5 files changed, 37 insertions, 18 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 4f15015145..14ff8221be 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.88 2021/01/13 18:38:34 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.89 2021/01/19 18:57:09 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -642,13 +642,12 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                return (0);
        }
+        /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
-        if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
+        if (type == rr->type) {
-        {
                /* make sure that we are not getting application data when we
                 * are doing a handshake for the first time */
-                if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+                if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&
-                        (s->enc_read_ctx == NULL)) {
+                    !tls12_record_layer_read_protected(s->internal->rl)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);
                        goto f_err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index e09f668121..e0a4c49ccb 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.313 2021/01/19 18:51:08 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.314 2021/01/19 18:57:09 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -479,6 +479,8 @@ void tls12_record_layer_alert(struct tls12_record_layer *rl,
    uint8_t *alert_desc);
 int tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
    size_t *overhead);
+int tls12_record_layer_read_protected(struct tls12_record_layer *rl);
+int tls12_record_layer_write_protected(struct tls12_record_layer *rl);
 void tls12_record_layer_set_version(struct tls12_record_layer *rl,
    uint16_t version);
 void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl,
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 4cc1914ecd..31a66753bf 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.33 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.34 2021/01/19 18:57:09 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -370,11 +370,12 @@ ssl3_get_record(SSL *s)
                /* Lets check version */
                if (!s->internal->first_packet && ssl_version != s->version) {
-                        SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
                        if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&
-                            !s->internal->enc_write_ctx && !s->internal->write_hash)
+                            !tls12_record_layer_write_protected(s->internal->rl)) {
                                /* Send back error using their minor version number :-) */
                                s->version = ssl_version;
+                        }
+                        SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
                        al = SSL_AD_PROTOCOL_VERSION;
                        goto f_err;
                }
@@ -569,8 +570,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
         * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this
         * is unnecessary for AEAD.
         */
-        if (sess != NULL && s->internal->enc_write_ctx != NULL &&
+        if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) {
-            EVP_MD_CTX_md(s->internal->write_hash) != NULL) {
                if (S3I(s)->need_empty_fragments &&
                    !S3I(s)->empty_fragment_done &&
                    type == SSL3_RT_APPLICATION_DATA)
@@ -814,8 +814,8 @@ start:
        if (type == rr->type) {
                /* make sure that we are not getting application data when we
                 * are doing a handshake for the first time */
-                if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+                if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&
-                        (s->enc_read_ctx == NULL)) {
+                    !tls12_record_layer_read_protected(s->internal->rl)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);
                        goto f_err;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index ac3669550c..000cac6785 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.88 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.89 2021/01/19 18:57:09 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -853,15 +853,15 @@ ssl3_get_client_hello(SSL *s)
        if (!ssl_downgrade_max_version(s, &max_version))
                goto err;
        if (ssl_max_shared_version(s, client_version, &shared_version) != 1) {
-                SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
                if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
-                    !s->internal->enc_write_ctx && !s->internal->write_hash) {
+                    !tls12_record_layer_write_protected(s->internal->rl)) {
                        /*
                         * Similar to ssl3_get_record, send alert using remote
                         * version number.
                         */
                        s->version = s->client_version;
                }
+                SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
        }
diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c
index 7fa31707d3..affc5375a2 100644
--- a/src/lib/libssl/tls12_record_layer.c
+++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.11 2021/01/19 18:51:08 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.12 2021/01/19 18:57:09 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
 *
@@ -59,6 +59,12 @@ tls12_record_protection_free(struct tls12_record_protection *rp)
 }
 static int
+tls12_record_protection_engaged(struct tls12_record_protection *rp)
+{
+        return rp->aead_ctx != NULL || rp->cipher_ctx != NULL;
+}
+static int
 tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
    size_t *out_eiv_len)
 {
@@ -195,6 +201,18 @@ tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
        return 1;
 }
+int
+tls12_record_layer_read_protected(struct tls12_record_layer *rl)
+{
+        return tls12_record_protection_engaged(rl->read);
+}
+int
+tls12_record_layer_write_protected(struct tls12_record_layer *rl)
+{
+        return tls12_record_protection_engaged(rl->write);
+}
 void
 tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
 {

diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 4f15015145..14ff8221be 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_pkt.c,v 1.88 2021/01/13 18:38:34 jsing Exp $ */	1	/* $OpenBSD: d1_pkt.c,v 1.89 2021/01/19 18:57:09 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -642,13 +642,12 @@ dtls1_read_bytes(SSL s, int type, unsigned char buf, int len, int peek)
642	return (0);	642	return (0);
643	}	643	}
644		644
645		645	/* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
646	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */	646	if (type == rr->type) {
647	{
648	/* make sure that we are not getting application data when we	647	/* make sure that we are not getting application data when we
649	* are doing a handshake for the first time */	648	* are doing a handshake for the first time */
650	if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&	649	if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&
651	(s->enc_read_ctx == NULL)) {	650	!tls12_record_layer_read_protected(s->internal->rl)) {
652	al = SSL_AD_UNEXPECTED_MESSAGE;	651	al = SSL_AD_UNEXPECTED_MESSAGE;
653	SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);	652	SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);
654	goto f_err;	653	goto f_err;


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index e09f668121..e0a4c49ccb 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.313 2021/01/19 18:51:08 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.314 2021/01/19 18:57:09 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -479,6 +479,8 @@ void tls12_record_layer_alert(struct tls12_record_layer *rl,
479	uint8_t *alert_desc);	479	uint8_t *alert_desc);
480	int tls12_record_layer_write_overhead(struct tls12_record_layer *rl,	480	int tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
481	size_t *overhead);	481	size_t *overhead);
		482	int tls12_record_layer_read_protected(struct tls12_record_layer *rl);
		483	int tls12_record_layer_write_protected(struct tls12_record_layer *rl);
482	void tls12_record_layer_set_version(struct tls12_record_layer *rl,	484	void tls12_record_layer_set_version(struct tls12_record_layer *rl,
483	uint16_t version);	485	uint16_t version);
484	void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl,	486	void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl,


diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index 4cc1914ecd..31a66753bf 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_pkt.c,v 1.33 2020/10/14 16:57:33 jsing Exp $ */	1	/* $OpenBSD: ssl_pkt.c,v 1.34 2021/01/19 18:57:09 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -370,11 +370,12 @@ ssl3_get_record(SSL *s)
370		370
371	/* Lets check version */	371	/* Lets check version */
372	if (!s->internal->first_packet && ssl_version != s->version) {	372	if (!s->internal->first_packet && ssl_version != s->version) {
373	SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
374	if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&	373	if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&
375	!s->internal->enc_write_ctx && !s->internal->write_hash)	374	!tls12_record_layer_write_protected(s->internal->rl)) {
376	/* Send back error using their minor version number :-) */	375	/* Send back error using their minor version number :-) */
377	s->version = ssl_version;	376	s->version = ssl_version;
		377	}
		378	SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
378	al = SSL_AD_PROTOCOL_VERSION;	379	al = SSL_AD_PROTOCOL_VERSION;
379	goto f_err;	380	goto f_err;
380	}	381	}
@@ -569,8 +570,7 @@ do_ssl3_write(SSL s, int type, const unsigned char buf, unsigned int len)
569	* (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this	570	* (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this
570	* is unnecessary for AEAD.	571	* is unnecessary for AEAD.
571	*/	572	*/
572	if (sess != NULL && s->internal->enc_write_ctx != NULL &&	573	if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) {
573	EVP_MD_CTX_md(s->internal->write_hash) != NULL) {
574	if (S3I(s)->need_empty_fragments &&	574	if (S3I(s)->need_empty_fragments &&
575	!S3I(s)->empty_fragment_done &&	575	!S3I(s)->empty_fragment_done &&
576	type == SSL3_RT_APPLICATION_DATA)	576	type == SSL3_RT_APPLICATION_DATA)
@@ -814,8 +814,8 @@ start:
814	if (type == rr->type) {	814	if (type == rr->type) {
815	/* make sure that we are not getting application data when we	815	/* make sure that we are not getting application data when we
816	* are doing a handshake for the first time */	816	* are doing a handshake for the first time */
817	if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&	817	if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA &&
818	(s->enc_read_ctx == NULL)) {	818	!tls12_record_layer_read_protected(s->internal->rl)) {
819	al = SSL_AD_UNEXPECTED_MESSAGE;	819	al = SSL_AD_UNEXPECTED_MESSAGE;
820	SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);	820	SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE);
821	goto f_err;	821	goto f_err;


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index ac3669550c..000cac6785 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.88 2020/10/14 16:57:33 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.89 2021/01/19 18:57:09 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -853,15 +853,15 @@ ssl3_get_client_hello(SSL *s)
853	if (!ssl_downgrade_max_version(s, &max_version))	853	if (!ssl_downgrade_max_version(s, &max_version))
854	goto err;	854	goto err;
855	if (ssl_max_shared_version(s, client_version, &shared_version) != 1) {	855	if (ssl_max_shared_version(s, client_version, &shared_version) != 1) {
856	SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
857	if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&	856	if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
858	!s->internal->enc_write_ctx && !s->internal->write_hash) {	857	!tls12_record_layer_write_protected(s->internal->rl)) {
859	/*	858	/*
860	* Similar to ssl3_get_record, send alert using remote	859	* Similar to ssl3_get_record, send alert using remote
861	* version number.	860	* version number.
862	*/	861	*/
863	s->version = s->client_version;	862	s->version = s->client_version;
864	}	863	}
		864	SSLerror(s, SSL_R_WRONG_VERSION_NUMBER);
865	al = SSL_AD_PROTOCOL_VERSION;	865	al = SSL_AD_PROTOCOL_VERSION;
866	goto f_err;	866	goto f_err;
867	}	867	}


diff --git a/src/lib/libssl/tls12_record_layer.c b/src/lib/libssl/tls12_record_layer.c index 7fa31707d3..affc5375a2 100644 --- a/src/lib/libssl/tls12_record_layer.c +++ b/src/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls12_record_layer.c,v 1.11 2021/01/19 18:51:08 jsing Exp $ */	1	/* $OpenBSD: tls12_record_layer.c,v 1.12 2021/01/19 18:57:09 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -59,6 +59,12 @@ tls12_record_protection_free(struct tls12_record_protection *rp)
59	}	59	}
60		60
61	static int	61	static int
		62	tls12_record_protection_engaged(struct tls12_record_protection *rp)
		63	{
		64	return rp->aead_ctx != NULL \|\| rp->cipher_ctx != NULL;
		65	}
		66
		67	static int
62	tls12_record_protection_eiv_len(struct tls12_record_protection *rp,	68	tls12_record_protection_eiv_len(struct tls12_record_protection *rp,
63	size_t *out_eiv_len)	69	size_t *out_eiv_len)
64	{	70	{
@@ -195,6 +201,18 @@ tls12_record_layer_write_overhead(struct tls12_record_layer *rl,
195	return 1;	201	return 1;
196	}	202	}
197		203
		204	int
		205	tls12_record_layer_read_protected(struct tls12_record_layer *rl)
		206	{
		207	return tls12_record_protection_engaged(rl->read);
		208	}
		209
		210	int
		211	tls12_record_layer_write_protected(struct tls12_record_layer *rl)
		212	{
		213	return tls12_record_protection_engaged(rl->write);
		214	}
		215
198	void	216	void
199	tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)	217	tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
200	{	218	{