1 files changed, 41 insertions, 32 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index f24d0f9cf8..a3e62ea323 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.68 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -312,8 +312,10 @@ ssl3_accept(SSL *s)
                                ret = -1;
                                goto end;
                        } else {
-                                /* s->state == SSL_ST_RENEGOTIATE,
+                                /*
-                                 * we will just send a HelloRequest */
+                                 * s->state == SSL_ST_RENEGOTIATE,
+                                 * we will just send a HelloRequest
+                                 */
                                s->ctx->stats.sess_accept_renegotiate++;
                                s->state = SSL3_ST_SW_HELLO_REQ_A;
                        }
@@ -404,19 +406,21 @@ ssl3_accept(SSL *s)
                            )
                                /*
                                 * option SSL_OP_EPHEMERAL_RSA sends temporary
-                                 * RSA key even when forbidden by protocol specs
+                                 * RSA key even when forbidden by protocol
-                                 * (handshake may fail as clients are not
+                                 * specs (handshake may fail as clients are
-                                 * required to be able to handle this)
+                                 * not required to be able to handle this)
                                 */
                                s->s3->tmp.use_rsa_tmp = 1;
                        else
                                s->s3->tmp.use_rsa_tmp = 0;
-                        /* only send if a DH key exchange, fortezza or
+                        /*
+                         * Only send if a DH key exchange, fortezza or
                         * RSA but we have a sign only certificate
                         *
-                         * PSK: may send PSK identity hints
+                         * PSK: send ServerKeyExchange if PSK identity
+                         * hint is provided
                         *
                         * For ECC ciphersuites, we send a serverKeyExchange
                         * message only if the cipher suite is either
@@ -425,8 +429,6 @@ ssl3_accept(SSL *s)
                         * public key for key exchange.
                         */
                        if (s->s3->tmp.use_rsa_tmp
-                        /* PSK: send ServerKeyExchange if PSK identity
-                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
@@ -1070,8 +1072,10 @@ ssl3_get_client_hello(SSL *s)
                        }
                }
                if (j == 0) {
-                        /* we need to have the cipher in the cipher
+                        /*
-                         * list if we are asked to reuse it */
+                         * We need to have the cipher in the cipher
+                         * list if we are asked to reuse it
+                         */
                        al = SSL_AD_ILLEGAL_PARAMETER;
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                            SSL_R_REQUIRED_CIPHER_MISSING);
@@ -1841,8 +1845,7 @@ ssl3_send_server_key_exchange(SSL *s)
                *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
                l2n3(n, d);
-                /* we should now have things packed up, so lets send
+                /* we should now have things packed up, so lets send it off */
-                 * it off */
                s->init_num = n + 4;
                s->init_off = 0;
        }
@@ -1928,9 +1931,7 @@ ssl3_send_certificate_request(SSL *s)
                *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
                l2n3(n, d);
-                /* we should now have things packed up, so lets send
+                /* we should now have things packed up, so lets send it off */
-                 * it off */
                s->init_num = n + 4;
                s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
@@ -1975,10 +1976,9 @@ ssl3_get_client_key_exchange(SSL *s)
        EC_POINT *clnt_ecpoint = NULL;
        BN_CTX *bn_ctx = NULL;
+        /* 2048 maxlen is a guess.  How long a key does that permit? */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
-            SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
+            SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
-            2048, /* ??? */ &ok);
        if (!ok)
                return ((int)n);
        p = (unsigned char *)s->init_msg;
@@ -1990,8 +1990,10 @@ ssl3_get_client_key_exchange(SSL *s)
                if (s->s3->tmp.use_rsa_tmp) {
                        if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
                                rsa = s->cert->rsa_tmp;
-                        /* Don't do a callback because rsa_tmp should
+                        /*
-                         * be sent already */
+                         * Don't do a callback because rsa_tmp should
+                         * be sent already
+                         */
                        if (rsa == NULL) {
                                al = SSL_AD_HANDSHAKE_FAILURE;
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2054,7 +2056,8 @@ ssl3_get_client_key_exchange(SSL *s)
                                al = SSL_AD_DECODE_ERROR;
                                /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                                /* The Klima-Pokorny-Rosa extension of
+                                /*
+                                 * The Klima-Pokorny-Rosa extension of
                                 * Bleichenbacher's attack
                                 * (http://eprint.iacr.org/2003/052/) exploits
                                 * the version number check as a "bad version
@@ -2227,7 +2230,8 @@ ssl3_get_client_key_exchange(SSL *s)
                        }
                        ret = 2; /* Skip certificate verify processing */
                } else {
-                        /* Get client's public key from encoded point
+                        /*
+                         * Get client's public key from encoded point
                         * in the ClientKeyExchange message.
                         */
                        if ((bn_ctx = BN_CTX_new()) == NULL) {
@@ -2474,9 +2478,9 @@ ssl3_get_cert_verify(SSL *s)
        EVP_MD_CTX mctx;
        EVP_MD_CTX_init(&mctx);
+        /* 516 maxlen is enough for 4096 bit RSA key with TLS v1.2 */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
-            SSL3_ST_SR_CERT_VRFY_B, -1,
+            SSL3_ST_SR_CERT_VRFY_B, -1, 516, &ok);
-            516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
        if (!ok)
                return ((int)n);
@@ -2815,8 +2819,10 @@ ssl3_get_client_certificate(SSL *s)
        s->session->peer = sk_X509_shift(sk);
        s->session->verify_result = s->verify_result;
-        /* With the current implementation, sess_cert will always be NULL
+        /*
-         * when we arrive here. */
+         * With the current implementation, sess_cert will always be NULL
+         * when we arrive here
+         */
        if (s->session->sess_cert == NULL) {
                s->session->sess_cert = ssl_sess_cert_new();
                if (s->session->sess_cert == NULL) {
@@ -2828,8 +2834,11 @@ ssl3_get_client_certificate(SSL *s)
        if (s->session->sess_cert->cert_chain != NULL)
                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
        s->session->sess_cert->cert_chain = sk;
-        /* Inconsistency alert: cert_chain does *not* include the
-         * peer's own certificate, while we do include it in s3_clnt.c */
+        /*
+         * Inconsistency alert: cert_chain does *not* include the
+         * peer's own certificate, while we do include it in s3_clnt.c
+         */
        sk = NULL;
@@ -3080,9 +3089,9 @@ ssl3_get_next_proto(SSL *s)
                return (-1);
        }
+        /* 514 maxlen is enough for the payload format below */
        n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
-            SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
+            SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
-            514,  /* See the payload format below */ &ok);
        if (!ok)
                return ((int)n);

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index f24d0f9cf8..a3e62ea323 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_srvr.c,v 1.68 2014/07/09 11:25:42 jsing Exp $ */	1	/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -312,8 +312,10 @@ ssl3_accept(SSL *s)
312	ret = -1;	312	ret = -1;
313	goto end;	313	goto end;
314	} else {	314	} else {
315	/* s->state == SSL_ST_RENEGOTIATE,	315	/*
316	* we will just send a HelloRequest */	316	* s->state == SSL_ST_RENEGOTIATE,
		317	* we will just send a HelloRequest
		318	*/
317	s->ctx->stats.sess_accept_renegotiate++;	319	s->ctx->stats.sess_accept_renegotiate++;
318	s->state = SSL3_ST_SW_HELLO_REQ_A;	320	s->state = SSL3_ST_SW_HELLO_REQ_A;
319	}	321	}
@@ -404,19 +406,21 @@ ssl3_accept(SSL *s)
404	)	406	)
405	/*	407	/*
406	* option SSL_OP_EPHEMERAL_RSA sends temporary	408	* option SSL_OP_EPHEMERAL_RSA sends temporary
407	* RSA key even when forbidden by protocol specs	409	* RSA key even when forbidden by protocol
408	* (handshake may fail as clients are not	410	* specs (handshake may fail as clients are
409	* required to be able to handle this)	411	* not required to be able to handle this)
410	*/	412	*/
411	s->s3->tmp.use_rsa_tmp = 1;	413	s->s3->tmp.use_rsa_tmp = 1;
412	else	414	else
413	s->s3->tmp.use_rsa_tmp = 0;	415	s->s3->tmp.use_rsa_tmp = 0;
414		416
415		417
416	/* only send if a DH key exchange, fortezza or	418	/*
		419	* Only send if a DH key exchange, fortezza or
417	* RSA but we have a sign only certificate	420	* RSA but we have a sign only certificate
418	*	421	*
419	* PSK: may send PSK identity hints	422	* PSK: send ServerKeyExchange if PSK identity
		423	* hint is provided
420	*	424	*
421	* For ECC ciphersuites, we send a serverKeyExchange	425	* For ECC ciphersuites, we send a serverKeyExchange
422	* message only if the cipher suite is either	426	* message only if the cipher suite is either
@@ -425,8 +429,6 @@ ssl3_accept(SSL *s)
425	* public key for key exchange.	429	* public key for key exchange.
426	*/	430	*/
427	if (s->s3->tmp.use_rsa_tmp	431	if (s->s3->tmp.use_rsa_tmp
428	/* PSK: send ServerKeyExchange if PSK identity
429	* hint if provided */
430	#ifndef OPENSSL_NO_PSK	432	#ifndef OPENSSL_NO_PSK
431	\|\| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)	433	\|\| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
432	#endif	434	#endif
@@ -1070,8 +1072,10 @@ ssl3_get_client_hello(SSL *s)
1070	}	1072	}
1071	}	1073	}
1072	if (j == 0) {	1074	if (j == 0) {
1073	/* we need to have the cipher in the cipher	1075	/*
1074	* list if we are asked to reuse it */	1076	* We need to have the cipher in the cipher
		1077	* list if we are asked to reuse it
		1078	*/
1075	al = SSL_AD_ILLEGAL_PARAMETER;	1079	al = SSL_AD_ILLEGAL_PARAMETER;
1076	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,	1080	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1077	SSL_R_REQUIRED_CIPHER_MISSING);	1081	SSL_R_REQUIRED_CIPHER_MISSING);
@@ -1841,8 +1845,7 @@ ssl3_send_server_key_exchange(SSL *s)
1841	*(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;	1845	*(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
1842	l2n3(n, d);	1846	l2n3(n, d);
1843		1847
1844	/* we should now have things packed up, so lets send	1848	/* we should now have things packed up, so lets send it off */
1845	* it off */
1846	s->init_num = n + 4;	1849	s->init_num = n + 4;
1847	s->init_off = 0;	1850	s->init_off = 0;
1848	}	1851	}
@@ -1928,9 +1931,7 @@ ssl3_send_certificate_request(SSL *s)
1928	*(d++) = SSL3_MT_CERTIFICATE_REQUEST;	1931	*(d++) = SSL3_MT_CERTIFICATE_REQUEST;
1929	l2n3(n, d);	1932	l2n3(n, d);
1930		1933
1931	/* we should now have things packed up, so lets send	1934	/* we should now have things packed up, so lets send it off */
1932	* it off */
1933
1934	s->init_num = n + 4;	1935	s->init_num = n + 4;
1935	s->init_off = 0;	1936	s->init_off = 0;
1936	#ifdef NETSCAPE_HANG_BUG	1937	#ifdef NETSCAPE_HANG_BUG
@@ -1975,10 +1976,9 @@ ssl3_get_client_key_exchange(SSL *s)
1975	EC_POINT *clnt_ecpoint = NULL;	1976	EC_POINT *clnt_ecpoint = NULL;
1976	BN_CTX *bn_ctx = NULL;	1977	BN_CTX *bn_ctx = NULL;
1977		1978
1978		1979	/* 2048 maxlen is a guess. How long a key does that permit? */
1979	n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,	1980	n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1980	SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,	1981	SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
1981	2048, /* ??? */ &ok);
1982	if (!ok)	1982	if (!ok)
1983	return ((int)n);	1983	return ((int)n);
1984	p = (unsigned char *)s->init_msg;	1984	p = (unsigned char *)s->init_msg;
@@ -1990,8 +1990,10 @@ ssl3_get_client_key_exchange(SSL *s)
1990	if (s->s3->tmp.use_rsa_tmp) {	1990	if (s->s3->tmp.use_rsa_tmp) {
1991	if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))	1991	if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1992	rsa = s->cert->rsa_tmp;	1992	rsa = s->cert->rsa_tmp;
1993	/* Don't do a callback because rsa_tmp should	1993	/*
1994	* be sent already */	1994	* Don't do a callback because rsa_tmp should
		1995	* be sent already
		1996	*/
1995	if (rsa == NULL) {	1997	if (rsa == NULL) {
1996	al = SSL_AD_HANDSHAKE_FAILURE;	1998	al = SSL_AD_HANDSHAKE_FAILURE;
1997	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,	1999	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2054,7 +2056,8 @@ ssl3_get_client_key_exchange(SSL *s)
2054	al = SSL_AD_DECODE_ERROR;	2056	al = SSL_AD_DECODE_ERROR;
2055	/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */	2057	/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2056		2058
2057	/* The Klima-Pokorny-Rosa extension of	2059	/*
		2060	* The Klima-Pokorny-Rosa extension of
2058	* Bleichenbacher's attack	2061	* Bleichenbacher's attack
2059	* (http://eprint.iacr.org/2003/052/) exploits	2062	* (http://eprint.iacr.org/2003/052/) exploits
2060	* the version number check as a "bad version	2063	* the version number check as a "bad version
@@ -2227,7 +2230,8 @@ ssl3_get_client_key_exchange(SSL *s)
2227	}	2230	}
2228	ret = 2; /* Skip certificate verify processing */	2231	ret = 2; /* Skip certificate verify processing */
2229	} else {	2232	} else {
2230	/* Get client's public key from encoded point	2233	/*
		2234	* Get client's public key from encoded point
2231	* in the ClientKeyExchange message.	2235	* in the ClientKeyExchange message.
2232	*/	2236	*/
2233	if ((bn_ctx = BN_CTX_new()) == NULL) {	2237	if ((bn_ctx = BN_CTX_new()) == NULL) {
@@ -2474,9 +2478,9 @@ ssl3_get_cert_verify(SSL *s)
2474	EVP_MD_CTX mctx;	2478	EVP_MD_CTX mctx;
2475	EVP_MD_CTX_init(&mctx);	2479	EVP_MD_CTX_init(&mctx);
2476		2480
		2481	/* 516 maxlen is enough for 4096 bit RSA key with TLS v1.2 */
2477	n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,	2482	n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2478	SSL3_ST_SR_CERT_VRFY_B, -1,	2483	SSL3_ST_SR_CERT_VRFY_B, -1, 516, &ok);
2479	516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2480	if (!ok)	2484	if (!ok)
2481	return ((int)n);	2485	return ((int)n);
2482		2486
@@ -2815,8 +2819,10 @@ ssl3_get_client_certificate(SSL *s)
2815	s->session->peer = sk_X509_shift(sk);	2819	s->session->peer = sk_X509_shift(sk);
2816	s->session->verify_result = s->verify_result;	2820	s->session->verify_result = s->verify_result;
2817		2821
2818	/* With the current implementation, sess_cert will always be NULL	2822	/*
2819	* when we arrive here. */	2823	* With the current implementation, sess_cert will always be NULL
		2824	* when we arrive here
		2825	*/
2820	if (s->session->sess_cert == NULL) {	2826	if (s->session->sess_cert == NULL) {
2821	s->session->sess_cert = ssl_sess_cert_new();	2827	s->session->sess_cert = ssl_sess_cert_new();
2822	if (s->session->sess_cert == NULL) {	2828	if (s->session->sess_cert == NULL) {
@@ -2828,8 +2834,11 @@ ssl3_get_client_certificate(SSL *s)
2828	if (s->session->sess_cert->cert_chain != NULL)	2834	if (s->session->sess_cert->cert_chain != NULL)
2829	sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);	2835	sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2830	s->session->sess_cert->cert_chain = sk;	2836	s->session->sess_cert->cert_chain = sk;
2831	/* Inconsistency alert: cert_chain does not include the	2837
2832	* peer's own certificate, while we do include it in s3_clnt.c */	2838	/*
		2839	* Inconsistency alert: cert_chain does not include the
		2840	* peer's own certificate, while we do include it in s3_clnt.c
		2841	*/
2833		2842
2834	sk = NULL;	2843	sk = NULL;
2835		2844
@@ -3080,9 +3089,9 @@ ssl3_get_next_proto(SSL *s)
3080	return (-1);	3089	return (-1);
3081	}	3090	}
3082		3091
		3092	/* 514 maxlen is enough for the payload format below */
3083	n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,	3093	n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3084	SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,	3094	SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
3085	514, /* See the payload format below */ &ok);
3086	if (!ok)	3095	if (!ok)
3087	return ((int)n);	3096	return ((int)n);
3088		3097