1 files changed, 10 insertions, 56 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 77ac5899ac..b8ebf52417 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.113 2018/09/06 16:40:45 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.114 2018/09/08 14:39:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -458,6 +458,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
        EVP_CIPHER_CTX *cipher_ctx;
        const EVP_CIPHER *cipher;
        EVP_MD_CTX *mac_ctx;
+        EVP_PKEY *mac_key;
        const EVP_MD *mac;
        int mac_type;
@@ -503,26 +504,13 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
                s->internal->write_hash = mac_ctx;
        }
-        if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {
+        EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
-                EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL,
-                    !is_read);
+        if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
-                EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
+            mac_secret_size)) == NULL)
-                    iv_len, (unsigned char *)iv);
+                goto err;
-        } else
+        EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
-                EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
+        EVP_PKEY_free(mac_key);
-        if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-                EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
-                    mac_secret, mac_secret_size);
-                if (mac_key == NULL)
-                        goto err;
-                EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
-                EVP_PKEY_free(mac_key);
-        } else if (mac_secret_size > 0) {
-                /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
-                EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
-                    mac_secret_size, (unsigned char *)mac_secret);
-        }
        if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
                int nid;
@@ -589,10 +577,6 @@ tls1_change_cipher_state(SSL *s, int which)
        } else {
                key_len = EVP_CIPHER_key_length(cipher);
                iv_len = EVP_CIPHER_iv_length(cipher);
-                /* If GCM mode only part of IV comes from PRF. */
-                if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
-                        iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
        }
        mac_secret_size = s->s3->tmp.new_mac_secret_size;
@@ -676,10 +660,6 @@ tls1_setup_key_block(SSL *s)
                }
                key_len = EVP_CIPHER_key_length(cipher);
                iv_len = EVP_CIPHER_iv_length(cipher);
-                /* If GCM mode only part of IV comes from PRF. */
-                if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
-                        iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
        }
        S3I(s)->tmp.new_aead = aead;
@@ -951,28 +931,7 @@ tls1_enc(SSL *s, int send)
                l = rec->length;
                bs = EVP_CIPHER_block_size(ds->cipher);
-                if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+                if (bs != 1 && send) {
-                        unsigned char buf[13];
-                        if (SSL_IS_DTLS(s)) {
-                                dtls1_build_sequence_number(buf, seq,
-                                    send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
-                        } else {
-                                memcpy(buf, seq, SSL3_SEQUENCE_SIZE);
-                                tls1_record_sequence_increment(seq);
-                        }
-                        buf[8] = rec->type;
-                        buf[9] = (unsigned char)(s->version >> 8);
-                        buf[10] = (unsigned char)(s->version);
-                        buf[11] = rec->length >> 8;
-                        buf[12] = rec->length & 0xff;
-                        pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
-                        if (send) {
-                                l += pad;
-                                rec->length += pad;
-                        }
-                } else if ((bs != 1) && send) {
                        i = bs - ((int)l % bs);
                        /* Add weird padding of upto 256 bytes */
@@ -994,11 +953,6 @@ tls1_enc(SSL *s, int send)
                if ((EVP_CIPHER_flags(ds->cipher) &
                    EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
                        return -1;      /* AEAD can fail to verify MAC */
-                if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
-                        rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-                        rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-                        rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
-                }
                ret = 1;
                if (EVP_MD_CTX_md(s->read_hash) != NULL)

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 77ac5899ac..b8ebf52417 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.113 2018/09/06 16:40:45 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.114 2018/09/08 14:39:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -458,6 +458,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
458	EVP_CIPHER_CTX *cipher_ctx;	458	EVP_CIPHER_CTX *cipher_ctx;
459	const EVP_CIPHER *cipher;	459	const EVP_CIPHER *cipher;
460	EVP_MD_CTX *mac_ctx;	460	EVP_MD_CTX *mac_ctx;
		461	EVP_PKEY *mac_key;
461	const EVP_MD *mac;	462	const EVP_MD *mac;
462	int mac_type;	463	int mac_type;
463		464
@@ -503,26 +504,13 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
503	s->internal->write_hash = mac_ctx;	504	s->internal->write_hash = mac_ctx;
504	}	505	}
505		506
506	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {	507	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
507	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL,	508
508	!is_read);	509	if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
509	EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED,	510	mac_secret_size)) == NULL)
510	iv_len, (unsigned char *)iv);	511	goto err;
511	} else	512	EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
512	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);	513	EVP_PKEY_free(mac_key);
513
514	if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
515	EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
516	mac_secret, mac_secret_size);
517	if (mac_key == NULL)
518	goto err;
519	EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);
520	EVP_PKEY_free(mac_key);
521	} else if (mac_secret_size > 0) {
522	/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
523	EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
524	mac_secret_size, (unsigned char *)mac_secret);
525	}
526		514
527	if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {	515	if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
528	int nid;	516	int nid;
@@ -589,10 +577,6 @@ tls1_change_cipher_state(SSL *s, int which)
589	} else {	577	} else {
590	key_len = EVP_CIPHER_key_length(cipher);	578	key_len = EVP_CIPHER_key_length(cipher);
591	iv_len = EVP_CIPHER_iv_length(cipher);	579	iv_len = EVP_CIPHER_iv_length(cipher);
592
593	/* If GCM mode only part of IV comes from PRF. */
594	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
595	iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
596	}	580	}
597		581
598	mac_secret_size = s->s3->tmp.new_mac_secret_size;	582	mac_secret_size = s->s3->tmp.new_mac_secret_size;
@@ -676,10 +660,6 @@ tls1_setup_key_block(SSL *s)
676	}	660	}
677	key_len = EVP_CIPHER_key_length(cipher);	661	key_len = EVP_CIPHER_key_length(cipher);
678	iv_len = EVP_CIPHER_iv_length(cipher);	662	iv_len = EVP_CIPHER_iv_length(cipher);
679
680	/* If GCM mode only part of IV comes from PRF. */
681	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
682	iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
683	}	663	}
684		664
685	S3I(s)->tmp.new_aead = aead;	665	S3I(s)->tmp.new_aead = aead;
@@ -951,28 +931,7 @@ tls1_enc(SSL *s, int send)
951	l = rec->length;	931	l = rec->length;
952	bs = EVP_CIPHER_block_size(ds->cipher);	932	bs = EVP_CIPHER_block_size(ds->cipher);
953		933
954	if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {	934	if (bs != 1 && send) {
955	unsigned char buf[13];
956
957	if (SSL_IS_DTLS(s)) {
958	dtls1_build_sequence_number(buf, seq,
959	send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
960	} else {
961	memcpy(buf, seq, SSL3_SEQUENCE_SIZE);
962	tls1_record_sequence_increment(seq);
963	}
964
965	buf[8] = rec->type;
966	buf[9] = (unsigned char)(s->version >> 8);
967	buf[10] = (unsigned char)(s->version);
968	buf[11] = rec->length >> 8;
969	buf[12] = rec->length & 0xff;
970	pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
971	if (send) {
972	l += pad;
973	rec->length += pad;
974	}
975	} else if ((bs != 1) && send) {
976	i = bs - ((int)l % bs);	935	i = bs - ((int)l % bs);
977		936
978	/* Add weird padding of upto 256 bytes */	937	/* Add weird padding of upto 256 bytes */
@@ -994,11 +953,6 @@ tls1_enc(SSL *s, int send)
994	if ((EVP_CIPHER_flags(ds->cipher) &	953	if ((EVP_CIPHER_flags(ds->cipher) &
995	EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))	954	EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
996	return -1; /* AEAD can fail to verify MAC */	955	return -1; /* AEAD can fail to verify MAC */
997	if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
998	rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
999	rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
1000	rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
1001	}
1002		956
1003	ret = 1;	957	ret = 1;
1004	if (EVP_MD_CTX_md(s->read_hash) != NULL)	958	if (EVP_MD_CTX_md(s->read_hash) != NULL)