Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and

EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
author: jsing <> 2014-06-13 12:49:10 +0000
committer: jsing <> 2014-06-13 12:49:10 +0000
commit: 7f237053a2bc342110d66f7208fbda6b6aca9695 (patch)
tree: ec3dfb6acbd3752246650a24b6f86f0fb56f09a0
parent: 85307e4b097e3e481923a2153687f1f420145ec8 (diff)
download: openbsd-7f237053a2bc342110d66f7208fbda6b6aca9695.tar.gz
openbsd-7f237053a2bc342110d66f7208fbda6b6aca9695.tar.bz2
openbsd-7f237053a2bc342110d66f7208fbda6b6aca9695.zip
2 files changed, 22 insertions, 28 deletions
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 0ddb2d09b2..d6324fa831 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.56 2014/06/13 11:52:03 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.57 2014/06/13 12:49:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -382,7 +382,6 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
        const EVP_CIPHER *cipher;
        EVP_MD_CTX *mac_ctx;
        const EVP_MD *mac;
-        EVP_PKEY *mac_key;
        int mac_type;
        int is_export;
@@ -435,15 +434,6 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
                s->write_hash = mac_ctx;
        }
-        if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-                mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
-                    mac_secret, mac_secret_size);
-                if (mac_key == NULL)
-                        goto err;
-                EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
-                EVP_PKEY_free(mac_key);
-        }
        if (is_export) {
                /*
                 * Both the read and write key/iv are set to the same value
@@ -488,11 +478,18 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
        } else
                EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
-        /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
+        if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-        if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) &&
+                EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
-            mac_secret_size)
+                    mac_secret, mac_secret_size);
+                if (mac_key == NULL)
+                        goto err;
+                EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
+                EVP_PKEY_free(mac_key);
+        } else if (mac_secret_size > 0) {
+                /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
                EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
                    mac_secret_size, (unsigned char *)mac_secret);
+        }
        if (is_export) {
                OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1));
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 0ddb2d09b2..d6324fa831 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.56 2014/06/13 11:52:03 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.57 2014/06/13 12:49:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -382,7 +382,6 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
        const EVP_CIPHER *cipher;
        EVP_MD_CTX *mac_ctx;
        const EVP_MD *mac;
-        EVP_PKEY *mac_key;
        int mac_type;
        int is_export;
@@ -435,15 +434,6 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
                s->write_hash = mac_ctx;
        }
-        if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-                mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
-                    mac_secret, mac_secret_size);
-                if (mac_key == NULL)
-                        goto err;
-                EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
-                EVP_PKEY_free(mac_key);
-        }
        if (is_export) {
                /*
                 * Both the read and write key/iv are set to the same value
@@ -488,11 +478,18 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
        } else
                EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
-        /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
+        if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-        if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) &&
+                EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
-            mac_secret_size)
+                    mac_secret, mac_secret_size);
+                if (mac_key == NULL)
+                        goto err;
+                EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
+                EVP_PKEY_free(mac_key);
+        } else if (mac_secret_size > 0) {
+                /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
                EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
                    mac_secret_size, (unsigned char *)mac_secret);
+        }
        if (is_export) {
                OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1));
author	jsing <>	2014-06-13 12:49:10 +0000
committer	jsing <>	2014-06-13 12:49:10 +0000
commit	7f237053a2bc342110d66f7208fbda6b6aca9695 (patch)
tree	ec3dfb6acbd3752246650a24b6f86f0fb56f09a0
parent	85307e4b097e3e481923a2153687f1f420145ec8 (diff)
download	openbsd-7f237053a2bc342110d66f7208fbda6b6aca9695.tar.gz openbsd-7f237053a2bc342110d66f7208fbda6b6aca9695.tar.bz2 openbsd-7f237053a2bc342110d66f7208fbda6b6aca9695.zip