6 files changed, 300 insertions, 186 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index bd4267238f..f27588fcff 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.22 2014/07/02 20:45:26 miod Exp $ */
+/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -233,8 +233,11 @@ dtls1_do_write(SSL *s, int type)
                s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
                    BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
-                /* I've seen the kernel return bogus numbers when it doesn't know
+                /*
-                 * (initial write), so just make sure we have a reasonable number */
+                 * I've seen the kernel return bogus numbers when it
+                 * doesn't know the MTU (ie., the initial write), so just
+                 * make sure we have a reasonable number
+                 */
                if (s->d1->mtu < dtls1_min_mtu()) {
                        s->d1->mtu = 0;
                        s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -306,11 +309,12 @@ dtls1_do_write(SSL *s, int type)
                ret = dtls1_write_bytes(s, type,
                    &s->init_buf->data[s->init_off], len);
                if (ret < 0) {
-                        /* might need to update MTU here, but we don't know
+                        /*
-                         * which previous packet caused the failure -- so can't
+                         * Might need to update MTU here, but we don't know
-                         * really retransmit anything.  continue as if everything
+                         * which previous packet caused the failure -- so
-                         * is fine and wait for an alert to handle the
+                         * can't really retransmit anything.  continue as
-                         * retransmit
+                         * if everything is fine and wait for an alert to
+                         * handle the retransmit
                         */
                        if (BIO_ctrl(SSL_get_wbio(s),
                            BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0)
@@ -320,22 +324,30 @@ dtls1_do_write(SSL *s, int type)
                                return (-1);
                } else {
-                        /* bad if this assert fails, only part of the handshake
+                        /*
-                         * message got sent.  but why would this happen? */
+                         * Bad if this assert fails, only part of the
+                         * handshake message got sent.  but why would
+                         * this happen?
+                         */
                        OPENSSL_assert(len == (unsigned int)ret);
                        if (type == SSL3_RT_HANDSHAKE &&
                            !s->d1->retransmitting) {
-                                /* should not be done for 'Hello Request's, but in that case
+                                /*
-                                 * we'll ignore the result anyway */
+                                 * Should not be done for 'Hello Request's,
+                                 * but in that case we'll ignore the result
+                                 * anyway
+                                 */
                                unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
                                const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
                                int xlen;
                                if (frag_off == 0 &&
                                    s->version != DTLS1_BAD_VER) {
-                                        /* reconstruct message header is if it
+                                        /*
-                                         * is being sent in single fragment */
+                                         * Reconstruct message header is if it
+                                         * is being sent in single fragment
+                                         */
                                        *p++ = msg_hdr->type;
                                        l2n3(msg_hdr->msg_len, p);
                                        s2n (msg_hdr->seq, p);
@@ -373,7 +385,8 @@ dtls1_do_write(SSL *s, int type)
 }
-/* Obtain handshake message of message type 'mt' (any if mt == -1),
+/*
+ * Obtain handshake message of message type 'mt' (any if mt == -1),
 * maximum acceptable body length 'max'.
 * Read an entire handshake message.  Handshake messages arrive in
 * fragments.
@@ -386,8 +399,10 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
        unsigned char *p;
        unsigned long msg_len;
-        /* s3->tmp is used to store messages that are unexpected, caused
+        /*
-         * by the absence of an optional handshake message */
+         * s3->tmp is used to store messages that are unexpected, caused
+         * by the absence of an optional handshake message
+         */
        if (s->s3->tmp.reuse_message) {
                s->s3->tmp.reuse_message = 0;
                if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
@@ -472,8 +487,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
        if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
        {
-                /* msg_len is limited to 2^24, but is effectively checked
+                /*
-                 * against max above */
+                 * msg_len is limited to 2^24, but is effectively checked
+                 * against max above
+                 */
                if (!BUF_MEM_grow_clean(s->init_buf,
                    msg_len + DTLS1_HM_HEADER_LENGTH)) {
                        SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
@@ -486,8 +503,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
                s->d1->r_msg_hdr.type = msg_hdr->type;
                s->d1->r_msg_hdr.seq = msg_hdr->seq;
        } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
-                /* They must be playing with us! BTW, failure to enforce
+                /*
-                 * upper limit would open possibility for buffer overrun. */
+                 * They must be playing with us! BTW, failure to enforce
+                 * upper limit would open possibility for buffer overrun.
+                 */
                SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
                    SSL_R_EXCESSIVE_MESSAGE_SIZE);
                return SSL_AD_ILLEGAL_PARAMETER;
@@ -499,7 +518,8 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
 static int
 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 {
-        /* (0) check whether the desired fragment is available
+        /*
+         * (0) check whether the desired fragment is available
         * if so:
         * (1) copy over the fragment to s->init_buf->data[]
         * (2) update s->init_num
@@ -561,7 +581,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
        if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
                goto err;
-        /* Determine maximum allowed message size. Depends on (user set)
+        /*
+         * Determine maximum allowed message size. Depends on (user set)
         * maximum certificate length, but 16k is minimum.
         */
        if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <
@@ -595,7 +616,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                }
        }
-        /* If message is already reassembled, this must be a
+        /*
+         * If message is already reassembled, this must be a
         * retransmit and can be dropped.
         */
        if (frag->reassembly == NULL) {
@@ -672,13 +694,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
        seq64be[7] = (unsigned char) msg_hdr->seq;
        item = pqueue_find(s->d1->buffered_messages, seq64be);
-        /* If we already have an entry and this one is a fragment,
+        /*
+         * If we already have an entry and this one is a fragment,
         * don't discard it and rather try to reassemble it.
         */
        if (item != NULL && frag_len < msg_hdr->msg_len)
                item = NULL;
-        /* Discard the message if sequence number was already there, is
+        /*
+         * Discard the message if sequence number was already there, is
         * too far in the future, already in the queue or if we received
         * a FINISHED before the SERVER_HELLO, which then must be a stale
         * retransmit.
@@ -791,10 +815,12 @@ again:
        if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
            wire[0] == SSL3_MT_HELLO_REQUEST) {
-                /* The server may always send 'Hello Request' messages --
+                /*
+                 * The server may always send 'Hello Request' messages --
                 * we are doing a handshake anyway now, so ignore them
                 * if their format is correct. Does not count for
-                 * 'Finished' MAC. */
+                 * 'Finished' MAC.
+                 */
                if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
                        if (s->msg_callback)
                                s->msg_callback(0, s->version,
@@ -834,8 +860,10 @@ again:
        } else
                i = 0;
-        /* XDTLS:  an incorrectly formatted fragment should cause the
+        /*
-         * handshake to fail */
+         * XDTLS:  an incorrectly formatted fragment should cause the
+         * handshake to fail
+         */
        if (i != (int)frag_len) {
                al = SSL3_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
@@ -845,10 +873,12 @@ again:
        *ok = 1;
-        /* Note that s->init_num is *not* used as current offset in
+        /*
+         * Note that s->init_num is *not* used as current offset in
         * s->init_buf->data, but as a counter summing up fragments'
         * lengths: as soon as they sum up to handshake packet
-         * length, we assume we have got all the fragments. */
+         * length, we assume we have got all the fragments.
+         */
        s->init_num = frag_len;
        return frag_len;
@@ -878,7 +908,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
                p += i;
                l = i;
-                /* Copy the finished so we can use it for
+                /*
+                 * Copy the finished so we can use it for
                 * renegotiation checks
                 */
                if (s->type == SSL_ST_CONNECT) {
@@ -907,7 +938,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
 }
-/* for these 2 messages, we need to
+/*
+ * for these 2 messages, we need to
 * ssl->enc_read_ctx                    re-init
 * ssl->s3->read_sequence               zero
 * ssl->s3->read_mac_secret             re-init
@@ -1031,8 +1063,10 @@ dtls1_read_failed(SSL *s, int code)
        }
        if (!dtls1_is_timer_expired(s)) {
-                /* not a timeout, none of our business,
+                /*
-                   let higher layers handle this.  in fact it's probably an error */
+                 * not a timeout, none of our business, let higher layers
+                 * handle this.  in fact it's probably an error
+                 */
                return code;
        }
@@ -1048,13 +1082,16 @@ dtls1_read_failed(SSL *s, int code)
 int
 dtls1_get_queue_priority(unsigned short seq, int is_ccs)
 {
-        /* The index of the retransmission queue actually is the message sequence number,
+        /*
-         * since the queue only contains messages of a single handshake. However, the
+         * The index of the retransmission queue actually is the message
-         * ChangeCipherSpec has no message sequence number and so using only the sequence
+         * sequence number, since the queue only contains messages of a
-         * will result in the CCS and Finished having the same index. To prevent this,
+         * single handshake. However, the ChangeCipherSpec has no message
-         * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted.
+         * sequence number and so using only the sequence will result in
-         * This does not only differ CSS and Finished, it also maintains the order of the
+         * the CCS and Finished having the same index. To prevent this, the
-         * index (important for priority queues) and fits in the unsigned short variable.
+         * sequence number is multiplied by 2. In case of a CCS 1 is
+         * subtracted.  This does not only differ CSS and Finished, it also
+         * maintains the order of the index (important for priority queues)
+         * and fits in the unsigned short variable.
         */
        return seq * 2 - is_ccs;
 }
@@ -1092,8 +1129,10 @@ dtls1_buffer_message(SSL *s, int is_ccs)
        hm_fragment *frag;
        unsigned char seq64be[8];
-        /* this function is called immediately after a message has
+        /*
-         * been serialized */
+         * This function is called immediately after a message has
+         * been serialized
+         */
        OPENSSL_assert(s->init_off == 0);
        frag = dtls1_hm_fragment_new(s->init_num, 0);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index f24d0f9cf8..a3e62ea323 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.68 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -312,8 +312,10 @@ ssl3_accept(SSL *s)
                                ret = -1;
                                goto end;
                        } else {
-                                /* s->state == SSL_ST_RENEGOTIATE,
+                                /*
-                                 * we will just send a HelloRequest */
+                                 * s->state == SSL_ST_RENEGOTIATE,
+                                 * we will just send a HelloRequest
+                                 */
                                s->ctx->stats.sess_accept_renegotiate++;
                                s->state = SSL3_ST_SW_HELLO_REQ_A;
                        }
@@ -404,19 +406,21 @@ ssl3_accept(SSL *s)
                            )
                                /*
                                 * option SSL_OP_EPHEMERAL_RSA sends temporary
-                                 * RSA key even when forbidden by protocol specs
+                                 * RSA key even when forbidden by protocol
-                                 * (handshake may fail as clients are not
+                                 * specs (handshake may fail as clients are
-                                 * required to be able to handle this)
+                                 * not required to be able to handle this)
                                 */
                                s->s3->tmp.use_rsa_tmp = 1;
                        else
                                s->s3->tmp.use_rsa_tmp = 0;
-                        /* only send if a DH key exchange, fortezza or
+                        /*
+                         * Only send if a DH key exchange, fortezza or
                         * RSA but we have a sign only certificate
                         *
-                         * PSK: may send PSK identity hints
+                         * PSK: send ServerKeyExchange if PSK identity
+                         * hint is provided
                         *
                         * For ECC ciphersuites, we send a serverKeyExchange
                         * message only if the cipher suite is either
@@ -425,8 +429,6 @@ ssl3_accept(SSL *s)
                         * public key for key exchange.
                         */
                        if (s->s3->tmp.use_rsa_tmp
-                        /* PSK: send ServerKeyExchange if PSK identity
-                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
@@ -1070,8 +1072,10 @@ ssl3_get_client_hello(SSL *s)
                        }
                }
                if (j == 0) {
-                        /* we need to have the cipher in the cipher
+                        /*
-                         * list if we are asked to reuse it */
+                         * We need to have the cipher in the cipher
+                         * list if we are asked to reuse it
+                         */
                        al = SSL_AD_ILLEGAL_PARAMETER;
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                            SSL_R_REQUIRED_CIPHER_MISSING);
@@ -1841,8 +1845,7 @@ ssl3_send_server_key_exchange(SSL *s)
                *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
                l2n3(n, d);
-                /* we should now have things packed up, so lets send
+                /* we should now have things packed up, so lets send it off */
-                 * it off */
                s->init_num = n + 4;
                s->init_off = 0;
        }
@@ -1928,9 +1931,7 @@ ssl3_send_certificate_request(SSL *s)
                *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
                l2n3(n, d);
-                /* we should now have things packed up, so lets send
+                /* we should now have things packed up, so lets send it off */
-                 * it off */
                s->init_num = n + 4;
                s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
@@ -1975,10 +1976,9 @@ ssl3_get_client_key_exchange(SSL *s)
        EC_POINT *clnt_ecpoint = NULL;
        BN_CTX *bn_ctx = NULL;
+        /* 2048 maxlen is a guess.  How long a key does that permit? */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
-            SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
+            SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
-            2048, /* ??? */ &ok);
        if (!ok)
                return ((int)n);
        p = (unsigned char *)s->init_msg;
@@ -1990,8 +1990,10 @@ ssl3_get_client_key_exchange(SSL *s)
                if (s->s3->tmp.use_rsa_tmp) {
                        if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
                                rsa = s->cert->rsa_tmp;
-                        /* Don't do a callback because rsa_tmp should
+                        /*
-                         * be sent already */
+                         * Don't do a callback because rsa_tmp should
+                         * be sent already
+                         */
                        if (rsa == NULL) {
                                al = SSL_AD_HANDSHAKE_FAILURE;
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2054,7 +2056,8 @@ ssl3_get_client_key_exchange(SSL *s)
                                al = SSL_AD_DECODE_ERROR;
                                /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                                /* The Klima-Pokorny-Rosa extension of
+                                /*
+                                 * The Klima-Pokorny-Rosa extension of
                                 * Bleichenbacher's attack
                                 * (http://eprint.iacr.org/2003/052/) exploits
                                 * the version number check as a "bad version
@@ -2227,7 +2230,8 @@ ssl3_get_client_key_exchange(SSL *s)
                        }
                        ret = 2; /* Skip certificate verify processing */
                } else {
-                        /* Get client's public key from encoded point
+                        /*
+                         * Get client's public key from encoded point
                         * in the ClientKeyExchange message.
                         */
                        if ((bn_ctx = BN_CTX_new()) == NULL) {
@@ -2474,9 +2478,9 @@ ssl3_get_cert_verify(SSL *s)
        EVP_MD_CTX mctx;
        EVP_MD_CTX_init(&mctx);
+        /* 516 maxlen is enough for 4096 bit RSA key with TLS v1.2 */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
-            SSL3_ST_SR_CERT_VRFY_B, -1,
+            SSL3_ST_SR_CERT_VRFY_B, -1, 516, &ok);
-            516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
        if (!ok)
                return ((int)n);
@@ -2815,8 +2819,10 @@ ssl3_get_client_certificate(SSL *s)
        s->session->peer = sk_X509_shift(sk);
        s->session->verify_result = s->verify_result;
-        /* With the current implementation, sess_cert will always be NULL
+        /*
-         * when we arrive here. */
+         * With the current implementation, sess_cert will always be NULL
+         * when we arrive here
+         */
        if (s->session->sess_cert == NULL) {
                s->session->sess_cert = ssl_sess_cert_new();
                if (s->session->sess_cert == NULL) {
@@ -2828,8 +2834,11 @@ ssl3_get_client_certificate(SSL *s)
        if (s->session->sess_cert->cert_chain != NULL)
                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
        s->session->sess_cert->cert_chain = sk;
-        /* Inconsistency alert: cert_chain does *not* include the
-         * peer's own certificate, while we do include it in s3_clnt.c */
+        /*
+         * Inconsistency alert: cert_chain does *not* include the
+         * peer's own certificate, while we do include it in s3_clnt.c
+         */
        sk = NULL;
@@ -3080,9 +3089,9 @@ ssl3_get_next_proto(SSL *s)
                return (-1);
        }
+        /* 514 maxlen is enough for the payload format below */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
-            SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
+            SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
-            514,  /* See the payload format below */ &ok);
        if (!ok)
                return ((int)n);
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index bd4267238f..f27588fcff 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.22 2014/07/02 20:45:26 miod Exp $ */
+/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -233,8 +233,11 @@ dtls1_do_write(SSL *s, int type)
                s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
                    BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
-                /* I've seen the kernel return bogus numbers when it doesn't know
+                /*
-                 * (initial write), so just make sure we have a reasonable number */
+                 * I've seen the kernel return bogus numbers when it
+                 * doesn't know the MTU (ie., the initial write), so just
+                 * make sure we have a reasonable number
+                 */
                if (s->d1->mtu < dtls1_min_mtu()) {
                        s->d1->mtu = 0;
                        s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -306,11 +309,12 @@ dtls1_do_write(SSL *s, int type)
                ret = dtls1_write_bytes(s, type,
                    &s->init_buf->data[s->init_off], len);
                if (ret < 0) {
-                        /* might need to update MTU here, but we don't know
+                        /*
-                         * which previous packet caused the failure -- so can't
+                         * Might need to update MTU here, but we don't know
-                         * really retransmit anything.  continue as if everything
+                         * which previous packet caused the failure -- so
-                         * is fine and wait for an alert to handle the
+                         * can't really retransmit anything.  continue as
-                         * retransmit
+                         * if everything is fine and wait for an alert to
+                         * handle the retransmit
                         */
                        if (BIO_ctrl(SSL_get_wbio(s),
                            BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0)
@@ -320,22 +324,30 @@ dtls1_do_write(SSL *s, int type)
                                return (-1);
                } else {
-                        /* bad if this assert fails, only part of the handshake
+                        /*
-                         * message got sent.  but why would this happen? */
+                         * Bad if this assert fails, only part of the
+                         * handshake message got sent.  but why would
+                         * this happen?
+                         */
                        OPENSSL_assert(len == (unsigned int)ret);
                        if (type == SSL3_RT_HANDSHAKE &&
                            !s->d1->retransmitting) {
-                                /* should not be done for 'Hello Request's, but in that case
+                                /*
-                                 * we'll ignore the result anyway */
+                                 * Should not be done for 'Hello Request's,
+                                 * but in that case we'll ignore the result
+                                 * anyway
+                                 */
                                unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
                                const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
                                int xlen;
                                if (frag_off == 0 &&
                                    s->version != DTLS1_BAD_VER) {
-                                        /* reconstruct message header is if it
+                                        /*
-                                         * is being sent in single fragment */
+                                         * Reconstruct message header is if it
+                                         * is being sent in single fragment
+                                         */
                                        *p++ = msg_hdr->type;
                                        l2n3(msg_hdr->msg_len, p);
                                        s2n (msg_hdr->seq, p);
@@ -373,7 +385,8 @@ dtls1_do_write(SSL *s, int type)
 }
-/* Obtain handshake message of message type 'mt' (any if mt == -1),
+/*
+ * Obtain handshake message of message type 'mt' (any if mt == -1),
 * maximum acceptable body length 'max'.
 * Read an entire handshake message.  Handshake messages arrive in
 * fragments.
@@ -386,8 +399,10 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
        unsigned char *p;
        unsigned long msg_len;
-        /* s3->tmp is used to store messages that are unexpected, caused
+        /*
-         * by the absence of an optional handshake message */
+         * s3->tmp is used to store messages that are unexpected, caused
+         * by the absence of an optional handshake message
+         */
        if (s->s3->tmp.reuse_message) {
                s->s3->tmp.reuse_message = 0;
                if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
@@ -472,8 +487,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
        if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
        {
-                /* msg_len is limited to 2^24, but is effectively checked
+                /*
-                 * against max above */
+                 * msg_len is limited to 2^24, but is effectively checked
+                 * against max above
+                 */
                if (!BUF_MEM_grow_clean(s->init_buf,
                    msg_len + DTLS1_HM_HEADER_LENGTH)) {
                        SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
@@ -486,8 +503,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
                s->d1->r_msg_hdr.type = msg_hdr->type;
                s->d1->r_msg_hdr.seq = msg_hdr->seq;
        } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
-                /* They must be playing with us! BTW, failure to enforce
+                /*
-                 * upper limit would open possibility for buffer overrun. */
+                 * They must be playing with us! BTW, failure to enforce
+                 * upper limit would open possibility for buffer overrun.
+                 */
                SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
                    SSL_R_EXCESSIVE_MESSAGE_SIZE);
                return SSL_AD_ILLEGAL_PARAMETER;
@@ -499,7 +518,8 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
 static int
 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 {
-        /* (0) check whether the desired fragment is available
+        /*
+         * (0) check whether the desired fragment is available
         * if so:
         * (1) copy over the fragment to s->init_buf->data[]
         * (2) update s->init_num
@@ -561,7 +581,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
        if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
                goto err;
-        /* Determine maximum allowed message size. Depends on (user set)
+        /*
+         * Determine maximum allowed message size. Depends on (user set)
         * maximum certificate length, but 16k is minimum.
         */
        if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <
@@ -595,7 +616,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                }
        }
-        /* If message is already reassembled, this must be a
+        /*
+         * If message is already reassembled, this must be a
         * retransmit and can be dropped.
         */
        if (frag->reassembly == NULL) {
@@ -672,13 +694,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
        seq64be[7] = (unsigned char) msg_hdr->seq;
        item = pqueue_find(s->d1->buffered_messages, seq64be);
-        /* If we already have an entry and this one is a fragment,
+        /*
+         * If we already have an entry and this one is a fragment,
         * don't discard it and rather try to reassemble it.
         */
        if (item != NULL && frag_len < msg_hdr->msg_len)
                item = NULL;
-        /* Discard the message if sequence number was already there, is
+        /*
+         * Discard the message if sequence number was already there, is
         * too far in the future, already in the queue or if we received
         * a FINISHED before the SERVER_HELLO, which then must be a stale
         * retransmit.
@@ -791,10 +815,12 @@ again:
        if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
            wire[0] == SSL3_MT_HELLO_REQUEST) {
-                /* The server may always send 'Hello Request' messages --
+                /*
+                 * The server may always send 'Hello Request' messages --
                 * we are doing a handshake anyway now, so ignore them
                 * if their format is correct. Does not count for
-                 * 'Finished' MAC. */
+                 * 'Finished' MAC.
+                 */
                if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
                        if (s->msg_callback)
                                s->msg_callback(0, s->version,
@@ -834,8 +860,10 @@ again:
        } else
                i = 0;
-        /* XDTLS:  an incorrectly formatted fragment should cause the
+        /*
-         * handshake to fail */
+         * XDTLS:  an incorrectly formatted fragment should cause the
+         * handshake to fail
+         */
        if (i != (int)frag_len) {
                al = SSL3_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
@@ -845,10 +873,12 @@ again:
        *ok = 1;
-        /* Note that s->init_num is *not* used as current offset in
+        /*
+         * Note that s->init_num is *not* used as current offset in
         * s->init_buf->data, but as a counter summing up fragments'
         * lengths: as soon as they sum up to handshake packet
-         * length, we assume we have got all the fragments. */
+         * length, we assume we have got all the fragments.
+         */
        s->init_num = frag_len;
        return frag_len;
@@ -878,7 +908,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
                p += i;
                l = i;
-                /* Copy the finished so we can use it for
+                /*
+                 * Copy the finished so we can use it for
                 * renegotiation checks
                 */
                if (s->type == SSL_ST_CONNECT) {
@@ -907,7 +938,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
 }
-/* for these 2 messages, we need to
+/*
+ * for these 2 messages, we need to
 * ssl->enc_read_ctx                    re-init
 * ssl->s3->read_sequence               zero
 * ssl->s3->read_mac_secret             re-init
@@ -1031,8 +1063,10 @@ dtls1_read_failed(SSL *s, int code)
        }
        if (!dtls1_is_timer_expired(s)) {
-                /* not a timeout, none of our business,
+                /*
-                   let higher layers handle this.  in fact it's probably an error */
+                 * not a timeout, none of our business, let higher layers
+                 * handle this.  in fact it's probably an error
+                 */
                return code;
        }
@@ -1048,13 +1082,16 @@ dtls1_read_failed(SSL *s, int code)
 int
 dtls1_get_queue_priority(unsigned short seq, int is_ccs)
 {
-        /* The index of the retransmission queue actually is the message sequence number,
+        /*
-         * since the queue only contains messages of a single handshake. However, the
+         * The index of the retransmission queue actually is the message
-         * ChangeCipherSpec has no message sequence number and so using only the sequence
+         * sequence number, since the queue only contains messages of a
-         * will result in the CCS and Finished having the same index. To prevent this,
+         * single handshake. However, the ChangeCipherSpec has no message
-         * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted.
+         * sequence number and so using only the sequence will result in
-         * This does not only differ CSS and Finished, it also maintains the order of the
+         * the CCS and Finished having the same index. To prevent this, the
-         * index (important for priority queues) and fits in the unsigned short variable.
+         * sequence number is multiplied by 2. In case of a CCS 1 is
+         * subtracted.  This does not only differ CSS and Finished, it also
+         * maintains the order of the index (important for priority queues)
+         * and fits in the unsigned short variable.
         */
        return seq * 2 - is_ccs;
 }
@@ -1092,8 +1129,10 @@ dtls1_buffer_message(SSL *s, int is_ccs)
        hm_fragment *frag;
        unsigned char seq64be[8];
-        /* this function is called immediately after a message has
+        /*
-         * been serialized */
+         * This function is called immediately after a message has
+         * been serialized
+         */
        OPENSSL_assert(s->init_off == 0);
        frag = dtls1_hm_fragment_new(s->init_num, 0);
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index f24d0f9cf8..a3e62ea323 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.68 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -312,8 +312,10 @@ ssl3_accept(SSL *s)
                                ret = -1;
                                goto end;
                        } else {
-                                /* s->state == SSL_ST_RENEGOTIATE,
+                                /*
-                                 * we will just send a HelloRequest */
+                                 * s->state == SSL_ST_RENEGOTIATE,
+                                 * we will just send a HelloRequest
+                                 */
                                s->ctx->stats.sess_accept_renegotiate++;
                                s->state = SSL3_ST_SW_HELLO_REQ_A;
                        }
@@ -404,19 +406,21 @@ ssl3_accept(SSL *s)
                            )
                                /*
                                 * option SSL_OP_EPHEMERAL_RSA sends temporary
-                                 * RSA key even when forbidden by protocol specs
+                                 * RSA key even when forbidden by protocol
-                                 * (handshake may fail as clients are not
+                                 * specs (handshake may fail as clients are
-                                 * required to be able to handle this)
+                                 * not required to be able to handle this)
                                 */
                                s->s3->tmp.use_rsa_tmp = 1;
                        else
                                s->s3->tmp.use_rsa_tmp = 0;
-                        /* only send if a DH key exchange, fortezza or
+                        /*
+                         * Only send if a DH key exchange, fortezza or
                         * RSA but we have a sign only certificate
                         *
-                         * PSK: may send PSK identity hints
+                         * PSK: send ServerKeyExchange if PSK identity
+                         * hint is provided
                         *
                         * For ECC ciphersuites, we send a serverKeyExchange
                         * message only if the cipher suite is either
@@ -425,8 +429,6 @@ ssl3_accept(SSL *s)
                         * public key for key exchange.
                         */
                        if (s->s3->tmp.use_rsa_tmp
-                        /* PSK: send ServerKeyExchange if PSK identity
-                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
@@ -1070,8 +1072,10 @@ ssl3_get_client_hello(SSL *s)
                        }
                }
                if (j == 0) {
-                        /* we need to have the cipher in the cipher
+                        /*
-                         * list if we are asked to reuse it */
+                         * We need to have the cipher in the cipher
+                         * list if we are asked to reuse it
+                         */
                        al = SSL_AD_ILLEGAL_PARAMETER;
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                            SSL_R_REQUIRED_CIPHER_MISSING);
@@ -1841,8 +1845,7 @@ ssl3_send_server_key_exchange(SSL *s)
                *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
                l2n3(n, d);
-                /* we should now have things packed up, so lets send
+                /* we should now have things packed up, so lets send it off */
-                 * it off */
                s->init_num = n + 4;
                s->init_off = 0;
        }
@@ -1928,9 +1931,7 @@ ssl3_send_certificate_request(SSL *s)
                *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
                l2n3(n, d);
-                /* we should now have things packed up, so lets send
+                /* we should now have things packed up, so lets send it off */
-                 * it off */
                s->init_num = n + 4;
                s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
@@ -1975,10 +1976,9 @@ ssl3_get_client_key_exchange(SSL *s)
        EC_POINT *clnt_ecpoint = NULL;
        BN_CTX *bn_ctx = NULL;
+        /* 2048 maxlen is a guess.  How long a key does that permit? */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
-            SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
+            SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
-            2048, /* ??? */ &ok);
        if (!ok)
                return ((int)n);
        p = (unsigned char *)s->init_msg;
@@ -1990,8 +1990,10 @@ ssl3_get_client_key_exchange(SSL *s)
                if (s->s3->tmp.use_rsa_tmp) {
                        if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
                                rsa = s->cert->rsa_tmp;
-                        /* Don't do a callback because rsa_tmp should
+                        /*
-                         * be sent already */
+                         * Don't do a callback because rsa_tmp should
+                         * be sent already
+                         */
                        if (rsa == NULL) {
                                al = SSL_AD_HANDSHAKE_FAILURE;
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2054,7 +2056,8 @@ ssl3_get_client_key_exchange(SSL *s)
                                al = SSL_AD_DECODE_ERROR;
                                /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                                /* The Klima-Pokorny-Rosa extension of
+                                /*
+                                 * The Klima-Pokorny-Rosa extension of
                                 * Bleichenbacher's attack
                                 * (http://eprint.iacr.org/2003/052/) exploits
                                 * the version number check as a "bad version
@@ -2227,7 +2230,8 @@ ssl3_get_client_key_exchange(SSL *s)
                        }
                        ret = 2; /* Skip certificate verify processing */
                } else {
-                        /* Get client's public key from encoded point
+                        /*
+                         * Get client's public key from encoded point
                         * in the ClientKeyExchange message.
                         */
                        if ((bn_ctx = BN_CTX_new()) == NULL) {
@@ -2474,9 +2478,9 @@ ssl3_get_cert_verify(SSL *s)
        EVP_MD_CTX mctx;
        EVP_MD_CTX_init(&mctx);
+        /* 516 maxlen is enough for 4096 bit RSA key with TLS v1.2 */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
-            SSL3_ST_SR_CERT_VRFY_B, -1,
+            SSL3_ST_SR_CERT_VRFY_B, -1, 516, &ok);
-            516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
        if (!ok)
                return ((int)n);
@@ -2815,8 +2819,10 @@ ssl3_get_client_certificate(SSL *s)
        s->session->peer = sk_X509_shift(sk);
        s->session->verify_result = s->verify_result;
-        /* With the current implementation, sess_cert will always be NULL
+        /*
-         * when we arrive here. */
+         * With the current implementation, sess_cert will always be NULL
+         * when we arrive here
+         */
        if (s->session->sess_cert == NULL) {
                s->session->sess_cert = ssl_sess_cert_new();
                if (s->session->sess_cert == NULL) {
@@ -2828,8 +2834,11 @@ ssl3_get_client_certificate(SSL *s)
        if (s->session->sess_cert->cert_chain != NULL)
                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
        s->session->sess_cert->cert_chain = sk;
-        /* Inconsistency alert: cert_chain does *not* include the
-         * peer's own certificate, while we do include it in s3_clnt.c */
+        /*
+         * Inconsistency alert: cert_chain does *not* include the
+         * peer's own certificate, while we do include it in s3_clnt.c
+         */
        sk = NULL;
@@ -3080,9 +3089,9 @@ ssl3_get_next_proto(SSL *s)
                return (-1);
        }
+        /* 514 maxlen is enough for the payload format below */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
-            SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
+            SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
-            514,  /* See the payload format below */ &ok);
        if (!ok)
                return ((int)n);
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index 5b5ffac06f..6aae59e310 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.40 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.41 2014/07/10 08:25:00 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -195,9 +195,11 @@ ssl_cert_dup(CERT *cert)
                return (NULL);
        }
+        /*
+         * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
+         * if you find that more readable
+         */
        ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
-        /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
-         * if you find that more readable */
        ret->valid = cert->valid;
        ret->mask_k = cert->mask_k;
@@ -256,9 +258,11 @@ ssl_cert_dup(CERT *cert)
                        CRYPTO_LOCK_EVP_PKEY);
                        switch (i) {
-                                /* If there was anything special to do for
+                                /*
+                                 * If there was anything special to do for
                                 * certain types of keys, we'd do it here.
-                                 * (Nothing at the moment, I think.) */
+                                 * (Nothing at the moment, I think.)
+                                 */
                        case SSL_PKEY_RSA_ENC:
                        case SSL_PKEY_RSA_SIGN:
@@ -285,12 +289,15 @@ ssl_cert_dup(CERT *cert)
                }
        }
-        /* ret->extra_certs *should* exist, but currently the own certificate
+        /*
-         * chain is held inside SSL_CTX */
+         * ret->extra_certs *should* exist, but currently the own certificate
+         * chain is held inside SSL_CTX
+         */
        ret->references = 1;
-        /* Set digests to defaults. NB: we don't copy existing values as they
+        /*
-         * will be set during handshake.
+         * Set digests to defaults. NB: we don't copy existing values
+         * as they will be set during handshake.
         */
        ssl_cert_set_default_md(ret);
@@ -339,7 +346,8 @@ ssl_cert_free(CERT *c)
 int
 ssl_cert_inst(CERT **o)
 {
-        /* Create a CERT if there isn't already one
+        /*
+         * Create a CERT if there isn't already one
         * (which cannot really happen, as it is initially created in
         * SSL_CTX_new; but the earlier code usually allows for that one
         * being non-existant, so we follow that behaviour, as it might
@@ -431,16 +439,17 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
        X509_STORE_CTX_set_ex_data(&ctx,
            SSL_get_ex_data_X509_STORE_CTX_idx(), s);
-        /* We need to inherit the verify parameters. These can be determined by
+        /*
-         * the context: if its a server it will verify SSL client certificates
+         * We need to inherit the verify parameters. These can be
-         * or vice versa.
+         * determined by the context: if its a server it will verify
+         * SSL client certificates or vice versa.
         */
        X509_STORE_CTX_set_default(&ctx,
            s->server ? "ssl_client" : "ssl_server");
-        /* Anything non-default in "param" should overwrite anything in the
+        /*
-         * ctx.
+         * Anything non-default in "param" should overwrite anything
+         * in the ctx.
         */
        X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 5b5ffac06f..6aae59e310 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.40 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.41 2014/07/10 08:25:00 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -195,9 +195,11 @@ ssl_cert_dup(CERT *cert)
                return (NULL);
        }
+        /*
+         * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
+         * if you find that more readable
+         */
        ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
-        /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
-         * if you find that more readable */
        ret->valid = cert->valid;
        ret->mask_k = cert->mask_k;
@@ -256,9 +258,11 @@ ssl_cert_dup(CERT *cert)
                        CRYPTO_LOCK_EVP_PKEY);
                        switch (i) {
-                                /* If there was anything special to do for
+                                /*
+                                 * If there was anything special to do for
                                 * certain types of keys, we'd do it here.
-                                 * (Nothing at the moment, I think.) */
+                                 * (Nothing at the moment, I think.)
+                                 */
                        case SSL_PKEY_RSA_ENC:
                        case SSL_PKEY_RSA_SIGN:
@@ -285,12 +289,15 @@ ssl_cert_dup(CERT *cert)
                }
        }
-        /* ret->extra_certs *should* exist, but currently the own certificate
+        /*
-         * chain is held inside SSL_CTX */
+         * ret->extra_certs *should* exist, but currently the own certificate
+         * chain is held inside SSL_CTX
+         */
        ret->references = 1;
-        /* Set digests to defaults. NB: we don't copy existing values as they
+        /*
-         * will be set during handshake.
+         * Set digests to defaults. NB: we don't copy existing values
+         * as they will be set during handshake.
         */
        ssl_cert_set_default_md(ret);
@@ -339,7 +346,8 @@ ssl_cert_free(CERT *c)
 int
 ssl_cert_inst(CERT **o)
 {
-        /* Create a CERT if there isn't already one
+        /*
+         * Create a CERT if there isn't already one
         * (which cannot really happen, as it is initially created in
         * SSL_CTX_new; but the earlier code usually allows for that one
         * being non-existant, so we follow that behaviour, as it might
@@ -431,16 +439,17 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
        X509_STORE_CTX_set_ex_data(&ctx,
            SSL_get_ex_data_X509_STORE_CTX_idx(), s);
-        /* We need to inherit the verify parameters. These can be determined by
+        /*
-         * the context: if its a server it will verify SSL client certificates
+         * We need to inherit the verify parameters. These can be
-         * or vice versa.
+         * determined by the context: if its a server it will verify
+         * SSL client certificates or vice versa.
         */
        X509_STORE_CTX_set_default(&ctx,
            s->server ? "ssl_client" : "ssl_server");
-        /* Anything non-default in "param" should overwrite anything in the
+        /*
-         * ctx.
+         * Anything non-default in "param" should overwrite anything
+         * in the ctx.
         */
        X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);