authorjsing <jsing@openbsd.org>2020-10-15 18:00:31 +0000
committerjsing <jsing@openbsd.org>2020-10-15 18:00:31 +0000
commit8ae961d92def59843c3162d5e77eb466e0a342aa (patch)
tree49ed1a33554a91fcc1e3660c2271e01e3a03e594
parentImprove poll and event handling. (diff)
Unbreak DTLS retransmissions for flights that include a CCS.
When retransmitting a flight that includes a CCS, the record protection from the previous epoch has to be used to send the messages up to and including the CCS, with messages after the CCS using record protection from the current epoch. The code that restores the record protection state failed to work correctly with the new TLSv1.2 record layer. ok tb@
-rw-r--r--lib/libssl/d1_both.c15
1 files changed, 8 insertions, 7 deletions
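--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.61 2020/10/11 03:47:59 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.62 2020/10/15 18:00:31 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1055,18 +1055,18 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 frag->msg_header.frag_len);
 /* save current state */
- saved_state.enc_write_ctx = s->internal->enc_write_ctx;
- saved_state.write_hash = s->internal->write_hash;
 saved_state.session = s->session;
 saved_state.epoch = D1I(s)->w_epoch;
 D1I(s)->retransmitting = 1;
 /* restore state in which the message was originally sent */
- s->internal->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
- s->internal->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
 s->session = frag->msg_header.saved_retransmit_state.session;
 D1I(s)->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
+ if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
+ frag->msg_header.saved_retransmit_state.enc_write_ctx,
+ frag->msg_header.saved_retransmit_state.write_hash, 0))
+ return 0;
 if (frag->msg_header.saved_retransmit_state.epoch ==
 saved_state.epoch - 1) {
@@ -1080,10 +1080,11 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
 /* restore current state */
- s->internal->enc_write_ctx = saved_state.enc_write_ctx;
- s->internal->write_hash = saved_state.write_hash;
 s->session = saved_state.session;
 D1I(s)->w_epoch = saved_state.epoch;
+ if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl,
+ s->internal->enc_write_ctx, s->internal->write_hash, 0))
+ return 0;
 if (frag->msg_header.saved_retransmit_state.epoch ==
 saved_state.epoch - 1) {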
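Review bot: The `return 0` added after the w_epoch restore in the second hunk fires after s->session and D1I(s)->w_epoch have already been switched to the saved retransmit state and D1I(s)->retransmitting has been set to 1, so on that failure path the connection is left with the previous flight's session and epoch and the `restore current state` block never runs; whether the caller tears the connection down on a 0 return is not visible here. Since the tls12_record_layer_set_write_cipher_hash call does not read those two fields, moving it ahead of the two assignments and adding `D1I(s)->retransmitting = 0;` in its failure branch keeps the early exit from leaving half-switched state. The `return 0` in the third hunk is reached after session and epoch are restored, but retransmitting is likewise not visibly reset within these hunks. dtls1_retransmit_message begins before the second hunk and continues past the third.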