Fix DTLS transcript handling for HelloVerifyRequest.

If DTLS sees a HelloVerifyRequest the transcript is reset - the previous tls1_init_finished_mac() function could be called multiple times and would discard any existing state. The replacement tls1_transcript_init() is more strict and fails if a transcript already exists. Provide an explicit tls1_transcript_reset() function and call it from the appropriate places. This also lets us make DTLS less of a special snowflake and call tls1_transcript_init() in the same place as used for TLS. ok beck@ tb@
author: jsing <> 2018-11-21 15:13:29 +0000
committer: jsing <> 2018-11-21 15:13:29 +0000
commit: ab91451e6ebf1260022c78c25a334e437c04d78e (patch)
tree: 7992535c747d2aff7dd9a131f8fc65ad2af3636d
parent: 1b50b4396296c64d8937c2ec1c7ed2eb5547cf91 (diff)
download: openbsd-ab91451e6ebf1260022c78c25a334e437c04d78e.tar.gz
openbsd-ab91451e6ebf1260022c78c25a334e437c04d78e.tar.bz2
openbsd-ab91451e6ebf1260022c78c25a334e437c04d78e.zip
4 files changed, 26 insertions, 18 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 35df70f2f0..65277ef4ef 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.49 2018/11/19 15:07:29 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.50 2018/11/21 15:13:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -244,11 +244,9 @@ ssl3_connect(SSL *s)
                        /* don't push the buffering BIO quite yet */
-                        if (!SSL_IS_DTLS(s)) {
+                        if (!tls1_transcript_init(s)) {
-                                if (!tls1_transcript_init(s)) {
+                                ret = -1;
-                                        ret = -1;
+                                goto end;
-                                        goto end;
-                                }
                        }
                        S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
@@ -270,10 +268,7 @@ ssl3_connect(SSL *s)
                        if (SSL_IS_DTLS(s)) {
                                /* every DTLS ClientHello resets Finished MAC */
-                                if (!tls1_transcript_init(s)) {
+                                tls1_transcript_reset(s);
-                                        ret = -1;
-                                        goto end;
-                                }
                                dtls1_start_timer(s);
                        }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 50806d1b18..94bb76eca3 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.224 2018/11/10 01:19:09 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.225 2018/11/21 15:13:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1242,6 +1242,7 @@ void tls1_handshake_hash_free(SSL *s);
 int tls1_transcript_init(SSL *s);
 void tls1_transcript_free(SSL *s);
+void tls1_transcript_reset(SSL *s);
 int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len);
 int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len);
 void tls1_transcript_freeze(SSL *s);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 27024be856..0667ac8da3 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.60 2018/11/11 21:54:47 beck Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.61 2018/11/21 15:13:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -368,10 +368,7 @@ ssl3_accept(SSL *s)
                        S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
                        /* HelloVerifyRequest resets Finished MAC. */
-                        if (!tls1_transcript_init(s)) {
+                        tls1_transcript_reset(s);
-                                ret = -1;
-                                goto end;
-                        }
                        break;
                case SSL3_ST_SW_SRVR_HELLO_A:
diff --git a/src/lib/libssl/t1_hash.c b/src/lib/libssl/t1_hash.c
index f514c5290e..50e0ad3ca0 100644
--- a/src/lib/libssl/t1_hash.c
+++ b/src/lib/libssl/t1_hash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_hash.c,v 1.4 2018/11/08 22:28:52 jsing Exp $ */
+/* $OpenBSD: t1_hash.c,v 1.5 2018/11/21 15:13:29 jsing Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -118,7 +118,7 @@ tls1_transcript_init(SSL *s)
        if ((S3I(s)->handshake_transcript = BUF_MEM_new()) == NULL)
                return 0;
-        s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
+        tls1_transcript_reset(s);
        return 1;
 }
@@ -130,6 +130,21 @@ tls1_transcript_free(SSL *s)
        S3I(s)->handshake_transcript = NULL;
 }
+void
+tls1_transcript_reset(SSL *s)
+{
+        /*
+         * We should check the return value of BUF_MEM_grow_clean(), however
+         * due to yet another bad API design, when called with a length of zero
+         * it is impossible to tell if it succeeded (returning a length of zero)
+         * or if it failed (and returned zero)... our implementation never
+         * fails with a length of zero, so we trust all is okay...
+         */ 
+        (void)BUF_MEM_grow_clean(S3I(s)->handshake_transcript, 0);
+        s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
+}
 int
 tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
 {
author	jsing <>	2018-11-21 15:13:29 +0000
committer	jsing <>	2018-11-21 15:13:29 +0000
commit	ab91451e6ebf1260022c78c25a334e437c04d78e (patch)
tree	7992535c747d2aff7dd9a131f8fc65ad2af3636d
parent	1b50b4396296c64d8937c2ec1c7ed2eb5547cf91 (diff)
download	openbsd-ab91451e6ebf1260022c78c25a334e437c04d78e.tar.gz openbsd-ab91451e6ebf1260022c78c25a334e437c04d78e.tar.bz2 openbsd-ab91451e6ebf1260022c78c25a334e437c04d78e.zip