1 files changed, 28 insertions, 18 deletions
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index cfe82a05fc..d3a372fc6d 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.18 2020/02/21 16:06:00 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.19 2020/02/21 16:16:59 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -625,8 +625,11 @@ ssl3_create_record(SSL *s, unsigned char *p, int type, const unsigned char *buf,
 {
        SSL3_RECORD *wr = &(S3I(s)->wrec);
        SSL_SESSION *sess = s->session;
-        unsigned char *plen;
        int eivlen, mac_size;
+        uint16_t version;
+        CBB cbb;
+        memset(&cbb, 0, sizeof(cbb));
        if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) ||
            (EVP_MD_CTX_md(s->internal->write_hash) == NULL)) {
@@ -637,24 +640,25 @@ ssl3_create_record(SSL *s, unsigned char *p, int type, const unsigned char *buf,
                        goto err;
        }
-        /* write the header */
+        /*
+         * Some servers hang if initial client hello is larger than 256
-        *(p++) = type&0xff;
+         * bytes and record version number > TLS 1.0.
-        wr->type = type;
-        *(p++) = (s->version >> 8);
-        /* Some servers hang if iniatial client hello is larger than 256
-         * bytes and record version number > TLS 1.0
         */
+        version = s->version;
        if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate &&
            TLS1_get_version(s) > TLS1_VERSION)
-                *(p++) = 0x1;
+                version = TLS1_VERSION;
-        else
-                *(p++) = s->version&0xff;
-        /* field where we are to write out packet length */
+        if (!CBB_init_fixed(&cbb, p, SSL3_RT_HEADER_LENGTH))
-        plen = p;
+                goto err;
-        p += 2;
+        /* Write the header. */
+        if (!CBB_add_u8(&cbb, type))
+                goto err;
+        if (!CBB_add_u16(&cbb, version))
+                goto err;
+        p += SSL3_RT_HEADER_LENGTH;
        /* Explicit IV length. */
        eivlen = 0;
@@ -671,6 +675,7 @@ ssl3_create_record(SSL *s, unsigned char *p, int type, const unsigned char *buf,
        }
        /* lets setup the record stuff. */
+        wr->type = type;
        wr->data = p + eivlen;
        wr->length = (int)len;
        wr->input = (unsigned char *)buf;
@@ -704,17 +709,22 @@ ssl3_create_record(SSL *s, unsigned char *p, int type, const unsigned char *buf,
        s->method->internal->ssl3_enc->enc(s, 1);
        /* record length after mac and block padding */
-        s2n(wr->length, plen);
+        if (!CBB_add_u16(&cbb, wr->length))
+                goto err;
+        if (!CBB_finish(&cbb, NULL, NULL))
+                goto err;
        /* we should now have
         * wr->data pointing to the encrypted data, which is
         * wr->length long */
-        wr->type=type; /* not needed but helps for debugging */
+        wr->type = type; /* not needed but helps for debugging */
        wr->length += SSL3_RT_HEADER_LENGTH;
        return 1;
 err:
+        CBB_cleanup(&cbb);
        return 0;
 }

diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index cfe82a05fc..d3a372fc6d 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_pkt.c,v 1.18 2020/02/21 16:06:00 jsing Exp $ */	1	/* $OpenBSD: ssl_pkt.c,v 1.19 2020/02/21 16:16:59 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -625,8 +625,11 @@ ssl3_create_record(SSL s, unsigned char p, int type, const unsigned char *buf,
625	{	625	{
626	SSL3_RECORD *wr = &(S3I(s)->wrec);	626	SSL3_RECORD *wr = &(S3I(s)->wrec);
627	SSL_SESSION *sess = s->session;	627	SSL_SESSION *sess = s->session;
628	unsigned char *plen;
629	int eivlen, mac_size;	628	int eivlen, mac_size;
		629	uint16_t version;
		630	CBB cbb;
		631
		632	memset(&cbb, 0, sizeof(cbb));
630		633
631	if ((sess == NULL) \|\| (s->internal->enc_write_ctx == NULL) \|\|	634	if ((sess == NULL) \|\| (s->internal->enc_write_ctx == NULL) \|\|
632	(EVP_MD_CTX_md(s->internal->write_hash) == NULL)) {	635	(EVP_MD_CTX_md(s->internal->write_hash) == NULL)) {
@@ -637,24 +640,25 @@ ssl3_create_record(SSL s, unsigned char p, int type, const unsigned char *buf,
637	goto err;	640	goto err;
638	}	641	}
639		642
640	/* write the header */	643	/*
641		644	* Some servers hang if initial client hello is larger than 256
642	*(p++) = type&0xff;	645	* bytes and record version number > TLS 1.0.
643	wr->type = type;
644
645	*(p++) = (s->version >> 8);
646	/* Some servers hang if iniatial client hello is larger than 256
647	* bytes and record version number > TLS 1.0
648	*/	646	*/
		647	version = s->version;
649	if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate &&	648	if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate &&
650	TLS1_get_version(s) > TLS1_VERSION)	649	TLS1_get_version(s) > TLS1_VERSION)
651	*(p++) = 0x1;	650	version = TLS1_VERSION;
652	else
653	*(p++) = s->version&0xff;
654		651
655	/* field where we are to write out packet length */	652	if (!CBB_init_fixed(&cbb, p, SSL3_RT_HEADER_LENGTH))
656	plen = p;	653	goto err;
657	p += 2;	654
		655	/* Write the header. */
		656	if (!CBB_add_u8(&cbb, type))
		657	goto err;
		658	if (!CBB_add_u16(&cbb, version))
		659	goto err;
		660
		661	p += SSL3_RT_HEADER_LENGTH;
658		662
659	/* Explicit IV length. */	663	/* Explicit IV length. */
660	eivlen = 0;	664	eivlen = 0;
@@ -671,6 +675,7 @@ ssl3_create_record(SSL s, unsigned char p, int type, const unsigned char *buf,
671	}	675	}
672		676
673	/* lets setup the record stuff. */	677	/* lets setup the record stuff. */
		678	wr->type = type;
674	wr->data = p + eivlen;	679	wr->data = p + eivlen;
675	wr->length = (int)len;	680	wr->length = (int)len;
676	wr->input = (unsigned char *)buf;	681	wr->input = (unsigned char *)buf;
@@ -704,17 +709,22 @@ ssl3_create_record(SSL s, unsigned char p, int type, const unsigned char *buf,
704	s->method->internal->ssl3_enc->enc(s, 1);	709	s->method->internal->ssl3_enc->enc(s, 1);
705		710
706	/* record length after mac and block padding */	711	/* record length after mac and block padding */
707	s2n(wr->length, plen);	712	if (!CBB_add_u16(&cbb, wr->length))
		713	goto err;
		714	if (!CBB_finish(&cbb, NULL, NULL))
		715	goto err;
708		716
709	/* we should now have	717	/* we should now have
710	* wr->data pointing to the encrypted data, which is	718	* wr->data pointing to the encrypted data, which is
711	* wr->length long */	719	* wr->length long */
712	wr->type=type; /* not needed but helps for debugging */	720	wr->type = type; /* not needed but helps for debugging */
713	wr->length += SSL3_RT_HEADER_LENGTH;	721	wr->length += SSL3_RT_HEADER_LENGTH;
714		722
715	return 1;	723	return 1;
716		724
717	err:	725	err:
		726	CBB_cleanup(&cbb);
		727
718	return 0;	728	return 0;
719	}	729	}
720		730