From d6a17a33bad1b73601de3cd3d861235bb94095e4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 11 Sep 2015 17:03:03 +0000
Subject: Nuke ssl3_change_cipher_state().

ok "flensing knife"
---
 src/lib/libssl/src/ssl/s3_enc.c   | 110 +-------------------------------------
 src/lib/libssl/src/ssl/ssl_locl.h |   3 +-
 src/lib/libssl/ssl_locl.h         |   3 +-
 3 files changed, 3 insertions(+), 113 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index ced1083497..14c29e4edd 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.66 2015/09/11 17:01:19 jsing Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.67 2015/09/11 17:03:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -163,114 +163,6 @@ static unsigned char ssl3_pad_2[48] = {
 static int ssl3_handshake_mac(SSL *s, int md_nid, const char *sender,
     int len, unsigned char *p);
 
-int
-ssl3_change_cipher_state(SSL *s, int which)
-{
-	const unsigned char *client_write_mac_secret, *server_write_mac_secret;
-	const unsigned char *client_write_key, *server_write_key;
-	const unsigned char *client_write_iv, *server_write_iv;
-	const unsigned char *mac_secret, *key, *iv;
-	unsigned char *key_block;
-	int mac_len, key_len, iv_len;
-	char is_read, use_client_keys;
-	EVP_CIPHER_CTX *cipher_ctx;
-	const EVP_CIPHER *cipher;
-	const EVP_MD *mac;
-
-
-	cipher = s->s3->tmp.new_sym_enc;
-	mac = s->s3->tmp.new_hash;
-
-	/* mac == NULL will lead to a crash later */
-	OPENSSL_assert(mac);
-
-	/*
-	 * is_read is true if we have just read a ChangeCipherSpec message,
-	 * that is we need to update the read cipherspec. Otherwise we have
-	 * just written one.
-	 */
-	is_read = (which & SSL3_CC_READ) != 0;
-
-	/*
-	 * use_client_keys is true if we wish to use the keys for the "client
-	 * write" direction. This is the case if we're a client sending a
-	 * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec.
-	 */
-	use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
-	    (which == SSL3_CHANGE_CIPHER_SERVER_READ));
-
-
-	if (is_read) {
-		EVP_CIPHER_CTX_free(s->enc_read_ctx);
-		s->enc_read_ctx = NULL;
-		if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
-			goto err;
-		s->enc_read_ctx = cipher_ctx;
-
-		if (ssl_replace_hash(&s->read_hash, mac) == NULL)
-			goto err;
-	} else {
-		EVP_CIPHER_CTX_free(s->enc_write_ctx);
-		s->enc_write_ctx = NULL;
-		if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
-			goto err;
-		s->enc_write_ctx = cipher_ctx;
-
-		if (ssl_replace_hash(&s->write_hash, mac) == NULL)
-			goto err;
-	}
-
-	memset(is_read ? s->s3->read_sequence : s->s3->write_sequence,
-	    0, SSL3_SEQUENCE_SIZE);
-
-	mac_len = EVP_MD_size(mac);
-	key_len = EVP_CIPHER_key_length(cipher);
-	iv_len = EVP_CIPHER_iv_length(cipher);
-
-	if (mac_len < 0)
-		goto err2;
-
-	key_block = s->s3->tmp.key_block;
-	client_write_mac_secret = key_block;
-	key_block += mac_len;
-	server_write_mac_secret = key_block;
-	key_block += mac_len;
-	client_write_key = key_block;
-	key_block += key_len;
-	server_write_key = key_block;
-	key_block += key_len;
-	client_write_iv = key_block;
-	key_block += iv_len;
-	server_write_iv = key_block;
-	key_block += iv_len;
-
-	if (use_client_keys) {
-		mac_secret = client_write_mac_secret;
-		key = client_write_key;
-		iv = client_write_iv;
-	} else {
-		mac_secret = server_write_mac_secret;
-		key = server_write_key;
-		iv = server_write_iv;
-	}
-
-	if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) {
-		SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
-		goto err2;
-	}
-
-	memcpy(is_read ? s->s3->read_mac_secret : s->s3->write_mac_secret,
-	    mac_secret, mac_len);
-
-	EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);
-
-	return (1);
-err:
-	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
-err2:
-	return (0);
-}
-
 void
 ssl3_cleanup_key_block(SSL *s)
 {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index ec30c9cb6a..e4c6c45196 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.109 2015/09/11 17:01:19 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.110 2015/09/11 17:03:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -603,7 +603,6 @@ int ssl3_send_newsession_ticket(SSL *s);
 int ssl3_send_cert_status(SSL *s);
 int ssl3_get_finished(SSL *s, int state_a, int state_b);
 int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
-int ssl3_change_cipher_state(SSL *s, int which);
 void ssl3_cleanup_key_block(SSL *s);
 int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index ec30c9cb6a..e4c6c45196 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.109 2015/09/11 17:01:19 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.110 2015/09/11 17:03:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -603,7 +603,6 @@ int ssl3_send_newsession_ticket(SSL *s);
 int ssl3_send_cert_status(SSL *s);
 int ssl3_get_finished(SSL *s, int state_a, int state_b);
 int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
-int ssl3_change_cipher_state(SSL *s, int which);
 void ssl3_cleanup_key_block(SSL *s);
 int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
-- 
cgit v1.2.3-55-g6feb