1 files changed, 23 insertions, 74 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index e3cdcc134b..5a626fb880 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.142 2021/05/02 17:46:58 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.143 2021/05/05 10:05:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -147,9 +147,8 @@
 void
 tls1_cleanup_key_block(SSL *s)
 {
-        freezero(S3I(s)->hs.tls12.key_block, S3I(s)->hs.tls12.key_block_len);
+        tls12_key_block_free(S3I(s)->hs.tls12.key_block);
        S3I(s)->hs.tls12.key_block = NULL;
-        S3I(s)->hs.tls12.key_block_len = 0;
 }
 /*
@@ -283,7 +282,7 @@ tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
        return (1);
 }
-static int
+int
 tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
 {
        return tls1_PRF(s,
@@ -297,62 +296,20 @@ tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
 static int
 tls1_change_cipher_state(SSL *s, int is_write)
 {
-        const unsigned char *client_write_mac_secret, *server_write_mac_secret;
+        CBS mac_key, key, iv;
-        const unsigned char *client_write_key, *server_write_key;
-        const unsigned char *client_write_iv, *server_write_iv;
-        const unsigned char *mac_secret, *key, *iv;
-        int mac_secret_size, key_len, iv_len;
-        unsigned char *key_block;
-        const EVP_CIPHER *cipher;
-        const EVP_AEAD *aead;
-        aead = tls12_record_layer_aead(s->internal->rl);
-        cipher = tls12_record_layer_cipher(s->internal->rl);
-        if (aead != NULL) {
-                key_len = EVP_AEAD_key_length(aead);
-                iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher);
-        } else {
-                key_len = EVP_CIPHER_key_length(cipher);
-                iv_len = EVP_CIPHER_iv_length(cipher);
-        }
-        mac_secret_size = S3I(s)->hs.tls12.mac_secret_size;
-        key_block = S3I(s)->hs.tls12.key_block;
-        client_write_mac_secret = key_block;
-        key_block += mac_secret_size;
-        server_write_mac_secret = key_block;
-        key_block += mac_secret_size;
-        client_write_key = key_block;
-        key_block += key_len;
-        server_write_key = key_block;
-        key_block += key_len;
-        client_write_iv = key_block;
-        key_block += iv_len;
-        server_write_iv = key_block;
-        key_block += iv_len;
        /* Use client write keys on client write and server read. */
        if ((!s->server && is_write) || (s->server && !is_write)) {
-                mac_secret = client_write_mac_secret;
+                tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
-                key = client_write_key;
+                    &mac_key, &key, &iv);
-                iv = client_write_iv;
        } else {
-                mac_secret = server_write_mac_secret;
+                tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
-                key = server_write_key;
+                    &mac_key, &key, &iv);
-                iv = server_write_iv;
-        }
-        if (key_block - S3I(s)->hs.tls12.key_block !=
-            S3I(s)->hs.tls12.key_block_len) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                goto err;
        }
        if (!is_write) {
                if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
-                    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
+                    &mac_key, &key, &iv))
                        goto err;
                if (SSL_is_dtls(s))
                        dtls1_reset_read_seq_numbers(s);
@@ -360,7 +317,7 @@ tls1_change_cipher_state(SSL *s, int is_write)
                    &s->enc_read_ctx, &s->read_hash);
        } else {
                if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
-                    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
+                    &mac_key, &key, &iv))
                        goto err;
                if (SSL_is_dtls(s))
                        dtls1_reset_write_seq_numbers(s);
@@ -386,17 +343,19 @@ tls1_change_write_cipher_state(SSL *s)
 int
 tls1_setup_key_block(SSL *s)
 {
-        unsigned char *key_block;
+        struct tls12_key_block *key_block;
        int mac_type = NID_undef, mac_secret_size = 0;
-        size_t key_block_len;
-        int key_len, iv_len;
        const EVP_CIPHER *cipher = NULL;
        const EVP_AEAD *aead = NULL;
        const EVP_MD *handshake_hash = NULL;
        const EVP_MD *mac_hash = NULL;
        int ret = 0;
-        if (S3I(s)->hs.tls12.key_block_len != 0)
+        /*
+         * XXX - callers should be changed so that they only call this
+         * function once.
+         */
+        if (S3I(s)->hs.tls12.key_block != NULL)
                return (1);
        if (s->session->cipher &&
@@ -405,41 +364,29 @@ tls1_setup_key_block(SSL *s)
                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                        return (0);
                }
-                key_len = EVP_AEAD_key_length(aead);
-                iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
        } else {
+                /* XXX - mac_type and mac_secret_size are now unused. */
                if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
                    &mac_type, &mac_secret_size)) {
                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                        return (0);
                }
-                key_len = EVP_CIPHER_key_length(cipher);
-                iv_len = EVP_CIPHER_iv_length(cipher);
        }
        if (!ssl_get_handshake_evp_md(s, &handshake_hash))
                return (0);
-        S3I(s)->hs.tls12.mac_secret_size = mac_secret_size;
        tls12_record_layer_set_aead(s->internal->rl, aead);
        tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
            handshake_hash, mac_hash);
-        tls1_cleanup_key_block(s);
+        if ((key_block = tls12_key_block_new()) == NULL)
+                goto err;
-        if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,
+        if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
-            2)) == NULL) {
-                SSLerror(s, ERR_R_MALLOC_FAILURE);
                goto err;
-        }
-        key_block_len = (mac_secret_size + key_len + iv_len) * 2;
-        S3I(s)->hs.tls12.key_block_len = key_block_len;
        S3I(s)->hs.tls12.key_block = key_block;
+        key_block = NULL;
-        if (!tls1_generate_key_block(s, key_block, key_block_len))
-                goto err;
        if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
            s->method->internal->version <= TLS1_VERSION) {
@@ -463,6 +410,8 @@ tls1_setup_key_block(SSL *s)
        ret = 1;
 err:
+        tls12_key_block_free(key_block);
        return (ret);
 }

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index e3cdcc134b..5a626fb880 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.142 2021/05/02 17:46:58 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.143 2021/05/05 10:05:27 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -147,9 +147,8 @@
147	void	147	void
148	tls1_cleanup_key_block(SSL *s)	148	tls1_cleanup_key_block(SSL *s)
149	{	149	{
150	freezero(S3I(s)->hs.tls12.key_block, S3I(s)->hs.tls12.key_block_len);	150	tls12_key_block_free(S3I(s)->hs.tls12.key_block);
151	S3I(s)->hs.tls12.key_block = NULL;	151	S3I(s)->hs.tls12.key_block = NULL;
152	S3I(s)->hs.tls12.key_block_len = 0;
153	}	152	}
154		153
155	/*	154	/*
@@ -283,7 +282,7 @@ tls1_PRF(SSL s, const unsigned char secret, size_t secret_len,
283	return (1);	282	return (1);
284	}	283	}
285		284
286	static int	285	int
287	tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)	286	tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
288	{	287	{
289	return tls1_PRF(s,	288	return tls1_PRF(s,
@@ -297,62 +296,20 @@ tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
297	static int	296	static int
298	tls1_change_cipher_state(SSL *s, int is_write)	297	tls1_change_cipher_state(SSL *s, int is_write)
299	{	298	{
300	const unsigned char client_write_mac_secret, server_write_mac_secret;	299	CBS mac_key, key, iv;
301	const unsigned char client_write_key, server_write_key;
302	const unsigned char client_write_iv, server_write_iv;
303	const unsigned char mac_secret, key, *iv;
304	int mac_secret_size, key_len, iv_len;
305	unsigned char *key_block;
306	const EVP_CIPHER *cipher;
307	const EVP_AEAD *aead;
308
309	aead = tls12_record_layer_aead(s->internal->rl);
310	cipher = tls12_record_layer_cipher(s->internal->rl);
311
312	if (aead != NULL) {
313	key_len = EVP_AEAD_key_length(aead);
314	iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher);
315	} else {
316	key_len = EVP_CIPHER_key_length(cipher);
317	iv_len = EVP_CIPHER_iv_length(cipher);
318	}
319
320	mac_secret_size = S3I(s)->hs.tls12.mac_secret_size;
321
322	key_block = S3I(s)->hs.tls12.key_block;
323	client_write_mac_secret = key_block;
324	key_block += mac_secret_size;
325	server_write_mac_secret = key_block;
326	key_block += mac_secret_size;
327	client_write_key = key_block;
328	key_block += key_len;
329	server_write_key = key_block;
330	key_block += key_len;
331	client_write_iv = key_block;
332	key_block += iv_len;
333	server_write_iv = key_block;
334	key_block += iv_len;
335		300
336	/* Use client write keys on client write and server read. */	301	/* Use client write keys on client write and server read. */
337	if ((!s->server && is_write) \|\| (s->server && !is_write)) {	302	if ((!s->server && is_write) \|\| (s->server && !is_write)) {
338	mac_secret = client_write_mac_secret;	303	tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
339	key = client_write_key;	304	&mac_key, &key, &iv);
340	iv = client_write_iv;
341	} else {	305	} else {
342	mac_secret = server_write_mac_secret;	306	tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
343	key = server_write_key;	307	&mac_key, &key, &iv);
344	iv = server_write_iv;
345	}
346
347	if (key_block - S3I(s)->hs.tls12.key_block !=
348	S3I(s)->hs.tls12.key_block_len) {
349	SSLerror(s, ERR_R_INTERNAL_ERROR);
350	goto err;
351	}	308	}
352		309
353	if (!is_write) {	310	if (!is_write) {
354	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,	311	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
355	mac_secret, mac_secret_size, key, key_len, iv, iv_len))	312	&mac_key, &key, &iv))
356	goto err;	313	goto err;
357	if (SSL_is_dtls(s))	314	if (SSL_is_dtls(s))
358	dtls1_reset_read_seq_numbers(s);	315	dtls1_reset_read_seq_numbers(s);
@@ -360,7 +317,7 @@ tls1_change_cipher_state(SSL *s, int is_write)
360	&s->enc_read_ctx, &s->read_hash);	317	&s->enc_read_ctx, &s->read_hash);
361	} else {	318	} else {
362	if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,	319	if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
363	mac_secret, mac_secret_size, key, key_len, iv, iv_len))	320	&mac_key, &key, &iv))
364	goto err;	321	goto err;
365	if (SSL_is_dtls(s))	322	if (SSL_is_dtls(s))
366	dtls1_reset_write_seq_numbers(s);	323	dtls1_reset_write_seq_numbers(s);
@@ -386,17 +343,19 @@ tls1_change_write_cipher_state(SSL *s)
386	int	343	int
387	tls1_setup_key_block(SSL *s)	344	tls1_setup_key_block(SSL *s)
388	{	345	{
389	unsigned char *key_block;	346	struct tls12_key_block *key_block;
390	int mac_type = NID_undef, mac_secret_size = 0;	347	int mac_type = NID_undef, mac_secret_size = 0;
391	size_t key_block_len;
392	int key_len, iv_len;
393	const EVP_CIPHER *cipher = NULL;	348	const EVP_CIPHER *cipher = NULL;
394	const EVP_AEAD *aead = NULL;	349	const EVP_AEAD *aead = NULL;
395	const EVP_MD *handshake_hash = NULL;	350	const EVP_MD *handshake_hash = NULL;
396	const EVP_MD *mac_hash = NULL;	351	const EVP_MD *mac_hash = NULL;
397	int ret = 0;	352	int ret = 0;
398		353
399	if (S3I(s)->hs.tls12.key_block_len != 0)	354	/*
		355	* XXX - callers should be changed so that they only call this
		356	* function once.
		357	*/
		358	if (S3I(s)->hs.tls12.key_block != NULL)
400	return (1);	359	return (1);
401		360
402	if (s->session->cipher &&	361	if (s->session->cipher &&
@@ -405,41 +364,29 @@ tls1_setup_key_block(SSL *s)
405	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);	364	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
406	return (0);	365	return (0);
407	}	366	}
408	key_len = EVP_AEAD_key_length(aead);
409	iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
410	} else {	367	} else {
		368	/* XXX - mac_type and mac_secret_size are now unused. */
411	if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,	369	if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
412	&mac_type, &mac_secret_size)) {	370	&mac_type, &mac_secret_size)) {
413	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);	371	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
414	return (0);	372	return (0);
415	}	373	}
416	key_len = EVP_CIPHER_key_length(cipher);
417	iv_len = EVP_CIPHER_iv_length(cipher);
418	}	374	}
419		375
420	if (!ssl_get_handshake_evp_md(s, &handshake_hash))	376	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
421	return (0);	377	return (0);
422		378
423	S3I(s)->hs.tls12.mac_secret_size = mac_secret_size;
424
425	tls12_record_layer_set_aead(s->internal->rl, aead);	379	tls12_record_layer_set_aead(s->internal->rl, aead);
426	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,	380	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
427	handshake_hash, mac_hash);	381	handshake_hash, mac_hash);
428		382
429	tls1_cleanup_key_block(s);	383	if ((key_block = tls12_key_block_new()) == NULL)
430		384	goto err;
431	if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,	385	if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
432	2)) == NULL) {
433	SSLerror(s, ERR_R_MALLOC_FAILURE);
434	goto err;	386	goto err;
435	}
436	key_block_len = (mac_secret_size + key_len + iv_len) * 2;
437		387
438	S3I(s)->hs.tls12.key_block_len = key_block_len;
439	S3I(s)->hs.tls12.key_block = key_block;	388	S3I(s)->hs.tls12.key_block = key_block;
440		389	key_block = NULL;
441	if (!tls1_generate_key_block(s, key_block, key_block_len))
442	goto err;
443		390
444	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&	391	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
445	s->method->internal->version <= TLS1_VERSION) {	392	s->method->internal->version <= TLS1_VERSION) {
@@ -463,6 +410,8 @@ tls1_setup_key_block(SSL *s)
463	ret = 1;	410	ret = 1;
464		411
465	err:	412	err:
		413	tls12_key_block_free(key_block);
		414
466	return (ret);	415	return (ret);
467	}	416	}
468		417