Clean up/simplify more of the dtls1/ssl3 record writing code:

- Make the DTLS code much more consistent with the ssl3 code. - Avoid assigning wr->input and wr->length just so they can be used as arguments to memcpy(). - Remove the arc4random_buf() call for the explicit IV, since tls1_enc() already does this for us. ok tb@
author: jsing <> 2020-08-01 16:50:16 +0000
committer: jsing <> 2020-08-01 16:50:16 +0000
commit: 6e5d9da264e1017a10d374a9ba566f293528170e (patch)
tree: f0851cecf2a74b26e51aabe70b3187043bacef1a /src/lib/libssl/d1_pkt.c
parent: f687d8a359d0a472b6c9fc20fc47af1750e0c808 (diff)
download: openbsd-6e5d9da264e1017a10d374a9ba566f293528170e.tar.gz
openbsd-6e5d9da264e1017a10d374a9ba566f293528170e.tar.bz2
openbsd-6e5d9da264e1017a10d374a9ba566f293528170e.zip
1 files changed, 25 insertions, 48 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index d6b1506119..f888592223 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.74 2020/07/30 16:53:01 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.75 2020/08/01 16:50:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1174,12 +1174,12 @@ dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
 int
 do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 {
+        SSL3_RECORD_INTERNAL *wr = &(S3I(s)->wrec);
+        SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf);
+        SSL_SESSION *sess = s->session;
+        int eivlen = 0, mac_size = 0;
        unsigned char *p;
-        SSL3_RECORD_INTERNAL *wr;
+        int ret;
-        SSL3_BUFFER_INTERNAL *wb;
-        SSL_SESSION *sess;
-        int mac_size = 0;
-        int bs, ret;
        CBB cbb;
        memset(&cbb, 0, sizeof(cbb));
@@ -1188,7 +1188,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
         * First check if there is a SSL3_BUFFER_INTERNAL still being written
         * out.  This will happen with non blocking IO.
         */
-        if (S3I(s)->wbuf.left != 0) {
+        if (wb->left != 0) {
                OPENSSL_assert(0); /* XDTLS:  want to see if we ever get here */
                return (ssl3_write_pending(s, type, buf, len));
        }
@@ -1203,10 +1203,6 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        if (len == 0)
                return 0;
-        wr = &(S3I(s)->wrec);
-        wb = &(S3I(s)->wbuf);
-        sess = s->session;
        if (sess != NULL && s->internal->enc_write_ctx != NULL &&
            EVP_MD_CTX_md(s->internal->write_hash) != NULL) {
                if ((mac_size = EVP_MD_CTX_size(s->internal->write_hash)) < 0)
@@ -1216,6 +1212,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        /* DTLS implements explicit IV, so no need for empty fragments. */
        p = wb->buf;
+        wb->offset = 0;
        if (!CBB_init_fixed(&cbb, p, DTLS1_RT_HEADER_LENGTH))
                goto err;
@@ -1232,50 +1229,30 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        p += DTLS1_RT_HEADER_LENGTH;
-        /* lets setup the record stuff. */
+        /*
+         * Make space for the explicit IV in case of CBC.
-        /* Make space for the explicit IV in case of CBC.
         * (this is a bit of a boundary violation, but what the heck).
         */
        if (s->internal->enc_write_ctx &&
            (EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))
-                bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher);
+                eivlen = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher);
-        else
-                bs = 0;
        wr->type = type;
-        wr->data = p + bs;
+        wr->data = p + eivlen;
-        /* make room for IV in case of CBC */
        wr->length = (int)len;
-        wr->input = (unsigned char *)buf;
-        /* we now 'read' from wr->input, wr->length bytes into
-         * wr->data */
-        memcpy(wr->data, wr->input, wr->length);
        wr->input = wr->data;
-        /* we should still have the output to wr->data and the input
+        memcpy(wr->data, buf, len);
-         * from wr->input.  Length should be wr->length.
-         * wr->data still points in the wb->buf */
        if (mac_size != 0) {
-                if (tls1_mac(s, &(p[wr->length + bs]), 1) < 0)
+                if (tls1_mac(s, &(p[wr->length + eivlen]), 1) < 0)
                        goto err;
                wr->length += mac_size;
        }
-        /* this is true regardless of mac size */
-        wr->input = p;
        wr->data = p;
+        wr->input = p;
-        /* bs != 0 in case of CBC */
+        wr->length += eivlen;
-        if (bs) {
-                arc4random_buf(p, bs);
-                /* master IV and last CBC residue stand for
-                 * the rest of randomness */
-                wr->length += bs;
-        }
        /* tls1_enc can only have an error on read */
        tls1_enc(s, 1);
@@ -1285,25 +1262,27 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        if (!CBB_finish(&cbb, NULL, NULL))
                goto err;
-        /* we should now have
+        /*
-         * wr->data pointing to the encrypted data, which is
+         * We should now have wr->data pointing to the encrypted data,
-         * wr->length long */
+         * which is wr->length long.
+         */
        wr->type = type; /* not needed but helps for debugging */
        wr->length += DTLS1_RT_HEADER_LENGTH;
        tls1_record_sequence_increment(S3I(s)->write_sequence);
-        /* now let's set up wb */
        wb->left = wr->length;
-        wb->offset = 0;
-        /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
+        /*
+         * Memorize arguments so that ssl3_write_pending can detect
+         * bad write retries later.
+         */
        S3I(s)->wpend_tot = len;
        S3I(s)->wpend_buf = buf;
        S3I(s)->wpend_type = type;
        S3I(s)->wpend_ret = len;
-        /* we now just need to write the buffer */
+        /* We now just need to write the buffer. */
        return ssl3_write_pending(s, type, buf, len);
 err:
@@ -1312,8 +1291,6 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        return -1;
 }
 static int
 dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
 {
author	jsing <>	2020-08-01 16:50:16 +0000
committer	jsing <>	2020-08-01 16:50:16 +0000
commit	6e5d9da264e1017a10d374a9ba566f293528170e (patch)
tree	f0851cecf2a74b26e51aabe70b3187043bacef1a /src/lib/libssl/d1_pkt.c
parent	f687d8a359d0a472b6c9fc20fc47af1750e0c808 (diff)
download	openbsd-6e5d9da264e1017a10d374a9ba566f293528170e.tar.gz openbsd-6e5d9da264e1017a10d374a9ba566f293528170e.tar.bz2 openbsd-6e5d9da264e1017a10d374a9ba566f293528170e.zip

diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index d6b1506119..f888592223 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_pkt.c,v 1.74 2020/07/30 16:53:01 jsing Exp $ */	1	/* $OpenBSD: d1_pkt.c,v 1.75 2020/08/01 16:50:16 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1174,12 +1174,12 @@ dtls1_write_bytes(SSL s, int type, const void buf, int len)
1174	int	1174	int
1175	do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)	1175	do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1176	{	1176	{
		1177	SSL3_RECORD_INTERNAL *wr = &(S3I(s)->wrec);
		1178	SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf);
		1179	SSL_SESSION *sess = s->session;
		1180	int eivlen = 0, mac_size = 0;
1177	unsigned char *p;	1181	unsigned char *p;
1178	SSL3_RECORD_INTERNAL *wr;	1182	int ret;
1179	SSL3_BUFFER_INTERNAL *wb;
1180	SSL_SESSION *sess;
1181	int mac_size = 0;
1182	int bs, ret;
1183	CBB cbb;	1183	CBB cbb;
1184		1184
1185	memset(&cbb, 0, sizeof(cbb));	1185	memset(&cbb, 0, sizeof(cbb));
@@ -1188,7 +1188,7 @@ do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1188	* First check if there is a SSL3_BUFFER_INTERNAL still being written	1188	* First check if there is a SSL3_BUFFER_INTERNAL still being written
1189	* out. This will happen with non blocking IO.	1189	* out. This will happen with non blocking IO.
1190	*/	1190	*/
1191	if (S3I(s)->wbuf.left != 0) {	1191	if (wb->left != 0) {
1192	OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */	1192	OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */
1193	return (ssl3_write_pending(s, type, buf, len));	1193	return (ssl3_write_pending(s, type, buf, len));
1194	}	1194	}
@@ -1203,10 +1203,6 @@ do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1203	if (len == 0)	1203	if (len == 0)
1204	return 0;	1204	return 0;
1205		1205
1206	wr = &(S3I(s)->wrec);
1207	wb = &(S3I(s)->wbuf);
1208	sess = s->session;
1209
1210	if (sess != NULL && s->internal->enc_write_ctx != NULL &&	1206	if (sess != NULL && s->internal->enc_write_ctx != NULL &&
1211	EVP_MD_CTX_md(s->internal->write_hash) != NULL) {	1207	EVP_MD_CTX_md(s->internal->write_hash) != NULL) {
1212	if ((mac_size = EVP_MD_CTX_size(s->internal->write_hash)) < 0)	1208	if ((mac_size = EVP_MD_CTX_size(s->internal->write_hash)) < 0)
@@ -1216,6 +1212,7 @@ do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1216	/* DTLS implements explicit IV, so no need for empty fragments. */	1212	/* DTLS implements explicit IV, so no need for empty fragments. */
1217		1213
1218	p = wb->buf;	1214	p = wb->buf;
		1215	wb->offset = 0;
1219		1216
1220	if (!CBB_init_fixed(&cbb, p, DTLS1_RT_HEADER_LENGTH))	1217	if (!CBB_init_fixed(&cbb, p, DTLS1_RT_HEADER_LENGTH))
1221	goto err;	1218	goto err;
@@ -1232,50 +1229,30 @@ do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1232		1229
1233	p += DTLS1_RT_HEADER_LENGTH;	1230	p += DTLS1_RT_HEADER_LENGTH;
1234		1231
1235	/* lets setup the record stuff. */	1232	/*
1236		1233	* Make space for the explicit IV in case of CBC.
1237	/* Make space for the explicit IV in case of CBC.
1238	* (this is a bit of a boundary violation, but what the heck).	1234	* (this is a bit of a boundary violation, but what the heck).
1239	*/	1235	*/
1240	if (s->internal->enc_write_ctx &&	1236	if (s->internal->enc_write_ctx &&
1241	(EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))	1237	(EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))
1242	bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher);	1238	eivlen = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher);
1243	else
1244	bs = 0;
1245		1239
1246	wr->type = type;	1240	wr->type = type;
1247	wr->data = p + bs;	1241	wr->data = p + eivlen;
1248	/* make room for IV in case of CBC */
1249	wr->length = (int)len;	1242	wr->length = (int)len;
1250	wr->input = (unsigned char *)buf;
1251
1252	/* we now 'read' from wr->input, wr->length bytes into
1253	* wr->data */
1254
1255	memcpy(wr->data, wr->input, wr->length);
1256	wr->input = wr->data;	1243	wr->input = wr->data;
1257		1244
1258	/* we should still have the output to wr->data and the input	1245	memcpy(wr->data, buf, len);
1259	* from wr->input. Length should be wr->length.
1260	* wr->data still points in the wb->buf */
1261		1246
1262	if (mac_size != 0) {	1247	if (mac_size != 0) {
1263	if (tls1_mac(s, &(p[wr->length + bs]), 1) < 0)	1248	if (tls1_mac(s, &(p[wr->length + eivlen]), 1) < 0)
1264	goto err;	1249	goto err;
1265	wr->length += mac_size;	1250	wr->length += mac_size;
1266	}	1251	}
1267		1252
1268	/* this is true regardless of mac size */
1269	wr->input = p;
1270	wr->data = p;	1253	wr->data = p;
1271		1254	wr->input = p;
1272	/* bs != 0 in case of CBC */	1255	wr->length += eivlen;
1273	if (bs) {
1274	arc4random_buf(p, bs);
1275	/* master IV and last CBC residue stand for
1276	* the rest of randomness */
1277	wr->length += bs;
1278	}
1279		1256
1280	/* tls1_enc can only have an error on read */	1257	/* tls1_enc can only have an error on read */
1281	tls1_enc(s, 1);	1258	tls1_enc(s, 1);
@@ -1285,25 +1262,27 @@ do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1285	if (!CBB_finish(&cbb, NULL, NULL))	1262	if (!CBB_finish(&cbb, NULL, NULL))
1286	goto err;	1263	goto err;
1287		1264
1288	/* we should now have	1265	/*
1289	* wr->data pointing to the encrypted data, which is	1266	* We should now have wr->data pointing to the encrypted data,
1290	* wr->length long */	1267	* which is wr->length long.
		1268	*/
1291	wr->type = type; /* not needed but helps for debugging */	1269	wr->type = type; /* not needed but helps for debugging */
1292	wr->length += DTLS1_RT_HEADER_LENGTH;	1270	wr->length += DTLS1_RT_HEADER_LENGTH;
1293		1271
1294	tls1_record_sequence_increment(S3I(s)->write_sequence);	1272	tls1_record_sequence_increment(S3I(s)->write_sequence);
1295		1273
1296	/* now let's set up wb */
1297	wb->left = wr->length;	1274	wb->left = wr->length;
1298	wb->offset = 0;
1299		1275
1300	/* memorize arguments so that ssl3_write_pending can detect bad write retries later */	1276	/*
		1277	* Memorize arguments so that ssl3_write_pending can detect
		1278	* bad write retries later.
		1279	*/
1301	S3I(s)->wpend_tot = len;	1280	S3I(s)->wpend_tot = len;
1302	S3I(s)->wpend_buf = buf;	1281	S3I(s)->wpend_buf = buf;
1303	S3I(s)->wpend_type = type;	1282	S3I(s)->wpend_type = type;
1304	S3I(s)->wpend_ret = len;	1283	S3I(s)->wpend_ret = len;
1305		1284
1306	/* we now just need to write the buffer */	1285	/* We now just need to write the buffer. */
1307	return ssl3_write_pending(s, type, buf, len);	1286	return ssl3_write_pending(s, type, buf, len);
1308		1287
1309	err:	1288	err:
@@ -1312,8 +1291,6 @@ do_dtls1_write(SSL s, int type, const unsigned char buf, unsigned int len)
1312	return -1;	1291	return -1;
1313	}	1292	}
1314		1293
1315
1316
1317	static int	1294	static int
1318	dtls1_record_replay_check(SSL s, DTLS1_BITMAP bitmap)	1295	dtls1_record_replay_check(SSL s, DTLS1_BITMAP bitmap)
1319	{	1296	{