artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 316cf75)
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
authorjsing <jsing@openbsd.org>
Wed, 5 May 2021 19:52:00 +0000 (19:52 +0000)
committerjsing <jsing@openbsd.org>
Wed, 5 May 2021 19:52:00 +0000 (19:52 +0000)
ok inoguchi@ tb@

lib/libssl/d1_both.c patch | blob | history
lib/libssl/d1_pkt.c patch | blob | history
lib/libssl/ssl_locl.h patch | blob | history
lib/libssl/t1_enc.c patch | blob | history
lib/libssl/tls12_record_layer.c patch | blob | history

diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index ba05c2a..3b9880b 100644 (file)
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.69 2021/04/19 16:51:56 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.70 2021/05/05 19:52:00 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -972,7 +972,8 @@ dtls1_buffer_message(SSL *s, int is_ccs)
 
        /* save current state*/
        frag->msg_header.saved_retransmit_state.session = s->session;
-       frag->msg_header.saved_retransmit_state.epoch = D1I(s)->w_epoch;
+       frag->msg_header.saved_retransmit_state.epoch =
+           tls12_record_layer_write_epoch(s->internal->rl);
 
        memset(seq64be, 0, sizeof(seq64be));
        seq64be[6] = (unsigned char)(dtls1_get_queue_priority(
@@ -1039,15 +1040,14 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 
        /* save current state */
        saved_state.session = s->session;
-       saved_state.epoch = D1I(s)->w_epoch;
+       saved_state.epoch = tls12_record_layer_write_epoch(s->internal->rl);
 
        D1I(s)->retransmitting = 1;
 
        /* restore state in which the message was originally sent */
        s->session = frag->msg_header.saved_retransmit_state.session;
-       D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
-
-       if (!tls12_record_layer_use_write_epoch(s->internal->rl, D1I(s)->w_epoch))
+       if (!tls12_record_layer_use_write_epoch(s->internal->rl,
+           frag->msg_header.saved_retransmit_state.epoch))
                return 0;
 
        ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
@@ -1055,9 +1055,8 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 
        /* restore current state */
        s->session = saved_state.session;
-       D1I(s)->w_epoch = saved_state.epoch;
-
-       if (!tls12_record_layer_use_write_epoch(s->internal->rl, D1I(s)->w_epoch))
+       if (!tls12_record_layer_use_write_epoch(s->internal->rl,
+           saved_state.epoch))
                return 0;
 
        D1I(s)->retransmitting = 0;
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 4cb26d7..31ee5a6 100644 (file)
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.94 2021/05/02 17:18:10 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.95 2021/05/05 19:52:00 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1222,10 +1222,3 @@ dtls1_reset_read_seq_numbers(SSL *s)
        memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP));
        memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP));
 }
-
-void
-dtls1_reset_write_seq_numbers(SSL *s)
-{
-       D1I(s)->w_epoch++;
-       tls12_record_layer_set_write_epoch(s->internal->rl, D1I(s)->w_epoch);
-}
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 1f7e1fa..50ed47d 100644 (file)
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.342 2021/05/05 10:05:27 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.343 2021/05/05 19:52:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -546,8 +546,7 @@ void tls12_record_layer_set_cipher_hash(struct tls12_record_layer *rl,
     const EVP_MD *mac_hash);
 void tls12_record_layer_set_version(struct tls12_record_layer *rl,
     uint16_t version);
-void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl,
-    uint16_t epoch);
+uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer *rl);
 int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl,
     uint16_t epoch);
 void tls12_record_layer_write_epoch_done(struct tls12_record_layer *rl,
@@ -997,7 +996,6 @@ typedef struct dtls1_state_internal_st {
         * completed
         */
        unsigned short r_epoch;
-       unsigned short w_epoch;
 
        /* records being received in the current epoch */
        DTLS1_BITMAP bitmap;
@@ -1297,7 +1295,6 @@ int dtls1_get_message_header(unsigned char *data,
     struct hm_header_st *msg_hdr);
 void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
 void dtls1_reset_read_seq_numbers(SSL *s);
-void dtls1_reset_write_seq_numbers(SSL *s);
 struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
 int dtls1_check_timeout_num(SSL *s);
 int dtls1_handle_timeout(SSL *s);
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 5a626fb..57ddecb 100644 (file)
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.143 2021/05/05 10:05:27 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.144 2021/05/05 19:52:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -319,8 +319,6 @@ tls1_change_cipher_state(SSL *s, int is_write)
                if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
                    &mac_key, &key, &iv))
                        goto err;
-               if (SSL_is_dtls(s))
-                       dtls1_reset_write_seq_numbers(s);
        }
        return (1);
 
diff --git a/lib/libssl/tls12_record_layer.c b/lib/libssl/tls12_record_layer.c
index b9a3320..652ca87 100644 (file)
--- a/lib/libssl/tls12_record_layer.c
+++ b/lib/libssl/tls12_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_record_layer.c,v 1.27 2021/05/05 10:05:27 jsing Exp $ */
+/* $OpenBSD: tls12_record_layer.c,v 1.28 2021/05/05 19:52:00 jsing Exp $ */
 /*
  * Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
  *
@@ -277,10 +277,10 @@ tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version)
        rl->dtls = ((version >> 8) == DTLS1_VERSION_MAJOR);
 }
 
-void
-tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch)
+uint16_t
+tls12_record_layer_write_epoch(struct tls12_record_layer *rl)
 {
-       rl->write->epoch = epoch;
+       return rl->write->epoch;
 }
 
 int
@@ -583,6 +583,10 @@ tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl,
 
        /* Write sequence number gets reset to zero. */
 
+       /* DTLS epoch is incremented and is permitted to wrap. */
+       if (rl->dtls)
+               write_new->epoch = rl->write_current->epoch + 1;
+
        if (!tls12_record_layer_change_cipher_state(rl, write_new, 1,
            mac_key, key, iv))
                goto err;
OpenBSD src
by Ahmet Artu Yildirim