1 files changed, 23 insertions, 51 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index e7f1f5c9ec..af9152d3de 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.50 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.51 2018/11/08 22:28:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -248,7 +248,8 @@ ssl3_accept(SSL *s)
                                        ret = -1;
                                        goto end;
                                }
-                                if (!tls1_init_finished_mac(s)) {
+                                if (!tls1_transcript_init(s)) {
                                        ret = -1;
                                        goto end;
                                }
@@ -293,7 +294,7 @@ ssl3_accept(SSL *s)
                        S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
                        s->internal->init_num = 0;
-                        if (!tls1_init_finished_mac(s)) {
+                        if (!tls1_transcript_init(s)) {
                                ret = -1;
                                goto end;
                        }
@@ -366,7 +367,7 @@ ssl3_accept(SSL *s)
                        S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
                        /* HelloVerifyRequest resets Finished MAC. */
-                        if (!tls1_init_finished_mac(s)) {
+                        if (!tls1_transcript_init(s)) {
                                ret = -1;
                                goto end;
                        }
@@ -467,12 +468,9 @@ ssl3_accept(SSL *s)
                                skip = 1;
                                S3I(s)->tmp.cert_request = 0;
                                S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
-                                if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) {
-                                        if (!tls1_digest_cached_records(s)) {
+                                if (!SSL_IS_DTLS(s))
-                                                ret = -1;
+                                        tls1_transcript_free(s);
-                                                goto end;
-                                        }
-                                }
                        } else {
                                S3I(s)->tmp.cert_request = 1;
                                if (SSL_IS_DTLS(s))
@@ -565,33 +563,20 @@ ssl3_accept(SSL *s)
                                if (!s->session->peer)
                                        break;
                                /*
-                                 * For sigalgs freeze the handshake buffer
+                                 * Freeze the transcript for use during client
-                                 * at this point and digest cached records.
+                                 * certificate verification.
                                 */
-                                if (!S3I(s)->handshake_buffer) {
+                                tls1_transcript_freeze(s);
-                                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                        ret = -1;
-                                        goto end;
-                                }
-                                s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
-                                if (!tls1_digest_cached_records(s)) {
-                                        ret = -1;
-                                        goto end;
-                                }
                        } else {
                                S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
                                s->internal->init_num = 0;
+                                tls1_transcript_free(s);
                                /*
                                 * We need to get hashes here so if there is
                                 * a client cert, it can be verified.
                                 */
-                                if (S3I(s)->handshake_buffer) {
-                                        if (!tls1_digest_cached_records(s)) {
-                                                ret = -1;
-                                                goto end;
-                                        }
-                                }
                                if (!tls1_handshake_hash_value(s,
                                    S3I(s)->tmp.cert_verify_md,
                                    sizeof(S3I(s)->tmp.cert_verify_md),
@@ -701,7 +686,7 @@ ssl3_accept(SSL *s)
                        /* clean a few things up */
                        tls1_cleanup_key_block(s);
-                        if (S3I(s)->handshake_buffer != NULL) {
+                        if (S3I(s)->handshake_transcript != NULL) {
                                SSLerror(s, ERR_R_INTERNAL_ERROR);
                                ret = -1;
                                goto end;
@@ -1125,12 +1110,8 @@ ssl3_get_client_hello(SSL *s)
        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
        if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
-            !(s->verify_mode & SSL_VERIFY_PEER)) {
+            !(s->verify_mode & SSL_VERIFY_PEER))
-                if (!tls1_digest_cached_records(s)) {
+                tls1_transcript_free(s);
-                        al = SSL_AD_INTERNAL_ERROR;
-                        goto f_err;
-                }
-        }
        /*
         * We now have the following setup.
@@ -2110,10 +2091,10 @@ ssl3_get_cert_verify(SSL *s)
        EVP_MD_CTX mctx;
        uint8_t hash_id, sig_id;
        int al, ok, sigalg, verify;
+        const unsigned char *hdata;
+        size_t hdatalen;
        int type = 0;
        int ret = 0;
-        long hdatalen;
-        void *hdata;
        long n;
        EVP_MD_CTX_init(&mctx);
@@ -2214,8 +2195,7 @@ ssl3_get_cert_verify(SSL *s)
        }
        if (SSL_USE_SIGALGS(s)) {
-                hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
+                if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
-                if (hdatalen <= 0) {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
@@ -2265,8 +2245,7 @@ ssl3_get_cert_verify(SSL *s)
                EVP_PKEY_CTX *pctx;
                int nid;
-                hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
+                if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
-                if (hdatalen <= 0) {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
@@ -2321,11 +2300,7 @@ ssl3_get_cert_verify(SSL *s)
                ssl3_send_alert(s, SSL3_AL_FATAL, al);
        }
 end:
-        if (S3I(s)->handshake_buffer) {
+        tls1_transcript_free(s);
-                BIO_free(S3I(s)->handshake_buffer);
-                S3I(s)->handshake_buffer = NULL;
-                s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
-        }
 err:
        EVP_MD_CTX_cleanup(&mctx);
        EVP_PKEY_free(pkey);
@@ -2427,11 +2402,8 @@ ssl3_get_client_certificate(SSL *s)
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        goto f_err;
                }
-                /* No client certificate so digest cached records */
+                /* No client certificate so free transcript. */
-                if (S3I(s)->handshake_buffer && !tls1_digest_cached_records(s)) {
+                tls1_transcript_free(s);
-                        al = SSL_AD_INTERNAL_ERROR;
-                        goto f_err;
-                }
        } else {
                i = ssl_verify_cert_chain(s, sk);
                if (i <= 0) {

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index e7f1f5c9ec..af9152d3de 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.50 2018/11/08 20:55:18 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.51 2018/11/08 22:28:52 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -248,7 +248,8 @@ ssl3_accept(SSL *s)
248	ret = -1;	248	ret = -1;
249	goto end;	249	goto end;
250	}	250	}
251	if (!tls1_init_finished_mac(s)) {	251
		252	if (!tls1_transcript_init(s)) {
252	ret = -1;	253	ret = -1;
253	goto end;	254	goto end;
254	}	255	}
@@ -293,7 +294,7 @@ ssl3_accept(SSL *s)
293	S3I(s)->hs.state = SSL3_ST_SW_FLUSH;	294	S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
294	s->internal->init_num = 0;	295	s->internal->init_num = 0;
295		296
296	if (!tls1_init_finished_mac(s)) {	297	if (!tls1_transcript_init(s)) {
297	ret = -1;	298	ret = -1;
298	goto end;	299	goto end;
299	}	300	}
@@ -366,7 +367,7 @@ ssl3_accept(SSL *s)
366	S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;	367	S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
367		368
368	/* HelloVerifyRequest resets Finished MAC. */	369	/* HelloVerifyRequest resets Finished MAC. */
369	if (!tls1_init_finished_mac(s)) {	370	if (!tls1_transcript_init(s)) {
370	ret = -1;	371	ret = -1;
371	goto end;	372	goto end;
372	}	373	}
@@ -467,12 +468,9 @@ ssl3_accept(SSL *s)
467	skip = 1;	468	skip = 1;
468	S3I(s)->tmp.cert_request = 0;	469	S3I(s)->tmp.cert_request = 0;
469	S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;	470	S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
470	if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) {	471
471	if (!tls1_digest_cached_records(s)) {	472	if (!SSL_IS_DTLS(s))
472	ret = -1;	473	tls1_transcript_free(s);
473	goto end;
474	}
475	}
476	} else {	474	} else {
477	S3I(s)->tmp.cert_request = 1;	475	S3I(s)->tmp.cert_request = 1;
478	if (SSL_IS_DTLS(s))	476	if (SSL_IS_DTLS(s))
@@ -565,33 +563,20 @@ ssl3_accept(SSL *s)
565	if (!s->session->peer)	563	if (!s->session->peer)
566	break;	564	break;
567	/*	565	/*
568	* For sigalgs freeze the handshake buffer	566	* Freeze the transcript for use during client
569	* at this point and digest cached records.	567	* certificate verification.
570	*/	568	*/
571	if (!S3I(s)->handshake_buffer) {	569	tls1_transcript_freeze(s);
572	SSLerror(s, ERR_R_INTERNAL_ERROR);
573	ret = -1;
574	goto end;
575	}
576	s->s3->flags \|= TLS1_FLAGS_KEEP_HANDSHAKE;
577	if (!tls1_digest_cached_records(s)) {
578	ret = -1;
579	goto end;
580	}
581	} else {	570	} else {
582	S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;	571	S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
583	s->internal->init_num = 0;	572	s->internal->init_num = 0;
584		573
		574	tls1_transcript_free(s);
		575
585	/*	576	/*
586	* We need to get hashes here so if there is	577	* We need to get hashes here so if there is
587	* a client cert, it can be verified.	578	* a client cert, it can be verified.
588	*/	579	*/
589	if (S3I(s)->handshake_buffer) {
590	if (!tls1_digest_cached_records(s)) {
591	ret = -1;
592	goto end;
593	}
594	}
595	if (!tls1_handshake_hash_value(s,	580	if (!tls1_handshake_hash_value(s,
596	S3I(s)->tmp.cert_verify_md,	581	S3I(s)->tmp.cert_verify_md,
597	sizeof(S3I(s)->tmp.cert_verify_md),	582	sizeof(S3I(s)->tmp.cert_verify_md),
@@ -701,7 +686,7 @@ ssl3_accept(SSL *s)
701	/* clean a few things up */	686	/* clean a few things up */
702	tls1_cleanup_key_block(s);	687	tls1_cleanup_key_block(s);
703		688
704	if (S3I(s)->handshake_buffer != NULL) {	689	if (S3I(s)->handshake_transcript != NULL) {
705	SSLerror(s, ERR_R_INTERNAL_ERROR);	690	SSLerror(s, ERR_R_INTERNAL_ERROR);
706	ret = -1;	691	ret = -1;
707	goto end;	692	goto end;
@@ -1125,12 +1110,8 @@ ssl3_get_client_hello(SSL *s)
1125		1110
1126	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;	1111	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
1127	if (!(SSL_USE_SIGALGS(s) \|\| (alg_k & SSL_kGOST)) \|\|	1112	if (!(SSL_USE_SIGALGS(s) \|\| (alg_k & SSL_kGOST)) \|\|
1128	!(s->verify_mode & SSL_VERIFY_PEER)) {	1113	!(s->verify_mode & SSL_VERIFY_PEER))
1129	if (!tls1_digest_cached_records(s)) {	1114	tls1_transcript_free(s);
1130	al = SSL_AD_INTERNAL_ERROR;
1131	goto f_err;
1132	}
1133	}
1134		1115
1135	/*	1116	/*
1136	* We now have the following setup.	1117	* We now have the following setup.
@@ -2110,10 +2091,10 @@ ssl3_get_cert_verify(SSL *s)
2110	EVP_MD_CTX mctx;	2091	EVP_MD_CTX mctx;
2111	uint8_t hash_id, sig_id;	2092	uint8_t hash_id, sig_id;
2112	int al, ok, sigalg, verify;	2093	int al, ok, sigalg, verify;
		2094	const unsigned char *hdata;
		2095	size_t hdatalen;
2113	int type = 0;	2096	int type = 0;
2114	int ret = 0;	2097	int ret = 0;
2115	long hdatalen;
2116	void *hdata;
2117	long n;	2098	long n;
2118		2099
2119	EVP_MD_CTX_init(&mctx);	2100	EVP_MD_CTX_init(&mctx);
@@ -2214,8 +2195,7 @@ ssl3_get_cert_verify(SSL *s)
2214	}	2195	}
2215		2196
2216	if (SSL_USE_SIGALGS(s)) {	2197	if (SSL_USE_SIGALGS(s)) {
2217	hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);	2198	if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2218	if (hdatalen <= 0) {
2219	SSLerror(s, ERR_R_INTERNAL_ERROR);	2199	SSLerror(s, ERR_R_INTERNAL_ERROR);
2220	al = SSL_AD_INTERNAL_ERROR;	2200	al = SSL_AD_INTERNAL_ERROR;
2221	goto f_err;	2201	goto f_err;
@@ -2265,8 +2245,7 @@ ssl3_get_cert_verify(SSL *s)
2265	EVP_PKEY_CTX *pctx;	2245	EVP_PKEY_CTX *pctx;
2266	int nid;	2246	int nid;
2267		2247
2268	hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);	2248	if (!tls1_transcript_data(s, &hdata, &hdatalen)) {
2269	if (hdatalen <= 0) {
2270	SSLerror(s, ERR_R_INTERNAL_ERROR);	2249	SSLerror(s, ERR_R_INTERNAL_ERROR);
2271	al = SSL_AD_INTERNAL_ERROR;	2250	al = SSL_AD_INTERNAL_ERROR;
2272	goto f_err;	2251	goto f_err;
@@ -2321,11 +2300,7 @@ ssl3_get_cert_verify(SSL *s)
2321	ssl3_send_alert(s, SSL3_AL_FATAL, al);	2300	ssl3_send_alert(s, SSL3_AL_FATAL, al);
2322	}	2301	}
2323	end:	2302	end:
2324	if (S3I(s)->handshake_buffer) {	2303	tls1_transcript_free(s);
2325	BIO_free(S3I(s)->handshake_buffer);
2326	S3I(s)->handshake_buffer = NULL;
2327	s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
2328	}
2329	err:	2304	err:
2330	EVP_MD_CTX_cleanup(&mctx);	2305	EVP_MD_CTX_cleanup(&mctx);
2331	EVP_PKEY_free(pkey);	2306	EVP_PKEY_free(pkey);
@@ -2427,11 +2402,8 @@ ssl3_get_client_certificate(SSL *s)
2427	al = SSL_AD_HANDSHAKE_FAILURE;	2402	al = SSL_AD_HANDSHAKE_FAILURE;
2428	goto f_err;	2403	goto f_err;
2429	}	2404	}
2430	/* No client certificate so digest cached records */	2405	/* No client certificate so free transcript. */
2431	if (S3I(s)->handshake_buffer && !tls1_digest_cached_records(s)) {	2406	tls1_transcript_free(s);
2432	al = SSL_AD_INTERNAL_ERROR;
2433	goto f_err;
2434	}
2435	} else {	2407	} else {
2436	i = ssl_verify_cert_chain(s, sk);	2408	i = ssl_verify_cert_chain(s, sk);
2437	if (i <= 0) {	2409	if (i <= 0) {