Remove the handshake digests and related code, replacing remaining uses

with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.

ok beck@ inoguchi@

7 files changed, 45 insertions, 166 deletions

diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 508e131730..605f0a59ad 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.85 2017/03/05 14:24:12 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.86 2017/03/10 16:03:27 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -519,13 +519,23 @@ dtls1_accept(SSL *s)
                                 s->internal->state = SSL3_ST_SR_CERT_VRFY_A;
                                 s->internal->init_num = 0;
 
-                                /* We need to get hashes here so if there is
-                                 * a client cert, it can be verified */
-                                tls1_cert_verify_mac(s,
-                                    NID_md5, &(S3I(s)->tmp.cert_verify_md[0]));
-                                tls1_cert_verify_mac(s,
-                                    NID_sha1,
-                                    &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
+                                /*
+                                 * We need to get hashes here so if there is
+                                 * a client cert, it can be verified.
+                                 */
+                                if (S3I(s)->handshake_buffer) {
+                                        if (!tls1_digest_cached_records(s)) {
+                                                ret = -1;
+                                                goto end;
+                                        }
+                                }
+                                if (!tls1_handshake_hash_value(s,
+                                    S3I(s)->tmp.cert_verify_md,
+                                    sizeof(S3I(s)->tmp.cert_verify_md),
+                                    NULL)) {
+                                        ret = -1;
+                                        goto end;
+                                }
                         }
                         break;
 
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index d6bf6a4574..8d45e1f8c1 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.137 2017/03/05 14:39:53 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.138 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1842,7 +1842,6 @@ ssl3_free(SSL *s)
 
         BIO_free(S3I(s)->handshake_buffer);
 
-        tls1_free_digest_list(s);
         tls1_handshake_hash_free(s);
 
         free(S3I(s)->alpn_selected);
@@ -1884,7 +1883,6 @@ ssl3_clear(SSL *s)
         BIO_free(S3I(s)->handshake_buffer);
         S3I(s)->handshake_buffer = NULL;
 
-        tls1_free_digest_list(s);
         tls1_handshake_hash_free(s);
 
         free(S3I(s)->alpn_selected);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index da48765aba..49af292d6c 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.95 2017/03/05 14:39:53 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.96 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -193,12 +193,6 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
         0, 0, 0, 0, 0, 0, 0,
 };
 
-static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = {
-        SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA,
-        SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
-        SSL_HANDSHAKE_MAC_SHA384, SSL_HANDSHAKE_MAC_STREEBOG256,
-};
-
 #define CIPHER_ADD      1
 #define CIPHER_KILL     2
 #define CIPHER_DEL      3
@@ -706,20 +700,6 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
 }
 
 int
-ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
-{
-        if (idx < 0 || idx >= SSL_MD_NUM_IDX) {
-                return 0;
-        }
-        *mask = ssl_handshake_digest_flag[idx];
-        if (*mask)
-                *md = ssl_digest_methods[idx];
-        else
-                *md = NULL;
-        return 1;
-}
-
-int
 ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
 {
         *md = NULL;
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 8dd30e87fb..1cdbf86c50 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.10 2017/03/05 14:39:53 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.11 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2354,13 +2354,21 @@ ssl3_send_client_verify(SSL *s)
                 pkey = s->cert->key->privatekey;
                 pctx = EVP_PKEY_CTX_new(pkey, NULL);
                 EVP_PKEY_sign_init(pctx);
-                if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
-                        if (!SSL_USE_SIGALGS(s))
-                                tls1_cert_verify_mac(s,
-                                    NID_sha1, &(data[MD5_DIGEST_LENGTH]));
-                } else {
+
+                /* XXX - is this needed? */
+                if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0)
                         ERR_clear_error();
+
+                if (!SSL_USE_SIGALGS(s)) {
+                        if (S3I(s)->handshake_buffer) {
+                                if (!tls1_digest_cached_records(s))
+                                        goto err;
+                        }
+                        if (!tls1_handshake_hash_value(s, data, sizeof(data),
+                            NULL))
+                                goto err;
                 }
+
                 /*
                  * For TLS v1.2 send signature algorithm and signature
                  * using agreed digest and cached handshake records.
@@ -2388,8 +2396,6 @@ ssl3_send_client_verify(SSL *s)
                         if (!tls1_digest_cached_records(s))
                                 goto err;
                 } else if (pkey->type == EVP_PKEY_RSA) {
-                        tls1_cert_verify_mac(
-                            s, NID_md5, &(data[0]));
                         if (RSA_sign(NID_md5_sha1, data,
                             MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
                             &u, pkey->pkey.rsa) <= 0 ) {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3f5d6fad20..b68b680106 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.177 2017/03/05 14:39:53 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.178 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -805,10 +805,6 @@ typedef struct ssl3_state_internal_st {
 
         /* used during startup, digest all incoming/outgoing packets */
         BIO *handshake_buffer;
-        /* When set of handshake digests is determined, buffer is hashed
-         * and freed and MD_CTX-es for all required digests are stored in
-         * this array */
-        EVP_MD_CTX **handshake_dgst;
 
         /* Rolling hash of handshake messages. */
         EVP_MD_CTX *handshake_hash;
@@ -1103,7 +1099,6 @@ void ssl_update_cache(SSL *s, int mode);
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
 int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
-int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md);
 int ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md);
 
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
@@ -1293,7 +1288,6 @@ int tls1_change_cipher_state(SSL *s, int which);
 int tls1_setup_key_block(SSL *s);
 int tls1_enc(SSL *s, int snd);
 int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p);
-int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
 int tls1_mac(SSL *ssl, unsigned char *md, int snd);
 int tls1_generate_master_secret(SSL *s, unsigned char *out,
     unsigned char *p, int len);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index a48cf246da..d98a76f8f0 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.10 2017/03/05 14:39:53 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.11 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -493,18 +493,12 @@ ssl3_accept(SSL *s)
                                         goto end;
                                 }
                         } else {
-                                int offset = 0;
-                                int dgst_num;
-
                                 s->internal->state = SSL3_ST_SR_CERT_VRFY_A;
                                 s->internal->init_num = 0;
 
                                 /*
                                  * We need to get hashes here so if there is
-                                 * a client cert, it can be verified
-                                 * FIXME - digest processing for
-                                 * CertificateVerify should be generalized.
-                                 * But it is next step
+                                 * a client cert, it can be verified.
                                  */
                                 if (S3I(s)->handshake_buffer) {
                                         if (!tls1_digest_cached_records(s)) {
@@ -512,22 +506,12 @@ ssl3_accept(SSL *s)
                                                 goto end;
                                         }
                                 }
-                                for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
-                                    dgst_num++)
-                                        if (S3I(s)->handshake_dgst[dgst_num]) {
-                                        int dgst_size;
-
-                                        tls1_cert_verify_mac(s,
-                                            EVP_MD_CTX_type(
-                                            S3I(s)->handshake_dgst[dgst_num]),
-                                            &(S3I(s)->tmp.cert_verify_md[offset]));
-                                        dgst_size = EVP_MD_CTX_size(
-                                            S3I(s)->handshake_dgst[dgst_num]);
-                                        if (dgst_size < 0) {
-                                                ret = -1;
-                                                goto end;
-                                        }
-                                        offset += dgst_size;
+                                if (!tls1_handshake_hash_value(s,
+                                    S3I(s)->tmp.cert_verify_md,
+                                    sizeof(S3I(s)->tmp.cert_verify_md),
+                                    NULL)) {
+                                        ret = -1;
+                                        goto end;
                                 }
                         }
                         break;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 0179ac3061..e9a9713134 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.101 2017/03/10 15:08:49 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.102 2017/03/10 16:03:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -165,7 +165,6 @@ int
 tls1_init_finished_mac(SSL *s)
 {
         BIO_free(S3I(s)->handshake_buffer);
-        tls1_free_digest_list(s);
 
         S3I(s)->handshake_buffer = BIO_new(BIO_s_mem());
         if (S3I(s)->handshake_buffer == NULL)
@@ -176,29 +175,9 @@ tls1_init_finished_mac(SSL *s)
         return (1);
 }
 
-void
-tls1_free_digest_list(SSL *s)
-{
-        int i;
-
-        if (s == NULL)
-                return;
-        if (S3I(s)->handshake_dgst == NULL)
-                return;
-
-        for (i = 0; i < SSL_MAX_DIGEST; i++) {
-                if (S3I(s)->handshake_dgst[i])
-                        EVP_MD_CTX_destroy(S3I(s)->handshake_dgst[i]);
-        }
-        free(S3I(s)->handshake_dgst);
-        S3I(s)->handshake_dgst = NULL;
-}
-
 int
 tls1_finish_mac(SSL *s, const unsigned char *buf, int len)
 {
-        int i;
-
         if (len < 0)
                 return 0;
 
@@ -211,60 +190,21 @@ tls1_finish_mac(SSL *s, const unsigned char *buf, int len)
                 return 1;
         }
 
-        for (i = 0; i < SSL_MAX_DIGEST; i++) {
-                if (S3I(s)->handshake_dgst[i] == NULL)
-                        continue;
-                if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], buf, len)) {
-                        SSLerror(s, ERR_R_EVP_LIB);
-                        return 0;
-                }
-        }
-
         return 1;
 }
 
 int
 tls1_digest_cached_records(SSL *s)
 {
-        const EVP_MD *md;
-        long hdatalen, mask;
+        long hdatalen;
         void *hdata;
-        int i;
-
-        tls1_free_digest_list(s);
 
-        S3I(s)->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(EVP_MD_CTX *));
-        if (S3I(s)->handshake_dgst == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
         hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
         if (hdatalen <= 0) {
                 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH);
                 goto err;
         }
 
-        /* Loop through bits of the algorithm2 field and create MD contexts. */
-        for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
-                if ((mask & ssl_get_algorithm2(s)) == 0 || md == NULL)
-                        continue;
-
-                S3I(s)->handshake_dgst[i] = EVP_MD_CTX_create();
-                if (S3I(s)->handshake_dgst[i] == NULL) {
-                        SSLerror(s, ERR_R_MALLOC_FAILURE);
-                        goto err;
-                }
-                if (!EVP_DigestInit_ex(S3I(s)->handshake_dgst[i], md, NULL)) {
-                        SSLerror(s, ERR_R_EVP_LIB);
-                        goto err;
-                }
-                if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], hdata,
-                    hdatalen)) {
-                        SSLerror(s, ERR_R_EVP_LIB);
-                        goto err;
-                }
-        }
-
         if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
                 BIO_free(S3I(s)->handshake_buffer);
                 S3I(s)->handshake_buffer = NULL;
@@ -273,7 +213,6 @@ tls1_digest_cached_records(SSL *s)
         return 1;
 
  err:
-        tls1_free_digest_list(s);
         return 0;
 }
 
@@ -1091,38 +1030,6 @@ tls1_enc(SSL *s, int send)
 }
 
 int
-tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
-{
-        EVP_MD_CTX ctx, *d = NULL;
-        unsigned int ret;
-        int i;
-
-        if (S3I(s)->handshake_buffer)
-                if (!tls1_digest_cached_records(s))
-                        return 0;
-
-        for (i = 0; i < SSL_MAX_DIGEST; i++) {
-                if (S3I(s)->handshake_dgst[i] &&
-                    EVP_MD_CTX_type(S3I(s)->handshake_dgst[i]) == md_nid) {
-                        d = S3I(s)->handshake_dgst[i];
-                        break;
-                }
-        }
-        if (d == NULL) {
-                SSLerror(s, SSL_R_NO_REQUIRED_DIGEST);
-                return 0;
-        }
-
-        EVP_MD_CTX_init(&ctx);
-        if (!EVP_MD_CTX_copy_ex(&ctx, d))
-                return 0;
-        EVP_DigestFinal_ex(&ctx, out, &ret);
-        EVP_MD_CTX_cleanup(&ctx);
-
-        return ((int)ret);
-}
-
-int
 tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
 {
         unsigned char buf1[EVP_MAX_MD_SIZE];