1 files changed, 22 insertions, 15 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 860a5fc4e3..508e131730 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.84 2017/02/07 02:08:38 beck Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.85 2017/03/05 14:24:12 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -693,31 +693,38 @@ end:
 int
 dtls1_send_hello_verify_request(SSL *s)
 {
-        unsigned char *d, *p;
+        CBB cbb, verify, cookie;
-        if (s->internal->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
+        memset(&cbb, 0, sizeof(cbb));
-                d = p = ssl3_handshake_msg_start(s,
-                    DTLS1_MT_HELLO_VERIFY_REQUEST);
-                *(p++) = s->version >> 8;
-                *(p++) = s->version & 0xFF;
+        if (s->internal->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
                if (s->ctx->internal->app_gen_cookie_cb == NULL ||
-                    s->ctx->internal->app_gen_cookie_cb(s,
+                    s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie,
-                        D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) {
+                        &(D1I(s)->cookie_len)) == 0) {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        return 0;
                }
-                *(p++) = (unsigned char) D1I(s)->cookie_len;
+                if (!ssl3_handshake_msg_start_cbb(s, &cbb, &verify,
-                memcpy(p, D1I(s)->cookie, D1I(s)->cookie_len);
+                    DTLS1_MT_HELLO_VERIFY_REQUEST))
-                p += D1I(s)->cookie_len;
+                        goto err;
+                if (!CBB_add_u16(&verify, s->version))
-                ssl3_handshake_msg_finish(s, p - d);
+                        goto err;
+                if (!CBB_add_u8_length_prefixed(&verify, &cookie))
+                        goto err;
+                if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len))
+                        goto err;
+                if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
+                        goto err;
                s->internal->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
        }
        /* s->internal->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
        return (ssl3_handshake_write(s));
+ err:
+        CBB_cleanup(&cbb);
+        return (-1);
 }

diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 860a5fc4e3..508e131730 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_srvr.c,v 1.84 2017/02/07 02:08:38 beck Exp $ */	1	/* $OpenBSD: d1_srvr.c,v 1.85 2017/03/05 14:24:12 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -693,31 +693,38 @@ end:
693	int	693	int
694	dtls1_send_hello_verify_request(SSL *s)	694	dtls1_send_hello_verify_request(SSL *s)
695	{	695	{
696	unsigned char d, p;	696	CBB cbb, verify, cookie;
697		697
698	if (s->internal->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {	698	memset(&cbb, 0, sizeof(cbb));
699	d = p = ssl3_handshake_msg_start(s,
700	DTLS1_MT_HELLO_VERIFY_REQUEST);
701
702	*(p++) = s->version >> 8;
703	*(p++) = s->version & 0xFF;
704		699
		700	if (s->internal->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
705	if (s->ctx->internal->app_gen_cookie_cb == NULL \|\|	701	if (s->ctx->internal->app_gen_cookie_cb == NULL \|\|
706	s->ctx->internal->app_gen_cookie_cb(s,	702	s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie,
707	D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) {	703	&(D1I(s)->cookie_len)) == 0) {
708	SSLerror(s, ERR_R_INTERNAL_ERROR);	704	SSLerror(s, ERR_R_INTERNAL_ERROR);
709	return 0;	705	return 0;
710	}	706	}
711		707
712	*(p++) = (unsigned char) D1I(s)->cookie_len;	708	if (!ssl3_handshake_msg_start_cbb(s, &cbb, &verify,
713	memcpy(p, D1I(s)->cookie, D1I(s)->cookie_len);	709	DTLS1_MT_HELLO_VERIFY_REQUEST))
714	p += D1I(s)->cookie_len;	710	goto err;
715		711	if (!CBB_add_u16(&verify, s->version))
716	ssl3_handshake_msg_finish(s, p - d);	712	goto err;
		713	if (!CBB_add_u8_length_prefixed(&verify, &cookie))
		714	goto err;
		715	if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len))
		716	goto err;
		717	if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
		718	goto err;
717		719
718	s->internal->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;	720	s->internal->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
719	}	721	}
720		722
721	/* s->internal->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */	723	/* s->internal->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
722	return (ssl3_handshake_write(s));	724	return (ssl3_handshake_write(s));
		725
		726	err:
		727	CBB_cleanup(&cbb);
		728
		729	return (-1);
723	}	730	}