1 files changed, 13 insertions, 104 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 8f3e9649b0..05a5b1d953 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.132 2021/02/03 15:14:44 tb Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.133 2021/02/27 14:20:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -310,98 +310,6 @@ tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
            NULL, 0, NULL, 0, key_block, key_block_len);
 }
-/*
- * tls1_change_cipher_state_cipher performs the work needed to switch cipher
- * states when using EVP_CIPHER. The argument is_read is true iff this function
- * is being called due to reading, as opposed to writing, a ChangeCipherSpec
- * message.
- */
-static int
-tls1_change_cipher_state_cipher(SSL *s, char is_read,
-    const unsigned char *mac_secret, unsigned int mac_secret_size,
-    const unsigned char *key, unsigned int key_len, const unsigned char *iv,
-    unsigned int iv_len)
-{
-        EVP_CIPHER_CTX *cipher_ctx;
-        const EVP_CIPHER *cipher;
-        EVP_MD_CTX *mac_ctx;
-        EVP_PKEY *mac_key;
-        const EVP_MD *mac;
-        int stream_mac;
-        int mac_type;
-        cipher = S3I(s)->tmp.new_sym_enc;
-        mac = S3I(s)->tmp.new_hash;
-        mac_type = S3I(s)->tmp.new_mac_pkey_type;
-        stream_mac = S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC;
-        if (is_read) {
-                ssl_clear_cipher_read_state(s);
-                if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
-                        goto err;
-                s->enc_read_ctx = cipher_ctx;
-                if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
-                        goto err;
-                s->read_hash = mac_ctx;
-                if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,
-                    cipher_ctx, mac_ctx, stream_mac))
-                        goto err;
-                if (!tls12_record_layer_set_read_mac_key(s->internal->rl,
-                    mac_secret, mac_secret_size))
-                        goto err;
-        } else {
-                /*
-                 * DTLS fragments retain a pointer to the compression, cipher
-                 * and hash contexts, so that it can restore state in order
-                 * to perform retransmissions. As such, we cannot free write
-                 * contexts that are used for DTLS - these are instead freed
-                 * by DTLS when its frees a ChangeCipherSpec fragment.
-                 */
-                if (!SSL_is_dtls(s))
-                        ssl_clear_cipher_write_state(s);
-                if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
-                        goto err;
-                s->internal->enc_write_ctx = cipher_ctx;
-                if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
-                        goto err;
-                s->internal->write_hash = mac_ctx;
-                if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
-                    cipher_ctx, mac_ctx, stream_mac))
-                        goto err;
-        }
-        EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
-        if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
-            mac_secret_size)) == NULL)
-                goto err;
-        EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
-        EVP_PKEY_free(mac_key);
-        if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
-                int nid;
-                if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
-                        nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
-                else
-                        nid = NID_id_tc26_gost_28147_param_Z;
-                EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0);
-                if (S3I(s)->hs.new_cipher->algorithm_mac == SSL_GOST89MAC)
-                        EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0);
-        }
-        return (1);
-err:
-        SSLerrorx(ERR_R_MALLOC_FAILURE);
-        return (0);
-}
 int
 tls1_change_cipher_state(SSL *s, int which)
 {
@@ -476,17 +384,14 @@ tls1_change_cipher_state(SSL *s, int which)
                if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
                    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
                        goto err;
+                tls12_record_layer_read_cipher_hash(s->internal->rl,
+                    &s->enc_read_ctx, &s->read_hash);
        } else {
                if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
                    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
                        goto err;
        }
+        return (1);
-        if (aead != NULL)
-                return 1;
-        return tls1_change_cipher_state_cipher(s, is_read,
-            mac_secret, mac_secret_size, key, key_len, iv, iv_len);
 err:
        return (0);
@@ -501,7 +406,8 @@ tls1_setup_key_block(SSL *s)
        int key_len, iv_len;
        const EVP_CIPHER *cipher = NULL;
        const EVP_AEAD *aead = NULL;
-        const EVP_MD *mac = NULL;
+        const EVP_MD *handshake_hash = NULL;
+        const EVP_MD *mac_hash = NULL;
        int ret = 0;
        if (S3I(s)->hs.key_block_len != 0)
@@ -516,8 +422,8 @@ tls1_setup_key_block(SSL *s)
                key_len = EVP_AEAD_key_length(aead);
                iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
        } else {
-                if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type,
+                if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
-                    &mac_secret_size)) {
+                    &mac_type, &mac_secret_size)) {
                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                        return (0);
                }
@@ -525,13 +431,16 @@ tls1_setup_key_block(SSL *s)
                iv_len = EVP_CIPHER_iv_length(cipher);
        }
+        if (!ssl_get_handshake_evp_md(s, &handshake_hash))
+                return (0);
        S3I(s)->tmp.new_aead = aead;
        S3I(s)->tmp.new_sym_enc = cipher;
-        S3I(s)->tmp.new_hash = mac;
-        S3I(s)->tmp.new_mac_pkey_type = mac_type;
        S3I(s)->tmp.new_mac_secret_size = mac_secret_size;
        tls12_record_layer_set_aead(s->internal->rl, aead);
+        tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
+            handshake_hash, mac_hash);
        tls1_cleanup_key_block(s);

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 8f3e9649b0..05a5b1d953 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.132 2021/02/03 15:14:44 tb Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.133 2021/02/27 14:20:50 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -310,98 +310,6 @@ tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
310	NULL, 0, NULL, 0, key_block, key_block_len);	310	NULL, 0, NULL, 0, key_block, key_block_len);
311	}	311	}
312		312
313	/*
314	* tls1_change_cipher_state_cipher performs the work needed to switch cipher
315	* states when using EVP_CIPHER. The argument is_read is true iff this function
316	* is being called due to reading, as opposed to writing, a ChangeCipherSpec
317	* message.
318	*/
319	static int
320	tls1_change_cipher_state_cipher(SSL *s, char is_read,
321	const unsigned char *mac_secret, unsigned int mac_secret_size,
322	const unsigned char key, unsigned int key_len, const unsigned char iv,
323	unsigned int iv_len)
324	{
325	EVP_CIPHER_CTX *cipher_ctx;
326	const EVP_CIPHER *cipher;
327	EVP_MD_CTX *mac_ctx;
328	EVP_PKEY *mac_key;
329	const EVP_MD *mac;
330	int stream_mac;
331	int mac_type;
332
333	cipher = S3I(s)->tmp.new_sym_enc;
334	mac = S3I(s)->tmp.new_hash;
335	mac_type = S3I(s)->tmp.new_mac_pkey_type;
336	stream_mac = S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC;
337
338	if (is_read) {
339	ssl_clear_cipher_read_state(s);
340
341	if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
342	goto err;
343	s->enc_read_ctx = cipher_ctx;
344	if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
345	goto err;
346	s->read_hash = mac_ctx;
347
348	if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,
349	cipher_ctx, mac_ctx, stream_mac))
350	goto err;
351
352	if (!tls12_record_layer_set_read_mac_key(s->internal->rl,
353	mac_secret, mac_secret_size))
354	goto err;
355	} else {
356	/*
357	* DTLS fragments retain a pointer to the compression, cipher
358	* and hash contexts, so that it can restore state in order
359	* to perform retransmissions. As such, we cannot free write
360	* contexts that are used for DTLS - these are instead freed
361	* by DTLS when its frees a ChangeCipherSpec fragment.
362	*/
363	if (!SSL_is_dtls(s))
364	ssl_clear_cipher_write_state(s);
365
366	if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
367	goto err;
368	s->internal->enc_write_ctx = cipher_ctx;
369	if ((mac_ctx = EVP_MD_CTX_new()) == NULL)
370	goto err;
371	s->internal->write_hash = mac_ctx;
372
373	if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
374	cipher_ctx, mac_ctx, stream_mac))
375	goto err;
376	}
377
378	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
379
380	if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
381	mac_secret_size)) == NULL)
382	goto err;
383	EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
384	EVP_PKEY_free(mac_key);
385
386	if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
387	int nid;
388	if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
389	nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
390	else
391	nid = NID_id_tc26_gost_28147_param_Z;
392
393	EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0);
394	if (S3I(s)->hs.new_cipher->algorithm_mac == SSL_GOST89MAC)
395	EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0);
396	}
397
398	return (1);
399
400	err:
401	SSLerrorx(ERR_R_MALLOC_FAILURE);
402	return (0);
403	}
404
405	int	313	int
406	tls1_change_cipher_state(SSL *s, int which)	314	tls1_change_cipher_state(SSL *s, int which)
407	{	315	{
@@ -476,17 +384,14 @@ tls1_change_cipher_state(SSL *s, int which)
476	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,	384	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
477	mac_secret, mac_secret_size, key, key_len, iv, iv_len))	385	mac_secret, mac_secret_size, key, key_len, iv, iv_len))
478	goto err;	386	goto err;
		387	tls12_record_layer_read_cipher_hash(s->internal->rl,
		388	&s->enc_read_ctx, &s->read_hash);
479	} else {	389	} else {
480	if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,	390	if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
481	mac_secret, mac_secret_size, key, key_len, iv, iv_len))	391	mac_secret, mac_secret_size, key, key_len, iv, iv_len))
482	goto err;	392	goto err;
483	}	393	}
484		394	return (1);
485	if (aead != NULL)
486	return 1;
487
488	return tls1_change_cipher_state_cipher(s, is_read,
489	mac_secret, mac_secret_size, key, key_len, iv, iv_len);
490		395
491	err:	396	err:
492	return (0);	397	return (0);
@@ -501,7 +406,8 @@ tls1_setup_key_block(SSL *s)
501	int key_len, iv_len;	406	int key_len, iv_len;
502	const EVP_CIPHER *cipher = NULL;	407	const EVP_CIPHER *cipher = NULL;
503	const EVP_AEAD *aead = NULL;	408	const EVP_AEAD *aead = NULL;
504	const EVP_MD *mac = NULL;	409	const EVP_MD *handshake_hash = NULL;
		410	const EVP_MD *mac_hash = NULL;
505	int ret = 0;	411	int ret = 0;
506		412
507	if (S3I(s)->hs.key_block_len != 0)	413	if (S3I(s)->hs.key_block_len != 0)
@@ -516,8 +422,8 @@ tls1_setup_key_block(SSL *s)
516	key_len = EVP_AEAD_key_length(aead);	422	key_len = EVP_AEAD_key_length(aead);
517	iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);	423	iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
518	} else {	424	} else {
519	if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type,	425	if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
520	&mac_secret_size)) {	426	&mac_type, &mac_secret_size)) {
521	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);	427	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
522	return (0);	428	return (0);
523	}	429	}
@@ -525,13 +431,16 @@ tls1_setup_key_block(SSL *s)
525	iv_len = EVP_CIPHER_iv_length(cipher);	431	iv_len = EVP_CIPHER_iv_length(cipher);
526	}	432	}
527		433
		434	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
		435	return (0);
		436
528	S3I(s)->tmp.new_aead = aead;	437	S3I(s)->tmp.new_aead = aead;
529	S3I(s)->tmp.new_sym_enc = cipher;	438	S3I(s)->tmp.new_sym_enc = cipher;
530	S3I(s)->tmp.new_hash = mac;
531	S3I(s)->tmp.new_mac_pkey_type = mac_type;
532	S3I(s)->tmp.new_mac_secret_size = mac_secret_size;	439	S3I(s)->tmp.new_mac_secret_size = mac_secret_size;
533		440
534	tls12_record_layer_set_aead(s->internal->rl, aead);	441	tls12_record_layer_set_aead(s->internal->rl, aead);
		442	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
		443	handshake_hash, mac_hash);
535		444
536	tls1_cleanup_key_block(s);	445	tls1_cleanup_key_block(s);
537		446