authorjsing <jsing@openbsd.org>2017-01-22 09:02:07 +0000
committerjsing <jsing@openbsd.org>2017-01-22 09:02:07 +0000
commit719c92636ab3a15a968955ec2d9ea9612a7e1e65 (patch)
treeed02fada02be1e46d4bbe27795b87861e18578a9
parentDisable session cache and tickets by default. (diff)
Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports. ok beck@
-rw-r--r--lib/libssl/d1_both.c36
-rw-r--r--lib/libssl/d1_clnt.c40
-rw-r--r--lib/libssl/d1_enc.c6
-rw-r--r--lib/libssl/d1_pkt.c92
-rw-r--r--lib/libssl/d1_srvr.c40
-rw-r--r--lib/libssl/s23_srvr.c8
-rw-r--r--lib/libssl/s3_both.c64
-rw-r--r--lib/libssl/s3_clnt.c112
-rw-r--r--lib/libssl/s3_lib.c110
-rw-r--r--lib/libssl/s3_pkt.c148
-rw-r--r--lib/libssl/s3_srvr.c152
-rw-r--r--lib/libssl/ssl3.h117
-rw-r--r--lib/libssl/ssl_cert.c4
-rw-r--r--lib/libssl/ssl_lib.c32
-rw-r--r--lib/libssl/ssl_locl.h120
-rw-r--r--lib/libssl/t1_enc.c152
-rw-r--r--lib/libssl/t1_lib.c78
-rw-r--r--lib/libssl/t1_reneg.c60
18 files changed, 690 insertions, 681 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index d83df1c9a03..2ee4a7ffcf1 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.41 2017/01/22 07:16:38 beck Exp $ */
+/* $OpenBSD: d1_both.c,v 1.42 2017/01/22 09:02:07 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -403,12 +403,12 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
unsigned long msg_len;
/*
- * s3->tmp is used to store messages that are unexpected, caused
+ * s3->internal->tmp is used to store messages that are unexpected, caused
* by the absence of an optional handshake message
*/
- if (s->s3->tmp.reuse_message) {
- s->s3->tmp.reuse_message = 0;
- if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
+ if (S3I(s)->tmp.reuse_message) {
+ S3I(s)->tmp.reuse_message = 0;
+ if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_GET_MESSAGE,
SSL_R_UNEXPECTED_MESSAGE);
@@ -416,7 +416,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
}
*ok = 1;
s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
- s->init_num = (int)s->s3->tmp.message_size;
+ s->init_num = (int)S3I(s)->tmp.message_size;
return s->init_num;
}
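Review bot: On the reuse_message path of dtls1_get_message the stored `S3I(s)->tmp.message_size` is cast to int and returned without being compared with this caller's `max`; only the message type is checked. ssl3_get_message in s3_both.c checks `l > (unsigned long)max` before storing the size, but that is the limit of the call that first read the message, not of the call that reuses it. A guard such as `if (S3I(s)->tmp.message_size > (unsigned long)max)` taking the same f_err path would keep the limit per caller; ssl3_get_message has the same reuse branch. The function body continues outside this hunk, so a later check may exist that is not visible here.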
@@ -499,9 +499,9 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
return SSL_AD_INTERNAL_ERROR;
}
- s->s3->tmp.message_size = msg_len;
+ S3I(s)->tmp.message_size = msg_len;
D1I(s)->r_msg_hdr.msg_len = msg_len;
- s->s3->tmp.message_type = msg_hdr->type;
+ S3I(s)->tmp.message_type = msg_hdr->type;
D1I(s)->r_msg_hdr.type = msg_hdr->type;
D1I(s)->r_msg_hdr.seq = msg_hdr->seq;
} else if (msg_len != D1I(s)->r_msg_hdr.msg_len) {
@@ -905,8 +905,8 @@ f_err:
/*
* for these 2 messages, we need to
* ssl->enc_read_ctx re-init
- * ssl->s3->read_sequence zero
- * ssl->s3->read_mac_secret re-init
+ * ssl->s3->internal->read_sequence zero
+ * ssl->s3->internal->read_mac_secret re-init
* ssl->session->read_sym_enc assign
* ssl->session->read_hash assign
*/
@@ -1132,10 +1132,10 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
if (frag->msg_header.saved_retransmit_state.epoch ==
saved_state.epoch - 1) {
- memcpy(save_write_sequence, s->s3->write_sequence,
- sizeof(s->s3->write_sequence));
- memcpy(s->s3->write_sequence, D1I(s)->last_write_sequence,
- sizeof(s->s3->write_sequence));
+ memcpy(save_write_sequence, S3I(s)->write_sequence,
+ sizeof(S3I(s)->write_sequence));
+ memcpy(S3I(s)->write_sequence, D1I(s)->last_write_sequence,
+ sizeof(S3I(s)->write_sequence));
}
ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
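Review bot: The save copy before dtls1_do_write is sized with `sizeof(S3I(s)->write_sequence)`, which is only right while that field stays an array in the internal struct and `save_write_sequence` and `D1I(s)->last_write_sequence` are at least as large; none of the three declarations is visible in this hunk. Since the field has just moved, a compile-time size assertion next to the local would catch a later type change, for example `_Static_assert(sizeof(save_write_sequence) == sizeof(S3I(s)->write_sequence), "write_sequence size");` where the toolchain supports C11. The same sizing is used in the restore block after the write (next hunk) and in dtls1_reset_seq_numbers in d1_pkt.c.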
@@ -1149,10 +1149,10 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
if (frag->msg_header.saved_retransmit_state.epoch ==
saved_state.epoch - 1) {
- memcpy(D1I(s)->last_write_sequence, s->s3->write_sequence,
- sizeof(s->s3->write_sequence));
- memcpy(s->s3->write_sequence, save_write_sequence,
- sizeof(s->s3->write_sequence));
+ memcpy(D1I(s)->last_write_sequence, S3I(s)->write_sequence,
+ sizeof(S3I(s)->write_sequence));
+ memcpy(S3I(s)->write_sequence, save_write_sequence,
+ sizeof(S3I(s)->write_sequence));
}
D1I(s)->retransmitting = 0;
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index d4b80311503..af3196ff173 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.61 2017/01/22 07:16:38 beck Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.62 2017/01/22 09:02:07 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -270,7 +270,7 @@ dtls1_connect(SSL *s)
if (D1I(s)->send_cookie) {
s->state = SSL3_ST_CW_FLUSH;
- s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
+ S3I(s)->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
} else
s->state = SSL3_ST_CR_SRVR_HELLO_A;
@@ -326,7 +326,7 @@ dtls1_connect(SSL *s)
break;
}
/* Check if it is anon DH. */
- if (!(s->s3->tmp.new_cipher->algorithm_auth &
+ if (!(S3I(s)->tmp.new_cipher->algorithm_auth &
SSL_aNULL)) {
ret = ssl3_get_server_certificate(s);
if (ret <= 0)
@@ -373,12 +373,12 @@ dtls1_connect(SSL *s)
if (ret <= 0)
goto end;
dtls1_stop_timer(s);
- if (s->s3->tmp.cert_req)
- s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
+ if (S3I(s)->tmp.cert_req)
+ S3I(s)->tmp.next_state = SSL3_ST_CW_CERT_A;
else
- s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
+ S3I(s)->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
s->init_num = 0;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
break;
case SSL3_ST_CW_CERT_A:
@@ -404,11 +404,11 @@ dtls1_connect(SSL *s)
* sent back */
/* For TLS, cert_req is set to 2, so a cert chain
* of nothing is sent, but no verify packet is sent */
- if (s->s3->tmp.cert_req == 1) {
+ if (S3I(s)->tmp.cert_req == 1) {
s->state = SSL3_ST_CW_CERT_VRFY_A;
} else {
s->state = SSL3_ST_CW_CHANGE_A;
- s->s3->change_cipher_spec = 0;
+ S3I(s)->change_cipher_spec = 0;
}
s->init_num = 0;
@@ -422,7 +422,7 @@ dtls1_connect(SSL *s)
goto end;
s->state = SSL3_ST_CW_CHANGE_A;
s->init_num = 0;
- s->s3->change_cipher_spec = 0;
+ S3I(s)->change_cipher_spec = 0;
break;
case SSL3_ST_CW_CHANGE_A:
@@ -437,7 +437,7 @@ dtls1_connect(SSL *s)
s->state = SSL3_ST_CW_FINISHED_A;
s->init_num = 0;
- s->session->cipher = s->s3->tmp.new_cipher;
+ s->session->cipher = S3I(s)->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s)) {
ret = -1;
goto end;
@@ -468,20 +468,20 @@ dtls1_connect(SSL *s)
/* clear flags */
s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
if (s->hit) {
- s->s3->tmp.next_state = SSL_ST_OK;
+ S3I(s)->tmp.next_state = SSL_ST_OK;
if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
s->state = SSL_ST_OK;
s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
- s->s3->delay_buf_pop_ret = 0;
+ S3I(s)->delay_buf_pop_ret = 0;
}
} else {
/* Allow NewSessionTicket if ticket expected */
if (s->tlsext_ticket_expected)
- s->s3->tmp.next_state =
+ S3I(s)->tmp.next_state =
SSL3_ST_CR_SESSION_TICKET_A;
else
- s->s3->tmp.next_state =
+ S3I(s)->tmp.next_state =
SSL3_ST_CR_FINISHED_A;
}
s->init_num = 0;
@@ -529,14 +529,14 @@ dtls1_connect(SSL *s)
/* If the write error was fatal, stop trying */
if (!BIO_should_retry(s->wbio)) {
s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
}
ret = -1;
goto end;
}
s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
break;
case SSL_ST_OK:
@@ -579,7 +579,7 @@ dtls1_connect(SSL *s)
}
/* did we do anything */
- if (!s->s3->tmp.reuse_message && !skip) {
+ if (!S3I(s)->tmp.reuse_message && !skip) {
if (s->debug) {
if ((ret = BIO_flush(s->wbio)) <= 0)
goto end;
@@ -618,9 +618,9 @@ dtls1_get_hello_verify(SSL *s)
if (!ok)
return ((int)n);
- if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
+ if (S3I(s)->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
D1I(s)->send_cookie = 0;
- s->s3->tmp.reuse_message = 1;
+ S3I(s)->tmp.reuse_message = 1;
return (1);
}
diff --git a/lib/libssl/d1_enc.c b/lib/libssl/d1_enc.c
index 8445ceb10f7..4b13e094fe6 100644
--- a/lib/libssl/d1_enc.c
+++ b/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.11 2016/03/06 14:52:15 beck Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.12 2017/01/22 09:02:07 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -145,7 +145,7 @@ dtls1_enc(SSL *s, int send)
return -1;
}
ds = s->enc_write_ctx;
- rec = &(s->s3->wrec);
+ rec = &(S3I(s)->wrec);
if (s->enc_write_ctx == NULL)
enc = NULL;
else {
@@ -167,7 +167,7 @@ dtls1_enc(SSL *s, int send)
OPENSSL_assert(mac_size >= 0);
}
ds = s->enc_read_ctx;
- rec = &(s->s3->rrec);
+ rec = &(S3I(s)->rrec);
if (s->enc_read_ctx == NULL)
enc = NULL;
else
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index c44f8f0f58b..315960b5873 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.50 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.51 2017/01/22 09:02:07 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -205,10 +205,10 @@ dtls1_copy_record(SSL *s, pitem *item)
s->packet = rdata->packet;
s->packet_length = rdata->packet_length;
memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
- memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+ memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
/* Set proper sequence number for mac calculation */
- memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
+ memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6);
return (1);
}
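Review bot: The sequence-number copy in dtls1_copy_record uses bare literals, `memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6);`, while dtls1_get_record in this file derives the same length as `sizeof(S3I(s)->read_sequence) - 2`. Using that expression here keeps the length tied to the field now that it lives in the internal struct. Nothing in the hunk shows that `rdata->packet_length` covers bytes 5 to 10; presumably only complete records are buffered, and a one-line comment saying so would help. dtls1_record_replay_check has the same pattern with a literal 8 for `S3I(s)->rrec.seq_num`, where `sizeof(S3I(s)->rrec.seq_num)` would do.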
@@ -232,7 +232,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
rdata->packet = s->packet;
rdata->packet_length = s->packet_length;
memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
- memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
+ memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD));
item->data = rdata;
@@ -240,7 +240,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
s->packet = NULL;
s->packet_length = 0;
memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
- memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
+ memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD));
if (!ssl3_setup_buffers(s))
goto err;
@@ -310,7 +310,7 @@ dtls1_process_buffered_records(SSL *s)
if (! dtls1_process_record(s))
return (0);
if (dtls1_buffer_record(s, &(D1I(s)->processed_rcds),
- s->s3->rrec.seq_num) < 0)
+ S3I(s)->rrec.seq_num) < 0)
return (-1);
}
}
@@ -333,7 +333,7 @@ dtls1_process_record(SSL *s)
unsigned int mac_size, orig_len;
unsigned char md[EVP_MAX_MD_SIZE];
- rr = &(s->s3->rrec);
+ rr = &(S3I(s)->rrec);
sess = s->session;
/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
@@ -439,10 +439,10 @@ dtls1_process_record(SSL *s)
rr->off = 0;
/* So at this point the following is true
- * ssl->s3->rrec.type is the type of record
- * ssl->s3->rrec.length == number of bytes in record
- * ssl->s3->rrec.off == offset to first valid byte
- * ssl->s3->rrec.data == where to take bytes from, increment
+ * ssl->s3->internal->rrec.type is the type of record
+ * ssl->s3->internal->rrec.length == number of bytes in record
+ * ssl->s3->internal->rrec.off == offset to first valid byte
+ * ssl->s3->internal->rrec.data == where to take bytes from, increment
* after use :-).
*/
@@ -461,9 +461,9 @@ err:
* It will return <= 0 if more data is needed, normally due to an error
* or non-blocking IO.
* When it finishes, one packet has been decoded and can be found in
- * ssl->s3->rrec.type - is the type of record
- * ssl->s3->rrec.data, - data
- * ssl->s3->rrec.length, - number of bytes
+ * ssl->s3->internal->rrec.type - is the type of record
+ * ssl->s3->internal->rrec.data, - data
+ * ssl->s3->internal->rrec.length, - number of bytes
*/
/* used only by dtls1_read_bytes */
int
@@ -475,7 +475,7 @@ dtls1_get_record(SSL *s)
DTLS1_BITMAP *bitmap;
unsigned int is_next_epoch;
- rr = &(s->s3->rrec);
+ rr = &(S3I(s)->rrec);
/* The epoch may have changed. If so, process all the
* pending records. This is a non-blocking operation. */
@@ -525,8 +525,8 @@ again:
!CBS_get_bytes(&header, &seq_no, 6))
goto again;
- if (!CBS_write_bytes(&seq_no, &(s->s3->read_sequence[2]),
- sizeof(s->s3->read_sequence) - 2, NULL))
+ if (!CBS_write_bytes(&seq_no, &(S3I(s)->read_sequence[2]),
+ sizeof(S3I(s)->read_sequence) - 2, NULL))
goto again;
if (!CBS_get_u16(&header, &len))
goto again;
@@ -682,11 +682,11 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
start:
s->rwstate = SSL_NOTHING;
- /* s->s3->rrec.type - is the type of record
- * s->s3->rrec.data, - data
- * s->s3->rrec.off, - offset into 'data' for next read
- * s->s3->rrec.length, - number of bytes. */
- rr = &(s->s3->rrec);
+ /* S3I(s)->rrec.type - is the type of record
+ * S3I(s)->rrec.data, - data
+ * S3I(s)->rrec.off, - offset into 'data' for next read
+ * S3I(s)->rrec.length, - number of bytes. */
+ rr = &(S3I(s)->rrec);
/* We are not handshaking and have no data yet,
* so process data buffered during the last handshake
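Review bot: The comment above `rr = &(S3I(s)->rrec);` in dtls1_read_bytes now spells the fields with the macro (`S3I(s)->rrec.type`), while the comments updated earlier in this file, in dtls1_process_record and above dtls1_get_record, spell them `ssl->s3->internal->rrec.type`. One spelling across the file would make the field easier to search for; the long form matches the other comments, e.g. `/* ssl->s3->internal->rrec.type - is the type of record`. The function starts before and continues after this hunk.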
@@ -728,7 +728,7 @@ start:
/* we now have a packet which can be read and processed */
- if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+ if (S3I(s)->change_cipher_spec /* set when we receive ChangeCipherSpec,
* reset by ssl3_get_finished */
&& (rr->type != SSL3_RT_HANDSHAKE)) {
/* We now have application data between CCS and Finished.
@@ -814,7 +814,7 @@ start:
*/
if (rr->type == SSL3_RT_APPLICATION_DATA) {
BIO *bio;
- s->s3->in_read_app_data = 2;
+ S3I(s)->in_read_app_data = 2;
bio = SSL_get_rbio(s);
s->rwstate = SSL_READING;
BIO_clear_retry_flags(bio);
@@ -881,7 +881,7 @@ start:
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
- !s->s3->renegotiate) {
+ !S3I(s)->renegotiate) {
D1I(s)->handshake_read_seq++;
s->new_session = 1;
ssl3_renegotiate(s);
@@ -938,7 +938,7 @@ start:
if (alert_level == 1) /* warning */
{
- s->s3->warn_alert = alert_descr;
+ S3I(s)->warn_alert = alert_descr;
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
@@ -946,7 +946,7 @@ start:
} else if (alert_level == 2) /* fatal */
{
s->rwstate = SSL_NOTHING;
- s->s3->fatal_alert = alert_descr;
+ S3I(s)->fatal_alert = alert_descr;
SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
ERR_asprintf_error_data("SSL alert number %d",
alert_descr);
@@ -1000,7 +1000,7 @@ start:
D1I(s)->change_cipher_spec_ok = 0;
- s->s3->change_cipher_spec = 1;
+ S3I(s)->change_cipher_spec = 1;
if (!ssl3_do_change_cipher_spec(s))
goto err;
@@ -1094,15 +1094,15 @@ start:
* at this point (session renegotiation not yet started),
* we will indulge it.
*/
- if (s->s3->in_read_app_data &&
- (s->s3->total_renegotiations != 0) &&
+ if (S3I(s)->in_read_app_data &&
+ (S3I(s)->total_renegotiations != 0) &&
(((s->state & SSL_ST_CONNECT) &&
(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
(s->state <= SSL3_ST_CR_SRVR_HELLO_A)) || (
(s->state & SSL_ST_ACCEPT) &&
(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
(s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
- s->s3->in_read_app_data = 2;
+ S3I(s)->in_read_app_data = 2;
return (-1);
} else {
al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -1219,7 +1219,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
if (len == 0)
return 0;
- wr = &(s->s3->wrec);
+ wr = &(S3I(s)->wrec);
wb = &(s->s3->wbuf);
sess = s->session;
@@ -1313,7 +1313,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
s2n(D1I(s)->handshake_epoch, pseq);
*/
- memcpy(pseq, &(s->s3->write_sequence[2]), 6);
+ memcpy(pseq, &(S3I(s)->write_sequence[2]), 6);
pseq += 6;
s2n(wr->length, pseq);
@@ -1323,17 +1323,17 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
wr->type=type; /* not needed but helps for debugging */
wr->length += DTLS1_RT_HEADER_LENGTH;
- tls1_record_sequence_increment(s->s3->write_sequence);
+ tls1_record_sequence_increment(S3I(s)->write_sequence);
/* now let's set up wb */
wb->left = prefix_len + wr->length;
wb->offset = 0;
/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
- s->s3->wpend_tot = len;
- s->s3->wpend_buf = buf;
- s->s3->wpend_type = type;
- s->s3->wpend_ret = len;
+ S3I(s)->wpend_tot = len;
+ S3I(s)->wpend_buf = buf;
+ S3I(s)->wpend_type = type;
+ S3I(s)->wpend_ret = len;
/* we now just need to write the buffer */
return ssl3_write_pending(s, type, buf, len);
@@ -1348,11 +1348,11 @@ dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
{
int cmp;
unsigned int shift;
- const unsigned char *seq = s->s3->read_sequence;
+ const unsigned char *seq = S3I(s)->read_sequence;
cmp = satsub64be(seq, bitmap->max_seq_num);
if (cmp > 0) {
- memcpy (s->s3->rrec.seq_num, seq, 8);
+ memcpy (S3I(s)->rrec.seq_num, seq, 8);
return 1; /* this record in new */
}
shift = -cmp;
@@ -1361,7 +1361,7 @@ dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
else if (bitmap->map & (1UL << shift))
return 0; /* record previously received */
- memcpy(s->s3->rrec.seq_num, seq, 8);
+ memcpy(S3I(s)->rrec.seq_num, seq, 8);
return 1;
}
@@ -1371,7 +1371,7 @@ dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
{
int cmp;
unsigned int shift;
- const unsigned char *seq = s->s3->read_sequence;
+ const unsigned char *seq = S3I(s)->read_sequence;
cmp = satsub64be(seq, bitmap->max_seq_num);
if (cmp > 0) {
@@ -1464,16 +1464,16 @@ void
dtls1_reset_seq_numbers(SSL *s, int rw)
{
unsigned char *seq;
- unsigned int seq_bytes = sizeof(s->s3->read_sequence);
+ unsigned int seq_bytes = sizeof(S3I(s)->read_sequence);
if (rw & SSL3_CC_READ) {
- seq = s->s3->read_sequence;
+ seq = S3I(s)->read_sequence;
D1I(s)->r_epoch++;
memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP));
memset(&(D1I(s)->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
} else {
- seq = s->s3->write_sequence;
- memcpy(D1I(s)->last_write_sequence, seq, sizeof(s->s3->write_sequence));
+ seq = S3I(s)->write_sequence;
+ memcpy(D1I(s)->last_write_sequence, seq, sizeof(S3I(s)->write_sequence));
D1I(s)->w_epoch++;
}
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 6990e39f604..8722c1690db 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.71 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.72 2017/01/22 09:02:07 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -278,7 +278,7 @@ dtls1_accept(SSL *s)
ret = ssl3_send_hello_request(s);
if (ret <= 0)
goto end;
- s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
+ S3I(s)->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
s->state = SSL3_ST_SW_FLUSH;
s->init_num = 0;
@@ -311,7 +311,7 @@ dtls1_accept(SSL *s)
/* Reflect ClientHello sequence to remain stateless while listening */
if (listen) {
- memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
+ memcpy(S3I(s)->write_sequence, S3I(s)->read_sequence, sizeof(S3I(s)->write_sequence));
}
/* If we're just listening, stop here */
@@ -336,7 +336,7 @@ dtls1_accept(SSL *s)
if (ret <= 0)
goto end;
s->state = SSL3_ST_SW_FLUSH;
- s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
+ S3I(s)->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
/* HelloVerifyRequest resets Finished MAC */
if (!tls1_init_finished_mac(s)) {
@@ -367,7 +367,7 @@ dtls1_accept(SSL *s)
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH. */
- if (!(s->s3->tmp.new_cipher->algorithm_auth &
+ if (!(S3I(s)->tmp.new_cipher->algorithm_auth &
SSL_aNULL)) {
dtls1_start_timer(s);
ret = ssl3_send_server_certificate(s);
@@ -386,7 +386,7 @@ dtls1_accept(SSL *s)
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
/* Only send if using a DH key exchange. */
if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
@@ -423,15 +423,15 @@ dtls1_accept(SSL *s)
if (!(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- ((s->s3->tmp.new_cipher->algorithm_auth &
+ ((S3I(s)->tmp.new_cipher->algorithm_auth &
SSL_aNULL) && !(s->verify_mode &
SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
/* no cert request */
skip = 1;
- s->s3->tmp.cert_request = 0;
+ S3I(s)->tmp.cert_request = 0;
s->state = SSL3_ST_SW_SRVR_DONE_A;
} else {
- s->s3->tmp.cert_request = 1;
+ S3I(s)->tmp.cert_request = 1;
dtls1_start_timer(s);
ret = ssl3_send_certificate_request(s);
if (ret <= 0)
@@ -447,7 +447,7 @@ dtls1_accept(SSL *s)
ret = ssl3_send_server_done(s);
if (ret <= 0)
goto end;
- s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
+ S3I(s)->tmp.next_state = SSL3_ST_SR_CERT_A;
s->state = SSL3_ST_SW_FLUSH;
s->init_num = 0;
break;
@@ -458,19 +458,19 @@ dtls1_accept(SSL *s)
/* If the write error was fatal, stop trying */
if (!BIO_should_retry(s->wbio)) {
s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
}
ret = -1;
goto end;
}
s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
break;
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
- if (s->s3->tmp.cert_request) {
+ if (S3I(s)->tmp.cert_request) {
ret = ssl3_get_client_certificate(s);
if (ret <= 0)
goto end;
@@ -506,7 +506,7 @@ dtls1_accept(SSL *s)
* For sigalgs freeze the handshake buffer
* at this point and digest cached records.
*/
- if (!s->s3->handshake_buffer) {
+ if (!S3I(s)->handshake_buffer) {
SSLerr(SSL_F_SSL3_ACCEPT,
ERR_R_INTERNAL_ERROR);
ret = -1;
@@ -524,10 +524,10 @@ dtls1_accept(SSL *s)
/* We need to get hashes here so if there is
* a client cert, it can be verified */
s->method->ssl3_enc->cert_verify_mac(s,
- NID_md5, &(s->s3->tmp.cert_verify_md[0]));
+ NID_md5, &(S3I(s)->tmp.cert_verify_md[0]));
s->method->ssl3_enc->cert_verify_mac(s,
NID_sha1,
- &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
+ &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
}
break;
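Review bot: Both `cert_verify_mac` calls in this branch of dtls1_accept are bare statements, so if either digest could not be produced, `S3I(s)->tmp.cert_verify_md` would be left partly unset and the state machine would carry on. If the method reports failure through its return value (its prototype is not visible here), check it, e.g. `if (!s->method->ssl3_enc->cert_verify_mac(s, NID_md5, &(S3I(s)->tmp.cert_verify_md[0]))) { ret = -1; goto end; }`. A comment stating that the buffer holds the MD5 digest followed by the SHA-1 digest at offset MD5_DIGEST_LENGTH would also help. The enclosing case starts outside the hunk.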
@@ -582,7 +582,7 @@ dtls1_accept(SSL *s)
case SSL3_ST_SW_CHANGE_A:
case SSL3_ST_SW_CHANGE_B:
- s->session->cipher = s->s3->tmp.new_cipher;
+ s->session->cipher = S3I(s)->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s)) {
ret = -1;
goto end;
@@ -617,10 +617,10 @@ dtls1_accept(SSL *s)
goto end;
s->state = SSL3_ST_SW_FLUSH;
if (s->hit) {
- s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
+ S3I(s)->tmp.next_state = SSL3_ST_SR_FINISHED_A;
} else {
- s->s3->tmp.next_state = SSL_ST_OK;
+ S3I(s)->tmp.next_state = SSL_ST_OK;
}
s->init_num = 0;
break;
@@ -666,7 +666,7 @@ dtls1_accept(SSL *s)
/* break; */
}
- if (!s->s3->tmp.reuse_message && !skip) {
+ if (!S3I(s)->tmp.reuse_message && !skip) {
if (s->debug) {
if ((ret = BIO_flush(s->wbio)) <= 0)
goto end;
diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c
index 35bc271f004..a80d1962900 100644
--- a/lib/libssl/s23_srvr.c
+++ b/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.49 2017/01/03 16:57:15 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.50 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -407,9 +407,9 @@ ssl23_get_client_hello(SSL *s)
l2n3((long)i, d_len);
/* get the data reused from the init_buf */
- s->s3->tmp.reuse_message = 1;
- s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO;
- s->s3->tmp.message_size = i;
+ S3I(s)->tmp.reuse_message = 1;
+ S3I(s)->tmp.message_type = SSL3_MT_CLIENT_HELLO;
+ S3I(s)->tmp.message_size = i;
}
/* imaginary new state (for program structure): */
diff --git a/lib/libssl/s3_both.c b/lib/libssl/s3_both.c
index 51429d907ac..73812863260 100644
--- a/lib/libssl/s3_both.c
+++ b/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.50 2016/12/30 15:12:45 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.51 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -174,23 +174,23 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
if (s->method->ssl3_enc->final_finish_mac(s, sender, slen,
- s->s3->tmp.finish_md) != md_len)
+ S3I(s)->tmp.finish_md) != md_len)
return (0);
- s->s3->tmp.finish_md_len = md_len;
+ S3I(s)->tmp.finish_md_len = md_len;
/* Copy finished so we can use it for renegotiation checks. */
if (s->type == SSL_ST_CONNECT) {
- memcpy(s->s3->previous_client_finished,
- s->s3->tmp.finish_md, md_len);
- s->s3->previous_client_finished_len = md_len;
+ memcpy(S3I(s)->previous_client_finished,
+ S3I(s)->tmp.finish_md, md_len);
+ S3I(s)->previous_client_finished_len = md_len;
} else {
- memcpy(s->s3->previous_server_finished,
- s->s3->tmp.finish_md, md_len);
- s->s3->previous_server_finished_len = md_len;
+ memcpy(S3I(s)->previous_server_finished,
+ S3I(s)->tmp.finish_md, md_len);
+ S3I(s)->previous_server_finished_len = md_len;
}
p = ssl3_handshake_msg_start(s, SSL3_MT_FINISHED);
- memcpy(p, s->s3->tmp.finish_md, md_len);
+ memcpy(p, S3I(s)->tmp.finish_md, md_len);
ssl3_handshake_msg_finish(s, md_len);
s->state = b;
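Review bot: The copies into `S3I(s)->previous_client_finished` and `S3I(s)->previous_server_finished` in ssl3_send_finished are bounded only by `OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE)`, which is sufficient only if those arrays are declared with at least EVP_MAX_MD_SIZE bytes in the internal struct; that declaration is not part of this hunk. Bounding by the destination itself, `OPENSSL_assert((size_t)md_len <= sizeof(S3I(s)->previous_client_finished));`, would keep the check valid if the struct layout changes again. ssl3_get_finished has the same assert before its copies from `S3I(s)->tmp.peer_finish_md`.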
@@ -213,7 +213,7 @@ ssl3_take_mac(SSL *s)
* If no new cipher setup return immediately: other functions will
* set the appropriate error.
*/
- if (s->s3->tmp.new_cipher == NULL)
+ if (S3I(s)->tmp.new_cipher == NULL)
return;
if (s->state & SSL_ST_CONNECT) {
@@ -224,9 +224,9 @@ ssl3_take_mac(SSL *s)
slen = s->method->ssl3_enc->client_finished_label_len;
}
- s->s3->tmp.peer_finish_md_len =
+ S3I(s)->tmp.peer_finish_md_len =
s->method->ssl3_enc->final_finish_mac(s, sender, slen,
- s->s3->tmp.peer_finish_md);
+ S3I(s)->tmp.peer_finish_md);
}
int
@@ -242,12 +242,12 @@ ssl3_get_finished(SSL *s, int a, int b)
return ((int)n);
/* If this occurs, we have missed a message */
- if (!s->s3->change_cipher_spec) {
+ if (!S3I(s)->change_cipher_spec) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
goto f_err;
}
- s->s3->change_cipher_spec = 0;
+ S3I(s)->change_cipher_spec = 0;
md_len = s->method->ssl3_enc->finish_mac_length;
@@ -259,14 +259,14 @@ ssl3_get_finished(SSL *s, int a, int b)
CBS_init(&cbs, s->init_msg, n);
- if (s->s3->tmp.peer_finish_md_len != md_len ||
+ if (S3I(s)->tmp.peer_finish_md_len != md_len ||
CBS_len(&cbs) != md_len) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
goto f_err;
}
- if (!CBS_mem_equal(&cbs, s->s3->tmp.peer_finish_md, CBS_len(&cbs))) {
+ if (!CBS_mem_equal(&cbs, S3I(s)->tmp.peer_finish_md, CBS_len(&cbs))) {
al = SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);
goto f_err;
@@ -275,13 +275,13 @@ ssl3_get_finished(SSL *s, int a, int b)
/* Copy finished so we can use it for renegotiation checks. */
OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE);
if (s->type == SSL_ST_ACCEPT) {
- memcpy(s->s3->previous_client_finished,
- s->s3->tmp.peer_finish_md, md_len);
- s->s3->previous_client_finished_len = md_len;
+ memcpy(S3I(s)->previous_client_finished,
+ S3I(s)->tmp.peer_finish_md, md_len);
+ S3I(s)->previous_client_finished_len = md_len;
} else {
- memcpy(s->s3->previous_server_finished,
- s->s3->tmp.peer_finish_md, md_len);
- s->s3->previous_server_finished_len = md_len;
+ memcpy(S3I(s)->previous_server_finished,
+ S3I(s)->tmp.peer_finish_md, md_len);
+ S3I(s)->previous_server_finished_len = md_len;
}
return (1);
@@ -292,8 +292,8 @@ f_err:
/* for these 2 messages, we need to
* ssl->enc_read_ctx re-init
- * ssl->s3->read_sequence zero
- * ssl->s3->read_mac_secret re-init
+ * ssl->s3->internal->read_sequence zero
+ * ssl->s3->internal->read_mac_secret re-init
* ssl->session->read_sym_enc assign
* ssl->session->read_hash assign
*/
@@ -416,9 +416,9 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
CBS cbs;
uint8_t u8;
- if (s->s3->tmp.reuse_message) {
- s->s3->tmp.reuse_message = 0;
- if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
+ if (S3I(s)->tmp.reuse_message) {
+ S3I(s)->tmp.reuse_message = 0;
+ if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_MESSAGE,
SSL_R_UNEXPECTED_MESSAGE);
@@ -426,7 +426,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
}
*ok = 1;
s->init_msg = s->init_buf->data + 4;
- s->init_num = (int)s->s3->tmp.message_size;
+ s->init_num = (int)S3I(s)->tmp.message_size;
return s->init_num;
}
@@ -484,7 +484,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
goto err;
}
- s->s3->tmp.message_type = u8;
+ S3I(s)->tmp.message_type = u8;
if (l > (unsigned long)max) {
al = SSL_AD_ILLEGAL_PARAMETER;
@@ -496,7 +496,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
goto err;
}
- s->s3->tmp.message_size = l;
+ S3I(s)->tmp.message_size = l;
s->state = stn;
s->init_msg = s->init_buf->data + 4;
@@ -505,7 +505,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
/* next state (stn) */
p = s->init_msg;
- n = s->s3->tmp.message_size - s->init_num;
+ n = S3I(s)->tmp.message_size - s->init_num;
while (n > 0) {
i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
&p[s->init_num], n, 0);
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index d75ceb9d2d5..0d3f09728ec 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.161 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.162 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -293,7 +293,7 @@ ssl3_connect(SSL *s)
break;
}
/* Check if it is anon DH/ECDH. */
- if (!(s->s3->tmp.new_cipher->algorithm_auth &
+ if (!(S3I(s)->tmp.new_cipher->algorithm_auth &
SSL_aNULL)) {
ret = ssl3_get_server_certificate(s);
if (ret <= 0)
@@ -341,7 +341,7 @@ ssl3_connect(SSL *s)
ret = ssl3_get_server_done(s);
if (ret <= 0)
goto end;
- if (s->s3->tmp.cert_req)
+ if (S3I(s)->tmp.cert_req)
s->state = SSL3_ST_CW_CERT_A;
else
s->state = SSL3_ST_CW_KEY_EXCH_A;
@@ -381,15 +381,15 @@ ssl3_connect(SSL *s)
* message when client's ECDH public key is sent
* inside the client certificate.
*/
- if (s->s3->tmp.cert_req == 1) {
+ if (S3I(s)->tmp.cert_req == 1) {
s->state = SSL3_ST_CW_CERT_VRFY_A;
} else {
s->state = SSL3_ST_CW_CHANGE_A;
- s->s3->change_cipher_spec = 0;
+ S3I(s)->change_cipher_spec = 0;
}
if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
s->state = SSL3_ST_CW_CHANGE_A;
- s->s3->change_cipher_spec = 0;
+ S3I(s)->change_cipher_spec = 0;
}
s->init_num = 0;
@@ -402,7 +402,7 @@ ssl3_connect(SSL *s)
goto end;
s->state = SSL3_ST_CW_CHANGE_A;
s->init_num = 0;
- s->s3->change_cipher_spec = 0;
+ S3I(s)->change_cipher_spec = 0;
break;
case SSL3_ST_CW_CHANGE_A:
@@ -412,13 +412,13 @@ ssl3_connect(SSL *s)
if (ret <= 0)
goto end;
- if (s->s3->next_proto_neg_seen)
+ if (S3I(s)->next_proto_neg_seen)
s->state = SSL3_ST_CW_NEXT_PROTO_A;
else
s->state = SSL3_ST_CW_FINISHED_A;
s->init_num = 0;
- s->session->cipher = s->s3->tmp.new_cipher;
+ s->session->cipher = S3I(s)->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s)) {
ret = -1;
goto end;
@@ -454,21 +454,21 @@ ssl3_connect(SSL *s)
/* clear flags */
s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
if (s->hit) {
- s->s3->tmp.next_state = SSL_ST_OK;
+ S3I(s)->tmp.next_state = SSL_ST_OK;
if (s->s3->flags &
SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
s->state = SSL_ST_OK;
s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
- s->s3->delay_buf_pop_ret = 0;
+ S3I(s)->delay_buf_pop_ret = 0;
}
} else {
/* Allow NewSessionTicket if ticket expected */
if (s->tlsext_ticket_expected)
- s->s3->tmp.next_state =
+ S3I(s)->tmp.next_state =
SSL3_ST_CR_SESSION_TICKET_A;
else
- s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
+ S3I(s)->tmp.next_state = SSL3_ST_CR_FINISHED_A;
}
s->init_num = 0;
break;
@@ -513,7 +513,7 @@ ssl3_connect(SSL *s)
goto end;
}
s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
break;
case SSL_ST_OK:
@@ -561,7 +561,7 @@ ssl3_connect(SSL *s)
}
/* did we do anything */
- if (!s->s3->tmp.reuse_message && !skip) {
+ if (!S3I(s)->tmp.reuse_message && !skip) {
if (s->debug) {
if ((ret = BIO_flush(s->wbio)) <= 0)
goto end;
@@ -742,9 +742,9 @@ ssl3_get_server_hello(SSL *s)
CBS_init(&cbs, s->init_msg, n);
if (SSL_IS_DTLS(s)) {
- if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
+ if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
if (D1I(s)->send_cookie == 0) {
- s->s3->tmp.reuse_message = 1;
+ S3I(s)->tmp.reuse_message = 1;
return (1);
} else {
/* Already sent a cookie. */
@@ -756,7 +756,7 @@ ssl3_get_server_hello(SSL *s)
}
}
- if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
+ if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
SSL_R_BAD_MESSAGE_TYPE);
@@ -887,13 +887,13 @@ ssl3_get_server_hello(SSL *s)
SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
goto f_err;
}
- s->s3->tmp.new_cipher = cipher;
+ S3I(s)->tmp.new_cipher = cipher;
/*
* Don't digest cached records if no sigalgs: we may need them for
* client authentication.
*/
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) &&
!tls1_digest_cached_records(s)) {
al = SSL_AD_INTERNAL_ERROR;
@@ -956,12 +956,12 @@ ssl3_get_server_certificate(SSL *s)
if (!ok)
return ((int)n);
- if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
- s->s3->tmp.reuse_message = 1;
+ if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
+ S3I(s)->tmp.reuse_message = 1;
return (1);
}
- if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
+ if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
SSL_R_BAD_MESSAGE_TYPE);
@@ -1113,7 +1113,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
long alg_a;
int al;
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
sc = s->session->sess_cert;
if (*nn < 0)
@@ -1280,7 +1280,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
int nid;
int al;
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
sc = s->session->sess_cert;
if (*nn < 0)
@@ -1366,8 +1366,8 @@ ssl3_get_server_key_exchange(SSL *s)
const EVP_MD *md = NULL;
RSA *rsa = NULL;
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
/*
* Use same message size as in ssl3_get_certificate_request()
@@ -1380,7 +1380,7 @@ ssl3_get_server_key_exchange(SSL *s)
EVP_MD_CTX_init(&md_ctx);
- if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
+ if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
/*
* Do not skip server key exchange if this cipher suite uses
* ephemeral keys.
@@ -1392,7 +1392,7 @@ ssl3_get_server_key_exchange(SSL *s)
goto f_err;
}
- s->s3->tmp.reuse_message = 1;
+ S3I(s)->tmp.reuse_message = 1;
EVP_MD_CTX_cleanup(&md_ctx);
return (1);
}
@@ -1585,22 +1585,22 @@ ssl3_get_certificate_request(SSL *s)
if (!ok)
return ((int)n);
- s->s3->tmp.cert_req = 0;
+ S3I(s)->tmp.cert_req = 0;
- if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
- s->s3->tmp.reuse_message = 1;
+ if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_DONE) {
+ S3I(s)->tmp.reuse_message = 1;
/*
* If we get here we don't need any cached handshake records
* as we wont be doing client auth.
*/
- if (s->s3->handshake_buffer) {
+ if (S3I(s)->handshake_buffer) {
if (!tls1_digest_cached_records(s))
goto err;
}
return (1);
}
- if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
+ if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
SSL_R_WRONG_MESSAGE_TYPE);
@@ -1608,7 +1608,7 @@ ssl3_get_certificate_request(SSL *s)
}
/* TLS does not like anon-DH with client cert */
- if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
+ if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
@@ -1632,8 +1632,8 @@ ssl3_get_certificate_request(SSL *s)
if (ctype_num > SSL3_CT_NUMBER)
ctype_num = SSL3_CT_NUMBER;
if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) ||
- !CBS_write_bytes(&ctypes, (uint8_t *)s->s3->tmp.ctype,
- sizeof(s->s3->tmp.ctype), NULL)) {
+ !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype,
+ sizeof(S3I(s)->tmp.ctype), NULL)) {
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
SSL_R_DATA_LENGTH_TOO_LONG);
goto err;
@@ -1722,11 +1722,11 @@ ssl3_get_certificate_request(SSL *s)
}
/* we should setup a certificate to return.... */
- s->s3->tmp.cert_req = 1;
- s->s3->tmp.ctype_num = ctype_num;
- if (s->s3->tmp.ca_names != NULL)
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- s->s3->tmp.ca_names = ca_sk;
+ S3I(s)->tmp.cert_req = 1;
+ S3I(s)->tmp.ctype_num = ctype_num;
+ if (S3I(s)->tmp.ca_names != NULL)
+ sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
+ S3I(s)->tmp.ca_names = ca_sk;
ca_sk = NULL;
ret = 1;
@@ -1761,11 +1761,11 @@ ssl3_get_new_session_ticket(SSL *s)
if (!ok)
return ((int)n);
- if (s->s3->tmp.message_type == SSL3_MT_FINISHED) {
- s->s3->tmp.reuse_message = 1;
+ if (S3I(s)->tmp.message_type == SSL3_MT_FINISHED) {
+ S3I(s)->tmp.reuse_message = 1;
return (1);
}
- if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
+ if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
SSL_R_BAD_MESSAGE_TYPE);
@@ -2255,7 +2255,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
/*
* If we have client certificate, use its secret as peer key.
*/
- if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
+ if (S3I(s)->tmp.cert_req && s->cert->key->privatekey) {
if (EVP_PKEY_derive_set_peer(pkey_ctx,
s->cert->key->privatekey) <=0) {
/*
@@ -2339,7 +2339,7 @@ ssl3_send_client_key_exchange(SSL *s)
memset(&cbb, 0, sizeof(cbb));
if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
if ((sess_cert = s->session->sess_cert) == NULL) {
ssl3_send_alert(s, SSL3_AL_FATAL,
@@ -2427,7 +2427,7 @@ ssl3_send_client_verify(SSL *s)
long hdatalen = 0;
void *hdata;
const EVP_MD *md = s->cert->key->digest;
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
+ hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer,
&hdata);
if (hdatalen <= 0 ||
!tls12_get_sigandhash(p, pkey, md)) {
@@ -2491,7 +2491,7 @@ ssl3_send_client_verify(SSL *s)
int nid;
size_t sigsize;
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+ hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
if (hdatalen <= 0) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
ERR_R_INTERNAL_ERROR);
@@ -2590,7 +2590,7 @@ ssl3_send_client_certificate(SSL *s)
X509_free(x509);
EVP_PKEY_free(pkey);
if (i == 0)
- s->s3->tmp.cert_req = 2;
+ S3I(s)->tmp.cert_req = 2;
/* Ok, we have a cert */
s->state = SSL3_ST_CW_CERT_C;
@@ -2601,7 +2601,7 @@ ssl3_send_client_certificate(SSL *s)
SSL3_MT_CERTIFICATE))
goto err;
if (!ssl3_output_cert_chain(s, &client_cert,
- (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509))
+ (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key->x509))
goto err;
if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
goto err;
@@ -2629,8 +2629,8 @@ ssl3_check_cert_and_algorithm(SSL *s)
SESS_CERT *sc;
DH *dh;
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
/* We don't have a certificate. */
if (alg_a & SSL_aNULL)
@@ -2740,9 +2740,9 @@ ssl3_check_finished(SSL *s)
SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
if (!ok)
return ((int)n);
- s->s3->tmp.reuse_message = 1;
- if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
- (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
+ S3I(s)->tmp.reuse_message = 1;
+ if ((S3I(s)->tmp.message_type == SSL3_MT_FINISHED) ||
+ (S3I(s)->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
return (2);
return (1);
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index ef7a368d8f5..990ce2153dc 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.119 2017/01/22 06:36:49 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.120 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1681,8 +1681,8 @@ ssl3_pending(const SSL *s)
if (s->rstate == SSL_ST_READ_BODY)
return 0;
- return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ?
- s->s3->rrec.length : 0;
+ return (S3I(s)->rrec.type == SSL3_RT_APPLICATION_DATA) ?
+ S3I(s)->rrec.length : 0;
}
int
@@ -1811,7 +1811,7 @@ ssl3_new(SSL *s)
{
if ((s->s3 = calloc(1, sizeof(*s->s3))) == NULL)
return (0);
- if ((s->s3->internal = calloc(1, sizeof(*s->s3->internal))) == NULL) {
+ if ((S3I(s) = calloc(1, sizeof(*S3I(s)))) == NULL) {
free(s->s3);
return (0);
}
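Review bot: On the failure branch of the second calloc, `free(s->s3)` leaves `s->s3` pointing at freed memory before `return (0)`. The ssl3_free hunk further down dereferences `S3I(s)` and `s->s3` in its visible lines, so if any caller tears the SSL object down after a failed ssl3_new (the callers are not on this page), that would be a use-after-free followed by a double free. Adding `s->s3 = NULL;` right after `free(s->s3);` closes that, assuming ssl3_free returns early on a NULL `s->s3`, which is outside the hunk. ssl3_new's body continues past this hunk.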
@@ -1831,21 +1831,21 @@ ssl3_free(SSL *s)
ssl3_release_read_buffer(s);
ssl3_release_write_buffer(s);
- DH_free(s->s3->tmp.dh);
- EC_KEY_free(s->s3->tmp.ecdh);
+ DH_free(S3I(s)->tmp.dh);
+ EC_KEY_free(S3I(s)->tmp.ecdh);
- if (s->s3->tmp.x25519 != NULL)
- explicit_bzero(s->s3->tmp.x25519, X25519_KEY_LENGTH);
- free(s->s3->tmp.x25519);
+ if (S3I(s)->tmp.x25519 != NULL)
+ explicit_bzero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
+ free(S3I(s)->tmp.x25519);
- if (s->s3->tmp.ca_names != NULL)
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- BIO_free(s->s3->handshake_buffer);
+ if (S3I(s)->tmp.ca_names != NULL)
+ sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
+ BIO_free(S3I(s)->handshake_buffer);
tls1_free_digest_list(s);
- free(s->s3->alpn_selected);
+ free(S3I(s)->alpn_selected);
- explicit_bzero(s->s3->internal, sizeof(*s->s3->internal));
- free(s->s3->internal);
+ explicit_bzero(S3I(s), sizeof(*S3I(s)));
+ free(S3I(s));
explicit_bzero(s->s3, sizeof(*s->s3));
free(s->s3);
@@ -1861,36 +1861,36 @@ ssl3_clear(SSL *s)
size_t rlen, wlen;
tls1_cleanup_key_block(s);
- if (s->s3->tmp.ca_names != NULL)
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+ if (S3I(s)->tmp.ca_names != NULL)
+ sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
- DH_free(s->s3->tmp.dh);
- s->s3->tmp.dh = NULL;
- EC_KEY_free(s->s3->tmp.ecdh);
- s->s3->tmp.ecdh = NULL;
+ DH_free(S3I(s)->tmp.dh);
+ S3I(s)->tmp.dh = NULL;
+ EC_KEY_free(S3I(s)->tmp.ecdh);
+ S3I(s)->tmp.ecdh = NULL;
- if (s->s3->tmp.x25519 != NULL)
- explicit_bzero(s->s3->tmp.x25519, X25519_KEY_LENGTH);
- free(s->s3->tmp.x25519);
- s->s3->tmp.x25519 = NULL;
+ if (S3I(s)->tmp.x25519 != NULL)
+ explicit_bzero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
+ free(S3I(s)->tmp.x25519);
+ S3I(s)->tmp.x25519 = NULL;
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
wlen = s->s3->wbuf.len;
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+ BIO_free(S3I(s)->handshake_buffer);
+ S3I(s)->handshake_buffer = NULL;
tls1_free_digest_list(s);
- free(s->s3->alpn_selected);
- s->s3->alpn_selected = NULL;
+ free(S3I(s)->alpn_selected);
+ S3I(s)->alpn_selected = NULL;
- memset(s->s3->internal, 0, sizeof(*s->s3->internal));
- internal = s->s3->internal;
+ memset(S3I(s), 0, sizeof(*S3I(s)));
+ internal = S3I(s);
memset(s->s3, 0, sizeof(*s->s3));
- s->s3->internal = internal;
+ S3I(s) = internal;
s->s3->rbuf.buf = rp;
s->s3->wbuf.buf = wp;
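Review bot: Using `S3I(s)` as an assignment target in `internal = S3I(s);` and `S3I(s) = internal;` hides that the pointer being preserved is a member of the struct that `memset(s->s3, 0, sizeof(*s->s3))` wipes between those two lines. Writing them as `internal = s->s3->internal;` and `s->s3->internal = internal;`, with a comment such as `/* keep the internal allocation across the wipe of s->s3 */`, would make the ordering constraint obvious. The same applies to the `S3I(s) = calloc(...)` line in ssl3_new. ssl3_clear starts and ends outside this hunk.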
@@ -1899,6 +1899,12 @@ ssl3_clear(SSL *s)
ssl_free_wbio_buffer(s);
+ /* Not needed... */
+ S3I(s)->renegotiate = 0;
+ S3I(s)->total_renegotiations = 0;
+ S3I(s)->num_renegotiations = 0;
+ S3I(s)->in_read_app_data = 0;
+
s->packet_length = 0;
s->version = TLS1_VERSION;
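Review bot: The added comment `/* Not needed... */` does not say why the four assignments below it are unnecessary, or why they are added anyway. Earlier in ssl3_clear, `memset(S3I(s), 0, sizeof(*S3I(s)))` already zeroes the whole internal struct, so these stores look redundant unless something between the two hunks sets the fields (not visible here). Either drop the four lines or make the comment say so, for example `/* Already zeroed by the memset of S3I(s) above. */`. ssl3_clear's body extends beyond this hunk.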
@@ -1989,14 +1995,14 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
break;
case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
- ret = s->s3->num_renegotiations;
+ ret = S3I(s)->num_renegotiations;
break;
case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
- ret = s->s3->num_renegotiations;
- s->s3->num_renegotiations = 0;
+ ret = S3I(s)->num_renegotiations;
+ S3I(s)->num_renegotiations = 0;
break;
case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
- ret = s->s3->total_renegotiations;
+ ret = S3I(s)->total_renegotiations;
break;
case SSL_CTRL_GET_FLAGS:
ret = (int)(s->s3->flags);
@@ -2463,7 +2469,7 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p)
int ret = 0;
unsigned long alg_k;
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
#ifndef OPENSSL_NO_GOST
if ((alg_k & SSL_kGOST)) {
@@ -2552,7 +2558,7 @@ ssl3_write(SSL *s, const void *buf, int len)
}
#endif
errno = 0;
- if (s->s3->renegotiate)
+ if (S3I(s)->renegotiate)
ssl3_renegotiate_check(s);
/*
@@ -2564,13 +2570,13 @@ ssl3_write(SSL *s, const void *buf, int len)
/* The second test is because the buffer may have been removed */
if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) {
/* First time through, we write into the buffer */
- if (s->s3->delay_buf_pop_ret == 0) {
+ if (S3I(s)->delay_buf_pop_ret == 0) {
ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA,
buf, len);
if (ret <= 0)
return (ret);
- s->s3->delay_buf_pop_ret = ret;
+ S3I(s)->delay_buf_pop_ret = ret;
}
s->rwstate = SSL_WRITING;
@@ -2583,8 +2589,8 @@ ssl3_write(SSL *s, const void *buf, int len)
ssl_free_wbio_buffer(s);
s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
- ret = s->s3->delay_buf_pop_ret;
- s->s3->delay_buf_pop_ret = 0;
+ ret = S3I(s)->delay_buf_pop_ret;
+ S3I(s)->delay_buf_pop_ret = 0;
} else {
ret = s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
buf, len);
@@ -2601,12 +2607,12 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
int ret;
errno = 0;
- if (s->s3->renegotiate)
+ if (S3I(s)->renegotiate)
ssl3_renegotiate_check(s);
- s->s3->in_read_app_data = 1;
+ S3I(s)->in_read_app_data = 1;
ret = s->method->ssl_read_bytes(s,
SSL3_RT_APPLICATION_DATA, buf, len, peek);
- if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
+ if ((ret == -1) && (S3I(s)->in_read_app_data == 2)) {
/*
* ssl3_read_bytes decided to call s->handshake_func, which
* called ssl3_read_bytes to read handshake data.
@@ -2619,7 +2625,7 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek)
SSL3_RT_APPLICATION_DATA, buf, len, peek);
s->in_handshake--;
} else
- s->s3->in_read_app_data = 0;
+ S3I(s)->in_read_app_data = 0;
return (ret);
}
@@ -2645,7 +2651,7 @@ ssl3_renegotiate(SSL *s)
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
return (0);
- s->s3->renegotiate = 1;
+ S3I(s)->renegotiate = 1;
return (1);
}
@@ -2654,7 +2660,7 @@ ssl3_renegotiate_check(SSL *s)
{
int ret = 0;
- if (s->s3->renegotiate) {
+ if (S3I(s)->renegotiate) {
if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) &&
!SSL_in_init(s)) {
/*
@@ -2664,9 +2670,9 @@ ssl3_renegotiate_check(SSL *s)
*/
/* SSL_ST_ACCEPT */
s->state = SSL_ST_RENEGOTIATE;
- s->s3->renegotiate = 0;
- s->s3->num_renegotiations++;
- s->s3->total_renegotiations++;
+ S3I(s)->renegotiate = 0;
+ S3I(s)->num_renegotiations++;
+ S3I(s)->total_renegotiations++;
ret = 1;
}
}
@@ -2679,7 +2685,7 @@ ssl3_renegotiate_check(SSL *s)
long
ssl_get_algorithm2(SSL *s)
{
- long alg2 = s->s3->tmp.new_cipher->algorithm2;
+ long alg2 = S3I(s)->tmp.new_cipher->algorithm2;
if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index 20e66a707c0..857d35b5a87 100644
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.60 2016/11/17 15:06:22 jsing Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.61 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -270,9 +270,9 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
* It will return <= 0 if more data is needed, normally due to an error
* or non-blocking IO.
* When it finishes, one packet has been decoded and can be found in
- * ssl->s3->rrec.type - is the type of record
- * ssl->s3->rrec.data, - data
- * ssl->s3->rrec.length, - number of bytes
+ * ssl->s3->internal->rrec.type - is the type of record
+ * ssl->s3->internal->rrec.data, - data
+ * ssl->s3->internal->rrec.length, - number of bytes
*/
/* used only by ssl3_read_bytes */
static int
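Review bot: The updated comment spells the record fields as `ssl->s3->internal->rrec.type`, while the equivalent comment updated in ssl3_read_bytes later in this file uses `S3I(s)->rrec.type`, and the function itself takes `s`, not `ssl`. Using one spelling throughout, e.g. `S3I(s)->rrec.type - is the type of record`, keeps the comments greppable alongside the code. The same applies to the "So at this point the following is true" comment in the next hunk.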
@@ -285,7 +285,7 @@ ssl3_get_record(SSL *s)
unsigned char md[EVP_MAX_MD_SIZE];
unsigned mac_size, orig_len;
- rr = &(s->s3->rrec);
+ rr = &(S3I(s)->rrec);
sess = s->session;
again:
@@ -472,10 +472,10 @@ again:
/*
* So at this point the following is true
*
- * ssl->s3->rrec.type is the type of record
- * ssl->s3->rrec.length == number of bytes in record
- * ssl->s3->rrec.off == offset to first valid byte
- * ssl->s3->rrec.data == where to take bytes from, increment
+ * ssl->s3->internal->rrec.type is the type of record
+ * ssl->s3->internal->rrec.length == number of bytes in record
+ * ssl->s3->internal->rrec.off == offset to first valid byte
+ * ssl->s3->internal->rrec.data == where to take bytes from, increment
* after use :-).
*/
@@ -510,8 +510,8 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
}
s->rwstate = SSL_NOTHING;
- tot = s->s3->wnum;
- s->s3->wnum = 0;
+ tot = S3I(s)->wnum;
+ S3I(s)->wnum = 0;
if (SSL_in_init(s) && !s->in_handshake) {
i = s->handshake_func(s);
@@ -535,7 +535,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
i = do_ssl3_write(s, type, &(buf[tot]), nw, 0);
if (i <= 0) {
- s->s3->wnum = tot;
+ S3I(s)->wnum = tot;
return i;
}
@@ -546,7 +546,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
* empty fragment in ciphersuites with known-IV
* weakness.
*/
- s->s3->empty_fragment_done = 0;
+ S3I(s)->empty_fragment_done = 0;
return tot + i;
}
@@ -593,7 +593,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (len == 0 && !create_empty_fragment)
return 0;
- wr = &(s->s3->wrec);
+ wr = &(S3I(s)->wrec);
sess = s->session;
if ((sess == NULL) || (s->enc_write_ctx == NULL) ||
@@ -610,12 +610,12 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
* 'create_empty_fragment' is true only when this function calls
* itself.
*/
- if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done) {
+ if (!clear && !create_empty_fragment && !S3I(s)->empty_fragment_done) {
/*
* Countermeasure against known-IV weakness in CBC ciphersuites
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
*/
- if (s->s3->need_empty_fragments &&
+ if (S3I(s)->need_empty_fragments &&
type == SSL3_RT_APPLICATION_DATA) {
/* recursive function call with 'create_empty_fragment' set;
* this prepares and buffers the data for an empty fragment
@@ -634,7 +634,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
}
}
- s->s3->empty_fragment_done = 1;
+ S3I(s)->empty_fragment_done = 1;
}
if (create_empty_fragment) {
@@ -750,10 +750,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* memorize arguments so that ssl3_write_pending can detect
* bad write retries later */
- s->s3->wpend_tot = len;
- s->s3->wpend_buf = buf;
- s->s3->wpend_type = type;
- s->s3->wpend_ret = len;
+ S3I(s)->wpend_tot = len;
+ S3I(s)->wpend_buf = buf;
+ S3I(s)->wpend_type = type;
+ S3I(s)->wpend_ret = len;
/* we now just need to write the buffer */
return ssl3_write_pending(s, type, buf, len);
@@ -769,9 +769,9 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
SSL3_BUFFER *wb = &(s->s3->wbuf);
/* XXXX */
- if ((s->s3->wpend_tot > (int)len) || ((s->s3->wpend_buf != buf) &&
+ if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) &&
!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
- (s->s3->wpend_type != type)) {
+ (S3I(s)->wpend_type != type)) {
SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);
return (-1);
}
@@ -794,7 +794,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
!SSL_IS_DTLS(s))
ssl3_release_write_buffer(s);
s->rwstate = SSL_NOTHING;
- return (s->s3->wpend_ret);
+ return (S3I(s)->wpend_ret);
} else if (i <= 0) {
/*
* For DTLS, just drop it. That's kind of the
@@ -862,28 +862,28 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
}
if ((type == SSL3_RT_HANDSHAKE) &&
- (s->s3->handshake_fragment_len > 0)) {
+ (S3I(s)->handshake_fragment_len > 0)) {
/* (partially) satisfy request from storage */
- unsigned char *src = s->s3->handshake_fragment;
+ unsigned char *src = S3I(s)->handshake_fragment;
unsigned char *dst = buf;
unsigned int k;
/* peek == 0 */
n = 0;
- while ((len > 0) && (s->s3->handshake_fragment_len > 0)) {
+ while ((len > 0) && (S3I(s)->handshake_fragment_len > 0)) {
*dst++ = *src++;
len--;
- s->s3->handshake_fragment_len--;
+ S3I(s)->handshake_fragment_len--;
n++;
}
/* move any remaining fragment bytes: */
- for (k = 0; k < s->s3->handshake_fragment_len; k++)
- s->s3->handshake_fragment[k] = *src++;
+ for (k = 0; k < S3I(s)->handshake_fragment_len; k++)
+ S3I(s)->handshake_fragment[k] = *src++;
return n;
}
/*
- * Now s->s3->handshake_fragment_len == 0 if
+ * Now S3I(s)->handshake_fragment_len == 0 if
* type == SSL3_RT_HANDSHAKE.
*/
if (!s->in_handshake && SSL_in_init(s)) {
@@ -921,12 +921,12 @@ start:
s->rwstate = SSL_NOTHING;
/*
- * s->s3->rrec.type - is the type of record
- * s->s3->rrec.data, - data
- * s->s3->rrec.off, - offset into 'data' for next read
- * s->s3->rrec.length, - number of bytes.
+ * S3I(s)->rrec.type - is the type of record
+ * S3I(s)->rrec.data, - data
+ * S3I(s)->rrec.off, - offset into 'data' for next read
+ * S3I(s)->rrec.length, - number of bytes.
*/
- rr = &(s->s3->rrec);
+ rr = &(S3I(s)->rrec);
/* get new packet if necessary */
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) {
@@ -937,7 +937,7 @@ start:
/* we now have a packet which can be read and processed */
- if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+ if (S3I(s)->change_cipher_spec /* set when we receive ChangeCipherSpec,
* reset by ssl3_get_finished */
&& (rr->type != SSL3_RT_HANDSHAKE)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -1006,13 +1006,13 @@ start:
unsigned int *dest_len = NULL;
if (rr->type == SSL3_RT_HANDSHAKE) {
- dest_maxlen = sizeof s->s3->handshake_fragment;
- dest = s->s3->handshake_fragment;
- dest_len = &s->s3->handshake_fragment_len;
+ dest_maxlen = sizeof S3I(s)->handshake_fragment;
+ dest = S3I(s)->handshake_fragment;
+ dest_len = &S3I(s)->handshake_fragment_len;
} else if (rr->type == SSL3_RT_ALERT) {
- dest_maxlen = sizeof s->s3->alert_fragment;
- dest = s->s3->alert_fragment;
- dest_len = &s->s3->alert_fragment_len;
+ dest_maxlen = sizeof S3I(s)->alert_fragment;
+ dest = S3I(s)->alert_fragment;
+ dest_len = &S3I(s)->alert_fragment_len;
}
if (dest_maxlen > 0) {
/* available space in 'dest' */
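Review bot: `sizeof S3I(s)->handshake_fragment` and `sizeof S3I(s)->alert_fragment` apply an unparenthesised `sizeof` to a function-like macro, so a reader has to know how `S3I` expands (defined outside this part of the diff) to see what the operand is. `dest_maxlen` is described here as the available space in `dest`, so these values appear to bound the copy into the fragment buffers and should be unambiguous. Write them as `dest_maxlen = sizeof(S3I(s)->handshake_fragment);` and `dest_maxlen = sizeof(S3I(s)->alert_fragment);`. The enclosing block in ssl3_read_bytes starts and ends outside the hunk.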
@@ -1031,19 +1031,19 @@ start:
}
}
- /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
- * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
+ /* S3I(s)->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
+ * S3I(s)->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
/* If we are a client, check for an incoming 'Hello Request': */
- if ((!s->server) && (s->s3->handshake_fragment_len >= 4) &&
- (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
+ if ((!s->server) && (S3I(s)->handshake_fragment_len >= 4) &&
+ (S3I(s)->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
(s->session != NULL) && (s->session->cipher != NULL)) {
- s->s3->handshake_fragment_len = 0;
+ S3I(s)->handshake_fragment_len = 0;
- if ((s->s3->handshake_fragment[1] != 0) ||
- (s->s3->handshake_fragment[2] != 0) ||
- (s->s3->handshake_fragment[3] != 0)) {
+ if ((S3I(s)->handshake_fragment[1] != 0) ||
+ (S3I(s)->handshake_fragment[2] != 0) ||
+ (S3I(s)->handshake_fragment[3] != 0)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);
goto f_err;
@@ -1051,12 +1051,12 @@ start:
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
- s->s3->handshake_fragment, 4, s,
+ S3I(s)->handshake_fragment, 4, s,
s->msg_callback_arg);
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
- !s->s3->renegotiate) {
+ !S3I(s)->renegotiate) {
ssl3_renegotiate(s);
if (ssl3_renegotiate_check(s)) {
i = s->handshake_func(s);
@@ -1094,24 +1094,24 @@ start:
*/
if (s->server &&
SSL_is_init_finished(s) &&
- !s->s3->send_connection_binding &&
- (s->s3->handshake_fragment_len >= 4) &&
- (s->s3->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
+ !S3I(s)->send_connection_binding &&
+ (S3I(s)->handshake_fragment_len >= 4) &&
+ (S3I(s)->handshake_fragment[0] == SSL3_MT_CLIENT_HELLO) &&
(s->session != NULL) && (s->session->cipher != NULL)) {
- /*s->s3->handshake_fragment_len = 0;*/
+ /*S3I(s)->handshake_fragment_len = 0;*/
rr->length = 0;
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
goto start;
}
- if (s->s3->alert_fragment_len >= 2) {
- int alert_level = s->s3->alert_fragment[0];
- int alert_descr = s->s3->alert_fragment[1];
+ if (S3I(s)->alert_fragment_len >= 2) {
+ int alert_level = S3I(s)->alert_fragment[0];
+ int alert_descr = S3I(s)->alert_fragment[1];
- s->s3->alert_fragment_len = 0;
+ S3I(s)->alert_fragment_len = 0;
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_ALERT,
- s->s3->alert_fragment, 2, s, s->msg_callback_arg);
+ S3I(s)->alert_fragment, 2, s, s->msg_callback_arg);
if (s->info_callback != NULL)
cb = s->info_callback;
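Review bot: The commented-out reset `/*S3I(s)->handshake_fragment_len = 0;*/` in the server-side no_renegotiation branch was renamed along with the live code but still carries no explanation. The client HelloRequest branch earlier in ssl3_read_bytes does clear `handshake_fragment_len`, so a reader cannot tell whether leaving the buffered ClientHello header in place here is deliberate. Either delete the dead line or replace it with a comment stating why the fragment is kept, e.g. `/* handshake_fragment_len intentionally left set: <reason> */`. The surrounding code in ssl3_read_bytes extends beyond this hunk.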
@@ -1124,7 +1124,7 @@ start:
}
if (alert_level == SSL3_AL_WARNING) {
- s->s3->warn_alert = alert_descr;
+ S3I(s)->warn_alert = alert_descr;
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return (0);
@@ -1146,7 +1146,7 @@ start:
}
} else if (alert_level == SSL3_AL_FATAL) {
s->rwstate = SSL_NOTHING;
- s->s3->fatal_alert = alert_descr;
+ S3I(s)->fatal_alert = alert_descr;
SSLerr(SSL_F_SSL3_READ_BYTES,
SSL_AD_REASON_OFFSET + alert_descr);
ERR_asprintf_error_data("SSL alert number %d",
@@ -1182,7 +1182,7 @@ start:
}
/* Check we have a cipher to change to */
- if (s->s3->tmp.new_cipher == NULL) {
+ if (S3I(s)->tmp.new_cipher == NULL) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_READ_BYTES,
SSL_R_CCS_RECEIVED_EARLY);
@@ -1206,7 +1206,7 @@ start:
s->msg_callback_arg);
}
- s->s3->change_cipher_spec = 1;
+ S3I(s)->change_cipher_spec = 1;
if (!ssl3_do_change_cipher_spec(s))
goto err;
else
@@ -1214,7 +1214,7 @@ start:
}
/* Unexpected handshake message (Client Hello, or protocol violation) */
- if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
+ if ((S3I(s)->handshake_fragment_len >= 4) && !s->in_handshake) {
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
@@ -1278,15 +1278,15 @@ start:
* at this point (session renegotiation not yet started),
* we will indulge it.
*/
- if (s->s3->in_read_app_data &&
- (s->s3->total_renegotiations != 0) &&
+ if (S3I(s)->in_read_app_data &&
+ (S3I(s)->total_renegotiations != 0) &&
(((s->state & SSL_ST_CONNECT) &&
(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
(s->state <= SSL3_ST_CR_SRVR_HELLO_A)) ||
((s->state & SSL_ST_ACCEPT) &&
(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
(s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
- s->s3->in_read_app_data = 2;
+ S3I(s)->in_read_app_data = 2;
return (-1);
} else {
al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -1314,7 +1314,7 @@ ssl3_do_change_cipher_spec(SSL *s)
else
i = SSL3_CHANGE_CIPHER_CLIENT_READ;
- if (s->s3->tmp.key_block == NULL) {
+ if (S3I(s)->tmp.key_block == NULL) {
if (s->session == NULL || s->session->master_key_length == 0) {
/* might happen if dtls1_read_bytes() calls this */
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
@@ -1322,7 +1322,7 @@ ssl3_do_change_cipher_spec(SSL *s)
return (0);
}
- s->session->cipher = s->s3->tmp.new_cipher;
+ s->session->cipher = S3I(s)->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s))
return (0);
}
@@ -1342,12 +1342,12 @@ ssl3_do_change_cipher_spec(SSL *s)
}
i = s->method->ssl3_enc->final_finish_mac(s, sender, slen,
- s->s3->tmp.peer_finish_md);
+ S3I(s)->tmp.peer_finish_md);
if (i == 0) {
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
return 0;
}
- s->s3->tmp.peer_finish_md_len = i;
+ S3I(s)->tmp.peer_finish_md_len = i;
return (1);
}
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 7912206785a..099537f7eaf 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.140 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.141 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -247,7 +247,7 @@ ssl3_accept(SSL *s)
s->state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
- } else if (!s->s3->send_connection_binding) {
+ } else if (!S3I(s)->send_connection_binding) {
/*
* Server attempting to renegotiate with
* client that doesn't support secure
@@ -276,7 +276,7 @@ ssl3_accept(SSL *s)
ret = ssl3_send_hello_request(s);
if (ret <= 0)
goto end;
- s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
+ S3I(s)->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
s->state = SSL3_ST_SW_FLUSH;
s->init_num = 0;
@@ -325,7 +325,7 @@ ssl3_accept(SSL *s)
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH or anon ECDH. */
- if (!(s->s3->tmp.new_cipher->algorithm_auth &
+ if (!(S3I(s)->tmp.new_cipher->algorithm_auth &
SSL_aNULL)) {
ret = ssl3_send_server_certificate(s);
if (ret <= 0)
@@ -343,7 +343,7 @@ ssl3_accept(SSL *s)
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
/*
* Only send if using a DH key exchange.
@@ -386,21 +386,21 @@ ssl3_accept(SSL *s)
if (!(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- ((s->s3->tmp.new_cipher->algorithm_auth &
+ ((S3I(s)->tmp.new_cipher->algorithm_auth &
SSL_aNULL) && !(s->verify_mode &
SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
/* No cert request */
skip = 1;
- s->s3->tmp.cert_request = 0;
+ S3I(s)->tmp.cert_request = 0;
s->state = SSL3_ST_SW_SRVR_DONE_A;
- if (s->s3->handshake_buffer) {
+ if (S3I(s)->handshake_buffer) {
if (!tls1_digest_cached_records(s)) {
ret = -1;
goto end;
}
}
} else {
- s->s3->tmp.cert_request = 1;
+ S3I(s)->tmp.cert_request = 1;
ret = ssl3_send_certificate_request(s);
if (ret <= 0)
goto end;
@@ -414,7 +414,7 @@ ssl3_accept(SSL *s)
ret = ssl3_send_server_done(s);
if (ret <= 0)
goto end;
- s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
+ S3I(s)->tmp.next_state = SSL3_ST_SR_CERT_A;
s->state = SSL3_ST_SW_FLUSH;
s->init_num = 0;
break;
@@ -439,12 +439,12 @@ ssl3_accept(SSL *s)
}
s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
+ s->state = S3I(s)->tmp.next_state;
break;
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
- if (s->s3->tmp.cert_request) {
+ if (S3I(s)->tmp.cert_request) {
ret = ssl3_get_client_certificate(s);
if (ret <= 0)
goto end;
@@ -458,7 +458,7 @@ ssl3_accept(SSL *s)
ret = ssl3_get_client_key_exchange(s);
if (ret <= 0)
goto end;
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
if (ret == 2) {
/*
* For the ECDH ciphersuites when
@@ -469,7 +469,7 @@ ssl3_accept(SSL *s)
* the client uses its key from the certificate
* for key exchange.
*/
- if (s->s3->next_proto_neg_seen)
+ if (S3I(s)->next_proto_neg_seen)
s->state = SSL3_ST_SR_NEXT_PROTO_A;
else
s->state = SSL3_ST_SR_FINISHED_A;
@@ -483,7 +483,7 @@ ssl3_accept(SSL *s)
* For sigalgs freeze the handshake buffer
* at this point and digest cached records.
*/
- if (!s->s3->handshake_buffer) {
+ if (!S3I(s)->handshake_buffer) {
SSLerr(SSL_F_SSL3_ACCEPT,
ERR_R_INTERNAL_ERROR);
ret = -1;
@@ -508,7 +508,7 @@ ssl3_accept(SSL *s)
* CertificateVerify should be generalized.
* But it is next step
*/
- if (s->s3->handshake_buffer) {
+ if (S3I(s)->handshake_buffer) {
if (!tls1_digest_cached_records(s)) {
ret = -1;
goto end;
@@ -516,15 +516,15 @@ ssl3_accept(SSL *s)
}
for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
dgst_num++)
- if (s->s3->handshake_dgst[dgst_num]) {
+ if (S3I(s)->handshake_dgst[dgst_num]) {
int dgst_size;
s->method->ssl3_enc->cert_verify_mac(s,
EVP_MD_CTX_type(
- s->s3->handshake_dgst[dgst_num]),
- &(s->s3->tmp.cert_verify_md[offset]));
+ S3I(s)->handshake_dgst[dgst_num]),
+ &(S3I(s)->tmp.cert_verify_md[offset]));
dgst_size = EVP_MD_CTX_size(
- s->s3->handshake_dgst[dgst_num]);
+ S3I(s)->handshake_dgst[dgst_num]);
if (dgst_size < 0) {
ret = -1;
goto end;
@@ -543,7 +543,7 @@ ssl3_accept(SSL *s)
if (ret <= 0)
goto end;
- if (s->s3->next_proto_neg_seen)
+ if (S3I(s)->next_proto_neg_seen)
s->state = SSL3_ST_SR_NEXT_PROTO_A;
else
s->state = SSL3_ST_SR_FINISHED_A;
@@ -597,7 +597,7 @@ ssl3_accept(SSL *s)
case SSL3_ST_SW_CHANGE_A:
case SSL3_ST_SW_CHANGE_B:
- s->session->cipher = s->s3->tmp.new_cipher;
+ s->session->cipher = S3I(s)->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s)) {
ret = -1;
goto end;
@@ -629,15 +629,15 @@ ssl3_accept(SSL *s)
goto end;
s->state = SSL3_ST_SW_FLUSH;
if (s->hit) {
- if (s->s3->next_proto_neg_seen) {
+ if (S3I(s)->next_proto_neg_seen) {
s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->s3->tmp.next_state =
+ S3I(s)->tmp.next_state =
SSL3_ST_SR_NEXT_PROTO_A;
} else
- s->s3->tmp.next_state =
+ S3I(s)->tmp.next_state =
SSL3_ST_SR_FINISHED_A;
} else
- s->s3->tmp.next_state = SSL_ST_OK;
+ S3I(s)->tmp.next_state = SSL_ST_OK;
s->init_num = 0;
break;
@@ -680,7 +680,7 @@ ssl3_accept(SSL *s)
/* break; */
}
- if (!s->s3->tmp.reuse_message && !skip) {
+ if (!S3I(s)->tmp.reuse_message && !skip) {
if (s->debug) {
if ((ret = BIO_flush(s->wbio)) <= 0)
goto end;
@@ -1039,12 +1039,12 @@ ssl3_get_client_hello(SSL *s)
SSL_R_NO_SHARED_CIPHER);
goto f_err;
}
- s->s3->tmp.new_cipher = c;
+ S3I(s)->tmp.new_cipher = c;
} else {
- s->s3->tmp.new_cipher = s->session->cipher;
+ S3I(s)->tmp.new_cipher = s->session->cipher;
}
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
!(s->verify_mode & SSL_VERIFY_PEER)) {
if (!tls1_digest_cached_records(s)) {
@@ -1147,7 +1147,7 @@ ssl3_send_server_hello(SSL *s)
/* Cipher suite. */
if (!CBB_add_u16(&cbb,
- ssl3_cipher_get_value(s->s3->tmp.new_cipher)))
+ ssl3_cipher_get_value(S3I(s)->tmp.new_cipher)))
goto err;
/* Compression method. */
@@ -1210,7 +1210,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
if (dhp == NULL && s->cert->dh_tmp_cb != NULL)
dhp = s->cert->dh_tmp_cb(s, 0,
- SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
+ SSL_C_PKEYLENGTH(S3I(s)->tmp.new_cipher));
if (dhp == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1219,7 +1219,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
goto f_err;
}
- if (s->s3->tmp.dh != NULL) {
+ if (S3I(s)->tmp.dh != NULL) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -1231,7 +1231,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
goto err;
}
- s->s3->tmp.dh = dh;
+ S3I(s)->tmp.dh = dh;
if (!DH_generate_key(dh)) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
goto err;
@@ -1288,7 +1288,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
ecdhp = EC_KEY_new_by_curve_name(nid);
} else if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL) {
ecdhp = s->cert->ecdh_tmp_cb(s, 0,
- SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
+ SSL_C_PKEYLENGTH(S3I(s)->tmp.new_cipher));
}
if (ecdhp == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1297,7 +1297,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
goto f_err;
}
- if (s->s3->tmp.ecdh != NULL) {
+ if (S3I(s)->tmp.ecdh != NULL) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -1311,7 +1311,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
ERR_R_ECDH_LIB);
goto err;
}
- s->s3->tmp.ecdh = ecdh;
+ S3I(s)->tmp.ecdh = ecdh;
if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
(EC_KEY_get0_private_key(ecdh) == NULL) ||
@@ -1413,16 +1413,16 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
int ret = -1;
/* Generate an X25519 key pair. */
- if (s->s3->tmp.x25519 != NULL) {
+ if (S3I(s)->tmp.x25519 != NULL) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
}
- if ((s->s3->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL)
+ if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL)
goto err;
if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL)
goto err;
- X25519_keypair(public_key, s->s3->tmp.x25519);
+ X25519_keypair(public_key, S3I(s)->tmp.x25519);
/* Serialize public key. */
if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
@@ -1488,7 +1488,7 @@ ssl3_send_server_key_exchange(SSL *s)
EVP_MD_CTX_init(&md_ctx);
if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
- type = s->s3->tmp.new_cipher->algorithm_mkey;
+ type = S3I(s)->tmp.new_cipher->algorithm_mkey;
cert = s->cert;
buf = s->init_buf;
@@ -1512,9 +1512,9 @@ ssl3_send_server_key_exchange(SSL *s)
if (!CBB_finish(&cbb, &params, &params_len))
goto err;
- if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
+ if (!(S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
if ((pkey = ssl_get_sign_pkey(
- s, s->s3->tmp.new_cipher, &md)) == NULL) {
+ s, S3I(s)->tmp.new_cipher, &md)) == NULL) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
@@ -1837,13 +1837,13 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
if (CBS_len(&cbs) != 0)
goto truncated;
- if (s->s3->tmp.dh == NULL) {
+ if (S3I(s)->tmp.dh == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_MISSING_TMP_DH_KEY);
goto f_err;
}
- dh = s->s3->tmp.dh;
+ dh = S3I(s)->tmp.dh;
if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -1864,8 +1864,8 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
explicit_bzero(p, key_size);
- DH_free(s->s3->tmp.dh);
- s->s3->tmp.dh = NULL;
+ DH_free(S3I(s)->tmp.dh);
+ S3I(s)->tmp.dh = NULL;
BN_clear_free(bn);
@@ -1906,7 +1906,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
* Use the ephemeral values we saved when
* generating the ServerKeyExchange message.
*/
- tkey = s->s3->tmp.ecdh;
+ tkey = S3I(s)->tmp.ecdh;
group = EC_KEY_get0_group(tkey);
priv_key = EC_KEY_get0_private_key(tkey);
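Review bot: `tkey` is handed to `EC_KEY_get0_group()` and `EC_KEY_get0_private_key()` without a NULL check in the visible lines, whereas ssl3_get_client_kex_dhe rejects a missing `S3I(s)->tmp.dh` with SSL_R_MISSING_TMP_DH_KEY before using it. Whether `tmp.ecdh` can be NULL at this point depends on handshake state-machine guarantees outside this hunk. A matching guard, `if ((tkey = S3I(s)->tmp.ecdh) == NULL)` followed by the function's existing error exit, would make the two key-exchange paths consistent. The function body starts and ends outside the hunk, so an earlier check cannot be ruled out from here.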
@@ -2008,8 +2008,8 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
EC_POINT_free(clnt_ecpoint);
EC_KEY_free(srvr_ecdh);
BN_CTX_free(bn_ctx);
- EC_KEY_free(s->s3->tmp.ecdh);
- s->s3->tmp.ecdh = NULL;
+ EC_KEY_free(S3I(s)->tmp.ecdh);
+ S3I(s)->tmp.ecdh = NULL;
/* Compute the master secret */
s->session->master_key_length =
@@ -2047,12 +2047,12 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n)
if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
goto err;
- if (!X25519(shared_key, s->s3->tmp.x25519, CBS_data(&ecpoint)))
+ if (!X25519(shared_key, S3I(s)->tmp.x25519, CBS_data(&ecpoint)))
goto err;
- explicit_bzero(s->s3->tmp.x25519, X25519_KEY_LENGTH);
- free(s->s3->tmp.x25519);
- s->s3->tmp.x25519 = NULL;
+ explicit_bzero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);
+ free(S3I(s)->tmp.x25519);
+ S3I(s)->tmp.x25519 = NULL;
s->session->master_key_length =
s->method->ssl3_enc->generate_master_secret(
@@ -2071,7 +2071,7 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n)
static int
ssl3_get_client_kex_ecdhe(SSL *s, unsigned char *p, long n)
{
- if (s->s3->tmp.x25519 != NULL)
+ if (S3I(s)->tmp.x25519 != NULL)
return ssl3_get_client_kex_ecdhe_ecx(s, p, n);
return ssl3_get_client_kex_ecdhe_ecp(s, p, n);
@@ -2092,7 +2092,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
int ret = 0;
/* Get our certificate private key*/
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
if (alg_a & SSL_aGOST01)
pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
@@ -2171,7 +2171,7 @@ ssl3_get_client_key_exchange(SSL *s)
p = (unsigned char *)s->init_msg;
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
if (alg_k & SSL_kRSA) {
if (ssl3_get_client_kex_rsa(s, p, n) != 1)
@@ -2227,8 +2227,8 @@ ssl3_get_cert_verify(SSL *s)
pkey = NULL;
}
- if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
- s->s3->tmp.reuse_message = 1;
+ if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
+ S3I(s)->tmp.reuse_message = 1;
if (peer != NULL) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
@@ -2253,7 +2253,7 @@ ssl3_get_cert_verify(SSL *s)
goto f_err;
}
- if (s->s3->change_cipher_spec) {
+ if (S3I(s)->change_cipher_spec) {
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
SSL_R_CCS_RECEIVED_EARLY);
al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -2318,7 +2318,7 @@ ssl3_get_cert_verify(SSL *s)
if (SSL_USE_SIGALGS(s)) {
long hdatalen = 0;
void *hdata;
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+ hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
if (hdatalen <= 0) {
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
@@ -2341,7 +2341,7 @@ ssl3_get_cert_verify(SSL *s)
}
} else
if (pkey->type == EVP_PKEY_RSA) {
- i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
+ i = RSA_verify(NID_md5_sha1, S3I(s)->tmp.cert_verify_md,
MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
pkey->pkey.rsa);
if (i < 0) {
@@ -2359,7 +2359,7 @@ ssl3_get_cert_verify(SSL *s)
} else
if (pkey->type == EVP_PKEY_DSA) {
j = DSA_verify(pkey->save_type,
- &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
+ &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
if (j <= 0) {
/* bad signature */
@@ -2371,7 +2371,7 @@ ssl3_get_cert_verify(SSL *s)
} else
if (pkey->type == EVP_PKEY_EC) {
j = ECDSA_verify(pkey->save_type,
- &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
+ &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
if (j <= 0) {
/* bad signature */
@@ -2391,7 +2391,7 @@ ssl3_get_cert_verify(SSL *s)
int nid;
EVP_PKEY_CTX *pctx;
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+ hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
if (hdatalen <= 0) {
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
@@ -2456,9 +2456,9 @@ f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
}
end:
- if (s->s3->handshake_buffer) {
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+ if (S3I(s)->handshake_buffer) {
+ BIO_free(S3I(s)->handshake_buffer);
+ S3I(s)->handshake_buffer = NULL;
s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
}
EVP_MD_CTX_cleanup(&mctx);
@@ -2482,7 +2482,7 @@ ssl3_get_client_certificate(SSL *s)
if (!ok)
return ((int)n);
- if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
+ if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
if ((s->verify_mode & SSL_VERIFY_PEER) &&
(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
@@ -2494,18 +2494,18 @@ ssl3_get_client_certificate(SSL *s)
* If tls asked for a client cert,
* the client must return a 0 list.
*/
- if (s->s3->tmp.cert_request) {
+ if (S3I(s)->tmp.cert_request) {
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
);
al = SSL_AD_UNEXPECTED_MESSAGE;
goto f_err;
}
- s->s3->tmp.reuse_message = 1;
+ S3I(s)->tmp.reuse_message = 1;
return (1);
}
- if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
+ if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
SSL_R_WRONG_MESSAGE_TYPE);
@@ -2571,7 +2571,7 @@ ssl3_get_client_certificate(SSL *s)
goto f_err;
}
/* No client certificate so digest cached records */
- if (s->s3->handshake_buffer && !tls1_digest_cached_records(s)) {
+ if (S3I(s)->handshake_buffer && !tls1_digest_cached_records(s)) {
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
@@ -2860,7 +2860,7 @@ ssl3_get_next_proto(SSL *s)
* Clients cannot send a NextProtocol message if we didn't see the
* extension in their ClientHello
*/
- if (!s->s3->next_proto_neg_seen) {
+ if (!S3I(s)->next_proto_neg_seen) {
SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
return (-1);
@@ -2874,10 +2874,10 @@ ssl3_get_next_proto(SSL *s)
/*
* s->state doesn't reflect whether ChangeCipherSpec has been received
- * in this handshake, but s->s3->change_cipher_spec does (will be reset
+ * in this handshake, but S3I(s)->change_cipher_spec does (will be reset
* by ssl3_get_finished).
*/
- if (!s->s3->change_cipher_spec) {
+ if (!S3I(s)->change_cipher_spec) {
SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
return (-1);
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index 63441761050..91cbaf29e34 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.44 2017/01/22 03:50:45 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.45 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -363,135 +363,22 @@ struct ssl3_state_internal_st;
typedef struct ssl3_state_st {
long flags;
- int delay_buf_pop_ret;
-
- unsigned char read_sequence[SSL3_SEQUENCE_SIZE];
- int read_mac_secret_size;
- unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
- unsigned char write_sequence[SSL3_SEQUENCE_SIZE];
- int write_mac_secret_size;
- unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
unsigned char server_random[SSL3_RANDOM_SIZE];
unsigned char client_random[SSL3_RANDOM_SIZE];
- /* flags for countermeasure against known-IV weakness */
- int need_empty_fragments;
- int empty_fragment_done;
-
SSL3_BUFFER rbuf; /* read IO goes into here */
SSL3_BUFFER wbuf; /* write IO goes into here */
- SSL3_RECORD rrec; /* each decoded record goes in here */
- SSL3_RECORD wrec; /* goes out from here */
-
- /* storage for Alert/Handshake protocol data received but not
- * yet processed by ssl3_read_bytes: */
- unsigned char alert_fragment[2];
- unsigned int alert_fragment_len;
- unsigned char handshake_fragment[4];
- unsigned int handshake_fragment_len;
-
- /* partial write - check the numbers match */
- unsigned int wnum; /* number of bytes sent so far */
- int wpend_tot; /* number bytes written */
- int wpend_type;
- int wpend_ret; /* number of bytes submitted */
- const unsigned char *wpend_buf;
-
- /* used during startup, digest all incoming/outgoing packets */
- BIO *handshake_buffer;
- /* When set of handshake digests is determined, buffer is hashed
- * and freed and MD_CTX-es for all required digests are stored in
- * this array */
- EVP_MD_CTX **handshake_dgst;
- /* this is set whenerver we see a change_cipher_spec message
- * come in when we are not looking for one */
- int change_cipher_spec;
-
- int warn_alert;
- int fatal_alert;
/* we allow one fatal and one warning alert to be outstanding,
* send close alert via the warning alert */
int alert_dispatch;
unsigned char send_alert[2];
- /* This flag is set when we should renegotiate ASAP, basically when
- * there is no more data in the read or write buffers */
- int renegotiate;
- int total_renegotiations;
- int num_renegotiations;
-
- int in_read_app_data;
-
- struct {
- /* actually only needs to be 16+20 */
- unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
-
- /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
- unsigned char finish_md[EVP_MAX_MD_SIZE*2];
- int finish_md_len;
- unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
- int peer_finish_md_len;
-
- unsigned long message_size;
- int message_type;
-
- /* used to hold the new cipher we are going to use */
- const SSL_CIPHER *new_cipher;
- DH *dh;
-
- EC_KEY *ecdh; /* holds short lived ECDH key */
-
- uint8_t *x25519;
-
- /* used when SSL_ST_FLUSH_DATA is entered */
- int next_state;
-
- int reuse_message;
-
- /* used for certificate requests */
- int cert_req;
- int ctype_num;
- char ctype[SSL3_CT_NUMBER];
- STACK_OF(X509_NAME) *ca_names;
-
- int key_block_length;
- unsigned char *key_block;
-
- const EVP_CIPHER *new_sym_enc;
- const EVP_AEAD *new_aead;
- const EVP_MD *new_hash;
- int new_mac_pkey_type;
+ struct {
int new_mac_secret_size;
- int cert_request;
} tmp;
- /* Connection binding to prevent renegotiation attacks */
- unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
- unsigned char previous_client_finished_len;
- unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
- unsigned char previous_server_finished_len;
- int send_connection_binding; /* TODOEKR */
-
- /* Set if we saw the Next Protocol Negotiation extension from our peer.
- */
- int next_proto_neg_seen;
-
- /*
- * ALPN information
- * (we are in the process of transitioning from NPN to ALPN).
- */
-
- /*
- * In a server these point to the selected ALPN protocol after the
- * ClientHello has been processed. In a client these contain the
- * protocol that the server selected once the ServerHello has been
- * processed.
- */
- unsigned char *alpn_selected;
- unsigned int alpn_selected_len;
-
struct ssl3_state_internal_st *internal;
} SSL3_STATE;
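Review bot: The trimmed SSL3_STATE has no comment saying why these particular fields stay in the public header, so a later reader cannot tell a deliberate leftover from an oversight; `tmp` now holds only `new_mac_secret_size` while the rest of `tmp` lives in ssl3_state_internal_st. A short comment above the struct would do, e.g. `/* Fields kept here are accessed directly by ports; all other state is in ssl3_state_internal_st. */`. Separately, this changes the size and layout of a struct declared in a public header, and the diffstat lists no library version change. Code built against the old layout would read the moved fields at stale offsets; that is presumably handled in a separate commit, but it is worth confirming.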
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 294745c9f93..d520a6d249b 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.53 2016/12/21 16:44:31 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.54 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -507,7 +507,7 @@ SSL_get_client_CA_list(const SSL *s)
/* We are in the client. */
if (((s->version >> 8) == SSL3_VERSION_MAJOR) &&
(s->s3 != NULL))
- return (s->s3->tmp.ca_names);
+ return (S3I(s)->tmp.ca_names);
else
return (NULL);
} else {
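Review bot: The guard in this branch tests `s->s3 != NULL`, but the access now goes one pointer further through `s->s3->internal`, which nothing here checks. If `internal` is always allocated and freed together with `s3` (the allocation is not part of the visible hunks), this is safe and a comment at the `S3I` definition would be enough, e.g. `/* s3->internal is assumed valid whenever s3 is non-NULL */`. Otherwise the condition needs `&& S3I(s) != NULL`. The same pattern appears in SSL_get_finished, SSL_get_peer_finished, the SSL_CTRL_GET_RI_SUPPORT case of SSL_ctrl, ssl_bytes_to_cipher_list and SSL_get0_alpn_selected in ssl_lib.c.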
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 50c764ae868..96aea4c5dd6 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.128 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.129 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -702,10 +702,10 @@ SSL_get_finished(const SSL *s, void *buf, size_t count)
size_t ret = 0;
if (s->s3 != NULL) {
- ret = s->s3->tmp.finish_md_len;
+ ret = S3I(s)->tmp.finish_md_len;
if (count > ret)
count = ret;
- memcpy(buf, s->s3->tmp.finish_md, count);
+ memcpy(buf, S3I(s)->tmp.finish_md, count);
}
return (ret);
}
@@ -717,10 +717,10 @@ SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
size_t ret = 0;
if (s->s3 != NULL) {
- ret = s->s3->tmp.peer_finish_md_len;
+ ret = S3I(s)->tmp.peer_finish_md_len;
if (count > ret)
count = ret;
- memcpy(buf, s->s3->tmp.peer_finish_md, count);
+ memcpy(buf, S3I(s)->tmp.peer_finish_md, count);
}
return (ret);
}
@@ -1089,7 +1089,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
return (1);
case SSL_CTRL_GET_RI_SUPPORT:
if (s->s3)
- return (s->s3->send_connection_binding);
+ return (S3I(s)->send_connection_binding);
else return (0);
default:
return (s->method->ssl_ctrl(s, cmd, larg, parg));
@@ -1425,7 +1425,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
uint16_t cipher_value, max_version;
if (s->s3)
- s->s3->send_connection_binding = 0;
+ S3I(s)->send_connection_binding = 0;
/*
* RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2].
@@ -1464,7 +1464,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
goto err;
}
- s->s3->send_connection_binding = 1;
+ S3I(s)->send_connection_binding = 1;
continue;
}
@@ -1725,8 +1725,8 @@ SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
*len = 0;
if (ssl->s3 != NULL) {
- *data = ssl->s3->alpn_selected;
- *len = ssl->s3->alpn_selected_len;
+ *data = ssl->s3->internal->alpn_selected;
+ *len = ssl->s3->internal->alpn_selected_len;
}
}
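Review bot: These two lines spell out `ssl->s3->internal->...` while every other access converted by this commit goes through the `S3I()` accessor. Writing `*data = S3I(ssl)->alpn_selected;` and `*len = S3I(ssl)->alpn_selected_len;` keeps all internal-state access findable under one name. The function begins outside the hunk.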
@@ -2119,7 +2119,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
int
ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{
- const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
+ const SSL_CIPHER *cs = S3I(s)->tmp.new_cipher;
unsigned long alg_a;
alg_a = cs->algorithm_auth;
@@ -2148,9 +2148,9 @@ ssl_get_server_send_pkey(const SSL *s)
int i;
c = s->cert;
- ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
+ ssl_set_cert_masks(c, S3I(s)->tmp.new_cipher);
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
if (alg_a & SSL_aECDSA) {
i = SSL_PKEY_ECC;
@@ -2221,9 +2221,9 @@ ssl_get_auto_dh(SSL *s)
if (s->cert->dh_tmp_auto == 2) {
keylen = 1024;
- } else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
+ } else if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
keylen = 1024;
- if (s->s3->tmp.new_cipher->strength_bits == 256)
+ if (S3I(s)->tmp.new_cipher->strength_bits == 256)
keylen = 3072;
} else {
if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
@@ -2396,7 +2396,7 @@ SSL_get_error(const SSL *s, int i)
if (i == 0) {
if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
- (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
+ (S3I(s)->warn_alert == SSL_AD_CLOSE_NOTIFY))
return (SSL_ERROR_ZERO_RETURN);
}
return (SSL_ERROR_SYSCALL);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 5681167242f..a187c8d77a6 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.150 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.151 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -445,8 +445,125 @@ typedef struct ssl_internal_st {
} SSL_INTERNAL;
typedef struct ssl3_state_internal_st {
+ int delay_buf_pop_ret;
+ unsigned char read_sequence[SSL3_SEQUENCE_SIZE];
+ int read_mac_secret_size;
+ unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
+ unsigned char write_sequence[SSL3_SEQUENCE_SIZE];
+ int write_mac_secret_size;
+ unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
+
+ /* flags for countermeasure against known-IV weakness */
+ int need_empty_fragments;
+ int empty_fragment_done;
+
+ SSL3_RECORD rrec; /* each decoded record goes in here */
+ SSL3_RECORD wrec; /* goes out from here */
+
+ /* storage for Alert/Handshake protocol data received but not
+ * yet processed by ssl3_read_bytes: */
+ unsigned char alert_fragment[2];
+ unsigned int alert_fragment_len;
+ unsigned char handshake_fragment[4];
+ unsigned int handshake_fragment_len;
+
+ /* partial write - check the numbers match */
+ unsigned int wnum; /* number of bytes sent so far */
+ int wpend_tot; /* number bytes written */
+ int wpend_type;
+ int wpend_ret; /* number of bytes submitted */
+ const unsigned char *wpend_buf;
+
+ /* used during startup, digest all incoming/outgoing packets */
+ BIO *handshake_buffer;
+ /* When set of handshake digests is determined, buffer is hashed
+ * and freed and MD_CTX-es for all required digests are stored in
+ * this array */
+ EVP_MD_CTX **handshake_dgst;
+ /* this is set whenerver we see a change_cipher_spec message
+ * come in when we are not looking for one */
+ int change_cipher_spec;
+
+ int warn_alert;
+ int fatal_alert;
+
+ /* This flag is set when we should renegotiate ASAP, basically when
+ * there is no more data in the read or write buffers */
+ int renegotiate;
+ int total_renegotiations;
+ int num_renegotiations;
+
+ int in_read_app_data;
+
+ struct {
+ /* actually only needs to be 16+20 */
+ unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
+
+ /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
+ unsigned char finish_md[EVP_MAX_MD_SIZE*2];
+ int finish_md_len;
+ unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
+ int peer_finish_md_len;
+
+ unsigned long message_size;
+ int message_type;
+
+ /* used to hold the new cipher we are going to use */
+ const SSL_CIPHER *new_cipher;
+ DH *dh;
+
+ EC_KEY *ecdh; /* holds short lived ECDH key */
+
+ uint8_t *x25519;
+
+ /* used when SSL_ST_FLUSH_DATA is entered */
+ int next_state;
+
+ int reuse_message;
+
+ /* used for certificate requests */
+ int cert_req;
+ int ctype_num;
+ char ctype[SSL3_CT_NUMBER];
+ STACK_OF(X509_NAME) *ca_names;
+
+ int key_block_length;
+ unsigned char *key_block;
+
+ const EVP_CIPHER *new_sym_enc;
+ const EVP_AEAD *new_aead;
+ const EVP_MD *new_hash;
+ int new_mac_pkey_type;
+ int cert_request;
+ } tmp;
+
+ /* Connection binding to prevent renegotiation attacks */
+ unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
+ unsigned char previous_client_finished_len;
+ unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
+ unsigned char previous_server_finished_len;
+ int send_connection_binding; /* TODOEKR */
+
+ /* Set if we saw the Next Protocol Negotiation extension from our peer.
+ */
+ int next_proto_neg_seen;
+
+ /*
+ * ALPN information
+ * (we are in the process of transitioning from NPN to ALPN).
+ */
+
+ /*
+ * In a server these point to the selected ALPN protocol after the
+ * ClientHello has been processed. In a client these contain the
+ * protocol that the server selected once the ServerHello has been
+ * processed.
+ */
+ unsigned char *alpn_selected;
+ unsigned int alpn_selected_len;
} SSL3_STATE_INTERNAL;
+#define S3I(s) (s->s3->internal)
typedef struct dtls1_state_internal_st {
unsigned int send_cookie;
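Review bot: The `S3I` macro expands its argument unparenthesised, `(s->s3->internal)`, so it is only correct when the argument is a plain identifier; an argument such as `*sp` or a cast expression would bind incorrectly. `#define S3I(s) ((s)->s3->internal)` avoids that at no cost. The macro also dereferences `s->s3` unconditionally, which deserves a one-line comment next to the definition, since callers elsewhere on this page test only `s->s3 != NULL` before using it.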
@@ -564,7 +681,6 @@ typedef struct sess_cert_st {
int references; /* actually always 1 at the moment */
} SESS_CERT;
-
/*#define SSL_DEBUG */
/*#define RSA_DEBUG */
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 67ad1ae9248..a8998b4dec5 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.88 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.89 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -146,26 +146,26 @@
void
tls1_cleanup_key_block(SSL *s)
{
- if (s->s3->tmp.key_block != NULL) {
- explicit_bzero(s->s3->tmp.key_block,
- s->s3->tmp.key_block_length);
- free(s->s3->tmp.key_block);
- s->s3->tmp.key_block = NULL;
+ if (S3I(s)->tmp.key_block != NULL) {
+ explicit_bzero(S3I(s)->tmp.key_block,
+ S3I(s)->tmp.key_block_length);
+ free(S3I(s)->tmp.key_block);
+ S3I(s)->tmp.key_block = NULL;
}
- s->s3->tmp.key_block_length = 0;
+ S3I(s)->tmp.key_block_length = 0;
}
int
tls1_init_finished_mac(SSL *s)
{
- BIO_free(s->s3->handshake_buffer);
+ BIO_free(S3I(s)->handshake_buffer);
tls1_free_digest_list(s);
- s->s3->handshake_buffer = BIO_new(BIO_s_mem());
- if (s->s3->handshake_buffer == NULL)
+ S3I(s)->handshake_buffer = BIO_new(BIO_s_mem());
+ if (S3I(s)->handshake_buffer == NULL)
return (0);
- (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
+ (void)BIO_set_close(S3I(s)->handshake_buffer, BIO_CLOSE);
return (1);
}
@@ -177,15 +177,15 @@ tls1_free_digest_list(SSL *s)
if (s == NULL)
return;
- if (s->s3->handshake_dgst == NULL)
+ if (S3I(s)->handshake_dgst == NULL)
return;
for (i = 0; i < SSL_MAX_DIGEST; i++) {
- if (s->s3->handshake_dgst[i])
- EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
+ if (S3I(s)->handshake_dgst[i])
+ EVP_MD_CTX_destroy(S3I(s)->handshake_dgst[i]);
}
- free(s->s3->handshake_dgst);
- s->s3->handshake_dgst = NULL;
+ free(S3I(s)->handshake_dgst);
+ S3I(s)->handshake_dgst = NULL;
}
int
@@ -193,16 +193,16 @@ tls1_finish_mac(SSL *s, const unsigned char *buf, int len)
{
int i;
- if (s->s3->handshake_buffer &&
+ if (S3I(s)->handshake_buffer &&
!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
- BIO_write(s->s3->handshake_buffer, (void *)buf, len);
+ BIO_write(S3I(s)->handshake_buffer, (void *)buf, len);
return 1;
}
for (i = 0; i < SSL_MAX_DIGEST; i++) {
- if (s->s3->handshake_dgst[i] == NULL)
+ if (S3I(s)->handshake_dgst[i] == NULL)
continue;
- if (!EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len)) {
+ if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], buf, len)) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_EVP_LIB);
return 0;
}
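Review bot: The result of `BIO_write()` on the handshake buffer is discarded and the function returns 1 regardless, so a failed or short write would leave the cached handshake transcript incomplete with no error reported. Checking it keeps the failure at its source: `if (BIO_write(S3I(s)->handshake_buffer, (void *)buf, len) != len) return 0;`. Whether callers act on the return value of tls1_finish_mac is not visible here, and the function's end lies outside the hunk.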
@@ -221,12 +221,12 @@ tls1_digest_cached_records(SSL *s)
tls1_free_digest_list(s);
- s->s3->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(EVP_MD_CTX *));
- if (s->s3->handshake_dgst == NULL) {
+ S3I(s)->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(EVP_MD_CTX *));
+ if (S3I(s)->handshake_dgst == NULL) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
goto err;
}
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+ hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
if (hdatalen <= 0) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS,
SSL_R_BAD_HANDSHAKE_LENGTH);
@@ -238,17 +238,17 @@ tls1_digest_cached_records(SSL *s)
if ((mask & ssl_get_algorithm2(s)) == 0 || md == NULL)
continue;
- s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
- if (s->s3->handshake_dgst[i] == NULL) {
+ S3I(s)->handshake_dgst[i] = EVP_MD_CTX_create();
+ if (S3I(s)->handshake_dgst[i] == NULL) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS,
ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)) {
+ if (!EVP_DigestInit_ex(S3I(s)->handshake_dgst[i], md, NULL)) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_EVP_LIB);
goto err;
}
- if (!EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
+ if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], hdata,
hdatalen)) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_EVP_LIB);
goto err;
@@ -256,8 +256,8 @@ tls1_digest_cached_records(SSL *s)
}
if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+ BIO_free(S3I(s)->handshake_buffer);
+ S3I(s)->handshake_buffer = NULL;
}
return 1;
@@ -457,7 +457,7 @@ static int
tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
unsigned key_len, const unsigned char *iv, unsigned iv_len)
{
- const EVP_AEAD *aead = s->s3->tmp.new_aead;
+ const EVP_AEAD *aead = S3I(s)->tmp.new_aead;
SSL_AEAD_CTX *aead_ctx;
if (is_read) {
@@ -482,10 +482,10 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
aead_ctx->fixed_nonce_len = iv_len;
aead_ctx->variable_nonce_len = 8; /* always the case, currently. */
aead_ctx->variable_nonce_in_record =
- (s->s3->tmp.new_cipher->algorithm2 &
+ (S3I(s)->tmp.new_cipher->algorithm2 &
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0;
aead_ctx->xor_fixed_nonce =
- s->s3->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
+ S3I(s)->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
if (aead_ctx->xor_fixed_nonce) {
@@ -526,12 +526,12 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
const EVP_MD *mac;
int mac_type;
- cipher = s->s3->tmp.new_sym_enc;
- mac = s->s3->tmp.new_hash;
- mac_type = s->s3->tmp.new_mac_pkey_type;
+ cipher = S3I(s)->tmp.new_sym_enc;
+ mac = S3I(s)->tmp.new_hash;
+ mac_type = S3I(s)->tmp.new_mac_pkey_type;
if (is_read) {
- if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
+ if (S3I(s)->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
else
s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
@@ -548,7 +548,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
goto err;
s->read_hash = mac_ctx;
} else {
- if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
+ if (S3I(s)->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
else
s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -595,15 +595,15 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
mac_secret_size, (unsigned char *)mac_secret);
}
- if (s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
+ if (S3I(s)->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) {
int nid;
- if (s->s3->tmp.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
+ if (S3I(s)->tmp.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94)
nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet;
else
nid = NID_id_tc26_gost_28147_param_Z;
EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0);
- if (s->s3->tmp.new_cipher->algorithm_mac == SSL_GOST89MAC)
+ if (S3I(s)->tmp.new_cipher->algorithm_mac == SSL_GOST89MAC)
EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0);
}
@@ -628,8 +628,8 @@ tls1_change_cipher_state(SSL *s, int which)
char is_read, use_client_keys;
- cipher = s->s3->tmp.new_sym_enc;
- aead = s->s3->tmp.new_aead;
+ cipher = S3I(s)->tmp.new_sym_enc;
+ aead = S3I(s)->tmp.new_aead;
/*
* is_read is true if we have just read a ChangeCipherSpec message,
@@ -652,13 +652,13 @@ tls1_change_cipher_state(SSL *s, int which)
* dtls1_reset_seq_numbers().
*/
if (!SSL_IS_DTLS(s)) {
- seq = is_read ? s->s3->read_sequence : s->s3->write_sequence;
+ seq = is_read ? S3I(s)->read_sequence : S3I(s)->write_sequence;
memset(seq, 0, SSL3_SEQUENCE_SIZE);
}
if (aead != NULL) {
key_len = EVP_AEAD_key_length(aead);
- iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher);
+ iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->tmp.new_cipher);
} else {
key_len = EVP_CIPHER_key_length(cipher);
iv_len = EVP_CIPHER_iv_length(cipher);
@@ -670,7 +670,7 @@ tls1_change_cipher_state(SSL *s, int which)
mac_secret_size = s->s3->tmp.new_mac_secret_size;
- key_block = s->s3->tmp.key_block;
+ key_block = S3I(s)->tmp.key_block;
client_write_mac_secret = key_block;
key_block += mac_secret_size;
server_write_mac_secret = key_block;
@@ -694,17 +694,17 @@ tls1_change_cipher_state(SSL *s, int which)
iv = server_write_iv;
}
- if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) {
+ if (key_block - S3I(s)->tmp.key_block != S3I(s)->tmp.key_block_length) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err2;
}
if (is_read) {
- memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_size);
- s->s3->read_mac_secret_size = mac_secret_size;
+ memcpy(S3I(s)->read_mac_secret, mac_secret, mac_secret_size);
+ S3I(s)->read_mac_secret_size = mac_secret_size;
} else {
- memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_size);
- s->s3->write_mac_secret_size = mac_secret_size;
+ memcpy(S3I(s)->write_mac_secret, mac_secret, mac_secret_size);
+ S3I(s)->write_mac_secret_size = mac_secret_size;
}
if (aead != NULL) {
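Review bot: The two `memcpy` calls into `S3I(s)->read_mac_secret` and `S3I(s)->write_mac_secret` take their length from `mac_secret_size`, which an earlier hunk of this function still loads from the public `s->s3->tmp.new_mac_secret_size`, and nothing in this hunk compares it with the size of the destination. The `key_block_length` consistency check just above bounds what is consumed from the key block as a whole, not this copy. Assuming both secrets are fixed-size arrays (their declaration is not in this part of the diff), a local guard before the copies would make the bound explicit: `if ((size_t)mac_secret_size > sizeof(S3I(s)->read_mac_secret)) goto err2;`, preceded by the same `SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);` used above. tls1_change_cipher_state starts and ends outside the hunk.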
@@ -730,7 +730,7 @@ tls1_setup_key_block(SSL *s)
const EVP_MD *mac = NULL;
int ret = 0;
- if (s->s3->tmp.key_block_length != 0)
+ if (S3I(s)->tmp.key_block_length != 0)
return (1);
if (s->session->cipher &&
@@ -757,10 +757,10 @@ tls1_setup_key_block(SSL *s)
iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
}
- s->s3->tmp.new_aead = aead;
- s->s3->tmp.new_sym_enc = cipher;
- s->s3->tmp.new_hash = mac;
- s->s3->tmp.new_mac_pkey_type = mac_type;
+ S3I(s)->tmp.new_aead = aead;
+ S3I(s)->tmp.new_sym_enc = cipher;
+ S3I(s)->tmp.new_hash = mac;
+ S3I(s)->tmp.new_mac_pkey_type = mac_type;
s->s3->tmp.new_mac_secret_size = mac_secret_size;
tls1_cleanup_key_block(s);
@@ -772,8 +772,8 @@ tls1_setup_key_block(SSL *s)
}
key_block_len = (mac_secret_size + key_len + iv_len) * 2;
- s->s3->tmp.key_block_length = key_block_len;
- s->s3->tmp.key_block = key_block;
+ S3I(s)->tmp.key_block_length = key_block_len;
+ S3I(s)->tmp.key_block = key_block;
if ((tmp_block = malloc(key_block_len)) == NULL) {
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
@@ -789,15 +789,15 @@ tls1_setup_key_block(SSL *s)
* Enable vulnerability countermeasure for CBC ciphers with
* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
*/
- s->s3->need_empty_fragments = 1;
+ S3I(s)->need_empty_fragments = 1;
if (s->session->cipher != NULL) {
if (s->session->cipher->algorithm_enc == SSL_eNULL)
- s->s3->need_empty_fragments = 0;
+ S3I(s)->need_empty_fragments = 0;
#ifndef OPENSSL_NO_RC4
if (s->session->cipher->algorithm_enc == SSL_RC4)
- s->s3->need_empty_fragments = 0;
+ S3I(s)->need_empty_fragments = 0;
#endif
}
}
@@ -834,12 +834,12 @@ tls1_enc(SSL *s, int send)
if (send) {
aead = s->aead_write_ctx;
- rec = &s->s3->wrec;
- seq = s->s3->write_sequence;
+ rec = &S3I(s)->wrec;
+ seq = S3I(s)->write_sequence;
} else {
aead = s->aead_read_ctx;
- rec = &s->s3->rrec;
- seq = s->s3->read_sequence;
+ rec = &S3I(s)->rrec;
+ seq = S3I(s)->read_sequence;
}
if (aead) {
@@ -1102,14 +1102,14 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
unsigned int ret;
int i;
- if (s->s3->handshake_buffer)
+ if (S3I(s)->handshake_buffer)
if (!tls1_digest_cached_records(s))
return 0;
for (i = 0; i < SSL_MAX_DIGEST; i++) {
- if (s->s3->handshake_dgst[i] &&
- EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
- d = s->s3->handshake_dgst[i];
+ if (S3I(s)->handshake_dgst[i] &&
+ EVP_MD_CTX_type(S3I(s)->handshake_dgst[i]) == md_nid) {
+ d = S3I(s)->handshake_dgst[i];
break;
}
}
@@ -1141,7 +1141,7 @@ tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
q = buf;
- if (s->s3->handshake_buffer)
+ if (S3I(s)->handshake_buffer)
if (!tls1_digest_cached_records(s))
return 0;
@@ -1150,7 +1150,7 @@ tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) {
if (ssl_get_algorithm2(s) & mask) {
int hashsize = EVP_MD_size(md);
- EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
+ EVP_MD_CTX *hdgst = S3I(s)->handshake_dgst[idx];
if (!hdgst || hashsize < 0 ||
hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
/* internal error: 'buf' is too small for this cipersuite! */
@@ -1193,12 +1193,12 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
int t;
if (send) {
- rec = &(ssl->s3->wrec);
- seq = &(ssl->s3->write_sequence[0]);
+ rec = &(ssl->s3->internal->wrec);
+ seq = &(ssl->s3->internal->write_sequence[0]);
hash = ssl->write_hash;
} else {
- rec = &(ssl->s3->rrec);
- seq = &(ssl->s3->read_sequence[0]);
+ rec = &(ssl->s3->internal->rrec);
+ seq = &(ssl->s3->internal->read_sequence[0]);
hash = ssl->read_hash;
}
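Review bot: The converted lines in tls1_mac spell out `ssl->s3->internal->wrec`, `->write_sequence`, `->rrec` and `->read_sequence`, while every other converted access in this file goes through the `S3I()` accessor; the `read_mac_secret` arguments in the next hunk do the same. Writing `rec = &S3I(ssl)->wrec;` and `seq = &S3I(ssl)->write_sequence[0];` (and the read-side equivalents) would leave a single spelling to search for when auditing which code touches the internal record and sequence state. This assumes the macro accepts an argument named something other than `s`; its definition is not in this part of the diff. tls1_mac begins and ends outside the hunk.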
@@ -1241,8 +1241,8 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
if (!ssl3_cbc_digest_record(mac_ctx,
md, &md_size, header, rec->input,
rec->length + md_size, orig_len,
- ssl->s3->read_mac_secret,
- ssl->s3->read_mac_secret_size))
+ ssl->s3->internal->read_mac_secret,
+ ssl->s3->internal->read_mac_secret_size))
return -1;
} else {
EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 55624a2d24e..d1d20b6bda0 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.98 2017/01/22 06:36:49 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.99 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -863,7 +863,7 @@ skip_ext:
}
if (s->ctx->internal->next_proto_select_cb &&
- !s->s3->tmp.finish_md_len) {
+ !S3I(s)->tmp.finish_md_len) {
/* The client advertises an emtpy extension to indicate its
* support for Next Protocol Negotiation */
if ((size_t)(limit - ret) < 4)
@@ -873,7 +873,7 @@ skip_ext:
}
if (s->internal->alpn_client_proto_list != NULL &&
- s->s3->tmp.finish_md_len == 0) {
+ S3I(s)->tmp.finish_md_len == 0) {
if ((size_t)(limit - ret) <
6 + s->internal->alpn_client_proto_list_len)
return (NULL);
@@ -955,8 +955,8 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
unsigned char *ret = p;
int next_proto_neg_seen;
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
+ alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) &&
SSI(s)->tlsext_ecpointformatlist != NULL;
@@ -973,7 +973,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
s2n(0, ret);
}
- if (s->s3->send_connection_binding) {
+ if (S3I(s)->send_connection_binding) {
int el;
if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
@@ -1068,8 +1068,8 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
}
#endif
- if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
- (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
+ if (((S3I(s)->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
+ (S3I(s)->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
(SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
static const unsigned char cryptopro_ext[36] = {
0xfd, 0xe8, /*65000*/
@@ -1085,8 +1085,8 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
ret += sizeof(cryptopro_ext);
}
- next_proto_neg_seen = s->s3->next_proto_neg_seen;
- s->s3->next_proto_neg_seen = 0;
+ next_proto_neg_seen = S3I(s)->next_proto_neg_seen;
+ S3I(s)->next_proto_neg_seen = 0;
if (next_proto_neg_seen && s->ctx->internal->next_protos_advertised_cb) {
const unsigned char *npa;
unsigned int npalen;
@@ -1101,13 +1101,13 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
s2n(npalen, ret);
memcpy(ret, npa, npalen);
ret += npalen;
- s->s3->next_proto_neg_seen = 1;
+ S3I(s)->next_proto_neg_seen = 1;
}
}
- if (s->s3->alpn_selected != NULL) {
- const unsigned char *selected = s->s3->alpn_selected;
- unsigned int len = s->s3->alpn_selected_len;
+ if (S3I(s)->alpn_selected != NULL) {
+ const unsigned char *selected = S3I(s)->alpn_selected;
+ unsigned int len = S3I(s)->alpn_selected_len;
if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
return (NULL);
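Review bot: The space check `(long)(limit - ret - 4 - 2 - 1 - len) < 0` mixes a signed pointer difference with the `unsigned int len`, so on a platform where `ptrdiff_t` is no wider than `unsigned int` the subtraction is carried out in unsigned arithmetic and the outcome rests on the conversion back to `long`. The client-hello ALPN check earlier in this file already uses a clearer shape, and the same works here: `if ((size_t)(limit - ret) < 4 + 2 + 1 + (size_t)len) return (NULL);`. That form relies on `ret` never having passed `limit`, which the other checks in this function appear to assume as well. ssl_add_serverhello_tlsext continues outside the hunk.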
@@ -1175,13 +1175,13 @@ tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
CBS_data(&alpn), CBS_len(&alpn),
s->ctx->internal->alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
- free(s->s3->alpn_selected);
- if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) {
+ free(S3I(s)->alpn_selected);
+ if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
return (-1);
}
- memcpy(s->s3->alpn_selected, selected, selected_len);
- s->s3->alpn_selected_len = selected_len;
+ memcpy(S3I(s)->alpn_selected, selected, selected_len);
+ S3I(s)->alpn_selected_len = selected_len;
}
return (1);
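Review bot: `S3I(s)->alpn_selected` is freed and reassigned here, but on the malloc failure path the pointer ends up NULL while `S3I(s)->alpn_selected_len` keeps its previous value. The reset sequences in ssl_parse_clienthello_tlsext and ssl_parse_serverhello_tlsext later in this diff likewise clear the pointer without touching the length. The one reader visible in this diff gates on the pointer, so this is about keeping the pointer/length pair consistent for any reader that does not. Adding `S3I(s)->alpn_selected_len = 0;` directly after each `free(S3I(s)->alpn_selected);` would do it. tls1_alpn_handle_client_hello starts outside the hunk.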
@@ -1205,9 +1205,9 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
s->servername_done = 0;
s->tlsext_status_type = -1;
- s->s3->next_proto_neg_seen = 0;
- free(s->s3->alpn_selected);
- s->s3->alpn_selected = NULL;
+ S3I(s)->next_proto_neg_seen = 0;
+ free(S3I(s)->alpn_selected);
+ S3I(s)->alpn_selected = NULL;
s->srtp_profile = NULL;
if (data == end)
@@ -1529,8 +1529,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
}
}
else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0 &&
- s->s3->alpn_selected == NULL) {
+ S3I(s)->tmp.finish_md_len == 0 &&
+ S3I(s)->alpn_selected == NULL) {
/* We shouldn't accept this extension on a
* renegotiation.
*
@@ -1542,21 +1542,21 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
* anything like that, but this might change).
* A valid sign that there's been a previous handshake
- * in this connection is if s->s3->tmp.finish_md_len >
+ * in this connection is if S3I(s)->tmp.finish_md_len >
* 0. (We are talking about a check that will happen
* in the Hello protocol round, well before a new
* Finished message could have been computed.) */
- s->s3->next_proto_neg_seen = 1;
+ S3I(s)->next_proto_neg_seen = 1;
}
else if (type ==
TLSEXT_TYPE_application_layer_protocol_negotiation &&
s->ctx->internal->alpn_select_cb != NULL &&
- s->s3->tmp.finish_md_len == 0) {
+ S3I(s)->tmp.finish_md_len == 0) {
if (tls1_alpn_handle_client_hello(s, data,
size, al) != 1)
return (0);
/* ALPN takes precedence over NPN. */
- s->s3->next_proto_neg_seen = 0;
+ S3I(s)->next_proto_neg_seen = 0;
}
/* session ticket processed earlier */
@@ -1624,9 +1624,9 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
int tlsext_servername = 0;
int renegotiate_seen = 0;
- s->s3->next_proto_neg_seen = 0;
- free(s->s3->alpn_selected);
- s->s3->alpn_selected = NULL;
+ S3I(s)->next_proto_neg_seen = 0;
+ free(S3I(s)->alpn_selected);
+ S3I(s)->alpn_selected = NULL;
if (data == end)
goto ri_check;
@@ -1714,7 +1714,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
s->tlsext_status_expected = 1;
}
else if (type == TLSEXT_TYPE_next_proto_neg &&
- s->s3->tmp.finish_md_len == 0) {
+ S3I(s)->tmp.finish_md_len == 0) {
unsigned char *selected;
unsigned char selected_len;
@@ -1742,7 +1742,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
}
memcpy(s->internal->next_proto_negotiated, selected, selected_len);
s->internal->next_proto_negotiated_len = selected_len;
- s->s3->next_proto_neg_seen = 1;
+ S3I(s)->next_proto_neg_seen = 1;
}
else if (type ==
TLSEXT_TYPE_application_layer_protocol_negotiation) {
@@ -1773,14 +1773,14 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, size_t n, int *al)
*al = TLS1_AD_DECODE_ERROR;
return (0);
}
- free(s->s3->alpn_selected);
- s->s3->alpn_selected = malloc(len);
- if (s->s3->alpn_selected == NULL) {
+ free(S3I(s)->alpn_selected);
+ S3I(s)->alpn_selected = malloc(len);
+ if (S3I(s)->alpn_selected == NULL) {
*al = TLS1_AD_INTERNAL_ERROR;
return (0);
}
- memcpy(s->s3->alpn_selected, data + 3, len);
- s->s3->alpn_selected_len = len;
+ memcpy(S3I(s)->alpn_selected, data + 3, len);
+ S3I(s)->alpn_selected_len = len;
} else if (type == TLSEXT_TYPE_renegotiate) {
if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
@@ -1948,8 +1948,8 @@ ssl_check_serverhello_tlsext(SSL *s)
* suite, then if server returns an EC point formats lists extension
* it must contain uncompressed.
*/
- unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ unsigned long alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey;
+ unsigned long alg_a = S3I(s)->tmp.new_cipher->algorithm_auth;
if ((s->tlsext_ecpointformatlist != NULL) &&
(s->tlsext_ecpointformatlist_length > 0) &&
(SSI(s)->tlsext_ecpointformatlist != NULL) &&
diff --git a/lib/libssl/t1_reneg.c b/lib/libssl/t1_reneg.c
index 294a632b8f3..52f17b7d2ba 100644
--- a/lib/libssl/t1_reneg.c
+++ b/lib/libssl/t1_reneg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_reneg.c,v 1.11 2015/06/20 16:42:48 doug Exp $ */
+/* $OpenBSD: t1_reneg.c,v 1.12 2017/01/22 09:02:07 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -122,22 +122,22 @@ ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
int maxlen)
{
if (p) {
- if ((s->s3->previous_client_finished_len + 1) > maxlen) {
+ if ((S3I(s)->previous_client_finished_len + 1) > maxlen) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATE_EXT_TOO_LONG);
return 0;
}
/* Length byte */
- *p = s->s3->previous_client_finished_len;
+ *p = S3I(s)->previous_client_finished_len;
p++;
- memcpy(p, s->s3->previous_client_finished,
- s->s3->previous_client_finished_len);
+ memcpy(p, S3I(s)->previous_client_finished,
+ S3I(s)->previous_client_finished_len);
}
- *len = s->s3->previous_client_finished_len + 1;
+ *len = S3I(s)->previous_client_finished_len + 1;
return 1;
}
@@ -168,22 +168,22 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
}
/* Check that the extension matches */
- if (CBS_len(&reneg) != s->s3->previous_client_finished_len) {
+ if (CBS_len(&reneg) != S3I(s)->previous_client_finished_len) {
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
- if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
- s->s3->previous_client_finished_len)) {
+ if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
+ S3I(s)->previous_client_finished_len)) {
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
- s->s3->send_connection_binding = 1;
+ S3I(s)->send_connection_binding = 1;
return 1;
}
@@ -194,29 +194,29 @@ ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
int maxlen)
{
if (p) {
- if ((s->s3->previous_client_finished_len +
- s->s3->previous_server_finished_len + 1) > maxlen) {
+ if ((S3I(s)->previous_client_finished_len +
+ S3I(s)->previous_server_finished_len + 1) > maxlen) {
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATE_EXT_TOO_LONG);
return 0;
}
/* Length byte */
- *p = s->s3->previous_client_finished_len +
- s->s3->previous_server_finished_len;
+ *p = S3I(s)->previous_client_finished_len +
+ S3I(s)->previous_server_finished_len;
p++;
- memcpy(p, s->s3->previous_client_finished,
- s->s3->previous_client_finished_len);
- p += s->s3->previous_client_finished_len;
+ memcpy(p, S3I(s)->previous_client_finished,
+ S3I(s)->previous_client_finished_len);
+ p += S3I(s)->previous_client_finished_len;
- memcpy(p, s->s3->previous_server_finished,
- s->s3->previous_server_finished_len);
+ memcpy(p, S3I(s)->previous_server_finished,
+ S3I(s)->previous_server_finished_len);
}
- *len = s->s3->previous_client_finished_len +
- s->s3->previous_server_finished_len + 1;
+ *len = S3I(s)->previous_client_finished_len +
+ S3I(s)->previous_server_finished_len + 1;
return 1;
}
@@ -227,12 +227,12 @@ int
ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, int *al)
{
CBS cbs, reneg, previous_client, previous_server;
- int expected_len = s->s3->previous_client_finished_len +
- s->s3->previous_server_finished_len;
+ int expected_len = S3I(s)->previous_client_finished_len +
+ S3I(s)->previous_server_finished_len;
/* Check for logic errors */
- OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len);
- OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
+ OPENSSL_assert(!expected_len || S3I(s)->previous_client_finished_len);
+ OPENSSL_assert(!expected_len || S3I(s)->previous_server_finished_len);
if (len < 0) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
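Review bot: The two `OPENSSL_assert` calls at the top of ssl_parse_serverhello_renegotiate_ext abort the whole process when the saved Finished lengths are inconsistent, whereas every other failure in this function sets `*al` and returns 0. Whether a peer can ever drive the connection into that state is not visible from this hunk, but a library parser handling a ServerHello extension is better off failing the handshake than taking the application down. Replacing both asserts with an ordinary error return, as sketched below, keeps the check and removes the abort. The function body continues in the following hunks.

```c
	/* Check for logic errors */
	if (expected_len != 0 &&
	    (S3I(s)->previous_client_finished_len == 0 ||
	    S3I(s)->previous_server_finished_len == 0)) {
		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
		    ERR_R_INTERNAL_ERROR);
		*al = SSL_AD_INTERNAL_ERROR;
		return 0;
	}
	/* … unchanged: len < 0 check and CBS parsing … */
```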
@@ -255,9 +255,9 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
/* Check that the extension matches */
if (CBS_len(&reneg) != expected_len ||
!CBS_get_bytes(&reneg, &previous_client,
- s->s3->previous_client_finished_len) ||
+ S3I(s)->previous_client_finished_len) ||
!CBS_get_bytes(&reneg, &previous_server,
- s->s3->previous_server_finished_len) ||
+ S3I(s)->previous_server_finished_len) ||
CBS_len(&reneg) != 0) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATION_MISMATCH);
@@ -265,14 +265,14 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
return 0;
}
- if (!CBS_mem_equal(&previous_client, s->s3->previous_client_finished,
+ if (!CBS_mem_equal(&previous_client, S3I(s)->previous_client_finished,
CBS_len(&previous_client))) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
- if (!CBS_mem_equal(&previous_server, s->s3->previous_server_finished,
+ if (!CBS_mem_equal(&previous_server, S3I(s)->previous_server_finished,
CBS_len(&previous_server))) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATION_MISMATCH);
@@ -280,7 +280,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
return 0;
}
- s->s3->send_connection_binding = 1;
+ S3I(s)->send_connection_binding = 1;
return 1;
}