From 8c44fcb9215f8eed00a64fe894737e6047f0a22d Mon Sep 17 00:00:00 2001
From: Joel Sing
Date: Fri, 11 Sep 2015 17:03:04 +0000
Subject: Nuke ssl3_change_cipher_state(). ok "flensing knife"
---
 lib/libssl/src/ssl/s3_enc.c | 110 +-----------------------------------------
 lib/libssl/src/ssl/ssl_locl.h | 3 +-
 2 files changed, 2 insertions(+), 111 deletions(-)
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c
index ced10834974..14c29e4eddd 100644
--- a/lib/libssl/src/ssl/s3_enc.c
+++ b/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.66 2015/09/11 17:01:19 jsing Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.67 2015/09/11 17:03:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -163,114 +163,6 @@ static unsigned char ssl3_pad_2[48] = { static int ssl3_handshake_mac(SSL *s, int md_nid, const char *sender, int len, unsigned char *p); -int -ssl3_change_cipher_state(SSL *s, int which) -{ - const unsigned char *client_write_mac_secret, *server_write_mac_secret; - const unsigned char *client_write_key, *server_write_key; - const unsigned char *client_write_iv, *server_write_iv; - const unsigned char *mac_secret, *key, *iv; - unsigned char *key_block; - int mac_len, key_len, iv_len; - char is_read, use_client_keys; - EVP_CIPHER_CTX *cipher_ctx; - const EVP_CIPHER *cipher; - const EVP_MD *mac; - - - cipher = s->s3->tmp.new_sym_enc; - mac = s->s3->tmp.new_hash; - - /* mac == NULL will lead to a crash later */ - OPENSSL_assert(mac); - - /* - * is_read is true if we have just read a ChangeCipherSpec message, - * that is we need to update the read cipherspec. Otherwise we have - * just written one. - */ - is_read = (which & SSL3_CC_READ) != 0; - - /* - * use_client_keys is true if we wish to use the keys for the "client - * write" direction. This is the case if we're a client sending a - * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. - */ - use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || - (which == SSL3_CHANGE_CIPHER_SERVER_READ)); - - - if (is_read) { - EVP_CIPHER_CTX_free(s->enc_read_ctx); - s->enc_read_ctx = NULL; - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->enc_read_ctx = cipher_ctx; - - if (ssl_replace_hash(&s->read_hash, mac) == NULL) - goto err; - } else { - EVP_CIPHER_CTX_free(s->enc_write_ctx); - s->enc_write_ctx = NULL; - if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto err; - s->enc_write_ctx = cipher_ctx; - - if (ssl_replace_hash(&s->write_hash, mac) == NULL) - goto err; - } - - memset(is_read ? 
s->s3->read_sequence : s->s3->write_sequence, - 0, SSL3_SEQUENCE_SIZE); - - mac_len = EVP_MD_size(mac); - key_len = EVP_CIPHER_key_length(cipher); - iv_len = EVP_CIPHER_iv_length(cipher); - - if (mac_len < 0) - goto err2; - - key_block = s->s3->tmp.key_block; - client_write_mac_secret = key_block; - key_block += mac_len; - server_write_mac_secret = key_block; - key_block += mac_len; - client_write_key = key_block; - key_block += key_len; - server_write_key = key_block; - key_block += key_len; - client_write_iv = key_block; - key_block += iv_len; - server_write_iv = key_block; - key_block += iv_len; - - if (use_client_keys) { - mac_secret = client_write_mac_secret; - key = client_write_key; - iv = client_write_iv; - } else { - mac_secret = server_write_mac_secret; - key = server_write_key; - iv = server_write_iv; - } - - if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err2; - } - - memcpy(is_read ? s->s3->read_mac_secret : s->s3->write_mac_secret, - mac_secret, mac_len); - - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); - - return (1); -err: - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); -err2: - return (0); -} - void ssl3_cleanup_key_block(SSL *s) {
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index ec30c9cb6a1..e4c6c451961 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.109 2015/09/11 17:01:19 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.110 2015/09/11 17:03:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -603,7 +603,6 @@ int ssl3_send_newsession_ticket(SSL *s);
 int ssl3_send_cert_status(SSL *s);
 int ssl3_get_finished(SSL *s, int state_a, int state_b);
 int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
-int ssl3_change_cipher_state(SSL *s, int which);
 void ssl3_cleanup_key_block(SSL *s);
 int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
-- cgit v1.2.3