From 44aae0c1841c9943ed3042ef2d58a9fb0781ab24 Mon Sep 17 00:00:00 2001 From: jsing Date: Mon, 30 Aug 2021 19:12:25 +0000 Subject: [PATCH] Replace DTLS r_epoch with the read epoch from the TLSv1.2 record layer. ok inoguchi@ tb@ --- lib/libssl/d1_lib.c | 8 +++----- lib/libssl/d1_pkt.c | 22 +++++++++++++--------- lib/libssl/dtls_locl.h | 9 +-------- lib/libssl/ssl_locl.h | 4 ++-- lib/libssl/tls12_record_layer.c | 10 +++++++--- 5 files changed, 26 insertions(+), 27 deletions(-) diff --git a/lib/libssl/d1_lib.c b/lib/libssl/d1_lib.c index 3db5629e234..d4280a277c2 100644 --- a/lib/libssl/d1_lib.c +++ b/lib/libssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.58 2021/07/21 08:42:14 jsing Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.59 2021/08/30 19:12:25 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -191,10 +191,8 @@ dtls1_clear(SSL *s) memset(s->d1, 0, sizeof(*s->d1)); s->d1->internal = internal; - D1I(s)->r_epoch = - tls12_record_layer_initial_epoch(s->internal->rl); - - D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1; + D1I(s)->unprocessed_rcds.epoch = + tls12_record_layer_read_epoch(s->internal->rl) + 1; if (s->server) { D1I(s)->cookie_len = sizeof(D1I(s)->cookie); diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c index 6963e58ed35..4f0678f0b89 100644 --- a/lib/libssl/d1_pkt.c +++ b/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.105 2021/07/31 09:31:04 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.106 2021/08/30 19:12:25 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 
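Review bot: `unprocessed_rcds.epoch` in dtls1_clear is now seeded from the record layer's live read epoch (`tls12_record_layer_read_epoch(s->internal->rl) + 1`) instead of the configured initial epoch. The value is therefore only right if the record layer has already been reset to its initial state when dtls1_clear runs. That ordering is not visible here, because dtls1_clear starts and ends outside the hunk. If an SSL object were cleared for reuse while the read epoch still held a value from a previous handshake, dtls1_process_buffered_record would compare buffered records against the wrong epoch. Please confirm the reset order, or record it with a comment such as `/* rl has already been reset: read epoch equals the initial epoch here */`.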
@@ -273,12 +273,14 @@ static int dtls1_process_buffered_record(SSL *s) { /* Check if epoch is current. */ - if (D1I(s)->unprocessed_rcds.epoch != D1I(s)->r_epoch) + if (D1I(s)->unprocessed_rcds.epoch != + tls12_record_layer_read_epoch(s->internal->rl)) return (0); /* Update epoch once all unprocessed records have been processed. */ if (pqueue_peek(D1I(s)->unprocessed_rcds.q) == NULL) { - D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1; + D1I(s)->unprocessed_rcds.epoch = + tls12_record_layer_read_epoch(s->internal->rl) + 1; return (0); } @@ -858,7 +860,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) /* this may just be a stale retransmit */ if (!dtls1_get_message_header(rr->data, &msg_hdr)) return -1; - if (rr->epoch != D1I(s)->r_epoch) { + if (rr->epoch != tls12_record_layer_read_epoch(s->internal->rl)) { rr->length = 0; goto start; } @@ -1136,17 +1138,20 @@ dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap, static DTLS1_BITMAP * dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) { - uint16_t next_epoch = D1I(s)->r_epoch + 1; + uint16_t read_epoch, read_epoch_next; *is_next_epoch = 0; + read_epoch = tls12_record_layer_read_epoch(s->internal->rl); + read_epoch_next = read_epoch + 1; + /* In current epoch, accept HM, CCS, DATA, & ALERT */ - if (rr->epoch == D1I(s)->r_epoch) + if (rr->epoch == read_epoch) return &D1I(s)->bitmap; /* Only HM and ALERT messages can be from the next epoch */ - else if (rr->epoch == next_epoch && - (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { + if (rr->epoch == read_epoch_next && + (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { *is_next_epoch = 1; return &D1I(s)->next_bitmap; } 
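Review bot: In dtls1_process_buffered_record the next epoch is written as `tls12_record_layer_read_epoch(s->internal->rl) + 1`, which is evaluated as int and only wraps to 16 bits when stored into `unprocessed_rcds.epoch`, whose declaration is outside this diff. dtls1_get_bitmap, later in the same file, makes the wrap explicit with `uint16_t read_epoch, read_epoch_next;`, and the record layer comment says the epoch is permitted to wrap, so all sites need to agree at 0xffff. Reading the epoch once into a `uint16_t read_epoch` local here would remove the dependence on the field's width and avoid calling the accessor twice. The same applies to dtls1_clear in d1_lib.c, which uses the same expression.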
@@ -1157,7 +1162,6 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) void dtls1_reset_read_seq_numbers(SSL *s) { - D1I(s)->r_epoch++; memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP)); memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP)); } diff --git a/lib/libssl/dtls_locl.h b/lib/libssl/dtls_locl.h index 97f05b26bd1..83fb9e0e10c 100644 --- a/lib/libssl/dtls_locl.h +++ b/lib/libssl/dtls_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dtls_locl.h,v 1.4 2021/07/26 03:17:38 jsing Exp $ */ +/* $OpenBSD: dtls_locl.h,v 1.5 2021/08/30 19:12:25 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -132,13 +132,6 @@ typedef struct dtls1_state_internal_st { unsigned char rcvd_cookie[DTLS1_COOKIE_LENGTH]; unsigned int cookie_len; - /* - * The current data and handshake epoch. This is initially - * undefined, and starts at zero once the initial handshake is - * completed - */ - unsigned short r_epoch; - /* records being received in the current epoch */ DTLS1_BITMAP bitmap; diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index f3650f238e1..d25ac1a1a60 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.356 2021/07/26 03:17:38 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.357 2021/08/30 19:12:25 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -641,7 +641,7 @@ void tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version); void tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, uint16_t epoch); -uint16_t tls12_record_layer_initial_epoch(struct tls12_record_layer *rl); +uint16_t tls12_record_layer_read_epoch(struct tls12_record_layer *rl); uint16_t tls12_record_layer_write_epoch(struct tls12_record_layer *rl); int tls12_record_layer_use_write_epoch(struct tls12_record_layer *rl, uint16_t epoch); 
diff --git a/lib/libssl/tls12_record_layer.c b/lib/libssl/tls12_record_layer.c index f59364bb672..6d7d8696eb8 100644 --- a/lib/libssl/tls12_record_layer.c +++ b/lib/libssl/tls12_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls12_record_layer.c,v 1.33 2021/08/30 19:00:49 jsing Exp $ */ +/* $OpenBSD: tls12_record_layer.c,v 1.34 2021/08/30 19:12:25 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -296,9 +296,9 @@ tls12_record_layer_set_initial_epoch(struct tls12_record_layer *rl, } uint16_t -tls12_record_layer_initial_epoch(struct tls12_record_layer *rl) +tls12_record_layer_read_epoch(struct tls12_record_layer *rl) { - return rl->initial_epoch; + return rl->read->epoch; } uint16_t @@ -580,6 +580,10 @@ tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, /* Read sequence number gets reset to zero. */ + /* DTLS epoch is incremented and is permitted to wrap. */ + if (rl->dtls) + read_new->epoch = rl->read_current->epoch + 1; + if (!tls12_record_layer_change_cipher_state(rl, read_new, 0, mac_key, key, iv)) goto err; -- 2.20.1
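Review bot: `tls12_record_layer_read_epoch` returns `rl->read->epoch`, while the increment added further down in this file reads `rl->read_current->epoch`. The relationship between `read` and `read_current` is not visible in this diff. If they always refer to the same state when the DTLS code calls the accessor, using the same pointer in both places, or a one-line comment saying they alias, would make that clear. The accessor has also stopped being the counterpart of `tls12_record_layer_set_initial_epoch`, so a short comment such as `/* Returns the epoch of the active read state, not the configured initial epoch. */` would help the next reader.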
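Review bot: The read epoch now advances inside tls12_record_layer_change_read_cipher_state (`read_new->epoch = rl->read_current->epoch + 1;`), but the replay bitmaps are still rotated separately in dtls1_reset_read_seq_numbers in d1_pkt.c, which this commit strips of its `r_epoch++`. Previously the two steps happened in one function. Now a path that performs one without the other would leave dtls1_get_bitmap selecting a replay window that does not belong to the current epoch. The callers are outside this diff, so the pairing cannot be confirmed from here. A comment next to the increment, such as `/* Caller must also rotate the DTLS replay bitmaps via dtls1_reset_read_seq_numbers(). */`, would record the invariant. The function body starts and ends outside the hunk.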