5 files changed, 29 insertions, 42 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 022efd8b3b..1874d22b94 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.95 2021/05/02 17:18:10 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.96 2021/05/02 17:46:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -474,15 +474,13 @@ ssl3_connect(SSL *s)
                        S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
                        s->internal->init_num = 0;
                        s->session->cipher = S3I(s)->hs.cipher;
                        if (!tls1_setup_key_block(s)) {
                                ret = -1;
                                goto end;
                        }
+                        if (!tls1_change_write_cipher_state(s)) {
-                        if (!tls1_change_cipher_state(s,
-                            SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
                                ret = -1;
                                goto end;
                        }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 38b6838464..9dfa1243c9 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.340 2021/05/02 17:18:10 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.341 2021/05/02 17:46:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1378,7 +1378,8 @@ int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len);
 void tls1_cleanup_key_block(SSL *s);
-int tls1_change_cipher_state(SSL *s, int which);
+int tls1_change_read_cipher_state(SSL *s);
+int tls1_change_write_cipher_state(SSL *s);
 int tls1_setup_key_block(SSL *s);
 int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
    const char *label, size_t llen, const unsigned char *p, size_t plen,
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 6e0cfe2102..ba59aa3237 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.41 2021/04/25 13:15:22 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.42 2021/05/02 17:46:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1154,8 +1154,6 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 int
 ssl3_do_change_cipher_spec(SSL *s)
 {
-        int i;
        if (S3I(s)->hs.tls12.key_block == NULL) {
                if (s->session == NULL || s->session->master_key_length == 0) {
                        /* might happen if dtls1_read_bytes() calls this */
@@ -1168,12 +1166,7 @@ ssl3_do_change_cipher_spec(SSL *s)
                        return (0);
        }
-        if (S3I(s)->hs.state & SSL_ST_ACCEPT)
+        if (!tls1_change_read_cipher_state(s))
-                i = SSL3_CHANGE_CIPHER_SERVER_READ;
-        else
-                i = SSL3_CHANGE_CIPHER_CLIENT_READ;
-        if (!tls1_change_cipher_state(s, i))
                return (0);
        /*
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 8e6a1859eb..f884ea316f 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.107 2021/05/02 17:28:33 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.108 2021/05/02 17:46:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -647,15 +647,13 @@ ssl3_accept(SSL *s)
                                goto end;
                        S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
                        s->internal->init_num = 0;
                        s->session->cipher = S3I(s)->hs.cipher;
                        if (!tls1_setup_key_block(s)) {
                                ret = -1;
                                goto end;
                        }
+                        if (!tls1_change_write_cipher_state(s)) {
-                        if (!tls1_change_cipher_state(s,
-                            SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                                ret = -1;
                                goto end;
                        }
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 6cdae0caed..e3cdcc134b 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.141 2021/05/02 17:18:10 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.142 2021/05/02 17:46:58 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -294,8 +294,8 @@ tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
            NULL, 0, NULL, 0, key_block, key_block_len);
 }
-int
+static int
-tls1_change_cipher_state(SSL *s, int which)
+tls1_change_cipher_state(SSL *s, int is_write)
 {
        const unsigned char *client_write_mac_secret, *server_write_mac_secret;
        const unsigned char *client_write_key, *server_write_key;
@@ -305,26 +305,10 @@ tls1_change_cipher_state(SSL *s, int which)
        unsigned char *key_block;
        const EVP_CIPHER *cipher;
        const EVP_AEAD *aead;
-        char is_read, use_client_keys;
        aead = tls12_record_layer_aead(s->internal->rl);
        cipher = tls12_record_layer_cipher(s->internal->rl);
-        /*
-         * is_read is true if we have just read a ChangeCipherSpec message,
-         * that is we need to update the read cipherspec. Otherwise we have
-         * just written one.
-         */
-        is_read = (which & SSL3_CC_READ) != 0;
-        /*
-         * use_client_keys is true if we wish to use the keys for the "client
-         * write" direction. This is the case if we're a client sending a
-         * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec.
-         */
-        use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
-            (which == SSL3_CHANGE_CIPHER_SERVER_READ));
        if (aead != NULL) {
                key_len = EVP_AEAD_key_length(aead);
                iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher);
@@ -349,7 +333,8 @@ tls1_change_cipher_state(SSL *s, int which)
        server_write_iv = key_block;
        key_block += iv_len;
-        if (use_client_keys) {
+        /* Use client write keys on client write and server read. */
+        if ((!s->server && is_write) || (s->server && !is_write)) {
                mac_secret = client_write_mac_secret;
                key = client_write_key;
                iv = client_write_iv;
@@ -365,7 +350,7 @@ tls1_change_cipher_state(SSL *s, int which)
                goto err;
        }
-        if (is_read) {
+        if (!is_write) {
                if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
                    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
                        goto err;
@@ -387,6 +372,18 @@ tls1_change_cipher_state(SSL *s, int which)
 }
 int
+tls1_change_read_cipher_state(SSL *s)
+{
+        return tls1_change_cipher_state(s, 0);
+}
+int
+tls1_change_write_cipher_state(SSL *s)
+{
+        return tls1_change_cipher_state(s, 1);
+}
+int
 tls1_setup_key_block(SSL *s)
 {
        unsigned char *key_block;

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 022efd8b3b..1874d22b94 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.95 2021/05/02 17:18:10 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.96 2021/05/02 17:46:58 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -474,15 +474,13 @@ ssl3_connect(SSL *s)
474		474
475	S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;	475	S3I(s)->hs.state = SSL3_ST_CW_FINISHED_A;
476	s->internal->init_num = 0;	476	s->internal->init_num = 0;
477
478	s->session->cipher = S3I(s)->hs.cipher;	477	s->session->cipher = S3I(s)->hs.cipher;
		478
479	if (!tls1_setup_key_block(s)) {	479	if (!tls1_setup_key_block(s)) {
480	ret = -1;	480	ret = -1;
481	goto end;	481	goto end;
482	}	482	}
483		483	if (!tls1_change_write_cipher_state(s)) {
484	if (!tls1_change_cipher_state(s,
485	SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
486	ret = -1;	484	ret = -1;
487	goto end;	485	goto end;
488	}	486	}


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 38b6838464..9dfa1243c9 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.340 2021/05/02 17:18:10 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.341 2021/05/02 17:46:58 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1378,7 +1378,8 @@ int tls1_PRF(SSL s, const unsigned char secret, size_t secret_len,
1378	const void seed5, size_t seed5_len, unsigned char out, size_t out_len);	1378	const void seed5, size_t seed5_len, unsigned char out, size_t out_len);
1379		1379
1380	void tls1_cleanup_key_block(SSL *s);	1380	void tls1_cleanup_key_block(SSL *s);
1381	int tls1_change_cipher_state(SSL *s, int which);	1381	int tls1_change_read_cipher_state(SSL *s);
		1382	int tls1_change_write_cipher_state(SSL *s);
1382	int tls1_setup_key_block(SSL *s);	1383	int tls1_setup_key_block(SSL *s);
1383	int tls1_export_keying_material(SSL s, unsigned char out, size_t olen,	1384	int tls1_export_keying_material(SSL s, unsigned char out, size_t olen,
1384	const char label, size_t llen, const unsigned char p, size_t plen,	1385	const char label, size_t llen, const unsigned char p, size_t plen,


diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index 6e0cfe2102..ba59aa3237 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_pkt.c,v 1.41 2021/04/25 13:15:22 jsing Exp $ */	1	/* $OpenBSD: ssl_pkt.c,v 1.42 2021/05/02 17:46:58 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1154,8 +1154,6 @@ ssl3_read_bytes(SSL s, int type, unsigned char buf, int len, int peek)
1154	int	1154	int
1155	ssl3_do_change_cipher_spec(SSL *s)	1155	ssl3_do_change_cipher_spec(SSL *s)
1156	{	1156	{
1157	int i;
1158
1159	if (S3I(s)->hs.tls12.key_block == NULL) {	1157	if (S3I(s)->hs.tls12.key_block == NULL) {
1160	if (s->session == NULL \|\| s->session->master_key_length == 0) {	1158	if (s->session == NULL \|\| s->session->master_key_length == 0) {
1161	/* might happen if dtls1_read_bytes() calls this */	1159	/* might happen if dtls1_read_bytes() calls this */
@@ -1168,12 +1166,7 @@ ssl3_do_change_cipher_spec(SSL *s)
1168	return (0);	1166	return (0);
1169	}	1167	}
1170		1168
1171	if (S3I(s)->hs.state & SSL_ST_ACCEPT)	1169	if (!tls1_change_read_cipher_state(s))
1172	i = SSL3_CHANGE_CIPHER_SERVER_READ;
1173	else
1174	i = SSL3_CHANGE_CIPHER_CLIENT_READ;
1175
1176	if (!tls1_change_cipher_state(s, i))
1177	return (0);	1170	return (0);
1178		1171
1179	/*	1172	/*


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 8e6a1859eb..f884ea316f 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.107 2021/05/02 17:28:33 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.108 2021/05/02 17:46:58 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -647,15 +647,13 @@ ssl3_accept(SSL *s)
647	goto end;	647	goto end;
648	S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;	648	S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
649	s->internal->init_num = 0;	649	s->internal->init_num = 0;
650
651	s->session->cipher = S3I(s)->hs.cipher;	650	s->session->cipher = S3I(s)->hs.cipher;
		651
652	if (!tls1_setup_key_block(s)) {	652	if (!tls1_setup_key_block(s)) {
653	ret = -1;	653	ret = -1;
654	goto end;	654	goto end;
655	}	655	}
656		656	if (!tls1_change_write_cipher_state(s)) {
657	if (!tls1_change_cipher_state(s,
658	SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
659	ret = -1;	657	ret = -1;
660	goto end;	658	goto end;
661	}	659	}


diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 6cdae0caed..e3cdcc134b 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.141 2021/05/02 17:18:10 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.142 2021/05/02 17:46:58 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -294,8 +294,8 @@ tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
294	NULL, 0, NULL, 0, key_block, key_block_len);	294	NULL, 0, NULL, 0, key_block, key_block_len);
295	}	295	}
296		296
297	int	297	static int
298	tls1_change_cipher_state(SSL *s, int which)	298	tls1_change_cipher_state(SSL *s, int is_write)
299	{	299	{
300	const unsigned char client_write_mac_secret, server_write_mac_secret;	300	const unsigned char client_write_mac_secret, server_write_mac_secret;
301	const unsigned char client_write_key, server_write_key;	301	const unsigned char client_write_key, server_write_key;
@@ -305,26 +305,10 @@ tls1_change_cipher_state(SSL *s, int which)
305	unsigned char *key_block;	305	unsigned char *key_block;
306	const EVP_CIPHER *cipher;	306	const EVP_CIPHER *cipher;
307	const EVP_AEAD *aead;	307	const EVP_AEAD *aead;
308	char is_read, use_client_keys;
309		308
310	aead = tls12_record_layer_aead(s->internal->rl);	309	aead = tls12_record_layer_aead(s->internal->rl);
311	cipher = tls12_record_layer_cipher(s->internal->rl);	310	cipher = tls12_record_layer_cipher(s->internal->rl);
312		311
313	/*
314	* is_read is true if we have just read a ChangeCipherSpec message,
315	* that is we need to update the read cipherspec. Otherwise we have
316	* just written one.
317	*/
318	is_read = (which & SSL3_CC_READ) != 0;
319
320	/*
321	* use_client_keys is true if we wish to use the keys for the "client
322	* write" direction. This is the case if we're a client sending a
323	* ChangeCipherSpec, or a server reading a client's ChangeCipherSpec.
324	*/
325	use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) \|\|
326	(which == SSL3_CHANGE_CIPHER_SERVER_READ));
327
328	if (aead != NULL) {	312	if (aead != NULL) {
329	key_len = EVP_AEAD_key_length(aead);	313	key_len = EVP_AEAD_key_length(aead);
330	iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher);	314	iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher);
@@ -349,7 +333,8 @@ tls1_change_cipher_state(SSL *s, int which)
349	server_write_iv = key_block;	333	server_write_iv = key_block;
350	key_block += iv_len;	334	key_block += iv_len;
351		335
352	if (use_client_keys) {	336	/* Use client write keys on client write and server read. */
		337	if ((!s->server && is_write) \|\| (s->server && !is_write)) {
353	mac_secret = client_write_mac_secret;	338	mac_secret = client_write_mac_secret;
354	key = client_write_key;	339	key = client_write_key;
355	iv = client_write_iv;	340	iv = client_write_iv;
@@ -365,7 +350,7 @@ tls1_change_cipher_state(SSL *s, int which)
365	goto err;	350	goto err;
366	}	351	}
367		352
368	if (is_read) {	353	if (!is_write) {
369	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,	354	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
370	mac_secret, mac_secret_size, key, key_len, iv, iv_len))	355	mac_secret, mac_secret_size, key, key_len, iv, iv_len))
371	goto err;	356	goto err;
@@ -387,6 +372,18 @@ tls1_change_cipher_state(SSL *s, int which)
387	}	372	}
388		373
389	int	374	int
		375	tls1_change_read_cipher_state(SSL *s)
		376	{
		377	return tls1_change_cipher_state(s, 0);
		378	}
		379
		380	int
		381	tls1_change_write_cipher_state(SSL *s)
		382	{
		383	return tls1_change_cipher_state(s, 1);
		384	}
		385
		386	int
390	tls1_setup_key_block(SSL *s)	387	tls1_setup_key_block(SSL *s)
391	{	388	{
392	unsigned char *key_block;	389	unsigned char *key_block;