From 3dd336e6ff4073ca34d5f248d90afd65c6e3f27f Mon Sep 17 00:00:00 2001 From: jsing <> Date: Wed, 5 Sep 2018 16:48:11 +0000 Subject: Correctly clear the current cipher state, when changing cipher state. When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures. Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions. Issue reported by Bernard Spil, who also tested this diff. ok tb@ --- src/lib/libssl/ssl_locl.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'src/lib/libssl/ssl_locl.h') diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index b6d71492fd..a4e831577d 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.212 2018/08/30 16:56:16 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.213 2018/09/05 16:48:11 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1039,7 +1039,9 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; extern SSL3_ENC_METHOD TLSv1_1_enc_data; extern SSL3_ENC_METHOD TLSv1_2_enc_data; -void ssl_clear_cipher_ctx(SSL *s); +void ssl_clear_cipher_state(SSL *s); +void ssl_clear_cipher_read_state(SSL *s); +void ssl_clear_cipher_write_state(SSL *s); int ssl_clear_bad_session(SSL *s); CERT *ssl_cert_new(void); CERT *ssl_cert_dup(CERT *cert); @@ -1279,7 +1281,6 @@ int tls12_get_sigid(const EVP_PKEY *pk); int tls12_get_hashandsig(CBB *cbb, const EVP_PKEY *pk, const EVP_MD *md); const EVP_MD *tls12_get_hash(unsigned char hash_alg); -void ssl_clear_hash_ctx(EVP_MD_CTX **hash); long ssl_get_algorithm2(SSL *s); int tls1_process_sigalgs(SSL *s, CBS *cbs); void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, -- cgit v1.2.3-55-g6feb