summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/d1_both.c129
-rw-r--r--src/lib/libssl/s3_srvr.c73
-rw-r--r--src/lib/libssl/src/ssl/d1_both.c129
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c73
-rw-r--r--src/lib/libssl/src/ssl/ssl_cert.c41
-rw-r--r--src/lib/libssl/ssl_cert.c41
6 files changed, 300 insertions, 186 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index bd4267238f..f27588fcff 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.22 2014/07/02 20:45:26 miod Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -233,8 +233,11 @@ dtls1_do_write(SSL *s, int type)
233 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), 233 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
234 BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 234 BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
235 235
236 /* I've seen the kernel return bogus numbers when it doesn't know 236 /*
237 * (initial write), so just make sure we have a reasonable number */ 237 * I've seen the kernel return bogus numbers when it
238 * doesn't know the MTU (ie., the initial write), so just
239 * make sure we have a reasonable number
240 */
238 if (s->d1->mtu < dtls1_min_mtu()) { 241 if (s->d1->mtu < dtls1_min_mtu()) {
239 s->d1->mtu = 0; 242 s->d1->mtu = 0;
240 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); 243 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -306,11 +309,12 @@ dtls1_do_write(SSL *s, int type)
306 ret = dtls1_write_bytes(s, type, 309 ret = dtls1_write_bytes(s, type,
307 &s->init_buf->data[s->init_off], len); 310 &s->init_buf->data[s->init_off], len);
308 if (ret < 0) { 311 if (ret < 0) {
309 /* might need to update MTU here, but we don't know 312 /*
310 * which previous packet caused the failure -- so can't 313 * Might need to update MTU here, but we don't know
311 * really retransmit anything. continue as if everything 314 * which previous packet caused the failure -- so
312 * is fine and wait for an alert to handle the 315 * can't really retransmit anything. continue as
313 * retransmit 316 * if everything is fine and wait for an alert to
317 * handle the retransmit
314 */ 318 */
315 if (BIO_ctrl(SSL_get_wbio(s), 319 if (BIO_ctrl(SSL_get_wbio(s),
316 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) 320 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0)
@@ -320,22 +324,30 @@ dtls1_do_write(SSL *s, int type)
320 return (-1); 324 return (-1);
321 } else { 325 } else {
322 326
323 /* bad if this assert fails, only part of the handshake 327 /*
324 * message got sent. but why would this happen? */ 328 * Bad if this assert fails, only part of the
329 * handshake message got sent. but why would
330 * this happen?
331 */
325 OPENSSL_assert(len == (unsigned int)ret); 332 OPENSSL_assert(len == (unsigned int)ret);
326 333
327 if (type == SSL3_RT_HANDSHAKE && 334 if (type == SSL3_RT_HANDSHAKE &&
328 !s->d1->retransmitting) { 335 !s->d1->retransmitting) {
329 /* should not be done for 'Hello Request's, but in that case 336 /*
330 * we'll ignore the result anyway */ 337 * Should not be done for 'Hello Request's,
338 * but in that case we'll ignore the result
339 * anyway
340 */
331 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; 341 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
332 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 342 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
333 int xlen; 343 int xlen;
334 344
335 if (frag_off == 0 && 345 if (frag_off == 0 &&
336 s->version != DTLS1_BAD_VER) { 346 s->version != DTLS1_BAD_VER) {
337 /* reconstruct message header is if it 347 /*
338 * is being sent in single fragment */ 348 * Reconstruct message header is if it
349 * is being sent in single fragment
350 */
339 *p++ = msg_hdr->type; 351 *p++ = msg_hdr->type;
340 l2n3(msg_hdr->msg_len, p); 352 l2n3(msg_hdr->msg_len, p);
341 s2n (msg_hdr->seq, p); 353 s2n (msg_hdr->seq, p);
@@ -373,7 +385,8 @@ dtls1_do_write(SSL *s, int type)
373} 385}
374 386
375 387
376/* Obtain handshake message of message type 'mt' (any if mt == -1), 388/*
389 * Obtain handshake message of message type 'mt' (any if mt == -1),
377 * maximum acceptable body length 'max'. 390 * maximum acceptable body length 'max'.
378 * Read an entire handshake message. Handshake messages arrive in 391 * Read an entire handshake message. Handshake messages arrive in
379 * fragments. 392 * fragments.
@@ -386,8 +399,10 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
386 unsigned char *p; 399 unsigned char *p;
387 unsigned long msg_len; 400 unsigned long msg_len;
388 401
389 /* s3->tmp is used to store messages that are unexpected, caused 402 /*
390 * by the absence of an optional handshake message */ 403 * s3->tmp is used to store messages that are unexpected, caused
404 * by the absence of an optional handshake message
405 */
391 if (s->s3->tmp.reuse_message) { 406 if (s->s3->tmp.reuse_message) {
392 s->s3->tmp.reuse_message = 0; 407 s->s3->tmp.reuse_message = 0;
393 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { 408 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
@@ -472,8 +487,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
472 487
473 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ 488 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
474 { 489 {
475 /* msg_len is limited to 2^24, but is effectively checked 490 /*
476 * against max above */ 491 * msg_len is limited to 2^24, but is effectively checked
492 * against max above
493 */
477 if (!BUF_MEM_grow_clean(s->init_buf, 494 if (!BUF_MEM_grow_clean(s->init_buf,
478 msg_len + DTLS1_HM_HEADER_LENGTH)) { 495 msg_len + DTLS1_HM_HEADER_LENGTH)) {
479 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); 496 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
@@ -486,8 +503,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
486 s->d1->r_msg_hdr.type = msg_hdr->type; 503 s->d1->r_msg_hdr.type = msg_hdr->type;
487 s->d1->r_msg_hdr.seq = msg_hdr->seq; 504 s->d1->r_msg_hdr.seq = msg_hdr->seq;
488 } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 505 } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
489 /* They must be playing with us! BTW, failure to enforce 506 /*
490 * upper limit would open possibility for buffer overrun. */ 507 * They must be playing with us! BTW, failure to enforce
508 * upper limit would open possibility for buffer overrun.
509 */
491 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, 510 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
492 SSL_R_EXCESSIVE_MESSAGE_SIZE); 511 SSL_R_EXCESSIVE_MESSAGE_SIZE);
493 return SSL_AD_ILLEGAL_PARAMETER; 512 return SSL_AD_ILLEGAL_PARAMETER;
@@ -499,7 +518,8 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
499static int 518static int
500dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) 519dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
501{ 520{
502 /* (0) check whether the desired fragment is available 521 /*
522 * (0) check whether the desired fragment is available
503 * if so: 523 * if so:
504 * (1) copy over the fragment to s->init_buf->data[] 524 * (1) copy over the fragment to s->init_buf->data[]
505 * (2) update s->init_num 525 * (2) update s->init_num
@@ -561,7 +581,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
561 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) 581 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
562 goto err; 582 goto err;
563 583
564 /* Determine maximum allowed message size. Depends on (user set) 584 /*
585 * Determine maximum allowed message size. Depends on (user set)
565 * maximum certificate length, but 16k is minimum. 586 * maximum certificate length, but 16k is minimum.
566 */ 587 */
567 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < 588 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <
@@ -595,7 +616,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
595 } 616 }
596 } 617 }
597 618
598 /* If message is already reassembled, this must be a 619 /*
620 * If message is already reassembled, this must be a
599 * retransmit and can be dropped. 621 * retransmit and can be dropped.
600 */ 622 */
601 if (frag->reassembly == NULL) { 623 if (frag->reassembly == NULL) {
@@ -672,13 +694,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
672 seq64be[7] = (unsigned char) msg_hdr->seq; 694 seq64be[7] = (unsigned char) msg_hdr->seq;
673 item = pqueue_find(s->d1->buffered_messages, seq64be); 695 item = pqueue_find(s->d1->buffered_messages, seq64be);
674 696
675 /* If we already have an entry and this one is a fragment, 697 /*
698 * If we already have an entry and this one is a fragment,
676 * don't discard it and rather try to reassemble it. 699 * don't discard it and rather try to reassemble it.
677 */ 700 */
678 if (item != NULL && frag_len < msg_hdr->msg_len) 701 if (item != NULL && frag_len < msg_hdr->msg_len)
679 item = NULL; 702 item = NULL;
680 703
681 /* Discard the message if sequence number was already there, is 704 /*
705 * Discard the message if sequence number was already there, is
682 * too far in the future, already in the queue or if we received 706 * too far in the future, already in the queue or if we received
683 * a FINISHED before the SERVER_HELLO, which then must be a stale 707 * a FINISHED before the SERVER_HELLO, which then must be a stale
684 * retransmit. 708 * retransmit.
@@ -791,10 +815,12 @@ again:
791 815
792 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && 816 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
793 wire[0] == SSL3_MT_HELLO_REQUEST) { 817 wire[0] == SSL3_MT_HELLO_REQUEST) {
794 /* The server may always send 'Hello Request' messages -- 818 /*
819 * The server may always send 'Hello Request' messages --
795 * we are doing a handshake anyway now, so ignore them 820 * we are doing a handshake anyway now, so ignore them
796 * if their format is correct. Does not count for 821 * if their format is correct. Does not count for
797 * 'Finished' MAC. */ 822 * 'Finished' MAC.
823 */
798 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { 824 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
799 if (s->msg_callback) 825 if (s->msg_callback)
800 s->msg_callback(0, s->version, 826 s->msg_callback(0, s->version,
@@ -834,8 +860,10 @@ again:
834 } else 860 } else
835 i = 0; 861 i = 0;
836 862
837 /* XDTLS: an incorrectly formatted fragment should cause the 863 /*
838 * handshake to fail */ 864 * XDTLS: an incorrectly formatted fragment should cause the
865 * handshake to fail
866 */
839 if (i != (int)frag_len) { 867 if (i != (int)frag_len) {
840 al = SSL3_AD_ILLEGAL_PARAMETER; 868 al = SSL3_AD_ILLEGAL_PARAMETER;
841 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, 869 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
@@ -845,10 +873,12 @@ again:
845 873
846 *ok = 1; 874 *ok = 1;
847 875
848 /* Note that s->init_num is *not* used as current offset in 876 /*
877 * Note that s->init_num is *not* used as current offset in
849 * s->init_buf->data, but as a counter summing up fragments' 878 * s->init_buf->data, but as a counter summing up fragments'
850 * lengths: as soon as they sum up to handshake packet 879 * lengths: as soon as they sum up to handshake packet
851 * length, we assume we have got all the fragments. */ 880 * length, we assume we have got all the fragments.
881 */
852 s->init_num = frag_len; 882 s->init_num = frag_len;
853 return frag_len; 883 return frag_len;
854 884
@@ -878,7 +908,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
878 p += i; 908 p += i;
879 l = i; 909 l = i;
880 910
881 /* Copy the finished so we can use it for 911 /*
912 * Copy the finished so we can use it for
882 * renegotiation checks 913 * renegotiation checks
883 */ 914 */
884 if (s->type == SSL_ST_CONNECT) { 915 if (s->type == SSL_ST_CONNECT) {
@@ -907,7 +938,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
907 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 938 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
908} 939}
909 940
910/* for these 2 messages, we need to 941/*
942 * for these 2 messages, we need to
911 * ssl->enc_read_ctx re-init 943 * ssl->enc_read_ctx re-init
912 * ssl->s3->read_sequence zero 944 * ssl->s3->read_sequence zero
913 * ssl->s3->read_mac_secret re-init 945 * ssl->s3->read_mac_secret re-init
@@ -1031,8 +1063,10 @@ dtls1_read_failed(SSL *s, int code)
1031 } 1063 }
1032 1064
1033 if (!dtls1_is_timer_expired(s)) { 1065 if (!dtls1_is_timer_expired(s)) {
1034 /* not a timeout, none of our business, 1066 /*
1035 let higher layers handle this. in fact it's probably an error */ 1067 * not a timeout, none of our business, let higher layers
1068 * handle this. in fact it's probably an error
1069 */
1036 return code; 1070 return code;
1037 } 1071 }
1038 1072
@@ -1048,13 +1082,16 @@ dtls1_read_failed(SSL *s, int code)
1048int 1082int
1049dtls1_get_queue_priority(unsigned short seq, int is_ccs) 1083dtls1_get_queue_priority(unsigned short seq, int is_ccs)
1050{ 1084{
1051 /* The index of the retransmission queue actually is the message sequence number, 1085 /*
1052 * since the queue only contains messages of a single handshake. However, the 1086 * The index of the retransmission queue actually is the message
1053 * ChangeCipherSpec has no message sequence number and so using only the sequence 1087 * sequence number, since the queue only contains messages of a
1054 * will result in the CCS and Finished having the same index. To prevent this, 1088 * single handshake. However, the ChangeCipherSpec has no message
1055 * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted. 1089 * sequence number and so using only the sequence will result in
1056 * This does not only differ CSS and Finished, it also maintains the order of the 1090 * the CCS and Finished having the same index. To prevent this, the
1057 * index (important for priority queues) and fits in the unsigned short variable. 1091 * sequence number is multiplied by 2. In case of a CCS 1 is
1092 * subtracted. This does not only differ CSS and Finished, it also
1093 * maintains the order of the index (important for priority queues)
1094 * and fits in the unsigned short variable.
1058 */ 1095 */
1059 return seq * 2 - is_ccs; 1096 return seq * 2 - is_ccs;
1060} 1097}
@@ -1092,8 +1129,10 @@ dtls1_buffer_message(SSL *s, int is_ccs)
1092 hm_fragment *frag; 1129 hm_fragment *frag;
1093 unsigned char seq64be[8]; 1130 unsigned char seq64be[8];
1094 1131
1095 /* this function is called immediately after a message has 1132 /*
1096 * been serialized */ 1133 * This function is called immediately after a message has
1134 * been serialized
1135 */
1097 OPENSSL_assert(s->init_off == 0); 1136 OPENSSL_assert(s->init_off == 0);
1098 1137
1099 frag = dtls1_hm_fragment_new(s->init_num, 0); 1138 frag = dtls1_hm_fragment_new(s->init_num, 0);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index f24d0f9cf8..a3e62ea323 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.68 2014/07/09 11:25:42 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -312,8 +312,10 @@ ssl3_accept(SSL *s)
312 ret = -1; 312 ret = -1;
313 goto end; 313 goto end;
314 } else { 314 } else {
315 /* s->state == SSL_ST_RENEGOTIATE, 315 /*
316 * we will just send a HelloRequest */ 316 * s->state == SSL_ST_RENEGOTIATE,
317 * we will just send a HelloRequest
318 */
317 s->ctx->stats.sess_accept_renegotiate++; 319 s->ctx->stats.sess_accept_renegotiate++;
318 s->state = SSL3_ST_SW_HELLO_REQ_A; 320 s->state = SSL3_ST_SW_HELLO_REQ_A;
319 } 321 }
@@ -404,19 +406,21 @@ ssl3_accept(SSL *s)
404 ) 406 )
405 /* 407 /*
406 * option SSL_OP_EPHEMERAL_RSA sends temporary 408 * option SSL_OP_EPHEMERAL_RSA sends temporary
407 * RSA key even when forbidden by protocol specs 409 * RSA key even when forbidden by protocol
408 * (handshake may fail as clients are not 410 * specs (handshake may fail as clients are
409 * required to be able to handle this) 411 * not required to be able to handle this)
410 */ 412 */
411 s->s3->tmp.use_rsa_tmp = 1; 413 s->s3->tmp.use_rsa_tmp = 1;
412 else 414 else
413 s->s3->tmp.use_rsa_tmp = 0; 415 s->s3->tmp.use_rsa_tmp = 0;
414 416
415 417
416 /* only send if a DH key exchange, fortezza or 418 /*
419 * Only send if a DH key exchange, fortezza or
417 * RSA but we have a sign only certificate 420 * RSA but we have a sign only certificate
418 * 421 *
419 * PSK: may send PSK identity hints 422 * PSK: send ServerKeyExchange if PSK identity
423 * hint is provided
420 * 424 *
421 * For ECC ciphersuites, we send a serverKeyExchange 425 * For ECC ciphersuites, we send a serverKeyExchange
422 * message only if the cipher suite is either 426 * message only if the cipher suite is either
@@ -425,8 +429,6 @@ ssl3_accept(SSL *s)
425 * public key for key exchange. 429 * public key for key exchange.
426 */ 430 */
427 if (s->s3->tmp.use_rsa_tmp 431 if (s->s3->tmp.use_rsa_tmp
428 /* PSK: send ServerKeyExchange if PSK identity
429 * hint if provided */
430#ifndef OPENSSL_NO_PSK 432#ifndef OPENSSL_NO_PSK
431 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 433 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
432#endif 434#endif
@@ -1070,8 +1072,10 @@ ssl3_get_client_hello(SSL *s)
1070 } 1072 }
1071 } 1073 }
1072 if (j == 0) { 1074 if (j == 0) {
1073 /* we need to have the cipher in the cipher 1075 /*
1074 * list if we are asked to reuse it */ 1076 * We need to have the cipher in the cipher
1077 * list if we are asked to reuse it
1078 */
1075 al = SSL_AD_ILLEGAL_PARAMETER; 1079 al = SSL_AD_ILLEGAL_PARAMETER;
1076 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1080 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1077 SSL_R_REQUIRED_CIPHER_MISSING); 1081 SSL_R_REQUIRED_CIPHER_MISSING);
@@ -1841,8 +1845,7 @@ ssl3_send_server_key_exchange(SSL *s)
1841 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE; 1845 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
1842 l2n3(n, d); 1846 l2n3(n, d);
1843 1847
1844 /* we should now have things packed up, so lets send 1848 /* we should now have things packed up, so lets send it off */
1845 * it off */
1846 s->init_num = n + 4; 1849 s->init_num = n + 4;
1847 s->init_off = 0; 1850 s->init_off = 0;
1848 } 1851 }
@@ -1928,9 +1931,7 @@ ssl3_send_certificate_request(SSL *s)
1928 *(d++) = SSL3_MT_CERTIFICATE_REQUEST; 1931 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
1929 l2n3(n, d); 1932 l2n3(n, d);
1930 1933
1931 /* we should now have things packed up, so lets send 1934 /* we should now have things packed up, so lets send it off */
1932 * it off */
1933
1934 s->init_num = n + 4; 1935 s->init_num = n + 4;
1935 s->init_off = 0; 1936 s->init_off = 0;
1936#ifdef NETSCAPE_HANG_BUG 1937#ifdef NETSCAPE_HANG_BUG
@@ -1975,10 +1976,9 @@ ssl3_get_client_key_exchange(SSL *s)
1975 EC_POINT *clnt_ecpoint = NULL; 1976 EC_POINT *clnt_ecpoint = NULL;
1976 BN_CTX *bn_ctx = NULL; 1977 BN_CTX *bn_ctx = NULL;
1977 1978
1978 1979 /* 2048 maxlen is a guess. How long a key does that permit? */
1979 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, 1980 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1980 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 1981 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
1981 2048, /* ??? */ &ok);
1982 if (!ok) 1982 if (!ok)
1983 return ((int)n); 1983 return ((int)n);
1984 p = (unsigned char *)s->init_msg; 1984 p = (unsigned char *)s->init_msg;
@@ -1990,8 +1990,10 @@ ssl3_get_client_key_exchange(SSL *s)
1990 if (s->s3->tmp.use_rsa_tmp) { 1990 if (s->s3->tmp.use_rsa_tmp) {
1991 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1991 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1992 rsa = s->cert->rsa_tmp; 1992 rsa = s->cert->rsa_tmp;
1993 /* Don't do a callback because rsa_tmp should 1993 /*
1994 * be sent already */ 1994 * Don't do a callback because rsa_tmp should
1995 * be sent already
1996 */
1995 if (rsa == NULL) { 1997 if (rsa == NULL) {
1996 al = SSL_AD_HANDSHAKE_FAILURE; 1998 al = SSL_AD_HANDSHAKE_FAILURE;
1997 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1999 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2054,7 +2056,8 @@ ssl3_get_client_key_exchange(SSL *s)
2054 al = SSL_AD_DECODE_ERROR; 2056 al = SSL_AD_DECODE_ERROR;
2055 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2057 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2056 2058
2057 /* The Klima-Pokorny-Rosa extension of 2059 /*
2060 * The Klima-Pokorny-Rosa extension of
2058 * Bleichenbacher's attack 2061 * Bleichenbacher's attack
2059 * (http://eprint.iacr.org/2003/052/) exploits 2062 * (http://eprint.iacr.org/2003/052/) exploits
2060 * the version number check as a "bad version 2063 * the version number check as a "bad version
@@ -2227,7 +2230,8 @@ ssl3_get_client_key_exchange(SSL *s)
2227 } 2230 }
2228 ret = 2; /* Skip certificate verify processing */ 2231 ret = 2; /* Skip certificate verify processing */
2229 } else { 2232 } else {
2230 /* Get client's public key from encoded point 2233 /*
2234 * Get client's public key from encoded point
2231 * in the ClientKeyExchange message. 2235 * in the ClientKeyExchange message.
2232 */ 2236 */
2233 if ((bn_ctx = BN_CTX_new()) == NULL) { 2237 if ((bn_ctx = BN_CTX_new()) == NULL) {
@@ -2474,9 +2478,9 @@ ssl3_get_cert_verify(SSL *s)
2474 EVP_MD_CTX mctx; 2478 EVP_MD_CTX mctx;
2475 EVP_MD_CTX_init(&mctx); 2479 EVP_MD_CTX_init(&mctx);
2476 2480
2481 /* 516 maxlen is enough for 4096 bit RSA key with TLS v1.2 */
2477 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, 2482 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2478 SSL3_ST_SR_CERT_VRFY_B, -1, 2483 SSL3_ST_SR_CERT_VRFY_B, -1, 516, &ok);
2479 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2480 if (!ok) 2484 if (!ok)
2481 return ((int)n); 2485 return ((int)n);
2482 2486
@@ -2815,8 +2819,10 @@ ssl3_get_client_certificate(SSL *s)
2815 s->session->peer = sk_X509_shift(sk); 2819 s->session->peer = sk_X509_shift(sk);
2816 s->session->verify_result = s->verify_result; 2820 s->session->verify_result = s->verify_result;
2817 2821
2818 /* With the current implementation, sess_cert will always be NULL 2822 /*
2819 * when we arrive here. */ 2823 * With the current implementation, sess_cert will always be NULL
2824 * when we arrive here
2825 */
2820 if (s->session->sess_cert == NULL) { 2826 if (s->session->sess_cert == NULL) {
2821 s->session->sess_cert = ssl_sess_cert_new(); 2827 s->session->sess_cert = ssl_sess_cert_new();
2822 if (s->session->sess_cert == NULL) { 2828 if (s->session->sess_cert == NULL) {
@@ -2828,8 +2834,11 @@ ssl3_get_client_certificate(SSL *s)
2828 if (s->session->sess_cert->cert_chain != NULL) 2834 if (s->session->sess_cert->cert_chain != NULL)
2829 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 2835 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2830 s->session->sess_cert->cert_chain = sk; 2836 s->session->sess_cert->cert_chain = sk;
2831 /* Inconsistency alert: cert_chain does *not* include the 2837
2832 * peer's own certificate, while we do include it in s3_clnt.c */ 2838 /*
2839 * Inconsistency alert: cert_chain does *not* include the
2840 * peer's own certificate, while we do include it in s3_clnt.c
2841 */
2833 2842
2834 sk = NULL; 2843 sk = NULL;
2835 2844
@@ -3080,9 +3089,9 @@ ssl3_get_next_proto(SSL *s)
3080 return (-1); 3089 return (-1);
3081 } 3090 }
3082 3091
3092 /* 514 maxlen is enough for the payload format below */
3083 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, 3093 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3084 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 3094 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
3085 514, /* See the payload format below */ &ok);
3086 if (!ok) 3095 if (!ok)
3087 return ((int)n); 3096 return ((int)n);
3088 3097
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index bd4267238f..f27588fcff 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.22 2014/07/02 20:45:26 miod Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -233,8 +233,11 @@ dtls1_do_write(SSL *s, int type)
233 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), 233 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
234 BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 234 BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
235 235
236 /* I've seen the kernel return bogus numbers when it doesn't know 236 /*
237 * (initial write), so just make sure we have a reasonable number */ 237 * I've seen the kernel return bogus numbers when it
238 * doesn't know the MTU (ie., the initial write), so just
239 * make sure we have a reasonable number
240 */
238 if (s->d1->mtu < dtls1_min_mtu()) { 241 if (s->d1->mtu < dtls1_min_mtu()) {
239 s->d1->mtu = 0; 242 s->d1->mtu = 0;
240 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); 243 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -306,11 +309,12 @@ dtls1_do_write(SSL *s, int type)
306 ret = dtls1_write_bytes(s, type, 309 ret = dtls1_write_bytes(s, type,
307 &s->init_buf->data[s->init_off], len); 310 &s->init_buf->data[s->init_off], len);
308 if (ret < 0) { 311 if (ret < 0) {
309 /* might need to update MTU here, but we don't know 312 /*
310 * which previous packet caused the failure -- so can't 313 * Might need to update MTU here, but we don't know
311 * really retransmit anything. continue as if everything 314 * which previous packet caused the failure -- so
312 * is fine and wait for an alert to handle the 315 * can't really retransmit anything. continue as
313 * retransmit 316 * if everything is fine and wait for an alert to
317 * handle the retransmit
314 */ 318 */
315 if (BIO_ctrl(SSL_get_wbio(s), 319 if (BIO_ctrl(SSL_get_wbio(s),
316 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) 320 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0)
@@ -320,22 +324,30 @@ dtls1_do_write(SSL *s, int type)
320 return (-1); 324 return (-1);
321 } else { 325 } else {
322 326
323 /* bad if this assert fails, only part of the handshake 327 /*
324 * message got sent. but why would this happen? */ 328 * Bad if this assert fails, only part of the
329 * handshake message got sent. but why would
330 * this happen?
331 */
325 OPENSSL_assert(len == (unsigned int)ret); 332 OPENSSL_assert(len == (unsigned int)ret);
326 333
327 if (type == SSL3_RT_HANDSHAKE && 334 if (type == SSL3_RT_HANDSHAKE &&
328 !s->d1->retransmitting) { 335 !s->d1->retransmitting) {
329 /* should not be done for 'Hello Request's, but in that case 336 /*
330 * we'll ignore the result anyway */ 337 * Should not be done for 'Hello Request's,
338 * but in that case we'll ignore the result
339 * anyway
340 */
331 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; 341 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
332 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 342 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
333 int xlen; 343 int xlen;
334 344
335 if (frag_off == 0 && 345 if (frag_off == 0 &&
336 s->version != DTLS1_BAD_VER) { 346 s->version != DTLS1_BAD_VER) {
337 /* reconstruct message header is if it 347 /*
338 * is being sent in single fragment */ 348 * Reconstruct message header is if it
349 * is being sent in single fragment
350 */
339 *p++ = msg_hdr->type; 351 *p++ = msg_hdr->type;
340 l2n3(msg_hdr->msg_len, p); 352 l2n3(msg_hdr->msg_len, p);
341 s2n (msg_hdr->seq, p); 353 s2n (msg_hdr->seq, p);
@@ -373,7 +385,8 @@ dtls1_do_write(SSL *s, int type)
373} 385}
374 386
375 387
376/* Obtain handshake message of message type 'mt' (any if mt == -1), 388/*
389 * Obtain handshake message of message type 'mt' (any if mt == -1),
377 * maximum acceptable body length 'max'. 390 * maximum acceptable body length 'max'.
378 * Read an entire handshake message. Handshake messages arrive in 391 * Read an entire handshake message. Handshake messages arrive in
379 * fragments. 392 * fragments.
@@ -386,8 +399,10 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
386 unsigned char *p; 399 unsigned char *p;
387 unsigned long msg_len; 400 unsigned long msg_len;
388 401
389 /* s3->tmp is used to store messages that are unexpected, caused 402 /*
390 * by the absence of an optional handshake message */ 403 * s3->tmp is used to store messages that are unexpected, caused
404 * by the absence of an optional handshake message
405 */
391 if (s->s3->tmp.reuse_message) { 406 if (s->s3->tmp.reuse_message) {
392 s->s3->tmp.reuse_message = 0; 407 s->s3->tmp.reuse_message = 0;
393 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { 408 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
@@ -472,8 +487,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
472 487
473 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ 488 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
474 { 489 {
475 /* msg_len is limited to 2^24, but is effectively checked 490 /*
476 * against max above */ 491 * msg_len is limited to 2^24, but is effectively checked
492 * against max above
493 */
477 if (!BUF_MEM_grow_clean(s->init_buf, 494 if (!BUF_MEM_grow_clean(s->init_buf,
478 msg_len + DTLS1_HM_HEADER_LENGTH)) { 495 msg_len + DTLS1_HM_HEADER_LENGTH)) {
479 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); 496 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
@@ -486,8 +503,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
486 s->d1->r_msg_hdr.type = msg_hdr->type; 503 s->d1->r_msg_hdr.type = msg_hdr->type;
487 s->d1->r_msg_hdr.seq = msg_hdr->seq; 504 s->d1->r_msg_hdr.seq = msg_hdr->seq;
488 } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 505 } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
489 /* They must be playing with us! BTW, failure to enforce 506 /*
490 * upper limit would open possibility for buffer overrun. */ 507 * They must be playing with us! BTW, failure to enforce
508 * upper limit would open possibility for buffer overrun.
509 */
491 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, 510 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
492 SSL_R_EXCESSIVE_MESSAGE_SIZE); 511 SSL_R_EXCESSIVE_MESSAGE_SIZE);
493 return SSL_AD_ILLEGAL_PARAMETER; 512 return SSL_AD_ILLEGAL_PARAMETER;
@@ -499,7 +518,8 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
499static int 518static int
500dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) 519dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
501{ 520{
502 /* (0) check whether the desired fragment is available 521 /*
522 * (0) check whether the desired fragment is available
503 * if so: 523 * if so:
504 * (1) copy over the fragment to s->init_buf->data[] 524 * (1) copy over the fragment to s->init_buf->data[]
505 * (2) update s->init_num 525 * (2) update s->init_num
@@ -561,7 +581,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
561 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) 581 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
562 goto err; 582 goto err;
563 583
564 /* Determine maximum allowed message size. Depends on (user set) 584 /*
585 * Determine maximum allowed message size. Depends on (user set)
565 * maximum certificate length, but 16k is minimum. 586 * maximum certificate length, but 16k is minimum.
566 */ 587 */
567 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < 588 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <
@@ -595,7 +616,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
595 } 616 }
596 } 617 }
597 618
598 /* If message is already reassembled, this must be a 619 /*
620 * If message is already reassembled, this must be a
599 * retransmit and can be dropped. 621 * retransmit and can be dropped.
600 */ 622 */
601 if (frag->reassembly == NULL) { 623 if (frag->reassembly == NULL) {
@@ -672,13 +694,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
672 seq64be[7] = (unsigned char) msg_hdr->seq; 694 seq64be[7] = (unsigned char) msg_hdr->seq;
673 item = pqueue_find(s->d1->buffered_messages, seq64be); 695 item = pqueue_find(s->d1->buffered_messages, seq64be);
674 696
675 /* If we already have an entry and this one is a fragment, 697 /*
698 * If we already have an entry and this one is a fragment,
676 * don't discard it and rather try to reassemble it. 699 * don't discard it and rather try to reassemble it.
677 */ 700 */
678 if (item != NULL && frag_len < msg_hdr->msg_len) 701 if (item != NULL && frag_len < msg_hdr->msg_len)
679 item = NULL; 702 item = NULL;
680 703
681 /* Discard the message if sequence number was already there, is 704 /*
705 * Discard the message if sequence number was already there, is
682 * too far in the future, already in the queue or if we received 706 * too far in the future, already in the queue or if we received
683 * a FINISHED before the SERVER_HELLO, which then must be a stale 707 * a FINISHED before the SERVER_HELLO, which then must be a stale
684 * retransmit. 708 * retransmit.
@@ -791,10 +815,12 @@ again:
791 815
792 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && 816 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
793 wire[0] == SSL3_MT_HELLO_REQUEST) { 817 wire[0] == SSL3_MT_HELLO_REQUEST) {
794 /* The server may always send 'Hello Request' messages -- 818 /*
819 * The server may always send 'Hello Request' messages --
795 * we are doing a handshake anyway now, so ignore them 820 * we are doing a handshake anyway now, so ignore them
796 * if their format is correct. Does not count for 821 * if their format is correct. Does not count for
797 * 'Finished' MAC. */ 822 * 'Finished' MAC.
823 */
798 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { 824 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
799 if (s->msg_callback) 825 if (s->msg_callback)
800 s->msg_callback(0, s->version, 826 s->msg_callback(0, s->version,
@@ -834,8 +860,10 @@ again:
834 } else 860 } else
835 i = 0; 861 i = 0;
836 862
837 /* XDTLS: an incorrectly formatted fragment should cause the 863 /*
838 * handshake to fail */ 864 * XDTLS: an incorrectly formatted fragment should cause the
865 * handshake to fail
866 */
839 if (i != (int)frag_len) { 867 if (i != (int)frag_len) {
840 al = SSL3_AD_ILLEGAL_PARAMETER; 868 al = SSL3_AD_ILLEGAL_PARAMETER;
841 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, 869 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
@@ -845,10 +873,12 @@ again:
845 873
846 *ok = 1; 874 *ok = 1;
847 875
848 /* Note that s->init_num is *not* used as current offset in 876 /*
877 * Note that s->init_num is *not* used as current offset in
849 * s->init_buf->data, but as a counter summing up fragments' 878 * s->init_buf->data, but as a counter summing up fragments'
850 * lengths: as soon as they sum up to handshake packet 879 * lengths: as soon as they sum up to handshake packet
851 * length, we assume we have got all the fragments. */ 880 * length, we assume we have got all the fragments.
881 */
852 s->init_num = frag_len; 882 s->init_num = frag_len;
853 return frag_len; 883 return frag_len;
854 884
@@ -878,7 +908,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
878 p += i; 908 p += i;
879 l = i; 909 l = i;
880 910
881 /* Copy the finished so we can use it for 911 /*
912 * Copy the finished so we can use it for
882 * renegotiation checks 913 * renegotiation checks
883 */ 914 */
884 if (s->type == SSL_ST_CONNECT) { 915 if (s->type == SSL_ST_CONNECT) {
@@ -907,7 +938,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
907 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 938 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
908} 939}
909 940
910/* for these 2 messages, we need to 941/*
942 * for these 2 messages, we need to
911 * ssl->enc_read_ctx re-init 943 * ssl->enc_read_ctx re-init
912 * ssl->s3->read_sequence zero 944 * ssl->s3->read_sequence zero
913 * ssl->s3->read_mac_secret re-init 945 * ssl->s3->read_mac_secret re-init
@@ -1031,8 +1063,10 @@ dtls1_read_failed(SSL *s, int code)
1031 } 1063 }
1032 1064
1033 if (!dtls1_is_timer_expired(s)) { 1065 if (!dtls1_is_timer_expired(s)) {
1034 /* not a timeout, none of our business, 1066 /*
1035 let higher layers handle this. in fact it's probably an error */ 1067 * not a timeout, none of our business, let higher layers
1068 * handle this. in fact it's probably an error
1069 */
1036 return code; 1070 return code;
1037 } 1071 }
1038 1072
@@ -1048,13 +1082,16 @@ dtls1_read_failed(SSL *s, int code)
1048int 1082int
1049dtls1_get_queue_priority(unsigned short seq, int is_ccs) 1083dtls1_get_queue_priority(unsigned short seq, int is_ccs)
1050{ 1084{
1051 /* The index of the retransmission queue actually is the message sequence number, 1085 /*
1052 * since the queue only contains messages of a single handshake. However, the 1086 * The index of the retransmission queue actually is the message
1053 * ChangeCipherSpec has no message sequence number and so using only the sequence 1087 * sequence number, since the queue only contains messages of a
1054 * will result in the CCS and Finished having the same index. To prevent this, 1088 * single handshake. However, the ChangeCipherSpec has no message
1055 * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted. 1089 * sequence number and so using only the sequence will result in
1056 * This does not only differ CSS and Finished, it also maintains the order of the 1090 * the CCS and Finished having the same index. To prevent this, the
1057 * index (important for priority queues) and fits in the unsigned short variable. 1091 * sequence number is multiplied by 2. In case of a CCS 1 is
1092 * subtracted. This does not only differ CSS and Finished, it also
1093 * maintains the order of the index (important for priority queues)
1094 * and fits in the unsigned short variable.
1058 */ 1095 */
1059 return seq * 2 - is_ccs; 1096 return seq * 2 - is_ccs;
1060} 1097}
@@ -1092,8 +1129,10 @@ dtls1_buffer_message(SSL *s, int is_ccs)
1092 hm_fragment *frag; 1129 hm_fragment *frag;
1093 unsigned char seq64be[8]; 1130 unsigned char seq64be[8];
1094 1131
1095 /* this function is called immediately after a message has 1132 /*
1096 * been serialized */ 1133 * This function is called immediately after a message has
1134 * been serialized
1135 */
1097 OPENSSL_assert(s->init_off == 0); 1136 OPENSSL_assert(s->init_off == 0);
1098 1137
1099 frag = dtls1_hm_fragment_new(s->init_num, 0); 1138 frag = dtls1_hm_fragment_new(s->init_num, 0);
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index f24d0f9cf8..a3e62ea323 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.68 2014/07/09 11:25:42 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -312,8 +312,10 @@ ssl3_accept(SSL *s)
312 ret = -1; 312 ret = -1;
313 goto end; 313 goto end;
314 } else { 314 } else {
315 /* s->state == SSL_ST_RENEGOTIATE, 315 /*
316 * we will just send a HelloRequest */ 316 * s->state == SSL_ST_RENEGOTIATE,
317 * we will just send a HelloRequest
318 */
317 s->ctx->stats.sess_accept_renegotiate++; 319 s->ctx->stats.sess_accept_renegotiate++;
318 s->state = SSL3_ST_SW_HELLO_REQ_A; 320 s->state = SSL3_ST_SW_HELLO_REQ_A;
319 } 321 }
@@ -404,19 +406,21 @@ ssl3_accept(SSL *s)
404 ) 406 )
405 /* 407 /*
406 * option SSL_OP_EPHEMERAL_RSA sends temporary 408 * option SSL_OP_EPHEMERAL_RSA sends temporary
407 * RSA key even when forbidden by protocol specs 409 * RSA key even when forbidden by protocol
408 * (handshake may fail as clients are not 410 * specs (handshake may fail as clients are
409 * required to be able to handle this) 411 * not required to be able to handle this)
410 */ 412 */
411 s->s3->tmp.use_rsa_tmp = 1; 413 s->s3->tmp.use_rsa_tmp = 1;
412 else 414 else
413 s->s3->tmp.use_rsa_tmp = 0; 415 s->s3->tmp.use_rsa_tmp = 0;
414 416
415 417
416 /* only send if a DH key exchange, fortezza or 418 /*
419 * Only send if a DH key exchange, fortezza or
417 * RSA but we have a sign only certificate 420 * RSA but we have a sign only certificate
418 * 421 *
419 * PSK: may send PSK identity hints 422 * PSK: send ServerKeyExchange if PSK identity
423 * hint is provided
420 * 424 *
421 * For ECC ciphersuites, we send a serverKeyExchange 425 * For ECC ciphersuites, we send a serverKeyExchange
422 * message only if the cipher suite is either 426 * message only if the cipher suite is either
@@ -425,8 +429,6 @@ ssl3_accept(SSL *s)
425 * public key for key exchange. 429 * public key for key exchange.
426 */ 430 */
427 if (s->s3->tmp.use_rsa_tmp 431 if (s->s3->tmp.use_rsa_tmp
428 /* PSK: send ServerKeyExchange if PSK identity
429 * hint if provided */
430#ifndef OPENSSL_NO_PSK 432#ifndef OPENSSL_NO_PSK
431 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 433 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
432#endif 434#endif
@@ -1070,8 +1072,10 @@ ssl3_get_client_hello(SSL *s)
1070 } 1072 }
1071 } 1073 }
1072 if (j == 0) { 1074 if (j == 0) {
1073 /* we need to have the cipher in the cipher 1075 /*
1074 * list if we are asked to reuse it */ 1076 * We need to have the cipher in the cipher
1077 * list if we are asked to reuse it
1078 */
1075 al = SSL_AD_ILLEGAL_PARAMETER; 1079 al = SSL_AD_ILLEGAL_PARAMETER;
1076 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1080 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1077 SSL_R_REQUIRED_CIPHER_MISSING); 1081 SSL_R_REQUIRED_CIPHER_MISSING);
@@ -1841,8 +1845,7 @@ ssl3_send_server_key_exchange(SSL *s)
1841 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE; 1845 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
1842 l2n3(n, d); 1846 l2n3(n, d);
1843 1847
1844 /* we should now have things packed up, so lets send 1848 /* we should now have things packed up, so lets send it off */
1845 * it off */
1846 s->init_num = n + 4; 1849 s->init_num = n + 4;
1847 s->init_off = 0; 1850 s->init_off = 0;
1848 } 1851 }
@@ -1928,9 +1931,7 @@ ssl3_send_certificate_request(SSL *s)
1928 *(d++) = SSL3_MT_CERTIFICATE_REQUEST; 1931 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
1929 l2n3(n, d); 1932 l2n3(n, d);
1930 1933
1931 /* we should now have things packed up, so lets send 1934 /* we should now have things packed up, so lets send it off */
1932 * it off */
1933
1934 s->init_num = n + 4; 1935 s->init_num = n + 4;
1935 s->init_off = 0; 1936 s->init_off = 0;
1936#ifdef NETSCAPE_HANG_BUG 1937#ifdef NETSCAPE_HANG_BUG
@@ -1975,10 +1976,9 @@ ssl3_get_client_key_exchange(SSL *s)
1975 EC_POINT *clnt_ecpoint = NULL; 1976 EC_POINT *clnt_ecpoint = NULL;
1976 BN_CTX *bn_ctx = NULL; 1977 BN_CTX *bn_ctx = NULL;
1977 1978
1978 1979 /* 2048 maxlen is a guess. How long a key does that permit? */
1979 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, 1980 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
1980 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 1981 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
1981 2048, /* ??? */ &ok);
1982 if (!ok) 1982 if (!ok)
1983 return ((int)n); 1983 return ((int)n);
1984 p = (unsigned char *)s->init_msg; 1984 p = (unsigned char *)s->init_msg;
@@ -1990,8 +1990,10 @@ ssl3_get_client_key_exchange(SSL *s)
1990 if (s->s3->tmp.use_rsa_tmp) { 1990 if (s->s3->tmp.use_rsa_tmp) {
1991 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1991 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1992 rsa = s->cert->rsa_tmp; 1992 rsa = s->cert->rsa_tmp;
1993 /* Don't do a callback because rsa_tmp should 1993 /*
1994 * be sent already */ 1994 * Don't do a callback because rsa_tmp should
1995 * be sent already
1996 */
1995 if (rsa == NULL) { 1997 if (rsa == NULL) {
1996 al = SSL_AD_HANDSHAKE_FAILURE; 1998 al = SSL_AD_HANDSHAKE_FAILURE;
1997 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1999 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2054,7 +2056,8 @@ ssl3_get_client_key_exchange(SSL *s)
2054 al = SSL_AD_DECODE_ERROR; 2056 al = SSL_AD_DECODE_ERROR;
2055 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2057 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2056 2058
2057 /* The Klima-Pokorny-Rosa extension of 2059 /*
2060 * The Klima-Pokorny-Rosa extension of
2058 * Bleichenbacher's attack 2061 * Bleichenbacher's attack
2059 * (http://eprint.iacr.org/2003/052/) exploits 2062 * (http://eprint.iacr.org/2003/052/) exploits
2060 * the version number check as a "bad version 2063 * the version number check as a "bad version
@@ -2227,7 +2230,8 @@ ssl3_get_client_key_exchange(SSL *s)
2227 } 2230 }
2228 ret = 2; /* Skip certificate verify processing */ 2231 ret = 2; /* Skip certificate verify processing */
2229 } else { 2232 } else {
2230 /* Get client's public key from encoded point 2233 /*
2234 * Get client's public key from encoded point
2231 * in the ClientKeyExchange message. 2235 * in the ClientKeyExchange message.
2232 */ 2236 */
2233 if ((bn_ctx = BN_CTX_new()) == NULL) { 2237 if ((bn_ctx = BN_CTX_new()) == NULL) {
@@ -2474,9 +2478,9 @@ ssl3_get_cert_verify(SSL *s)
2474 EVP_MD_CTX mctx; 2478 EVP_MD_CTX mctx;
2475 EVP_MD_CTX_init(&mctx); 2479 EVP_MD_CTX_init(&mctx);
2476 2480
2481 /* 516 maxlen is enough for 4096 bit RSA key with TLS v1.2 */
2477 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, 2482 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2478 SSL3_ST_SR_CERT_VRFY_B, -1, 2483 SSL3_ST_SR_CERT_VRFY_B, -1, 516, &ok);
2479 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2480 if (!ok) 2484 if (!ok)
2481 return ((int)n); 2485 return ((int)n);
2482 2486
@@ -2815,8 +2819,10 @@ ssl3_get_client_certificate(SSL *s)
2815 s->session->peer = sk_X509_shift(sk); 2819 s->session->peer = sk_X509_shift(sk);
2816 s->session->verify_result = s->verify_result; 2820 s->session->verify_result = s->verify_result;
2817 2821
2818 /* With the current implementation, sess_cert will always be NULL 2822 /*
2819 * when we arrive here. */ 2823 * With the current implementation, sess_cert will always be NULL
2824 * when we arrive here
2825 */
2820 if (s->session->sess_cert == NULL) { 2826 if (s->session->sess_cert == NULL) {
2821 s->session->sess_cert = ssl_sess_cert_new(); 2827 s->session->sess_cert = ssl_sess_cert_new();
2822 if (s->session->sess_cert == NULL) { 2828 if (s->session->sess_cert == NULL) {
@@ -2828,8 +2834,11 @@ ssl3_get_client_certificate(SSL *s)
2828 if (s->session->sess_cert->cert_chain != NULL) 2834 if (s->session->sess_cert->cert_chain != NULL)
2829 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 2835 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
2830 s->session->sess_cert->cert_chain = sk; 2836 s->session->sess_cert->cert_chain = sk;
2831 /* Inconsistency alert: cert_chain does *not* include the 2837
2832 * peer's own certificate, while we do include it in s3_clnt.c */ 2838 /*
2839 * Inconsistency alert: cert_chain does *not* include the
2840 * peer's own certificate, while we do include it in s3_clnt.c
2841 */
2833 2842
2834 sk = NULL; 2843 sk = NULL;
2835 2844
@@ -3080,9 +3089,9 @@ ssl3_get_next_proto(SSL *s)
3080 return (-1); 3089 return (-1);
3081 } 3090 }
3082 3091
3092 /* 514 maxlen is enough for the payload format below */
3083 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, 3093 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3084 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 3094 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO, 514, &ok);
3085 514, /* See the payload format below */ &ok);
3086 if (!ok) 3095 if (!ok)
3087 return ((int)n); 3096 return ((int)n);
3088 3097
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index 5b5ffac06f..6aae59e310 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.40 2014/07/09 11:25:42 jsing Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.41 2014/07/10 08:25:00 guenther Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -195,9 +195,11 @@ ssl_cert_dup(CERT *cert)
195 return (NULL); 195 return (NULL);
196 } 196 }
197 197
198 /*
199 * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
200 * if you find that more readable
201 */
198 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; 202 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
199 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
200 * if you find that more readable */
201 203
202 ret->valid = cert->valid; 204 ret->valid = cert->valid;
203 ret->mask_k = cert->mask_k; 205 ret->mask_k = cert->mask_k;
@@ -256,9 +258,11 @@ ssl_cert_dup(CERT *cert)
256 CRYPTO_LOCK_EVP_PKEY); 258 CRYPTO_LOCK_EVP_PKEY);
257 259
258 switch (i) { 260 switch (i) {
259 /* If there was anything special to do for 261 /*
262 * If there was anything special to do for
260 * certain types of keys, we'd do it here. 263 * certain types of keys, we'd do it here.
261 * (Nothing at the moment, I think.) */ 264 * (Nothing at the moment, I think.)
265 */
262 266
263 case SSL_PKEY_RSA_ENC: 267 case SSL_PKEY_RSA_ENC:
264 case SSL_PKEY_RSA_SIGN: 268 case SSL_PKEY_RSA_SIGN:
@@ -285,12 +289,15 @@ ssl_cert_dup(CERT *cert)
285 } 289 }
286 } 290 }
287 291
288 /* ret->extra_certs *should* exist, but currently the own certificate 292 /*
289 * chain is held inside SSL_CTX */ 293 * ret->extra_certs *should* exist, but currently the own certificate
294 * chain is held inside SSL_CTX
295 */
290 296
291 ret->references = 1; 297 ret->references = 1;
292 /* Set digests to defaults. NB: we don't copy existing values as they 298 /*
293 * will be set during handshake. 299 * Set digests to defaults. NB: we don't copy existing values
300 * as they will be set during handshake.
294 */ 301 */
295 ssl_cert_set_default_md(ret); 302 ssl_cert_set_default_md(ret);
296 303
@@ -339,7 +346,8 @@ ssl_cert_free(CERT *c)
339int 346int
340ssl_cert_inst(CERT **o) 347ssl_cert_inst(CERT **o)
341{ 348{
342 /* Create a CERT if there isn't already one 349 /*
350 * Create a CERT if there isn't already one
343 * (which cannot really happen, as it is initially created in 351 * (which cannot really happen, as it is initially created in
344 * SSL_CTX_new; but the earlier code usually allows for that one 352 * SSL_CTX_new; but the earlier code usually allows for that one
345 * being non-existant, so we follow that behaviour, as it might 353 * being non-existant, so we follow that behaviour, as it might
@@ -431,16 +439,17 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
431 X509_STORE_CTX_set_ex_data(&ctx, 439 X509_STORE_CTX_set_ex_data(&ctx,
432 SSL_get_ex_data_X509_STORE_CTX_idx(), s); 440 SSL_get_ex_data_X509_STORE_CTX_idx(), s);
433 441
434 /* We need to inherit the verify parameters. These can be determined by 442 /*
435 * the context: if its a server it will verify SSL client certificates 443 * We need to inherit the verify parameters. These can be
436 * or vice versa. 444 * determined by the context: if its a server it will verify
445 * SSL client certificates or vice versa.
437 */ 446 */
438
439 X509_STORE_CTX_set_default(&ctx, 447 X509_STORE_CTX_set_default(&ctx,
440 s->server ? "ssl_client" : "ssl_server"); 448 s->server ? "ssl_client" : "ssl_server");
441 449
442 /* Anything non-default in "param" should overwrite anything in the 450 /*
443 * ctx. 451 * Anything non-default in "param" should overwrite anything
452 * in the ctx.
444 */ 453 */
445 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); 454 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
446 455
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 5b5ffac06f..6aae59e310 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.40 2014/07/09 11:25:42 jsing Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.41 2014/07/10 08:25:00 guenther Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -195,9 +195,11 @@ ssl_cert_dup(CERT *cert)
195 return (NULL); 195 return (NULL);
196 } 196 }
197 197
198 /*
199 * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
200 * if you find that more readable
201 */
198 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]]; 202 ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
199 /* or ret->key = ret->pkeys + (cert->key - cert->pkeys),
200 * if you find that more readable */
201 203
202 ret->valid = cert->valid; 204 ret->valid = cert->valid;
203 ret->mask_k = cert->mask_k; 205 ret->mask_k = cert->mask_k;
@@ -256,9 +258,11 @@ ssl_cert_dup(CERT *cert)
256 CRYPTO_LOCK_EVP_PKEY); 258 CRYPTO_LOCK_EVP_PKEY);
257 259
258 switch (i) { 260 switch (i) {
259 /* If there was anything special to do for 261 /*
262 * If there was anything special to do for
260 * certain types of keys, we'd do it here. 263 * certain types of keys, we'd do it here.
261 * (Nothing at the moment, I think.) */ 264 * (Nothing at the moment, I think.)
265 */
262 266
263 case SSL_PKEY_RSA_ENC: 267 case SSL_PKEY_RSA_ENC:
264 case SSL_PKEY_RSA_SIGN: 268 case SSL_PKEY_RSA_SIGN:
@@ -285,12 +289,15 @@ ssl_cert_dup(CERT *cert)
285 } 289 }
286 } 290 }
287 291
288 /* ret->extra_certs *should* exist, but currently the own certificate 292 /*
289 * chain is held inside SSL_CTX */ 293 * ret->extra_certs *should* exist, but currently the own certificate
294 * chain is held inside SSL_CTX
295 */
290 296
291 ret->references = 1; 297 ret->references = 1;
292 /* Set digests to defaults. NB: we don't copy existing values as they 298 /*
293 * will be set during handshake. 299 * Set digests to defaults. NB: we don't copy existing values
300 * as they will be set during handshake.
294 */ 301 */
295 ssl_cert_set_default_md(ret); 302 ssl_cert_set_default_md(ret);
296 303
@@ -339,7 +346,8 @@ ssl_cert_free(CERT *c)
339int 346int
340ssl_cert_inst(CERT **o) 347ssl_cert_inst(CERT **o)
341{ 348{
342 /* Create a CERT if there isn't already one 349 /*
350 * Create a CERT if there isn't already one
343 * (which cannot really happen, as it is initially created in 351 * (which cannot really happen, as it is initially created in
344 * SSL_CTX_new; but the earlier code usually allows for that one 352 * SSL_CTX_new; but the earlier code usually allows for that one
345 * being non-existant, so we follow that behaviour, as it might 353 * being non-existant, so we follow that behaviour, as it might
@@ -431,16 +439,17 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
431 X509_STORE_CTX_set_ex_data(&ctx, 439 X509_STORE_CTX_set_ex_data(&ctx,
432 SSL_get_ex_data_X509_STORE_CTX_idx(), s); 440 SSL_get_ex_data_X509_STORE_CTX_idx(), s);
433 441
434 /* We need to inherit the verify parameters. These can be determined by 442 /*
435 * the context: if its a server it will verify SSL client certificates 443 * We need to inherit the verify parameters. These can be
436 * or vice versa. 444 * determined by the context: if its a server it will verify
445 * SSL client certificates or vice versa.
437 */ 446 */
438
439 X509_STORE_CTX_set_default(&ctx, 447 X509_STORE_CTX_set_default(&ctx,
440 s->server ? "ssl_client" : "ssl_server"); 448 s->server ? "ssl_client" : "ssl_server");
441 449
442 /* Anything non-default in "param" should overwrite anything in the 450 /*
443 * ctx. 451 * Anything non-default in "param" should overwrite anything
452 * in the ctx.
444 */ 453 */
445 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param); 454 X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
446 455
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-28 20:51:17 +0000