1 files changed, 102 insertions, 5 deletions
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index affc5375a2..83d71d1c7a 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.12 2021/01/19 18:57:09 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.13 2021/01/19 19:07:39 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
@@ -132,8 +132,13 @@ struct tls12_record_layer {
        uint8_t alert_desc;
+        /* Pointers to active record protection (memory is not owned). */
        struct tls12_record_protection *read;
        struct tls12_record_protection *write;
+        struct tls12_record_protection *read_current;
+        struct tls12_record_protection *write_current;
+        struct tls12_record_protection *write_previous;
 };
 struct tls12_record_layer *
@@ -143,11 +148,14 @@ tls12_record_layer_new(void)
        if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
                goto err;
-        if ((rl->read = tls12_record_protection_new()) == NULL)
+        if ((rl->read_current = tls12_record_protection_new()) == NULL)
                goto err;
-        if ((rl->write = tls12_record_protection_new()) == NULL)
+        if ((rl->write_current = tls12_record_protection_new()) == NULL)
                goto err;
+        rl->read = rl->read_current;
+        rl->write = rl->write_current;
        return rl;
 err:
@@ -162,8 +170,9 @@ tls12_record_layer_free(struct tls12_record_layer *rl)
        if (rl == NULL)
                return;
-        tls12_record_protection_free(rl->read);
+        tls12_record_protection_free(rl->read_current);
-        tls12_record_protection_free(rl->write);
+        tls12_record_protection_free(rl->write_current);
+        tls12_record_protection_free(rl->write_previous);
        freezero(rl, sizeof(struct tls12_record_layer));
 }
@@ -226,6 +235,37 @@ tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch
        rl->write->epoch = epoch;
 }
+int
+tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
+{
+        if (rl->write->epoch == epoch)
+                return 1;
+        if (rl->write_current->epoch == epoch) {
+                rl->write = rl->write_current;
+                return 1;
+        }
+        if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
+                rl->write = rl->write_previous;
+                return 1;
+        }
+        return 0;
+}
+void
+tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
+{
+        if (rl->write_previous == NULL || rl->write_previous->epoch != epoch)
+                return;
+        rl->write = rl->write_current;
+        tls12_record_protection_free(rl->write_previous);
+        rl->write_previous = NULL;
+}
 static void
 tls12_record_layer_set_read_state(struct tls12_record_layer *rl,
    SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx,
@@ -263,6 +303,9 @@ tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
 {
        tls12_record_layer_set_write_state(rl, NULL, NULL, NULL, 0);
        rl->write->seq_num = NULL;
+        tls12_record_protection_free(rl->write_previous);
+        rl->write_previous = NULL;
 }
 void
@@ -337,6 +380,60 @@ tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl,
        return 1;
 }
+int
+tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
+    const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key,
+    size_t key_len, const uint8_t *iv, size_t iv_len)
+{
+        struct tls12_record_protection *read_new = NULL;
+        int ret = 0;
+        if ((read_new = tls12_record_protection_new()) == NULL)
+                goto err;
+        /* XXX - change cipher state. */
+        tls12_record_protection_free(rl->read_current);
+        rl->read = rl->read_current = read_new;
+        read_new = NULL;
+        ret = 1;
+ err:
+        tls12_record_protection_free(read_new);
+        return ret;
+}
+int
+tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
+    const uint8_t *mac_key, size_t mac_key_len, const uint8_t *key,
+    size_t key_len, const uint8_t *iv, size_t iv_len)
+{
+        struct tls12_record_protection *write_new;
+        int ret = 0;
+        if ((write_new = tls12_record_protection_new()) == NULL)
+                goto err;
+        /* XXX - change cipher state. */
+        if (rl->dtls) {
+                tls12_record_protection_free(rl->write_previous);
+                rl->write_previous = rl->write_current;
+                rl->write_current = NULL;
+        }
+        tls12_record_protection_free(rl->write_current);
+        rl->write = rl->write_current = write_new;
+        write_new = NULL;
+        ret = 1;
+ err:
+        tls12_record_protection_free(write_new);
+        return ret;
+}
 static int
 tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb,
    uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)

diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index affc5375a2..83d71d1c7a 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls12_record_layer.c,v 1.12 2021/01/19 18:57:09 jsing Exp $ */	1	/* $OpenBSD: tls12_record_layer.c,v 1.13 2021/01/19 19:07:39 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -132,8 +132,13 @@ struct tls12_record_layer {
132		132
133	uint8_t alert_desc;	133	uint8_t alert_desc;
134		134
		135	/* Pointers to active record protection (memory is not owned). */
135	struct tls12_record_protection *read;	136	struct tls12_record_protection *read;
136	struct tls12_record_protection *write;	137	struct tls12_record_protection *write;
		138
		139	struct tls12_record_protection *read_current;
		140	struct tls12_record_protection *write_current;
		141	struct tls12_record_protection *write_previous;
137	};	142	};
138		143
139	struct tls12_record_layer *	144	struct tls12_record_layer *
@@ -143,11 +148,14 @@ tls12_record_layer_new(void)
143		148
144	if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)	149	if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL)
145	goto err;	150	goto err;
146	if ((rl->read = tls12_record_protection_new()) == NULL)	151	if ((rl->read_current = tls12_record_protection_new()) == NULL)
147	goto err;	152	goto err;
148	if ((rl->write = tls12_record_protection_new()) == NULL)	153	if ((rl->write_current = tls12_record_protection_new()) == NULL)
149	goto err;	154	goto err;
150		155
		156	rl->read = rl->read_current;
		157	rl->write = rl->write_current;
		158
151	return rl;	159	return rl;
152		160
153	err:	161	err:
@@ -162,8 +170,9 @@ tls12_record_layer_free(struct tls12_record_layer *rl)
162	if (rl == NULL)	170	if (rl == NULL)
163	return;	171	return;
164		172
165	tls12_record_protection_free(rl->read);	173	tls12_record_protection_free(rl->read_current);
166	tls12_record_protection_free(rl->write);	174	tls12_record_protection_free(rl->write_current);
		175	tls12_record_protection_free(rl->write_previous);
167		176
168	freezero(rl, sizeof(struct tls12_record_layer));	177	freezero(rl, sizeof(struct tls12_record_layer));
169	}	178	}
@@ -226,6 +235,37 @@ tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch
226	rl->write->epoch = epoch;	235	rl->write->epoch = epoch;
227	}	236	}
228		237
		238	int
		239	tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
		240	{
		241	if (rl->write->epoch == epoch)
		242	return 1;
		243
		244	if (rl->write_current->epoch == epoch) {
		245	rl->write = rl->write_current;
		246	return 1;
		247	}
		248
		249	if (rl->write_previous != NULL && rl->write_previous->epoch == epoch) {
		250	rl->write = rl->write_previous;
		251	return 1;
		252	}
		253
		254	return 0;
		255	}
		256
		257	void
		258	tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl, uint16_t epoch)
		259	{
		260	if (rl->write_previous == NULL \|\| rl->write_previous->epoch != epoch)
		261	return;
		262
		263	rl->write = rl->write_current;
		264
		265	tls12_record_protection_free(rl->write_previous);
		266	rl->write_previous = NULL;
		267	}
		268
229	static void	269	static void
230	tls12_record_layer_set_read_state(struct tls12_record_layer *rl,	270	tls12_record_layer_set_read_state(struct tls12_record_layer *rl,
231	SSL_AEAD_CTX aead_ctx, EVP_CIPHER_CTX cipher_ctx, EVP_MD_CTX *hash_ctx,	271	SSL_AEAD_CTX aead_ctx, EVP_CIPHER_CTX cipher_ctx, EVP_MD_CTX *hash_ctx,
@@ -263,6 +303,9 @@ tls12_record_layer_clear_write_state(struct tls12_record_layer *rl)
263	{	303	{
264	tls12_record_layer_set_write_state(rl, NULL, NULL, NULL, 0);	304	tls12_record_layer_set_write_state(rl, NULL, NULL, NULL, 0);
265	rl->write->seq_num = NULL;	305	rl->write->seq_num = NULL;
		306
		307	tls12_record_protection_free(rl->write_previous);
		308	rl->write_previous = NULL;
266	}	309	}
267		310
268	void	311	void
@@ -337,6 +380,60 @@ tls12_record_layer_set_read_mac_key(struct tls12_record_layer *rl,
337	return 1;	380	return 1;
338	}	381	}
339		382
		383	int
		384	tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl,
		385	const uint8_t mac_key, size_t mac_key_len, const uint8_t key,
		386	size_t key_len, const uint8_t *iv, size_t iv_len)
		387	{
		388	struct tls12_record_protection *read_new = NULL;
		389	int ret = 0;
		390
		391	if ((read_new = tls12_record_protection_new()) == NULL)
		392	goto err;
		393
		394	/* XXX - change cipher state. */
		395
		396	tls12_record_protection_free(rl->read_current);
		397	rl->read = rl->read_current = read_new;
		398	read_new = NULL;
		399
		400	ret = 1;
		401
		402	err:
		403	tls12_record_protection_free(read_new);
		404
		405	return ret;
		406	}
		407
		408	int
		409	tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
		410	const uint8_t mac_key, size_t mac_key_len, const uint8_t key,
		411	size_t key_len, const uint8_t *iv, size_t iv_len)
		412	{
		413	struct tls12_record_protection *write_new;
		414	int ret = 0;
		415
		416	if ((write_new = tls12_record_protection_new()) == NULL)
		417	goto err;
		418
		419	/* XXX - change cipher state. */
		420
		421	if (rl->dtls) {
		422	tls12_record_protection_free(rl->write_previous);
		423	rl->write_previous = rl->write_current;
		424	rl->write_current = NULL;
		425	}
		426	tls12_record_protection_free(rl->write_current);
		427	rl->write = rl->write_current = write_new;
		428	write_new = NULL;
		429
		430	ret = 1;
		431
		432	err:
		433	tls12_record_protection_free(write_new);
		434
		435	return ret;
		436	}
340	static int	437	static int
341	tls12_record_layer_build_seq_num(struct tls12_record_layer rl, CBB cbb,	438	tls12_record_layer_build_seq_num(struct tls12_record_layer rl, CBB cbb,
342	uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)	439	uint16_t epoch, uint8_t *seq_num, size_t seq_num_len)