46601e8..f514c5290e 100644
--- a/src/lib/libssl/t1_hash.c
+++ b/src/lib/libssl/t1_hash.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_hash.c,v 1.3 2018/09/05 16:58:59 jsing Exp $ */ 1/* $OpenBSD: t1_hash.c,v 1.4 2018/11/08 22:28:52 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -22,9 +22,9 @@
22int 22int
23tls1_handshake_hash_init(SSL *s) 23tls1_handshake_hash_init(SSL *s)
24{ 24{
25 const unsigned char *data;
25 const EVP_MD *md; 26 const EVP_MD *md;
26 long dlen; 27 size_t len;
27 void *data;
28 28
29 tls1_handshake_hash_free(s); 29 tls1_handshake_hash_free(s);
30 30
@@ -42,12 +42,11 @@ tls1_handshake_hash_init(SSL *s)
42 goto err; 42 goto err;
43 } 43 }
44 44
45 dlen = BIO_get_mem_data(S3I(s)->handshake_buffer, &data); 45 if (!tls1_transcript_data(s, &data, &len)) {
46 if (dlen <= 0) {
47 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH); 46 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH);
48 goto err; 47 goto err;
49 } 48 }
50 if (!tls1_handshake_hash_update(s, data, dlen)) { 49 if (!tls1_handshake_hash_update(s, data, len)) {
51 SSLerror(s, ERR_R_EVP_LIB); 50 SSLerror(s, ERR_R_EVP_LIB);
52 goto err; 51 goto err;
53 } 52 }
@@ -109,3 +108,79 @@ tls1_handshake_hash_free(SSL *s)
109 EVP_MD_CTX_free(S3I(s)->handshake_hash); 108 EVP_MD_CTX_free(S3I(s)->handshake_hash);
110 S3I(s)->handshake_hash = NULL; 109 S3I(s)->handshake_hash = NULL;
111} 110}
111
112int
113tls1_transcript_init(SSL *s)
114{
115 if (S3I(s)->handshake_transcript != NULL)
116 return 0;
117
118 if ((S3I(s)->handshake_transcript = BUF_MEM_new()) == NULL)
119 return 0;
120
121 s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
122
123 return 1;
124}
125
126void
127tls1_transcript_free(SSL *s)
128{
129 BUF_MEM_free(S3I(s)->handshake_transcript);
130 S3I(s)->handshake_transcript = NULL;
131}
132
133int
134tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
135{
136 size_t olen, nlen;
137
138 if (S3I(s)->handshake_transcript == NULL)
139 return 1;
140
141 if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT)
142 return 1;
143
144 olen = S3I(s)->handshake_transcript->length;
145 nlen = olen + len;
146
147 if (nlen < olen)
148 return 0;
149
150 if (BUF_MEM_grow(S3I(s)->handshake_transcript, nlen) == 0)
151 return 0;
152
153 memcpy(S3I(s)->handshake_transcript->data + olen, buf, len);
154
155 return 1;
156}
157
158int
159tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len)
160{
161 if (S3I(s)->handshake_transcript == NULL)
162 return 0;
163
164 *data = S3I(s)->handshake_transcript->data;
165 *len = S3I(s)->handshake_transcript->length;
166
167 return 1;
168}
169
170void
171tls1_transcript_freeze(SSL *s)
172{
173 s->s3->flags |= TLS1_FLAGS_FREEZE_TRANSCRIPT;
174}
175
176int
177tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len)
178{
179 if (!tls1_handshake_hash_update(s, buf, len))
180 return 0;
181
182 if (!tls1_transcript_append(s, buf, len))
183 return 0;
184
185 return 1;
186}