move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and

other perversions touches them sickly and unnaturally.

8 files changed, 57 insertions, 52 deletions

diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c
index 0e49fb6df2..20686d2963 100644
--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.13 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.14 2017/01/23 08:08:06 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -162,16 +162,16 @@ dtls1_enc(SSL *s, int send)
                         }
                 }
         } else {
-                if (EVP_MD_CTX_md(s->internal->read_hash)) {
-                        mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+                if (EVP_MD_CTX_md(s->read_hash)) {
+                        mac_size = EVP_MD_CTX_size(s->read_hash);
                         OPENSSL_assert(mac_size >= 0);
                 }
-                ds = s->internal->enc_read_ctx;
+                ds = s->enc_read_ctx;
                 rec = &(S3I(s)->rrec);
-                if (s->internal->enc_read_ctx == NULL)
+                if (s->enc_read_ctx == NULL)
                         enc = NULL;
                 else
-                        enc = EVP_CIPHER_CTX_cipher(s->internal->enc_read_ctx);
+                        enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
         }
 
 
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 34e6d58c00..2768d7ed9c 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.54 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.55 2017/01/23 08:08:06 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -375,12 +375,12 @@ dtls1_process_record(SSL *s)
 
 
         /* r->length is now the compressed data plus mac */
-        if ((sess != NULL) && (s->internal->enc_read_ctx != NULL) &&
-            (EVP_MD_CTX_md(s->internal->read_hash) != NULL)) {
-                /* s->internal->read_hash != NULL => mac_size != -1 */
+        if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
+            (EVP_MD_CTX_md(s->read_hash) != NULL)) {
+                /* s->read_hash != NULL => mac_size != -1 */
                 unsigned char *mac = NULL;
                 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-                mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+                mac_size = EVP_MD_CTX_size(s->read_hash);
                 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
                 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
@@ -393,14 +393,14 @@ dtls1_process_record(SSL *s)
                  */
                 if (orig_len < mac_size ||
                         /* CBC records must have a padding length byte too. */
-                    (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                     orig_len < mac_size + 1)) {
                         al = SSL_AD_DECODE_ERROR;
                         SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
                         goto f_err;
                 }
 
-                if (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
+                if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
                         /* We update the length so that the TLS header bytes
                          * can be constructed correctly but we need to extract
                          * the MAC in constant time from within the record,
@@ -759,7 +759,7 @@ start:
                 /* make sure that we are not getting application data when we
                  * are doing a handshake for the first time */
                 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-                        (s->internal->enc_read_ctx == NULL)) {
+                        (s->enc_read_ctx == NULL)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
                         SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);
                         goto f_err;
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 10b6ddde0f..8c910c5f86 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.15 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.16 2017/01/23 08:08:06 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -135,7 +135,7 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
 
         padding_length = rec->data[rec->length - 1];
 
-        if (EVP_CIPHER_flags(s->internal->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+        if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
                 /* padding is already verified */
                 rec->length -= padding_length + 1;
                 return 1;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 458a355692..3fb5168d16 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.64 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.65 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -395,13 +395,13 @@ again:
 
 
         /* r->length is now the compressed data plus mac */
-        if ((sess != NULL) && (s->internal->enc_read_ctx != NULL) &&
-            (EVP_MD_CTX_md(s->internal->read_hash) != NULL)) {
-                /* s->internal->read_hash != NULL => mac_size != -1 */
+        if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
+            (EVP_MD_CTX_md(s->read_hash) != NULL)) {
+                /* s->read_hash != NULL => mac_size != -1 */
                 unsigned char *mac = NULL;
                 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
 
-                mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+                mac_size = EVP_MD_CTX_size(s->read_hash);
                 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
                 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
@@ -414,14 +414,14 @@ again:
                  */
                 if (orig_len < mac_size ||
                         /* CBC records must have a padding length byte too. */
-                    (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                     orig_len < mac_size + 1)) {
                         al = SSL_AD_DECODE_ERROR;
                         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
                         goto f_err;
                 }
 
-                if (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
+                if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
                         /* We update the length so that the TLS header bytes
                          * can be constructed correctly but we need to extract
                          * the MAC in constant time from within the record,
@@ -960,7 +960,7 @@ start:
                 /* make sure that we are not getting application data when we
                  * are doing a handshake for the first time */
                 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-                        (s->internal->enc_read_ctx == NULL)) {
+                        (s->enc_read_ctx == NULL)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
                         SSLerr(SSL_F_SSL3_READ_BYTES,
                             SSL_R_APP_DATA_IN_HANDSHAKE);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 4069fcd024..678246b23e 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.114 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: ssl.h,v 1.115 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -894,6 +894,14 @@ struct ssl_st {
         SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
 #define session_ctx initial_ctx
 
+        /*
+         * XXX really should be internal, but is
+         * touched unnaturally by wpa-supplicant
+         * and freeradius and other perversions
+         */
+        EVP_CIPHER_CTX *enc_read_ctx;           /* cryptographic state */
+        EVP_MD_CTX *read_hash;                  /* used for mac generation */
+
         struct ssl_internal_st *internal;
 };
 
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index c29d6225df..5839bd8048 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.135 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.136 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -221,7 +221,7 @@ SSL_clear(SSL *s)
         s->internal->init_buf = NULL;
 
         ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->internal->read_hash);
+        ssl_clear_hash_ctx(&s->read_hash);
         ssl_clear_hash_ctx(&s->internal->write_hash);
 
         s->internal->first_packet = 0;
@@ -528,7 +528,7 @@ SSL_free(SSL *s)
         }
 
         ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->internal->read_hash);
+        ssl_clear_hash_ctx(&s->read_hash);
         ssl_clear_hash_ctx(&s->internal->write_hash);
 
         if (s->cert != NULL)
@@ -2434,7 +2434,7 @@ SSL_set_accept_state(SSL *s)
         s->internal->handshake_func = s->method->ssl_accept;
         /* clear the current cipher */
         ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->internal->read_hash);
+        ssl_clear_hash_ctx(&s->read_hash);
         ssl_clear_hash_ctx(&s->internal->write_hash);
 }
 
@@ -2447,7 +2447,7 @@ SSL_set_connect_state(SSL *s)
         s->internal->handshake_func = s->method->ssl_connect;
         /* clear the current cipher */
         ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->internal->read_hash);
+        ssl_clear_hash_ctx(&s->read_hash);
         ssl_clear_hash_ctx(&s->internal->write_hash);
 }
 
@@ -2732,8 +2732,8 @@ err:
 void
 ssl_clear_cipher_ctx(SSL *s)
 {
-        EVP_CIPHER_CTX_free(s->internal->enc_read_ctx);
-        s->internal->enc_read_ctx = NULL;
+        EVP_CIPHER_CTX_free(s->enc_read_ctx);
+        s->enc_read_ctx = NULL;
         EVP_CIPHER_CTX_free(s->internal->enc_write_ctx);
         s->internal->enc_write_ctx = NULL;
 
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d8818e1850..6da2ce3fab 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.158 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.159 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -670,9 +670,6 @@ typedef struct ssl_internal_st {
                                            enc_read_ctx and read_hash are
                                            ignored. */
 
-        EVP_CIPHER_CTX *enc_read_ctx;           /* cryptographic state */
-        EVP_MD_CTX *read_hash;                  /* used for mac generation */
-
         SSL_AEAD_CTX *aead_write_ctx;   /* AEAD context. If non-NULL, then
                                            enc_write_ctx and write_hash are
                                            ignored. */
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 4b337a4706..2100faac22 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.90 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.91 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -536,17 +536,17 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
                 else
                         s->internal->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
 
-                EVP_CIPHER_CTX_free(s->internal->enc_read_ctx);
-                s->internal->enc_read_ctx = NULL;
-                EVP_MD_CTX_destroy(s->internal->read_hash);
-                s->internal->read_hash = NULL;
+                EVP_CIPHER_CTX_free(s->enc_read_ctx);
+                s->enc_read_ctx = NULL;
+                EVP_MD_CTX_destroy(s->read_hash);
+                s->read_hash = NULL;
 
                 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
                         goto err;
-                s->internal->enc_read_ctx = cipher_ctx;
+                s->enc_read_ctx = cipher_ctx;
                 if ((mac_ctx = EVP_MD_CTX_create()) == NULL)
                         goto err;
-                s->internal->read_hash = mac_ctx;
+                s->read_hash = mac_ctx;
         } else {
                 if (S3I(s)->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
                         s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -1016,15 +1016,15 @@ tls1_enc(SSL *s, int send)
                         }
                 }
         } else {
-                if (EVP_MD_CTX_md(s->internal->read_hash)) {
-                        int n = EVP_MD_CTX_size(s->internal->read_hash);
+                if (EVP_MD_CTX_md(s->read_hash)) {
+                        int n = EVP_MD_CTX_size(s->read_hash);
                         OPENSSL_assert(n >= 0);
                 }
-                ds = s->internal->enc_read_ctx;
-                if (s->internal->enc_read_ctx == NULL)
+                ds = s->enc_read_ctx;
+                if (s->enc_read_ctx == NULL)
                         enc = NULL;
                 else
-                        enc = EVP_CIPHER_CTX_cipher(s->internal->enc_read_ctx);
+                        enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
         }
 
         if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
@@ -1085,8 +1085,8 @@ tls1_enc(SSL *s, int send)
                 }
 
                 ret = 1;
-                if (EVP_MD_CTX_md(s->internal->read_hash) != NULL)
-                        mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+                if (EVP_MD_CTX_md(s->read_hash) != NULL)
+                        mac_size = EVP_MD_CTX_size(s->read_hash);
                 if ((bs != 1) && !send)
                         ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
                 if (pad && !send)
@@ -1199,7 +1199,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
         } else {
                 rec = &(ssl->s3->internal->rrec);
                 seq = &(ssl->s3->internal->read_sequence[0]);
-                hash = ssl->internal->read_hash;
+                hash = ssl->read_hash;
         }
 
         t = EVP_MD_CTX_size(hash);
@@ -1232,7 +1232,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
         header[12] = (rec->length) & 0xff;
 
         if (!send &&
-            EVP_CIPHER_CTX_mode(ssl->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+            EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
             ssl3_cbc_record_digest_supported(mac_ctx)) {
                 /* This is a CBC-encrypted record. We must avoid leaking any
                  * timing-side channel information about how many blocks of