Fix DTLS transcript handling for HelloVerifyRequest.

If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.

Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.

ok beck@ tb@

1 files changed, 17 insertions, 2 deletions

diff --git a/src/lib/libssl/t1_hash.c b/src/lib/libssl/t1_hash.c
index f514c5290e..50e0ad3ca0 100644
--- a/src/lib/libssl/t1_hash.c
+++ b/src/lib/libssl/t1_hash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_hash.c,v 1.4 2018/11/08 22:28:52 jsing Exp $ */
+/* $OpenBSD: t1_hash.c,v 1.5 2018/11/21 15:13:29 jsing Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -118,7 +118,7 @@ tls1_transcript_init(SSL *s)
         if ((S3I(s)->handshake_transcript = BUF_MEM_new()) == NULL)
                 return 0;
 
-        s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
+        tls1_transcript_reset(s);
 
         return 1;
 }
@@ -130,6 +130,21 @@ tls1_transcript_free(SSL *s)
         S3I(s)->handshake_transcript = NULL;
 }
 
+void
+tls1_transcript_reset(SSL *s)
+{
+        /*
+         * We should check the return value of BUF_MEM_grow_clean(), however
+         * due to yet another bad API design, when called with a length of zero
+         * it is impossible to tell if it succeeded (returning a length of zero)
+         * or if it failed (and returned zero)... our implementation never
+         * fails with a length of zero, so we trust all is okay...
+         */ 
+        (void)BUF_MEM_grow_clean(S3I(s)->handshake_transcript, 0);
+
+        s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT;
+}
+
 int
 tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len)
 {