From 03eef7138159665bd93e1d34f098f9e160bf3b99 Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 19 Apr 2021 16:51:56 +0000
Subject: [PATCH] Move reuse_message, message_type, message_size and cert_verify into the TLSv1.2 handshake struct.

ok inoguchi@ tb@
---
 lib/libssl/d1_both.c | 14 ++++++-------
 lib/libssl/ssl_both.c | 16 +++++++--------
 lib/libssl/ssl_clnt.c | 42 +++++++++++++++++++--------------------
 lib/libssl/ssl_locl.h | 19 ++++++++++--------
 lib/libssl/ssl_srvr.c | 22 ++++++++++----------
 lib/libssl/tls13_legacy.c | 8 ++++----
 6 files changed, 62 insertions(+), 59 deletions(-)

diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index f4c1cb95b09..ba05c2a3543 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.68 2021/02/27 14:20:50 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.69 2021/04/19 16:51:56 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -380,16 +380,16 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 * s3->internal->tmp is used to store messages that are unexpected, caused
 * by the absence of an optional handshake message
 */
- if (S3I(s)->tmp.reuse_message) {
- S3I(s)->tmp.reuse_message = 0;
- if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
+ if (S3I(s)->hs.tls12.reuse_message) {
+ S3I(s)->hs.tls12.reuse_message = 0;
+ if ((mt >= 0) && (S3I(s)->hs.tls12.message_type != mt)) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
 goto fatal_err;
 }
 *ok = 1;
 s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH;
- s->internal->init_num = (int)S3I(s)->tmp.message_size;
+ s->internal->init_num = (int)S3I(s)->hs.tls12.message_size;
 return s->internal->init_num;
 }

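Review bot: The context comment at the top of the dtls1_get_message hunk still says `s3->internal->tmp is used to store messages that are unexpected`, but after this change the fields it describes (`reuse_message`, `message_type`, `message_size`) are read from `S3I(s)->hs.tls12`, so the comment now names the wrong struct. Suggest rewording it to `* S3I(s)->hs.tls12 records the type and size of an unexpected handshake message (caused by the absence of an optional message) so the next read can reuse it`. The start of that comment and the rest of dtls1_get_message lie outside the hunk, and the same wording may exist above ssl3_get_message in ssl_both.c, which this patch does not show.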
@@ -466,9 +466,9 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
 return SSL_AD_INTERNAL_ERROR;
 }

- S3I(s)->tmp.message_size = msg_len;
+ S3I(s)->hs.tls12.message_size = msg_len;
 D1I(s)->r_msg_hdr.msg_len = msg_len;
- S3I(s)->tmp.message_type = msg_hdr->type;
+ S3I(s)->hs.tls12.message_type = msg_hdr->type;
 D1I(s)->r_msg_hdr.type = msg_hdr->type;
 D1I(s)->r_msg_hdr.seq = msg_hdr->seq;
 } else if (msg_len != D1I(s)->r_msg_hdr.msg_len) {
diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index 4851231a8f3..ad9b0ee2578 100644
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.27 2021/03/29 16:46:09 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.28 2021/04/19 16:51:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -445,16 +445,16 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 if (SSL_is_dtls(s))
 return (dtls1_get_message(s, st1, stn, mt, max, ok));

- if (S3I(s)->tmp.reuse_message) {
- S3I(s)->tmp.reuse_message = 0;
- if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
+ if (S3I(s)->hs.tls12.reuse_message) {
+ S3I(s)->hs.tls12.reuse_message = 0;
+ if ((mt >= 0) && (S3I(s)->hs.tls12.message_type != mt)) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
 goto fatal_err;
 }
 *ok = 1;
 s->internal->init_msg = s->internal->init_buf->data + 4;
- s->internal->init_num = (int)S3I(s)->tmp.message_size;
+ s->internal->init_num = (int)S3I(s)->hs.tls12.message_size;
 return s->internal->init_num;
 }

@@ -511,7 +511,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 SSLerror(s, ERR_R_BUF_LIB);
 goto err;
 }
- S3I(s)->tmp.message_type = u8;
+ S3I(s)->hs.tls12.message_type = u8;

 if (l > (unsigned long)max) {
 al = SSL_AD_ILLEGAL_PARAMETER;
@@ -522,7 +522,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 SSLerror(s, ERR_R_BUF_LIB);
 goto err;
 }
- S3I(s)->tmp.message_size = l;
+ S3I(s)->hs.tls12.message_size = l;
 S3I(s)->hs.state = stn;

 s->internal->init_msg = s->internal->init_buf->data + 4;
@@ -531,7 +531,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

 /* next state (stn) */
 p = s->internal->init_msg;
- n = S3I(s)->tmp.message_size - s->internal->init_num;
+ n = S3I(s)->hs.tls12.message_size - s->internal->init_num;
 while (n > 0) {
 i = s->method->internal->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
 &p[s->internal->init_num], n, 0);
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 92113c29531..6b43b565b98 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.90 2021/04/11 07:06:01 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.91 2021/04/19 16:51:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -623,7 +623,7 @@ ssl3_connect(SSL *s)
 }

 /* did we do anything */
- if (!S3I(s)->tmp.reuse_message && !skip) {
+ if (!S3I(s)->hs.tls12.reuse_message && !skip) {
 if (s->internal->debug) {
 if ((ret = BIO_flush(s->wbio)) <= 0)
 goto end;
@@ -804,9 +804,9 @@ ssl3_get_dtls_hello_verify(SSL *s)
 if (!ok)
 return ((int)n);

- if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
+ if (S3I(s)->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
 D1I(s)->send_cookie = 0;
- S3I(s)->tmp.reuse_message = 1;
+ S3I(s)->hs.tls12.reuse_message = 1;
 return (1);
 }

@@ -878,9 +878,9 @@ ssl3_get_server_hello(SSL *s)
 CBS_init(&cbs, s->internal->init_msg, n);

 if (SSL_is_dtls(s)) {
- if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
+ if (S3I(s)->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
 if (D1I(s)->send_cookie == 0) {
- S3I(s)->tmp.reuse_message = 1;
+ S3I(s)->hs.tls12.reuse_message = 1;
 return (1);
 } else {
 /* Already sent a cookie. */
@@ -891,7 +891,7 @@ ssl3_get_server_hello(SSL *s)
 }
 }

- if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) {
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
 goto fatal_err;
@@ -1128,12 +1128,12 @@ ssl3_get_server_certificate(SSL *s)
 if (!ok)
 return ((int)n);

- if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
- S3I(s)->tmp.reuse_message = 1;
+ if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
+ S3I(s)->hs.tls12.reuse_message = 1;
 return (1);
 }

- if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
 goto fatal_err;
@@ -1498,7 +1498,7 @@ ssl3_get_server_key_exchange(SSL *s)

 CBS_init(&cbs, s->internal->init_msg, n);

- if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
 /*
 * Do not skip server key exchange if this cipher suite uses
 * ephemeral keys.
@@ -1509,7 +1509,7 @@ ssl3_get_server_key_exchange(SSL *s)
 goto fatal_err;
 }

- S3I(s)->tmp.reuse_message = 1;
+ S3I(s)->hs.tls12.reuse_message = 1;
 EVP_MD_CTX_cleanup(&md_ctx);
 return (1);
 }
@@ -1663,8 +1663,8 @@ ssl3_get_certificate_request(SSL *s)

 S3I(s)->tmp.cert_req = 0;

- if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_DONE) {
- S3I(s)->tmp.reuse_message = 1;
+ if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
+ S3I(s)->hs.tls12.reuse_message = 1;
 /*
 * If we get here we don't need any cached handshake records
 * as we wont be doing client auth.
@@ -1673,7 +1673,7 @@ ssl3_get_certificate_request(SSL *s)
 return (1);
 }

- if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
 goto err;
@@ -1814,11 +1814,11 @@ ssl3_get_new_session_ticket(SSL *s)
 if (!ok)
 return ((int)n);

- if (S3I(s)->tmp.message_type == SSL3_MT_FINISHED) {
- S3I(s)->tmp.reuse_message = 1;
+ if (S3I(s)->hs.tls12.message_type == SSL3_MT_FINISHED) {
+ S3I(s)->hs.tls12.reuse_message = 1;
 return (1);
 }
- if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
 goto fatal_err;
@@ -2799,9 +2799,9 @@ ssl3_check_finished(SSL *s)
 if (!ok)
 return ((int)n);

- S3I(s)->tmp.reuse_message = 1;
- if ((S3I(s)->tmp.message_type == SSL3_MT_FINISHED) ||
- (S3I(s)->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
+ S3I(s)->hs.tls12.reuse_message = 1;
+ if ((S3I(s)->hs.tls12.message_type == SSL3_MT_FINISHED) ||
+ (S3I(s)->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET))
 return (2);

 return (1);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 3339c57390c..3b86f5874b0 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.333 2021/03/29 16:46:09 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.334 2021/04/19 16:51:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -420,9 +420,19 @@ typedef struct ssl_handshake_tls12_st {
 /* Used when SSL_ST_FLUSH_DATA is entered. */
 int next_state;

+ /* Handshake message type and size. */
+ int message_type;
+ unsigned long message_size;
+
+ /* Reuse current handshake message. */
+ int reuse_message;
+
 /* Record-layer key block for TLS 1.2 and earlier. */
 unsigned char *key_block;
 size_t key_block_len;
+
+ /* Transcript hash prior to sending certificate verify message. */
+ uint8_t cert_verify[EVP_MAX_MD_SIZE];
 } SSL_HANDSHAKE_TLS12;

 typedef struct ssl_handshake_tls13_st {
@@ -925,11 +935,6 @@ typedef struct ssl3_state_internal_st {
 SSL_HANDSHAKE hs;

 struct {
- unsigned char cert_verify_md[EVP_MAX_MD_SIZE];
-
- unsigned long message_size;
- int message_type;
-
 DH *dh;
 EC_KEY *ecdh; /* holds short lived ECDH key */

@@ -937,8 +942,6 @@ typedef struct ssl3_state_internal_st {

 uint8_t *x25519;

- int reuse_message;
-
 /* used for certificate requests */
 int cert_req;
 int ctype_num;
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 0f3572a6786..8241a59ac07 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.101 2021/03/29 16:56:20 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.102 2021/04/19 16:51:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -576,8 +576,8 @@ ssl3_accept(SSL *s)
 * a client cert, it can be verified.
 */
 if (!tls1_transcript_hash_value(s,
- S3I(s)->tmp.cert_verify_md,
- sizeof(S3I(s)->tmp.cert_verify_md),
+ S3I(s)->hs.tls12.cert_verify,
+ sizeof(S3I(s)->hs.tls12.cert_verify),
 NULL)) {
 ret = -1;
 goto end;
@@ -733,7 +733,7 @@ ssl3_accept(SSL *s)
 /* break; */
 }

- if (!S3I(s)->tmp.reuse_message && !skip) {
+ if (!S3I(s)->hs.tls12.reuse_message && !skip) {
 if (s->internal->debug) {
 if ((ret = BIO_flush(s->wbio)) <= 0)
 goto end;
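Review bot: The comment on the new `cert_verify` field in `SSL_HANDSHAKE_TLS12` says the transcript hash is taken "prior to sending certificate verify message", but the only users this patch shows are on the receiving side: `ssl3_accept` fills it (the adjacent comment reads "a client cert, it can be verified") and `ssl3_get_cert_verify` hands it to `RSA_verify`/`ECDSA_verify` to check the peer's signature. A comment matching that use would be `/* Transcript hash taken before the peer's CertificateVerify, used to verify its signature. */`; if the client side also writes this field, say so rather than fixing on "sending". Separately, `reuse_message`, `message_type` and `message_size` now live in `hs.tls12` rather than `tmp`; both are members of `ssl3_state_internal_st`, so a whole-struct clear still covers them, but if any code resets `tmp` members individually between handshakes, a stale `reuse_message` would make the next `ssl3_get_message`/`dtls1_get_message` call hand back the previous message without reading, so it is worth confirming that such a reset path also clears `hs.tls12`.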
@@ -2149,8 +2149,8 @@ ssl3_get_cert_verify(SSL *s)
 type = X509_certificate_type(peer, pkey);
 }

- if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
- S3I(s)->tmp.reuse_message = 1;
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
+ S3I(s)->hs.tls12.reuse_message = 1;
 if (peer != NULL) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
@@ -2261,7 +2261,7 @@ ssl3_get_cert_verify(SSL *s)
 goto fatal_err;
 }
 } else if (pkey->type == EVP_PKEY_RSA) {
- verify = RSA_verify(NID_md5_sha1, S3I(s)->tmp.cert_verify_md,
+ verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify,
 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
 CBS_len(&signature), pkey->pkey.rsa);
 if (verify < 0) {
@@ -2276,7 +2276,7 @@ ssl3_get_cert_verify(SSL *s)
 }
 } else if (pkey->type == EVP_PKEY_EC) {
 verify = ECDSA_verify(pkey->save_type,
- &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
+ &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
 SHA_DIGEST_LENGTH, CBS_data(&signature),
 CBS_len(&signature), pkey->pkey.ec);
 if (verify <= 0) {
@@ -2368,7 +2368,7 @@ ssl3_get_client_certificate(SSL *s)
 if (!ok)
 return ((int)n);

- if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
+ if (S3I(s)->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
 if ((s->verify_mode & SSL_VERIFY_PEER) &&
 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
@@ -2385,11 +2385,11 @@ ssl3_get_client_certificate(SSL *s)
 al = SSL_AD_UNEXPECTED_MESSAGE;
 goto fatal_err;
 }
- S3I(s)->tmp.reuse_message = 1;
+ S3I(s)->hs.tls12.reuse_message = 1;
 return (1);
 }

- if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
+ if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
 goto fatal_err;
diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c
index 19271ef7874..f71bac48cde 100644
--- a/lib/libssl/tls13_legacy.c
+++ b/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_legacy.c,v 1.23 2021/03/21 18:36:34 jsing Exp $ */
+/* $OpenBSD: tls13_legacy.c,v 1.24 2021/04/19 16:51:56 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -338,9 +338,9 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
 s->internal->init_buf->length, NULL))
 goto err;

- S3I(s)->tmp.reuse_message = 1;
- S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
- S3I(s)->tmp.message_size = CBS_len(&cbs);
+ S3I(s)->hs.tls12.reuse_message = 1;
+ S3I(s)->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
+ S3I(s)->hs.tls12.message_size = CBS_len(&cbs);

 return 1;

-- 
2.20.1