Stop deriving peer finished twice for TLSv1.2.

We already derive the peer finished in ssl3_do_change_cipher_spec(), which DTLS relies on. In the case of TLS we've been doing it twice - once in ssl3_get_message() and once in ssl3_do_change_cipher_spec(). ok tb@
author: jsing <> 2021-05-02 15:55:29 +0000
committer: jsing <> 2021-05-02 15:55:29 +0000
commit: 11742e8bc2d14b2bb2eb9e732820f0b626fe8d57 (patch)
tree: 99ecf9c81164fe2fcf1321f32b88bc60bd233533 /src/lib/libssl/ssl_both.c
parent: 63fb3940fa3e6cc8c92f3ed37d159fa4034bc320 (diff)
download: openbsd-11742e8bc2d14b2bb2eb9e732820f0b626fe8d57.tar.gz
openbsd-11742e8bc2d14b2bb2eb9e732820f0b626fe8d57.tar.bz2
openbsd-11742e8bc2d14b2bb2eb9e732820f0b626fe8d57.zip
1 files changed, 1 insertions, 12 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index fe04f809b0..c133449a6d 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.29 2021/04/25 13:15:22 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.30 2021/05/02 15:55:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -511,17 +511,6 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                n -= i;
        }
-        /*
-         * If receiving Finished, record MAC of prior handshake messages for
-         * Finished verification.
-         */
-        if (*s->internal->init_buf->data == SSL3_MT_FINISHED) {
-                if (S3I(s)->hs.cipher != NULL) {
-                        if (!tls12_derive_peer_finished(s))
-                                goto err;
-                }
-        }
        /* Feed this message into MAC computation. */
        if (s->internal->mac_packet) {
                tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data,
author	jsing <>	2021-05-02 15:55:29 +0000
committer	jsing <>	2021-05-02 15:55:29 +0000
commit	11742e8bc2d14b2bb2eb9e732820f0b626fe8d57 (patch)
tree	99ecf9c81164fe2fcf1321f32b88bc60bd233533 /src/lib/libssl/ssl_both.c
parent	63fb3940fa3e6cc8c92f3ed37d159fa4034bc320 (diff)
download	openbsd-11742e8bc2d14b2bb2eb9e732820f0b626fe8d57.tar.gz openbsd-11742e8bc2d14b2bb2eb9e732820f0b626fe8d57.tar.bz2 openbsd-11742e8bc2d14b2bb2eb9e732820f0b626fe8d57.zip

diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c index fe04f809b0..c133449a6d 100644 --- a/src/lib/libssl/ssl_both.c +++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_both.c,v 1.29 2021/04/25 13:15:22 jsing Exp $ */	1	/* $OpenBSD: ssl_both.c,v 1.30 2021/05/02 15:55:29 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -511,17 +511,6 @@ ssl3_get_message(SSL s, int st1, int stn, int mt, long max, int ok)
511	n -= i;	511	n -= i;
512	}	512	}
513		513
514	/*
515	* If receiving Finished, record MAC of prior handshake messages for
516	* Finished verification.
517	*/
518	if (*s->internal->init_buf->data == SSL3_MT_FINISHED) {
519	if (S3I(s)->hs.cipher != NULL) {
520	if (!tls12_derive_peer_finished(s))
521	goto err;
522	}
523	}
524
525	/* Feed this message into MAC computation. */	514	/* Feed this message into MAC computation. */
526	if (s->internal->mac_packet) {	515	if (s->internal->mac_packet) {
527	tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data,	516	tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data,