Convert all of the straight forward client handshake handling code to use

the new handshake functions.

ok miod@

6 files changed, 134 insertions, 212 deletions

diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 490e2849f1..3687f5917c 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.40 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.41 2014/12/14 16:19:38 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -759,14 +759,12 @@ end:
 int
 dtls1_client_hello(SSL *s)
 {
-        unsigned char *buf;
-        unsigned char *p, *d;
+        unsigned char *bufend, *d, *p;
         unsigned int i;
-        unsigned long l;
 
-        buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
                 SSL_SESSION *sess = s->session;
+
                 if ((s->session == NULL) ||
                     (s->session->ssl_version != s->version) ||
                     (!sess->session_id_length && !sess->tlsext_tick) ||
@@ -785,8 +783,7 @@ dtls1_client_hello(SSL *s)
                 if (i == sizeof(s->s3->client_random))
                         arc4random_buf(p, sizeof(s->s3->client_random));
 
-                /* Do the message type and length last */
-                d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
+                d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
 
                 *(p++) = s->version >> 8;
                 *(p++) = s->version&0xff;
@@ -835,29 +832,20 @@ dtls1_client_hello(SSL *s)
                 *(p++) = 1;
                 *(p++) = 0; /* Add the NULL method */
 
-                if ((p = ssl_add_clienthello_tlsext(s, p,
-                    buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
+                bufend = (unsigned char *)s->init_buf->data +
+                    SSL3_RT_MAX_PLAIN_LENGTH;
+                if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
                         SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
 
-                l = (p - d);
-                d = buf;
-
-                d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO,
-                    l, 0, l);
+                ssl3_handshake_msg_finish(s, p - d);
 
                 s->state = SSL3_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num = p - buf;
-                s->init_off = 0;
-
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
         }
 
         /* SSL3_ST_CW_CLNT_HELLO_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 err:
         return (-1);
 }
@@ -919,10 +907,9 @@ f_err:
 int
 dtls1_send_client_key_exchange(SSL *s)
 {
-        unsigned char *p, *d;
+        unsigned char *p, *q;
         int n;
         unsigned long alg_k;
-        unsigned char *q;
         EVP_PKEY *pkey = NULL;
         EC_KEY *clnt_ecdh = NULL;
         const EC_POINT *srvr_ecpoint = NULL;
@@ -932,8 +919,7 @@ dtls1_send_client_key_exchange(SSL *s)
         BN_CTX * bn_ctx = NULL;
 
         if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[DTLS1_HM_HEADER_LENGTH]);
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE);
 
                 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
@@ -1217,26 +1203,13 @@ dtls1_send_client_key_exchange(SSL *s)
                         goto err;
                 }
 
-                d = dtls1_set_message_header(s, d,
-                    SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
-                /*
-                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
-                 l2n3(n,d);
-                 l2n(s->d1->handshake_write_seq,d);
-                 s->d1->handshake_write_seq++;
-                */
+                ssl3_handshake_msg_finish(s, n);
 
                 s->state = SSL3_ST_CW_KEY_EXCH_B;
-                /* number of bytes to write */
-                s->init_num = n + DTLS1_HM_HEADER_LENGTH;
-                s->init_off = 0;
-
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
         }
 
         /* SSL3_ST_CW_KEY_EXCH_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 
 err:
         BN_CTX_free(bn_ctx);
@@ -1249,7 +1222,7 @@ err:
 int
 dtls1_send_client_verify(SSL *s)
 {
-        unsigned char *p, *d;
+        unsigned char *p;
         unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
         EVP_PKEY *pkey;
         unsigned u = 0;
@@ -1257,8 +1230,8 @@ dtls1_send_client_verify(SSL *s)
         int j;
 
         if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[DTLS1_HM_HEADER_LENGTH]);
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY);
+
                 pkey = s->cert->key->privatekey;
 
                 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
@@ -1304,20 +1277,14 @@ dtls1_send_client_verify(SSL *s)
                         goto err;
                 }
 
-                d = dtls1_set_message_header(s, d,
-                    SSL3_MT_CERTIFICATE_VERIFY, n, 0, n);
-
-                s->init_num = (int)n + DTLS1_HM_HEADER_LENGTH;
-                s->init_off = 0;
-
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
+                ssl3_handshake_msg_finish(s, n);
 
                 s->state = SSL3_ST_CW_CERT_VRFY_B;
         }
 
         /* s->state = SSL3_ST_CW_CERT_VRFY_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
+
 err:
         return (-1);
 }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 8e7c19f2f0..47b6824533 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.101 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.102 2014/12/14 16:19:38 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -642,14 +642,12 @@ end:
 int
 ssl3_client_hello(SSL *s)
 {
-        unsigned char   *buf;
-        unsigned char   *p, *d;
+        unsigned char   *bufend, *p, *d;
         int              i;
-        unsigned long    l;
 
-        buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
                 SSL_SESSION *sess = s->session;
+
                 if ((sess == NULL) ||
                     (sess->ssl_version != s->version) ||
                     (!sess->session_id_length && !sess->tlsext_tick) ||
@@ -661,8 +659,7 @@ ssl3_client_hello(SSL *s)
 
                 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
-                /* Do the message type and length last */
-                d = p = &buf[4];
+                d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
 
                 /*
                  * Version indicates the negotiated version: for example from
@@ -747,26 +744,22 @@ ssl3_client_hello(SSL *s)
                             SSL_R_CLIENTHELLO_TLSEXT);
                         goto err;
                 }
-                if ((p = ssl_add_clienthello_tlsext(s, p,
-                    buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
+                bufend = (unsigned char *)s->init_buf->data +
+                    SSL3_RT_MAX_PLAIN_LENGTH;
+                if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
 
-                l = (p - d);
-                d = buf;
-                *(d++) = SSL3_MT_CLIENT_HELLO;
-                l2n3(l, d);
-
                 s->state = SSL3_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num = p - buf;
-                s->init_off = 0;
+
+                ssl3_handshake_msg_finish(s, p - d);
         }
 
         /* SSL3_ST_CW_CLNT_HELLO_B */
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
+
 err:
         return (-1);
 }
@@ -1884,10 +1877,9 @@ ssl3_get_server_done(SSL *s)
 int
 ssl3_send_client_key_exchange(SSL *s)
 {
-        unsigned char   *p, *d;
+        unsigned char   *p, *q;
         int              n;
         unsigned long    alg_k;
-        unsigned char   *q;
         EVP_PKEY        *pkey = NULL;
         EC_KEY          *clnt_ecdh = NULL;
         const EC_POINT  *srvr_ecpoint = NULL;
@@ -1897,8 +1889,7 @@ ssl3_send_client_key_exchange(SSL *s)
         BN_CTX          *bn_ctx = NULL;
 
         if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[4]);
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE);
 
                 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
@@ -1999,7 +1990,8 @@ ssl3_send_client_key_exchange(SSL *s)
                         /* Generate master key from the result. */
                         s->session->master_key_length =
                         s->method->ssl3_enc->generate_master_secret(s,
-                        s->session->master_key, p, n);
+                            s->session->master_key, p, n);
+
                         /* Clean up. */
                         memset(p, 0, n);
 
@@ -2299,26 +2291,21 @@ ssl3_send_client_key_exchange(SSL *s)
                             s->session->master_key, premaster_secret, 32);
                         EVP_PKEY_free(pub_key);
 
-                }
-                else {
+                } else {
                         ssl3_send_alert(s, SSL3_AL_FATAL,
-                        SSL_AD_HANDSHAKE_FAILURE);
+                            SSL_AD_HANDSHAKE_FAILURE);
                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
 
-                *(d++) = SSL3_MT_CLIENT_KEY_EXCHANGE;
-                l2n3(n, d);
-
                 s->state = SSL3_ST_CW_KEY_EXCH_B;
-                /* number of bytes to write */
-                s->init_num = n + 4;
-                s->init_off = 0;
+
+                ssl3_handshake_msg_finish(s, n);
         }
 
         /* SSL3_ST_CW_KEY_EXCH_B */
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 
 err:
         BN_CTX_free(bn_ctx);
@@ -2331,7 +2318,7 @@ err:
 int
 ssl3_send_client_verify(SSL *s)
 {
-        unsigned char   *p, *d;
+        unsigned char   *p;
         unsigned char    data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
         EVP_PKEY        *pkey;
         EVP_PKEY_CTX    *pctx = NULL;
@@ -2343,13 +2330,13 @@ ssl3_send_client_verify(SSL *s)
         EVP_MD_CTX_init(&mctx);
 
         if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[4]);
-                pkey = s->cert->key->privatekey;
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY);
+
                 /*
                  * Create context from key and test if sha1 is allowed as
                  * digest.
                  */
+                pkey = s->cert->key->privatekey;
                 pctx = EVP_PKEY_CTX_new(pkey, NULL);
                 EVP_PKEY_sign_init(pctx);
                 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
@@ -2468,16 +2455,17 @@ ssl3_send_client_verify(SSL *s)
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
-                *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
-                l2n3(n, d);
 
                 s->state = SSL3_ST_CW_CERT_VRFY_B;
-                s->init_num = (int)n + 4;
-                s->init_off = 0;
+
+                ssl3_handshake_msg_finish(s, n);
         }
+
         EVP_MD_CTX_cleanup(&mctx);
         EVP_PKEY_CTX_free(pctx);
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+
+        return (ssl3_handshake_write(s));
+
 err:
         EVP_MD_CTX_cleanup(&mctx);
         EVP_PKEY_CTX_free(pctx);
@@ -2632,24 +2620,26 @@ int
 ssl3_send_next_proto(SSL *s)
 {
         unsigned int     len, padding_len;
-        unsigned char   *d;
+        unsigned char   *d, *p;
 
         if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
+                d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEXT_PROTO);
+
                 len = s->next_proto_negotiated_len;
                 padding_len = 32 - ((len + 2) % 32);
-                d = (unsigned char *)s->init_buf->data;
-                d[4] = len;
-                memcpy(d + 5, s->next_proto_negotiated, len);
-                d[5 + len] = padding_len;
-                memset(d + 6 + len, 0, padding_len);
-                *(d++) = SSL3_MT_NEXT_PROTO;
-                l2n3(2 + len + padding_len, d);
+                *(p++) = len;
+                memcpy(p, s->next_proto_negotiated, len);
+                p += len;
+                *(p++) = padding_len;
+                memset(p, 0, padding_len);
+                p += padding_len;
+
+                ssl3_handshake_msg_finish(s, p - d);
+
                 s->state = SSL3_ST_CW_NEXT_PROTO_B;
-                s->init_num = 4 + 2 + len + padding_len;
-                s->init_off = 0;
         }
 
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 }
 
 /*
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 490e2849f1..3687f5917c 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.40 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.41 2014/12/14 16:19:38 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -759,14 +759,12 @@ end:
 int
 dtls1_client_hello(SSL *s)
 {
-        unsigned char *buf;
-        unsigned char *p, *d;
+        unsigned char *bufend, *d, *p;
         unsigned int i;
-        unsigned long l;
 
-        buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
                 SSL_SESSION *sess = s->session;
+
                 if ((s->session == NULL) ||
                     (s->session->ssl_version != s->version) ||
                     (!sess->session_id_length && !sess->tlsext_tick) ||
@@ -785,8 +783,7 @@ dtls1_client_hello(SSL *s)
                 if (i == sizeof(s->s3->client_random))
                         arc4random_buf(p, sizeof(s->s3->client_random));
 
-                /* Do the message type and length last */
-                d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
+                d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
 
                 *(p++) = s->version >> 8;
                 *(p++) = s->version&0xff;
@@ -835,29 +832,20 @@ dtls1_client_hello(SSL *s)
                 *(p++) = 1;
                 *(p++) = 0; /* Add the NULL method */
 
-                if ((p = ssl_add_clienthello_tlsext(s, p,
-                    buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
+                bufend = (unsigned char *)s->init_buf->data +
+                    SSL3_RT_MAX_PLAIN_LENGTH;
+                if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
                         SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
 
-                l = (p - d);
-                d = buf;
-
-                d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO,
-                    l, 0, l);
+                ssl3_handshake_msg_finish(s, p - d);
 
                 s->state = SSL3_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num = p - buf;
-                s->init_off = 0;
-
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
         }
 
         /* SSL3_ST_CW_CLNT_HELLO_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 err:
         return (-1);
 }
@@ -919,10 +907,9 @@ f_err:
 int
 dtls1_send_client_key_exchange(SSL *s)
 {
-        unsigned char *p, *d;
+        unsigned char *p, *q;
         int n;
         unsigned long alg_k;
-        unsigned char *q;
         EVP_PKEY *pkey = NULL;
         EC_KEY *clnt_ecdh = NULL;
         const EC_POINT *srvr_ecpoint = NULL;
@@ -932,8 +919,7 @@ dtls1_send_client_key_exchange(SSL *s)
         BN_CTX * bn_ctx = NULL;
 
         if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[DTLS1_HM_HEADER_LENGTH]);
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE);
 
                 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
@@ -1217,26 +1203,13 @@ dtls1_send_client_key_exchange(SSL *s)
                         goto err;
                 }
 
-                d = dtls1_set_message_header(s, d,
-                    SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
-                /*
-                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
-                 l2n3(n,d);
-                 l2n(s->d1->handshake_write_seq,d);
-                 s->d1->handshake_write_seq++;
-                */
+                ssl3_handshake_msg_finish(s, n);
 
                 s->state = SSL3_ST_CW_KEY_EXCH_B;
-                /* number of bytes to write */
-                s->init_num = n + DTLS1_HM_HEADER_LENGTH;
-                s->init_off = 0;
-
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
         }
 
         /* SSL3_ST_CW_KEY_EXCH_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 
 err:
         BN_CTX_free(bn_ctx);
@@ -1249,7 +1222,7 @@ err:
 int
 dtls1_send_client_verify(SSL *s)
 {
-        unsigned char *p, *d;
+        unsigned char *p;
         unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
         EVP_PKEY *pkey;
         unsigned u = 0;
@@ -1257,8 +1230,8 @@ dtls1_send_client_verify(SSL *s)
         int j;
 
         if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[DTLS1_HM_HEADER_LENGTH]);
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY);
+
                 pkey = s->cert->key->privatekey;
 
                 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
@@ -1304,20 +1277,14 @@ dtls1_send_client_verify(SSL *s)
                         goto err;
                 }
 
-                d = dtls1_set_message_header(s, d,
-                    SSL3_MT_CERTIFICATE_VERIFY, n, 0, n);
-
-                s->init_num = (int)n + DTLS1_HM_HEADER_LENGTH;
-                s->init_off = 0;
-
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
+                ssl3_handshake_msg_finish(s, n);
 
                 s->state = SSL3_ST_CW_CERT_VRFY_B;
         }
 
         /* s->state = SSL3_ST_CW_CERT_VRFY_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
+
 err:
         return (-1);
 }
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 8e7c19f2f0..47b6824533 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.101 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.102 2014/12/14 16:19:38 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -642,14 +642,12 @@ end:
 int
 ssl3_client_hello(SSL *s)
 {
-        unsigned char   *buf;
-        unsigned char   *p, *d;
+        unsigned char   *bufend, *p, *d;
         int              i;
-        unsigned long    l;
 
-        buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
                 SSL_SESSION *sess = s->session;
+
                 if ((sess == NULL) ||
                     (sess->ssl_version != s->version) ||
                     (!sess->session_id_length && !sess->tlsext_tick) ||
@@ -661,8 +659,7 @@ ssl3_client_hello(SSL *s)
 
                 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
-                /* Do the message type and length last */
-                d = p = &buf[4];
+                d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
 
                 /*
                  * Version indicates the negotiated version: for example from
@@ -747,26 +744,22 @@ ssl3_client_hello(SSL *s)
                             SSL_R_CLIENTHELLO_TLSEXT);
                         goto err;
                 }
-                if ((p = ssl_add_clienthello_tlsext(s, p,
-                    buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
+                bufend = (unsigned char *)s->init_buf->data +
+                    SSL3_RT_MAX_PLAIN_LENGTH;
+                if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
 
-                l = (p - d);
-                d = buf;
-                *(d++) = SSL3_MT_CLIENT_HELLO;
-                l2n3(l, d);
-
                 s->state = SSL3_ST_CW_CLNT_HELLO_B;
-                /* number of bytes to write */
-                s->init_num = p - buf;
-                s->init_off = 0;
+
+                ssl3_handshake_msg_finish(s, p - d);
         }
 
         /* SSL3_ST_CW_CLNT_HELLO_B */
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
+
 err:
         return (-1);
 }
@@ -1884,10 +1877,9 @@ ssl3_get_server_done(SSL *s)
 int
 ssl3_send_client_key_exchange(SSL *s)
 {
-        unsigned char   *p, *d;
+        unsigned char   *p, *q;
         int              n;
         unsigned long    alg_k;
-        unsigned char   *q;
         EVP_PKEY        *pkey = NULL;
         EC_KEY          *clnt_ecdh = NULL;
         const EC_POINT  *srvr_ecpoint = NULL;
@@ -1897,8 +1889,7 @@ ssl3_send_client_key_exchange(SSL *s)
         BN_CTX          *bn_ctx = NULL;
 
         if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[4]);
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE);
 
                 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
@@ -1999,7 +1990,8 @@ ssl3_send_client_key_exchange(SSL *s)
                         /* Generate master key from the result. */
                         s->session->master_key_length =
                         s->method->ssl3_enc->generate_master_secret(s,
-                        s->session->master_key, p, n);
+                            s->session->master_key, p, n);
+
                         /* Clean up. */
                         memset(p, 0, n);
 
@@ -2299,26 +2291,21 @@ ssl3_send_client_key_exchange(SSL *s)
                             s->session->master_key, premaster_secret, 32);
                         EVP_PKEY_free(pub_key);
 
-                }
-                else {
+                } else {
                         ssl3_send_alert(s, SSL3_AL_FATAL,
-                        SSL_AD_HANDSHAKE_FAILURE);
+                            SSL_AD_HANDSHAKE_FAILURE);
                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
 
-                *(d++) = SSL3_MT_CLIENT_KEY_EXCHANGE;
-                l2n3(n, d);
-
                 s->state = SSL3_ST_CW_KEY_EXCH_B;
-                /* number of bytes to write */
-                s->init_num = n + 4;
-                s->init_off = 0;
+
+                ssl3_handshake_msg_finish(s, n);
         }
 
         /* SSL3_ST_CW_KEY_EXCH_B */
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 
 err:
         BN_CTX_free(bn_ctx);
@@ -2331,7 +2318,7 @@ err:
 int
 ssl3_send_client_verify(SSL *s)
 {
-        unsigned char   *p, *d;
+        unsigned char   *p;
         unsigned char    data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
         EVP_PKEY        *pkey;
         EVP_PKEY_CTX    *pctx = NULL;
@@ -2343,13 +2330,13 @@ ssl3_send_client_verify(SSL *s)
         EVP_MD_CTX_init(&mctx);
 
         if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
-                d = (unsigned char *)s->init_buf->data;
-                p = &(d[4]);
-                pkey = s->cert->key->privatekey;
+                p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY);
+
                 /*
                  * Create context from key and test if sha1 is allowed as
                  * digest.
                  */
+                pkey = s->cert->key->privatekey;
                 pctx = EVP_PKEY_CTX_new(pkey, NULL);
                 EVP_PKEY_sign_init(pctx);
                 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
@@ -2468,16 +2455,17 @@ ssl3_send_client_verify(SSL *s)
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
-                *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
-                l2n3(n, d);
 
                 s->state = SSL3_ST_CW_CERT_VRFY_B;
-                s->init_num = (int)n + 4;
-                s->init_off = 0;
+
+                ssl3_handshake_msg_finish(s, n);
         }
+
         EVP_MD_CTX_cleanup(&mctx);
         EVP_PKEY_CTX_free(pctx);
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+
+        return (ssl3_handshake_write(s));
+
 err:
         EVP_MD_CTX_cleanup(&mctx);
         EVP_PKEY_CTX_free(pctx);
@@ -2632,24 +2620,26 @@ int
 ssl3_send_next_proto(SSL *s)
 {
         unsigned int     len, padding_len;
-        unsigned char   *d;
+        unsigned char   *d, *p;
 
         if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
+                d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEXT_PROTO);
+
                 len = s->next_proto_negotiated_len;
                 padding_len = 32 - ((len + 2) % 32);
-                d = (unsigned char *)s->init_buf->data;
-                d[4] = len;
-                memcpy(d + 5, s->next_proto_negotiated, len);
-                d[5 + len] = padding_len;
-                memset(d + 6 + len, 0, padding_len);
-                *(d++) = SSL3_MT_NEXT_PROTO;
-                l2n3(2 + len + padding_len, d);
+                *(p++) = len;
+                memcpy(p, s->next_proto_negotiated, len);
+                p += len;
+                *(p++) = padding_len;
+                memset(p, 0, padding_len);
+                p += padding_len;
+
+                ssl3_handshake_msg_finish(s, p - d);
+
                 s->state = SSL3_ST_CW_NEXT_PROTO_B;
-                s->init_num = 4 + 2 + len + padding_len;
-                s->init_off = 0;
         }
 
-        return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
+        return (ssl3_handshake_write(s));
 }
 
 /*
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 20ccaf1675..97e32de380 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.82 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.83 2014/12/14 16:19:38 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -653,6 +653,10 @@ long	ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
 long    ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
 int     ssl3_pending(const SSL *s);
 
+unsigned char *ssl3_handshake_msg_start(SSL *s, uint8_t htype);
+void ssl3_handshake_msg_finish(SSL *s, unsigned int len);
+int ssl3_handshake_write(SSL *s);
+
 void ssl3_record_sequence_increment(unsigned char *seq);
 int ssl3_do_change_cipher_spec(SSL *ssl);
 long ssl3_default_timeout(void);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 20ccaf1675..97e32de380 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.82 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.83 2014/12/14 16:19:38 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -653,6 +653,10 @@ long	ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
 long    ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
 int     ssl3_pending(const SSL *s);
 
+unsigned char *ssl3_handshake_msg_start(SSL *s, uint8_t htype);
+void ssl3_handshake_msg_finish(SSL *s, unsigned int len);
+int ssl3_handshake_write(SSL *s);
+
 void ssl3_record_sequence_increment(unsigned char *seq);
 int ssl3_do_change_cipher_spec(SSL *ssl);
 long ssl3_default_timeout(void);