move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and

other perversions touches them sickly and unnaturally.

src/lib/libssl/d1_enc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.13 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.14 2017/01/23 08:08:06 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -162,16 +162,16 @@ dtls1_enc(SSL *s, int send)
 			}
 		}
 	} else {
-		if (EVP_MD_CTX_md(s->internal->read_hash)) {
-			mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+		if (EVP_MD_CTX_md(s->read_hash)) {
+			mac_size = EVP_MD_CTX_size(s->read_hash);
 			OPENSSL_assert(mac_size >= 0);
 		}
-		ds = s->internal->enc_read_ctx;
+		ds = s->enc_read_ctx;
 		rec = &(S3I(s)->rrec);
-		if (s->internal->enc_read_ctx == NULL)
+		if (s->enc_read_ctx == NULL)
 			enc = NULL;
 		else
-			enc = EVP_CIPHER_CTX_cipher(s->internal->enc_read_ctx);
+			enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
 	}
 
 

src/lib/libssl/d1_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.54 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.55 2017/01/23 08:08:06 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -375,12 +375,12 @@ dtls1_process_record(SSL *s)
 
 
 	/* r->length is now the compressed data plus mac */
-	if ((sess != NULL) && (s->internal->enc_read_ctx != NULL) &&
-	    (EVP_MD_CTX_md(s->internal->read_hash) != NULL)) {
-		/* s->internal->read_hash != NULL => mac_size != -1 */
+	if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
+	    (EVP_MD_CTX_md(s->read_hash) != NULL)) {
+		/* s->read_hash != NULL => mac_size != -1 */
 		unsigned char *mac = NULL;
 		unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-		mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+		mac_size = EVP_MD_CTX_size(s->read_hash);
 		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
 		/* kludge: *_cbc_remove_padding passes padding length in rr->type */
@@ -393,14 +393,14 @@ dtls1_process_record(SSL *s)
 		 */
 		if (orig_len < mac_size ||
 			/* CBC records must have a padding length byte too. */
-		    (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
 		    orig_len < mac_size + 1)) {
 			al = SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
 			goto f_err;
 		}
 
-		if (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
+		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
 			/* We update the length so that the TLS header bytes
 			 * can be constructed correctly but we need to extract
 			 * the MAC in constant time from within the record,
@@ -759,7 +759,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 		/* make sure that we are not getting application data when we
 		 * are doing a handshake for the first time */
 		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-			(s->internal->enc_read_ctx == NULL)) {
+			(s->enc_read_ctx == NULL)) {
 			al = SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);
 			goto f_err;

src/lib/libssl/s3_cbc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.15 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.16 2017/01/23 08:08:06 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -135,7 +135,7 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
 
 	padding_length = rec->data[rec->length - 1];
 
-	if (EVP_CIPHER_flags(s->internal->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+	if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
 		/* padding is already verified */
 		rec->length -= padding_length + 1;
 		return 1;

src/lib/libssl/s3_pkt.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.64 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.65 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -395,13 +395,13 @@ ssl3_get_record(SSL *s)
 
 
 	/* r->length is now the compressed data plus mac */
-	if ((sess != NULL) && (s->internal->enc_read_ctx != NULL) &&
-	    (EVP_MD_CTX_md(s->internal->read_hash) != NULL)) {
-		/* s->internal->read_hash != NULL => mac_size != -1 */
+	if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
+	    (EVP_MD_CTX_md(s->read_hash) != NULL)) {
+		/* s->read_hash != NULL => mac_size != -1 */
 		unsigned char *mac = NULL;
 		unsigned char mac_tmp[EVP_MAX_MD_SIZE];
 
-		mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+		mac_size = EVP_MD_CTX_size(s->read_hash);
 		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
 		/* kludge: *_cbc_remove_padding passes padding length in rr->type */
@@ -414,14 +414,14 @@ ssl3_get_record(SSL *s)
 		 */
 		if (orig_len < mac_size ||
 			/* CBC records must have a padding length byte too. */
-		    (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
 		    orig_len < mac_size + 1)) {
 			al = SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
 			goto f_err;
 		}
 
-		if (EVP_CIPHER_CTX_mode(s->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
+		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
 			/* We update the length so that the TLS header bytes
 			 * can be constructed correctly but we need to extract
 			 * the MAC in constant time from within the record,
@@ -960,7 +960,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 		/* make sure that we are not getting application data when we
 		 * are doing a handshake for the first time */
 		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-			(s->internal->enc_read_ctx == NULL)) {
+			(s->enc_read_ctx == NULL)) {
 			al = SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerr(SSL_F_SSL3_READ_BYTES,
 			    SSL_R_APP_DATA_IN_HANDSHAKE);

src/lib/libssl/ssl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.114 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: ssl.h,v 1.115 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -894,6 +894,14 @@ struct ssl_st {
 	SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
 #define session_ctx initial_ctx
 
+	/*
+	 * XXX really should be internal, but is
+	 * touched unnaturally by wpa-supplicant
+	 * and freeradius and other perversions
+	 */
+	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
+	EVP_MD_CTX *read_hash;			/* used for mac generation */
+
 	struct ssl_internal_st *internal;
 };
 

src/lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.135 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.136 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -221,7 +221,7 @@ SSL_clear(SSL *s)
 	s->internal->init_buf = NULL;
 
 	ssl_clear_cipher_ctx(s);
-	ssl_clear_hash_ctx(&s->internal->read_hash);
+	ssl_clear_hash_ctx(&s->read_hash);
 	ssl_clear_hash_ctx(&s->internal->write_hash);
 
 	s->internal->first_packet = 0;
@@ -528,7 +528,7 @@ SSL_free(SSL *s)
 	}
 
 	ssl_clear_cipher_ctx(s);
-	ssl_clear_hash_ctx(&s->internal->read_hash);
+	ssl_clear_hash_ctx(&s->read_hash);
 	ssl_clear_hash_ctx(&s->internal->write_hash);
 
 	if (s->cert != NULL)
@@ -2434,7 +2434,7 @@ SSL_set_accept_state(SSL *s)
 	s->internal->handshake_func = s->method->ssl_accept;
 	/* clear the current cipher */
 	ssl_clear_cipher_ctx(s);
-	ssl_clear_hash_ctx(&s->internal->read_hash);
+	ssl_clear_hash_ctx(&s->read_hash);
 	ssl_clear_hash_ctx(&s->internal->write_hash);
 }
 
@@ -2447,7 +2447,7 @@ SSL_set_connect_state(SSL *s)
 	s->internal->handshake_func = s->method->ssl_connect;
 	/* clear the current cipher */
 	ssl_clear_cipher_ctx(s);
-	ssl_clear_hash_ctx(&s->internal->read_hash);
+	ssl_clear_hash_ctx(&s->read_hash);
 	ssl_clear_hash_ctx(&s->internal->write_hash);
 }
 
@@ -2732,8 +2732,8 @@ SSL_dup(SSL *s)
 void
 ssl_clear_cipher_ctx(SSL *s)
 {
-	EVP_CIPHER_CTX_free(s->internal->enc_read_ctx);
-	s->internal->enc_read_ctx = NULL;
+	EVP_CIPHER_CTX_free(s->enc_read_ctx);
+	s->enc_read_ctx = NULL;
 	EVP_CIPHER_CTX_free(s->internal->enc_write_ctx);
 	s->internal->enc_write_ctx = NULL;
 

src/lib/libssl/ssl_locl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.158 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.159 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -670,9 +670,6 @@ typedef struct ssl_internal_st {
 					   enc_read_ctx and read_hash are
 					   ignored. */
 
-	EVP_CIPHER_CTX *enc_read_ctx;		/* cryptographic state */
-	EVP_MD_CTX *read_hash;			/* used for mac generation */
-
 	SSL_AEAD_CTX *aead_write_ctx;	/* AEAD context. If non-NULL, then
 					   enc_write_ctx and write_hash are
 					   ignored. */

src/lib/libssl/t1_enc.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.90 2017/01/23 06:45:30 beck Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.91 2017/01/23 08:08:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -536,17 +536,17 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
 		else
 			s->internal->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
 
-		EVP_CIPHER_CTX_free(s->internal->enc_read_ctx);
-		s->internal->enc_read_ctx = NULL;
-		EVP_MD_CTX_destroy(s->internal->read_hash);
-		s->internal->read_hash = NULL;
+		EVP_CIPHER_CTX_free(s->enc_read_ctx);
+		s->enc_read_ctx = NULL;
+		EVP_MD_CTX_destroy(s->read_hash);
+		s->read_hash = NULL;
 
 		if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
 			goto err;
-		s->internal->enc_read_ctx = cipher_ctx;
+		s->enc_read_ctx = cipher_ctx;
 		if ((mac_ctx = EVP_MD_CTX_create()) == NULL)
 			goto err;
-		s->internal->read_hash = mac_ctx;
+		s->read_hash = mac_ctx;
 	} else {
 		if (S3I(s)->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
 			s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -1016,15 +1016,15 @@ tls1_enc(SSL *s, int send)
 			}
 		}
 	} else {
-		if (EVP_MD_CTX_md(s->internal->read_hash)) {
-			int n = EVP_MD_CTX_size(s->internal->read_hash);
+		if (EVP_MD_CTX_md(s->read_hash)) {
+			int n = EVP_MD_CTX_size(s->read_hash);
 			OPENSSL_assert(n >= 0);
 		}
-		ds = s->internal->enc_read_ctx;
-		if (s->internal->enc_read_ctx == NULL)
+		ds = s->enc_read_ctx;
+		if (s->enc_read_ctx == NULL)
 			enc = NULL;
 		else
-			enc = EVP_CIPHER_CTX_cipher(s->internal->enc_read_ctx);
+			enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
 	}
 
 	if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
@@ -1085,8 +1085,8 @@ tls1_enc(SSL *s, int send)
 		}
 
 		ret = 1;
-		if (EVP_MD_CTX_md(s->internal->read_hash) != NULL)
-			mac_size = EVP_MD_CTX_size(s->internal->read_hash);
+		if (EVP_MD_CTX_md(s->read_hash) != NULL)
+			mac_size = EVP_MD_CTX_size(s->read_hash);
 		if ((bs != 1) && !send)
 			ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
 		if (pad && !send)
@@ -1199,7 +1199,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 	} else {
 		rec = &(ssl->s3->internal->rrec);
 		seq = &(ssl->s3->internal->read_sequence[0]);
-		hash = ssl->internal->read_hash;
+		hash = ssl->read_hash;
 	}
 
 	t = EVP_MD_CTX_size(hash);
@@ -1232,7 +1232,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
 	header[12] = (rec->length) & 0xff;
 
 	if (!send &&
-	    EVP_CIPHER_CTX_mode(ssl->internal->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+	    EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
 	    ssl3_cbc_record_digest_supported(mac_ctx)) {
 		/* This is a CBC-encrypted record. We must avoid leaking any
 		 * timing-side channel information about how many blocks of