From 8950dd79c5d213b9b727383104c7a50e71ec7bdf Mon Sep 17 00:00:00 2001
From: jsing <jsing@openbsd.org>
Date: Sun, 2 May 2021 17:18:10 +0000
Subject: [PATCH] Clean up dtls1_reset_seq_numbers().

Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into
separate read and write functions. Move the calls of these functions into
tls1_change_cipher_state() so they directly follow the change of cipher
state in the record layer, which avoids having to duplicate the calls in
the client and server.

ok inoguchi@ tb@
---
 lib/libssl/d1_pkt.c   | 26 ++++++++++++--------------
 lib/libssl/ssl_clnt.c |  6 +-----
 lib/libssl/ssl_locl.h |  5 +++--
 lib/libssl/ssl_srvr.c |  5 +----
 lib/libssl/t1_enc.c   |  6 +++++-
 5 files changed, 22 insertions(+), 26 deletions(-)

diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 7f4261e47e7..4cb26d7ea18 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.93 2021/02/20 14:14:16 tb Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.94 2021/05/02 17:18:10 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -869,9 +869,6 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 		if (!ssl3_do_change_cipher_spec(s))
 			goto err;
 
-		/* do this whenever CCS is processed */
-		dtls1_reset_seq_numbers(s, SSL3_CC_READ);
-
 		goto start;
 	}
 
@@ -1219,15 +1216,16 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch)
 }
 
 void
-dtls1_reset_seq_numbers(SSL *s, int rw)
+dtls1_reset_read_seq_numbers(SSL *s)
 {
-	if (rw & SSL3_CC_READ) {
-		D1I(s)->r_epoch++;
-		memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap),
-		    sizeof(DTLS1_BITMAP));
-		memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP));
-	} else {
-		D1I(s)->w_epoch++;
-		tls12_record_layer_set_write_epoch(s->internal->rl, D1I(s)->w_epoch);
-	}
+	D1I(s)->r_epoch++;
+	memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP));
+	memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP));
+}
+
+void
+dtls1_reset_write_seq_numbers(SSL *s)
+{
+	D1I(s)->w_epoch++;
+	tls12_record_layer_set_write_epoch(s->internal->rl, D1I(s)->w_epoch);
 }
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index a38d1f1ed44..022efd8b3b1 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.94 2021/04/30 19:26:44 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.95 2021/05/02 17:18:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -486,10 +486,6 @@ ssl3_connect(SSL *s)
 				ret = -1;
 				goto end;
 			}
-
-			if (SSL_is_dtls(s))
-				dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
-
 			break;
 
 		case SSL3_ST_CW_FINISHED_A:
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index c55dada70f5..38b68384647 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.339 2021/04/30 19:26:44 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.340 2021/05/02 17:18:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1293,7 +1293,8 @@ void dtls1_clear_record_buffer(SSL *s);
 int dtls1_get_message_header(unsigned char *data,
     struct hm_header_st *msg_hdr);
 void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
-void dtls1_reset_seq_numbers(SSL *s, int rw);
+void dtls1_reset_read_seq_numbers(SSL *s);
+void dtls1_reset_write_seq_numbers(SSL *s);
 struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
 int dtls1_check_timeout_num(SSL *s);
 int dtls1_handle_timeout(SSL *s);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 32ffa88f15b..2d1af2f86f1 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.105 2021/04/30 19:26:45 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.106 2021/05/02 17:18:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -659,9 +659,6 @@ ssl3_accept(SSL *s)
 				ret = -1;
 				goto end;
 			}
-
-			if (SSL_is_dtls(s))
-				dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
 			break;
 
 		case SSL3_ST_SW_FINISHED_A:
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 642c2109008..6cdae0caedb 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.140 2021/04/30 19:26:45 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.141 2021/05/02 17:18:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -369,12 +369,16 @@ tls1_change_cipher_state(SSL *s, int which)
 		if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
 		    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
 			goto err;
+		if (SSL_is_dtls(s))
+			dtls1_reset_read_seq_numbers(s);
 		tls12_record_layer_read_cipher_hash(s->internal->rl,
 		    &s->enc_read_ctx, &s->read_hash);
 	} else {
 		if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
 		    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
 			goto err;
+		if (SSL_is_dtls(s))
+			dtls1_reset_write_seq_numbers(s);
 	}
 	return (1);
 
-- 
2.20.1