From b0ed34bb3747533bf0286779b2dbe48eaf1a77c1 Mon Sep 17 00:00:00 2001
From: Joel Sing <jsing@cvs.openbsd.org>
Date: Wed, 24 Mar 2021 18:40:04 +0000
Subject: Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

Move TLSv1.2 specific components over from SSL_HANDSHAKE.

ok inoguchi@ tb@
---
 lib/libssl/ssl_clnt.c | 14 +++++++-------
 lib/libssl/ssl_locl.h | 33 ++++++++++++++++++++-------------
 lib/libssl/ssl_pkt.c  |  4 ++--
 lib/libssl/ssl_srvr.c | 18 +++++++++---------
 lib/libssl/t1_enc.c   | 19 ++++++++++---------
 5 files changed, 48 insertions(+), 40 deletions(-)

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 06941530c6e..0f602bef7e4 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.86 2021/03/11 17:14:46 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.87 2021/03/24 18:40:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -278,7 +278,7 @@ ssl3_connect(SSL *s)
 
 			if (SSL_is_dtls(s) && D1I(s)->send_cookie) {
 				S3I(s)->hs.state = SSL3_ST_CW_FLUSH;
-				S3I(s)->hs.next_state = SSL3_ST_CR_SRVR_HELLO_A;
+				S3I(s)->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
 			} else
 				S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
 
@@ -509,14 +509,14 @@ ssl3_connect(SSL *s)
 
 			/* clear flags */
 			if (s->internal->hit) {
-				S3I(s)->hs.next_state = SSL_ST_OK;
+				S3I(s)->hs.tls12.next_state = SSL_ST_OK;
 			} else {
 				/* Allow NewSessionTicket if ticket expected */
 				if (s->internal->tlsext_ticket_expected)
-					S3I(s)->hs.next_state =
+					S3I(s)->hs.tls12.next_state =
 					    SSL3_ST_CR_SESSION_TICKET_A;
 				else
-					S3I(s)->hs.next_state =
+					S3I(s)->hs.tls12.next_state =
 					    SSL3_ST_CR_FINISHED_A;
 			}
 			s->internal->init_num = 0;
@@ -567,14 +567,14 @@ ssl3_connect(SSL *s)
 					/* If the write error was fatal, stop trying */
 					if (!BIO_should_retry(s->wbio)) {
 						s->internal->rwstate = SSL_NOTHING;
-						S3I(s)->hs.state = S3I(s)->hs.next_state;
+						S3I(s)->hs.state = S3I(s)->hs.tls12.next_state;
 					}
 				}
 				ret = -1;
 				goto end;
 			}
 			s->internal->rwstate = SSL_NOTHING;
-			S3I(s)->hs.state = S3I(s)->hs.next_state;
+			S3I(s)->hs.state = S3I(s)->hs.tls12.next_state;
 			break;
 
 		case SSL_ST_OK:
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 33eb3bba7df..5f953b8e64e 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.328 2021/03/21 18:36:34 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.329 2021/03/24 18:40:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -416,6 +416,15 @@ typedef struct cert_pkey_st {
 	STACK_OF(X509) *chain;
 } CERT_PKEY;
 
+typedef struct ssl_handshake_tls12_st {
+	/* Used when SSL_ST_FLUSH_DATA is entered. */
+	int next_state;
+
+	/* Record-layer key block for TLS 1.2 and earlier. */
+	unsigned char *key_block;
+	size_t key_block_len;
+} SSL_HANDSHAKE_TLS12;
+
 typedef struct ssl_handshake_tls13_st {
 	int use_legacy;
 	int hrr;
@@ -466,27 +475,25 @@ typedef struct ssl_handshake_st {
 	 */
 	uint16_t negotiated_tls_version;
 
-	SSL_HANDSHAKE_TLS13 tls13;
-
-	/* state contains one of the SSL3_ST_* values. */
+	/*
+	 * Current handshake state - contains one of the SSL3_ST_* values and
+	 * is used by the TLSv1.2 state machine, as well as being updated by
+	 * the TLSv1.3 stack due to it being exposed externally.
+	 */
 	int state;
 
-	/* used when SSL_ST_FLUSH_DATA is entered */
-	int next_state;
-
-	/*  new_cipher is the cipher being negotiated in this handshake. */
+	/* Cipher being negotiated in this handshake. */
 	const SSL_CIPHER *new_cipher;
 
-	/* key_block is the record-layer key block for TLS 1.2 and earlier. */
-	size_t key_block_len;
-	unsigned char *key_block;
-
 	/* Extensions seen in this handshake. */
 	uint32_t extensions_seen;
 
 	/* sigalgs offered in this handshake in wire form */
-	size_t sigalgs_len;
 	uint8_t *sigalgs;
+	size_t sigalgs_len;
+
+	SSL_HANDSHAKE_TLS12 tls12;
+	SSL_HANDSHAKE_TLS13 tls13;
 } SSL_HANDSHAKE;
 
 struct tls12_record_layer;
diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index 5b1af504fb5..37bee9e69f0 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.37 2021/03/10 18:27:02 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.38 2021/03/24 18:40:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1163,7 +1163,7 @@ ssl3_do_change_cipher_spec(SSL *s)
 	else
 		i = SSL3_CHANGE_CIPHER_CLIENT_READ;
 
-	if (S3I(s)->hs.key_block == NULL) {
+	if (S3I(s)->hs.tls12.key_block == NULL) {
 		if (s->session == NULL || s->session->master_key_length == 0) {
 			/* might happen if dtls1_read_bytes() calls this */
 			SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 19fedde87ab..3dc87a00c80 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.97 2021/03/11 17:14:47 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.98 2021/03/24 18:40:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -290,9 +290,9 @@ ssl3_accept(SSL *s)
 			if (ret <= 0)
 				goto end;
 			if (SSL_is_dtls(s))
-				S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
+				S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
 			else
-				S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C;
+				S3I(s)->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;
 			S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
 			s->internal->init_num = 0;
 
@@ -365,7 +365,7 @@ ssl3_accept(SSL *s)
 			if (ret <= 0)
 				goto end;
 			S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
-			S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
+			S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
 
 			/* HelloVerifyRequest resets Finished MAC. */
 			tls1_transcript_reset(s);
@@ -488,7 +488,7 @@ ssl3_accept(SSL *s)
 			ret = ssl3_send_server_done(s);
 			if (ret <= 0)
 				goto end;
-			S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A;
+			S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CERT_A;
 			S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
 			s->internal->init_num = 0;
 			break;
@@ -510,14 +510,14 @@ ssl3_accept(SSL *s)
 					/* If the write error was fatal, stop trying. */
 					if (!BIO_should_retry(s->wbio)) {
 						s->internal->rwstate = SSL_NOTHING;
-						S3I(s)->hs.state = S3I(s)->hs.next_state;
+						S3I(s)->hs.state = S3I(s)->hs.tls12.next_state;
 					}
 				}
 				ret = -1;
 				goto end;
 			}
 			s->internal->rwstate = SSL_NOTHING;
-			S3I(s)->hs.state = S3I(s)->hs.next_state;
+			S3I(s)->hs.state = S3I(s)->hs.tls12.next_state;
 			break;
 
 		case SSL3_ST_SR_CERT_A:
@@ -674,10 +674,10 @@ ssl3_accept(SSL *s)
 				goto end;
 			S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
 			if (s->internal->hit) {
-				S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
+				S3I(s)->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;
 				tls1_transcript_free(s);
 			} else
-				S3I(s)->hs.next_state = SSL_ST_OK;
+				S3I(s)->hs.tls12.next_state = SSL_ST_OK;
 			s->internal->init_num = 0;
 			break;
 
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 05a5b1d9534..5d889fa6654 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.133 2021/02/27 14:20:50 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.134 2021/03/24 18:40:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -152,9 +152,9 @@ int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
 void
 tls1_cleanup_key_block(SSL *s)
 {
-	freezero(S3I(s)->hs.key_block, S3I(s)->hs.key_block_len);
-	S3I(s)->hs.key_block = NULL;
-	S3I(s)->hs.key_block_len = 0;
+	freezero(S3I(s)->hs.tls12.key_block, S3I(s)->hs.tls12.key_block_len);
+	S3I(s)->hs.tls12.key_block = NULL;
+	S3I(s)->hs.tls12.key_block_len = 0;
 }
 
 void
@@ -351,7 +351,7 @@ tls1_change_cipher_state(SSL *s, int which)
 
 	mac_secret_size = S3I(s)->tmp.new_mac_secret_size;
 
-	key_block = S3I(s)->hs.key_block;
+	key_block = S3I(s)->hs.tls12.key_block;
 	client_write_mac_secret = key_block;
 	key_block += mac_secret_size;
 	server_write_mac_secret = key_block;
@@ -375,7 +375,8 @@ tls1_change_cipher_state(SSL *s, int which)
 		iv = server_write_iv;
 	}
 
-	if (key_block - S3I(s)->hs.key_block != S3I(s)->hs.key_block_len) {
+	if (key_block - S3I(s)->hs.tls12.key_block !=
+	    S3I(s)->hs.tls12.key_block_len) {
 		SSLerror(s, ERR_R_INTERNAL_ERROR);
 		goto err;
 	}
@@ -410,7 +411,7 @@ tls1_setup_key_block(SSL *s)
 	const EVP_MD *mac_hash = NULL;
 	int ret = 0;
 
-	if (S3I(s)->hs.key_block_len != 0)
+	if (S3I(s)->hs.tls12.key_block_len != 0)
 		return (1);
 
 	if (s->session->cipher &&
@@ -451,8 +452,8 @@ tls1_setup_key_block(SSL *s)
 	}
 	key_block_len = (mac_secret_size + key_len + iv_len) * 2;
 
-	S3I(s)->hs.key_block_len = key_block_len;
-	S3I(s)->hs.key_block = key_block;
+	S3I(s)->hs.tls12.key_block_len = key_block_len;
+	S3I(s)->hs.tls12.key_block = key_block;
 
 	if (!tls1_generate_key_block(s, key_block, key_block_len))
 		goto err;
-- 
cgit v1.2.3