summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_lib.c10
-rw-r--r--src/lib/libssl/ssl_both.c10
-rw-r--r--src/lib/libssl/ssl_clnt.c50
-rw-r--r--src/lib/libssl/ssl_lib.c6
-rw-r--r--src/lib/libssl/ssl_locl.h6
-rw-r--r--src/lib/libssl/ssl_packet.c4
-rw-r--r--src/lib/libssl/ssl_pkt.c12
-rw-r--r--src/lib/libssl/ssl_srvr.c52
-rw-r--r--src/lib/libssl/ssl_tlsext.c22
-rw-r--r--src/lib/libssl/ssl_versions.c8
-rw-r--r--src/lib/libssl/t1_enc.c8
11 files changed, 92 insertions, 96 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 3bd7d65522..0d10fdfe63 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.200 2020/10/11 12:45:51 guenther Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.201 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1447,7 +1447,7 @@ ssl3_pending(const SSL *s)
1447int 1447int
1448ssl3_handshake_msg_hdr_len(SSL *s) 1448ssl3_handshake_msg_hdr_len(SSL *s)
1449{ 1449{
1450 return (SSL_IS_DTLS(s) ? DTLS1_HM_HEADER_LENGTH : 1450 return (SSL_is_dtls(s) ? DTLS1_HM_HEADER_LENGTH :
1451 SSL3_HM_HEADER_LENGTH); 1451 SSL3_HM_HEADER_LENGTH);
1452} 1452}
1453 1453
@@ -1460,7 +1460,7 @@ ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type)
1460 goto err; 1460 goto err;
1461 if (!CBB_add_u8(handshake, msg_type)) 1461 if (!CBB_add_u8(handshake, msg_type))
1462 goto err; 1462 goto err;
1463 if (SSL_IS_DTLS(s)) { 1463 if (SSL_is_dtls(s)) {
1464 unsigned char *data; 1464 unsigned char *data;
1465 1465
1466 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH - 1466 if (!CBB_add_space(handshake, &data, DTLS1_HM_HEADER_LENGTH -
@@ -1497,7 +1497,7 @@ ssl3_handshake_msg_finish(SSL *s, CBB *handshake)
1497 s->internal->init_num = (int)outlen; 1497 s->internal->init_num = (int)outlen;
1498 s->internal->init_off = 0; 1498 s->internal->init_off = 0;
1499 1499
1500 if (SSL_IS_DTLS(s)) { 1500 if (SSL_is_dtls(s)) {
1501 unsigned long len; 1501 unsigned long len;
1502 uint8_t msg_type; 1502 uint8_t msg_type;
1503 CBS cbs; 1503 CBS cbs;
@@ -1529,7 +1529,7 @@ ssl3_handshake_write(SSL *s)
1529int 1529int
1530ssl3_record_write(SSL *s, int type) 1530ssl3_record_write(SSL *s, int type)
1531{ 1531{
1532 if (SSL_IS_DTLS(s)) 1532 if (SSL_is_dtls(s))
1533 return dtls1_do_write(s, type); 1533 return dtls1_do_write(s, type);
1534 1534
1535 return ssl3_do_write(s, type); 1535 return ssl3_do_write(s, type);
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 5da450b5ce..081b374396 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_both.c,v 1.20 2020/09/24 18:12:00 jsing Exp $ */ 1/* $OpenBSD: ssl_both.c,v 1.21 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -331,7 +331,7 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b)
331 s->internal->init_num = (int)outlen; 331 s->internal->init_num = (int)outlen;
332 s->internal->init_off = 0; 332 s->internal->init_off = 0;
333 333
334 if (SSL_IS_DTLS(s)) { 334 if (SSL_is_dtls(s)) {
335 D1I(s)->handshake_write_seq = 335 D1I(s)->handshake_write_seq =
336 D1I(s)->next_handshake_write_seq; 336 D1I(s)->next_handshake_write_seq;
337 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 337 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
@@ -447,7 +447,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
447 CBS cbs; 447 CBS cbs;
448 uint8_t u8; 448 uint8_t u8;
449 449
450 if (SSL_IS_DTLS(s)) 450 if (SSL_is_dtls(s))
451 return (dtls1_get_message(s, st1, stn, mt, max, ok)); 451 return (dtls1_get_message(s, st1, stn, mt, max, ok));
452 452
453 if (S3I(s)->tmp.reuse_message) { 453 if (S3I(s)->tmp.reuse_message) {
@@ -702,7 +702,7 @@ ssl3_setup_read_buffer(SSL *s)
702 unsigned char *p; 702 unsigned char *p;
703 size_t len, align, headerlen; 703 size_t len, align, headerlen;
704 704
705 if (SSL_IS_DTLS(s)) 705 if (SSL_is_dtls(s))
706 headerlen = DTLS1_RT_HEADER_LENGTH; 706 headerlen = DTLS1_RT_HEADER_LENGTH;
707 else 707 else
708 headerlen = SSL3_RT_HEADER_LENGTH; 708 headerlen = SSL3_RT_HEADER_LENGTH;
@@ -732,7 +732,7 @@ ssl3_setup_write_buffer(SSL *s)
732 unsigned char *p; 732 unsigned char *p;
733 size_t len, align, headerlen; 733 size_t len, align, headerlen;
734 734
735 if (SSL_IS_DTLS(s)) 735 if (SSL_is_dtls(s))
736 headerlen = DTLS1_RT_HEADER_LENGTH + 1; 736 headerlen = DTLS1_RT_HEADER_LENGTH + 1;
737 else 737 else
738 headerlen = SSL3_RT_HEADER_LENGTH; 738 headerlen = SSL3_RT_HEADER_LENGTH;
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 88b82c4400..4a6e8b06a8 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.75 2020/10/11 02:22:27 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.76 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -212,7 +212,7 @@ ssl3_connect(SSL *s)
212 if (cb != NULL) 212 if (cb != NULL)
213 cb(s, SSL_CB_HANDSHAKE_START, 1); 213 cb(s, SSL_CB_HANDSHAKE_START, 1);
214 214
215 if (SSL_IS_DTLS(s)) { 215 if (SSL_is_dtls(s)) {
216 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { 216 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
217 SSLerror(s, ERR_R_INTERNAL_ERROR); 217 SSLerror(s, ERR_R_INTERNAL_ERROR);
218 ret = -1; 218 ret = -1;
@@ -253,7 +253,7 @@ ssl3_connect(SSL *s)
253 s->ctx->internal->stats.sess_connect++; 253 s->ctx->internal->stats.sess_connect++;
254 s->internal->init_num = 0; 254 s->internal->init_num = 0;
255 255
256 if (SSL_IS_DTLS(s)) { 256 if (SSL_is_dtls(s)) {
257 /* mark client_random uninitialized */ 257 /* mark client_random uninitialized */
258 memset(s->s3->client_random, 0, 258 memset(s->s3->client_random, 0,
259 sizeof(s->s3->client_random)); 259 sizeof(s->s3->client_random));
@@ -266,7 +266,7 @@ ssl3_connect(SSL *s)
266 case SSL3_ST_CW_CLNT_HELLO_B: 266 case SSL3_ST_CW_CLNT_HELLO_B:
267 s->internal->shutdown = 0; 267 s->internal->shutdown = 0;
268 268
269 if (SSL_IS_DTLS(s)) { 269 if (SSL_is_dtls(s)) {
270 /* every DTLS ClientHello resets Finished MAC */ 270 /* every DTLS ClientHello resets Finished MAC */
271 tls1_transcript_reset(s); 271 tls1_transcript_reset(s);
272 272
@@ -277,7 +277,7 @@ ssl3_connect(SSL *s)
277 if (ret <= 0) 277 if (ret <= 0)
278 goto end; 278 goto end;
279 279
280 if (SSL_IS_DTLS(s) && D1I(s)->send_cookie) { 280 if (SSL_is_dtls(s) && D1I(s)->send_cookie) {
281 S3I(s)->hs.state = SSL3_ST_CW_FLUSH; 281 S3I(s)->hs.state = SSL3_ST_CW_FLUSH;
282 S3I(s)->hs.next_state = SSL3_ST_CR_SRVR_HELLO_A; 282 S3I(s)->hs.next_state = SSL3_ST_CR_SRVR_HELLO_A;
283 } else 283 } else
@@ -299,7 +299,7 @@ ssl3_connect(SSL *s)
299 299
300 if (s->internal->hit) { 300 if (s->internal->hit) {
301 S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A; 301 S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A;
302 if (!SSL_IS_DTLS(s)) { 302 if (!SSL_is_dtls(s)) {
303 if (s->internal->tlsext_ticket_expected) { 303 if (s->internal->tlsext_ticket_expected) {
304 /* receive renewed session ticket */ 304 /* receive renewed session ticket */
305 S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; 305 S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
@@ -308,7 +308,7 @@ ssl3_connect(SSL *s)
308 /* No client certificate verification. */ 308 /* No client certificate verification. */
309 tls1_transcript_free(s); 309 tls1_transcript_free(s);
310 } 310 }
311 } else if (SSL_IS_DTLS(s)) { 311 } else if (SSL_is_dtls(s)) {
312 S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 312 S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
313 } else { 313 } else {
314 S3I(s)->hs.state = SSL3_ST_CR_CERT_A; 314 S3I(s)->hs.state = SSL3_ST_CR_CERT_A;
@@ -392,7 +392,7 @@ ssl3_connect(SSL *s)
392 ret = ssl3_get_server_done(s); 392 ret = ssl3_get_server_done(s);
393 if (ret <= 0) 393 if (ret <= 0)
394 goto end; 394 goto end;
395 if (SSL_IS_DTLS(s)) 395 if (SSL_is_dtls(s))
396 dtls1_stop_timer(s); 396 dtls1_stop_timer(s);
397 if (S3I(s)->tmp.cert_req) 397 if (S3I(s)->tmp.cert_req)
398 S3I(s)->hs.state = SSL3_ST_CW_CERT_A; 398 S3I(s)->hs.state = SSL3_ST_CW_CERT_A;
@@ -406,7 +406,7 @@ ssl3_connect(SSL *s)
406 case SSL3_ST_CW_CERT_B: 406 case SSL3_ST_CW_CERT_B:
407 case SSL3_ST_CW_CERT_C: 407 case SSL3_ST_CW_CERT_C:
408 case SSL3_ST_CW_CERT_D: 408 case SSL3_ST_CW_CERT_D:
409 if (SSL_IS_DTLS(s)) 409 if (SSL_is_dtls(s))
410 dtls1_start_timer(s); 410 dtls1_start_timer(s);
411 ret = ssl3_send_client_certificate(s); 411 ret = ssl3_send_client_certificate(s);
412 if (ret <= 0) 412 if (ret <= 0)
@@ -417,7 +417,7 @@ ssl3_connect(SSL *s)
417 417
418 case SSL3_ST_CW_KEY_EXCH_A: 418 case SSL3_ST_CW_KEY_EXCH_A:
419 case SSL3_ST_CW_KEY_EXCH_B: 419 case SSL3_ST_CW_KEY_EXCH_B:
420 if (SSL_IS_DTLS(s)) 420 if (SSL_is_dtls(s))
421 dtls1_start_timer(s); 421 dtls1_start_timer(s);
422 ret = ssl3_send_client_key_exchange(s); 422 ret = ssl3_send_client_key_exchange(s);
423 if (ret <= 0) 423 if (ret <= 0)
@@ -444,7 +444,7 @@ ssl3_connect(SSL *s)
444 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; 444 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A;
445 S3I(s)->change_cipher_spec = 0; 445 S3I(s)->change_cipher_spec = 0;
446 } 446 }
447 if (!SSL_IS_DTLS(s)) { 447 if (!SSL_is_dtls(s)) {
448 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 448 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
449 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A; 449 S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A;
450 S3I(s)->change_cipher_spec = 0; 450 S3I(s)->change_cipher_spec = 0;
@@ -456,7 +456,7 @@ ssl3_connect(SSL *s)
456 456
457 case SSL3_ST_CW_CERT_VRFY_A: 457 case SSL3_ST_CW_CERT_VRFY_A:
458 case SSL3_ST_CW_CERT_VRFY_B: 458 case SSL3_ST_CW_CERT_VRFY_B:
459 if (SSL_IS_DTLS(s)) 459 if (SSL_is_dtls(s))
460 dtls1_start_timer(s); 460 dtls1_start_timer(s);
461 ret = ssl3_send_client_verify(s); 461 ret = ssl3_send_client_verify(s);
462 if (ret <= 0) 462 if (ret <= 0)
@@ -468,7 +468,7 @@ ssl3_connect(SSL *s)
468 468
469 case SSL3_ST_CW_CHANGE_A: 469 case SSL3_ST_CW_CHANGE_A:
470 case SSL3_ST_CW_CHANGE_B: 470 case SSL3_ST_CW_CHANGE_B:
471 if (SSL_IS_DTLS(s) && !s->internal->hit) 471 if (SSL_is_dtls(s) && !s->internal->hit)
472 dtls1_start_timer(s); 472 dtls1_start_timer(s);
473 ret = ssl3_send_change_cipher_spec(s, 473 ret = ssl3_send_change_cipher_spec(s,
474 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); 474 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
@@ -490,21 +490,21 @@ ssl3_connect(SSL *s)
490 goto end; 490 goto end;
491 } 491 }
492 492
493 if (SSL_IS_DTLS(s)) 493 if (SSL_is_dtls(s))
494 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 494 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
495 495
496 break; 496 break;
497 497
498 case SSL3_ST_CW_FINISHED_A: 498 case SSL3_ST_CW_FINISHED_A:
499 case SSL3_ST_CW_FINISHED_B: 499 case SSL3_ST_CW_FINISHED_B:
500 if (SSL_IS_DTLS(s) && !s->internal->hit) 500 if (SSL_is_dtls(s) && !s->internal->hit)
501 dtls1_start_timer(s); 501 dtls1_start_timer(s);
502 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, 502 ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
503 SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST, 503 SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST,
504 TLS_MD_CLIENT_FINISH_CONST_SIZE); 504 TLS_MD_CLIENT_FINISH_CONST_SIZE);
505 if (ret <= 0) 505 if (ret <= 0)
506 goto end; 506 goto end;
507 if (!SSL_IS_DTLS(s)) 507 if (!SSL_is_dtls(s))
508 s->s3->flags |= SSL3_FLAGS_CCS_OK; 508 s->s3->flags |= SSL3_FLAGS_CCS_OK;
509 S3I(s)->hs.state = SSL3_ST_CW_FLUSH; 509 S3I(s)->hs.state = SSL3_ST_CW_FLUSH;
510 510
@@ -543,7 +543,7 @@ ssl3_connect(SSL *s)
543 543
544 case SSL3_ST_CR_FINISHED_A: 544 case SSL3_ST_CR_FINISHED_A:
545 case SSL3_ST_CR_FINISHED_B: 545 case SSL3_ST_CR_FINISHED_B:
546 if (SSL_IS_DTLS(s)) 546 if (SSL_is_dtls(s))
547 D1I(s)->change_cipher_spec_ok = 1; 547 D1I(s)->change_cipher_spec_ok = 1;
548 else 548 else
549 s->s3->flags |= SSL3_FLAGS_CCS_OK; 549 s->s3->flags |= SSL3_FLAGS_CCS_OK;
@@ -551,7 +551,7 @@ ssl3_connect(SSL *s)
551 SSL3_ST_CR_FINISHED_B); 551 SSL3_ST_CR_FINISHED_B);
552 if (ret <= 0) 552 if (ret <= 0)
553 goto end; 553 goto end;
554 if (SSL_IS_DTLS(s)) 554 if (SSL_is_dtls(s))
555 dtls1_stop_timer(s); 555 dtls1_stop_timer(s);
556 556
557 if (s->internal->hit) 557 if (s->internal->hit)
@@ -564,7 +564,7 @@ ssl3_connect(SSL *s)
564 case SSL3_ST_CW_FLUSH: 564 case SSL3_ST_CW_FLUSH:
565 s->internal->rwstate = SSL_WRITING; 565 s->internal->rwstate = SSL_WRITING;
566 if (BIO_flush(s->wbio) <= 0) { 566 if (BIO_flush(s->wbio) <= 0) {
567 if (SSL_IS_DTLS(s)) { 567 if (SSL_is_dtls(s)) {
568 /* If the write error was fatal, stop trying */ 568 /* If the write error was fatal, stop trying */
569 if (!BIO_should_retry(s->wbio)) { 569 if (!BIO_should_retry(s->wbio)) {
570 s->internal->rwstate = SSL_NOTHING; 570 s->internal->rwstate = SSL_NOTHING;
@@ -588,7 +588,7 @@ ssl3_connect(SSL *s)
588 goto end; 588 goto end;
589 } 589 }
590 590
591 if (!SSL_IS_DTLS(s)) 591 if (!SSL_is_dtls(s))
592 ssl3_release_init_buffer(s); 592 ssl3_release_init_buffer(s);
593 593
594 ssl_free_wbio_buffer(s); 594 ssl_free_wbio_buffer(s);
@@ -609,7 +609,7 @@ ssl3_connect(SSL *s)
609 if (cb != NULL) 609 if (cb != NULL)
610 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 610 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
611 611
612 if (SSL_IS_DTLS(s)) { 612 if (SSL_is_dtls(s)) {
613 /* done with handshaking */ 613 /* done with handshaking */
614 D1I(s)->handshake_read_seq = 0; 614 D1I(s)->handshake_read_seq = 0;
615 D1I(s)->next_handshake_write_seq = 0; 615 D1I(s)->next_handshake_write_seq = 0;
@@ -683,7 +683,7 @@ ssl3_send_client_hello(SSL *s)
683 * HelloVerifyRequest, we must retain the original client 683 * HelloVerifyRequest, we must retain the original client
684 * random value. 684 * random value.
685 */ 685 */
686 if (!SSL_IS_DTLS(s) || D1I(s)->send_cookie == 0) 686 if (!SSL_is_dtls(s) || D1I(s)->send_cookie == 0)
687 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 687 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
688 688
689 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello, 689 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
@@ -744,7 +744,7 @@ ssl3_send_client_hello(SSL *s)
744 } 744 }
745 745
746 /* DTLS Cookie. */ 746 /* DTLS Cookie. */
747 if (SSL_IS_DTLS(s)) { 747 if (SSL_is_dtls(s)) {
748 if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) { 748 if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) {
749 SSLerror(s, ERR_R_INTERNAL_ERROR); 749 SSLerror(s, ERR_R_INTERNAL_ERROR);
750 goto err; 750 goto err;
@@ -875,7 +875,7 @@ ssl3_get_server_hello(SSL *s)
875 875
876 CBS_init(&cbs, s->internal->init_msg, n); 876 CBS_init(&cbs, s->internal->init_msg, n);
877 877
878 if (SSL_IS_DTLS(s)) { 878 if (SSL_is_dtls(s)) {
879 if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { 879 if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
880 if (D1I(s)->send_cookie == 0) { 880 if (D1I(s)->send_cookie == 0) {
881 S3I(s)->tmp.reuse_message = 1; 881 S3I(s)->tmp.reuse_message = 1;
@@ -926,7 +926,7 @@ ssl3_get_server_hello(SSL *s)
926 926
927 if (!ssl_downgrade_max_version(s, &max_version)) 927 if (!ssl_downgrade_max_version(s, &max_version))
928 goto err; 928 goto err;
929 if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && 929 if (!SSL_is_dtls(s) && max_version >= TLS1_2_VERSION &&
930 s->version < max_version) { 930 s->version < max_version) {
931 /* 931 /*
932 * RFC 8446 section 4.1.3. We must not downgrade if the server 932 * RFC 8446 section 4.1.3. We must not downgrade if the server
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 399af7c769..d92ccd8029 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.236 2020/10/14 16:49:57 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.237 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1151,7 +1151,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1151 if (larg < (long)dtls1_min_mtu()) 1151 if (larg < (long)dtls1_min_mtu())
1152 return (0); 1152 return (0);
1153#endif 1153#endif
1154 if (SSL_IS_DTLS(s)) { 1154 if (SSL_is_dtls(s)) {
1155 D1I(s)->mtu = larg; 1155 D1I(s)->mtu = larg;
1156 return (larg); 1156 return (larg);
1157 } 1157 }
@@ -1166,7 +1166,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1166 return (S3I(s)->send_connection_binding); 1166 return (S3I(s)->send_connection_binding);
1167 else return (0); 1167 else return (0);
1168 default: 1168 default:
1169 if (SSL_IS_DTLS(s)) 1169 if (SSL_is_dtls(s))
1170 return dtls1_ctrl(s, cmd, larg, parg); 1170 return dtls1_ctrl(s, cmd, larg, parg);
1171 return ssl3_ctrl(s, cmd, larg, parg); 1171 return ssl3_ctrl(s, cmd, larg, parg);
1172 } 1172 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 12838bf294..9c8310b83c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.305 2020/10/14 16:44:15 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.306 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -313,10 +313,6 @@ __BEGIN_HIDDEN_DECLS
313 */ 313 */
314#define SSL_C_PKEYLENGTH(c) 1024 314#define SSL_C_PKEYLENGTH(c) 1024
315 315
316/* Check if an SSL structure is using DTLS. */
317#define SSL_IS_DTLS(s) \
318 (s->method->internal->dtls)
319
320/* See if we use signature algorithms extension. */ 316/* See if we use signature algorithms extension. */
321#define SSL_USE_SIGALGS(s) \ 317#define SSL_USE_SIGALGS(s) \
322 (s->method->internal->enc_flags & SSL_ENC_FLAG_SIGALGS) 318 (s->method->internal->enc_flags & SSL_ENC_FLAG_SIGALGS)
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index d8fb409d81..fc1c3c07de 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_packet.c,v 1.8 2018/11/08 22:28:52 jsing Exp $ */ 1/* $OpenBSD: ssl_packet.c,v 1.9 2020/10/14 16:57:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -238,7 +238,7 @@ ssl_server_legacy_first_packet(SSL *s)
238 const char *data; 238 const char *data;
239 CBS header; 239 CBS header;
240 240
241 if (SSL_IS_DTLS(s)) 241 if (SSL_is_dtls(s))
242 return 1; 242 return 1;
243 243
244 CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); 244 CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH);
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 02a476ea82..4cc1914ecd 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.32 2020/10/03 17:35:16 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.33 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -194,7 +194,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
194 /* For DTLS/UDP reads should not span multiple packets 194 /* For DTLS/UDP reads should not span multiple packets
195 * because the read operation returns the whole packet 195 * because the read operation returns the whole packet
196 * at once (as long as it fits into the buffer). */ 196 * at once (as long as it fits into the buffer). */
197 if (SSL_IS_DTLS(s)) { 197 if (SSL_is_dtls(s)) {
198 if (left > 0 && n > left) 198 if (left > 0 && n > left)
199 n = left; 199 n = left;
200 } 200 }
@@ -254,7 +254,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
254 if (i <= 0) { 254 if (i <= 0) {
255 rb->left = left; 255 rb->left = left;
256 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && 256 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS &&
257 !SSL_IS_DTLS(s)) { 257 !SSL_is_dtls(s)) {
258 if (len + left == 0) 258 if (len + left == 0)
259 ssl3_release_read_buffer(s); 259 ssl3_release_read_buffer(s);
260 } 260 }
@@ -267,7 +267,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
267 * the underlying transport protocol is message oriented as 267 * the underlying transport protocol is message oriented as
268 * opposed to byte oriented as in the TLS case. 268 * opposed to byte oriented as in the TLS case.
269 */ 269 */
270 if (SSL_IS_DTLS(s)) { 270 if (SSL_is_dtls(s)) {
271 if (n > left) 271 if (n > left)
272 n = left; /* makes the while condition false */ 272 n = left; /* makes the while condition false */
273 } 273 }
@@ -655,7 +655,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
655 wb->left = 0; 655 wb->left = 0;
656 wb->offset += i; 656 wb->offset += i;
657 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && 657 if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS &&
658 !SSL_IS_DTLS(s)) 658 !SSL_is_dtls(s))
659 ssl3_release_write_buffer(s); 659 ssl3_release_write_buffer(s);
660 s->internal->rwstate = SSL_NOTHING; 660 s->internal->rwstate = SSL_NOTHING;
661 return (S3I(s)->wpend_ret); 661 return (S3I(s)->wpend_ret);
@@ -664,7 +664,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
664 * For DTLS, just drop it. That's kind of the 664 * For DTLS, just drop it. That's kind of the
665 * whole point in using a datagram service. 665 * whole point in using a datagram service.
666 */ 666 */
667 if (SSL_IS_DTLS(s)) 667 if (SSL_is_dtls(s))
668 wb->left = 0; 668 wb->left = 0;
669 return (i); 669 return (i);
670 } 670 }
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 3b848f4b40..ac3669550c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.87 2020/10/11 02:22:27 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.88 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -186,7 +186,7 @@ ssl3_accept(SSL *s)
186 else if (s->ctx->internal->info_callback != NULL) 186 else if (s->ctx->internal->info_callback != NULL)
187 cb = s->ctx->internal->info_callback; 187 cb = s->ctx->internal->info_callback;
188 188
189 if (SSL_IS_DTLS(s)) 189 if (SSL_is_dtls(s))
190 listen = D1I(s)->listen; 190 listen = D1I(s)->listen;
191 191
192 /* init things to blank */ 192 /* init things to blank */
@@ -194,7 +194,7 @@ ssl3_accept(SSL *s)
194 if (!SSL_in_init(s) || SSL_in_before(s)) 194 if (!SSL_in_init(s) || SSL_in_before(s))
195 SSL_clear(s); 195 SSL_clear(s);
196 196
197 if (SSL_IS_DTLS(s)) 197 if (SSL_is_dtls(s))
198 D1I(s)->listen = listen; 198 D1I(s)->listen = listen;
199 199
200 for (;;) { 200 for (;;) {
@@ -213,7 +213,7 @@ ssl3_accept(SSL *s)
213 if (cb != NULL) 213 if (cb != NULL)
214 cb(s, SSL_CB_HANDSHAKE_START, 1); 214 cb(s, SSL_CB_HANDSHAKE_START, 1);
215 215
216 if (SSL_IS_DTLS(s)) { 216 if (SSL_is_dtls(s)) {
217 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { 217 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
218 SSLerror(s, ERR_R_INTERNAL_ERROR); 218 SSLerror(s, ERR_R_INTERNAL_ERROR);
219 ret = -1; 219 ret = -1;
@@ -257,7 +257,7 @@ ssl3_accept(SSL *s)
257 257
258 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 258 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
259 s->ctx->internal->stats.sess_accept++; 259 s->ctx->internal->stats.sess_accept++;
260 } else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding) { 260 } else if (!SSL_is_dtls(s) && !S3I(s)->send_connection_binding) {
261 /* 261 /*
262 * Server attempting to renegotiate with 262 * Server attempting to renegotiate with
263 * client that doesn't support secure 263 * client that doesn't support secure
@@ -281,14 +281,14 @@ ssl3_accept(SSL *s)
281 case SSL3_ST_SW_HELLO_REQ_A: 281 case SSL3_ST_SW_HELLO_REQ_A:
282 case SSL3_ST_SW_HELLO_REQ_B: 282 case SSL3_ST_SW_HELLO_REQ_B:
283 s->internal->shutdown = 0; 283 s->internal->shutdown = 0;
284 if (SSL_IS_DTLS(s)) { 284 if (SSL_is_dtls(s)) {
285 dtls1_clear_record_buffer(s); 285 dtls1_clear_record_buffer(s);
286 dtls1_start_timer(s); 286 dtls1_start_timer(s);
287 } 287 }
288 ret = ssl3_send_hello_request(s); 288 ret = ssl3_send_hello_request(s);
289 if (ret <= 0) 289 if (ret <= 0)
290 goto end; 290 goto end;
291 if (SSL_IS_DTLS(s)) 291 if (SSL_is_dtls(s))
292 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; 292 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
293 else 293 else
294 S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C; 294 S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C;
@@ -309,7 +309,7 @@ ssl3_accept(SSL *s)
309 case SSL3_ST_SR_CLNT_HELLO_B: 309 case SSL3_ST_SR_CLNT_HELLO_B:
310 case SSL3_ST_SR_CLNT_HELLO_C: 310 case SSL3_ST_SR_CLNT_HELLO_C:
311 s->internal->shutdown = 0; 311 s->internal->shutdown = 0;
312 if (SSL_IS_DTLS(s)) { 312 if (SSL_is_dtls(s)) {
313 ret = ssl3_get_client_hello(s); 313 ret = ssl3_get_client_hello(s);
314 if (ret <= 0) 314 if (ret <= 0)
315 goto end; 315 goto end;
@@ -373,7 +373,7 @@ ssl3_accept(SSL *s)
373 373
374 case SSL3_ST_SW_SRVR_HELLO_A: 374 case SSL3_ST_SW_SRVR_HELLO_A:
375 case SSL3_ST_SW_SRVR_HELLO_B: 375 case SSL3_ST_SW_SRVR_HELLO_B:
376 if (SSL_IS_DTLS(s)) { 376 if (SSL_is_dtls(s)) {
377 s->internal->renegotiate = 2; 377 s->internal->renegotiate = 2;
378 dtls1_start_timer(s); 378 dtls1_start_timer(s);
379 } 379 }
@@ -396,7 +396,7 @@ ssl3_accept(SSL *s)
396 /* Check if it is anon DH or anon ECDH. */ 396 /* Check if it is anon DH or anon ECDH. */
397 if (!(S3I(s)->hs.new_cipher->algorithm_auth & 397 if (!(S3I(s)->hs.new_cipher->algorithm_auth &
398 SSL_aNULL)) { 398 SSL_aNULL)) {
399 if (SSL_IS_DTLS(s)) 399 if (SSL_is_dtls(s))
400 dtls1_start_timer(s); 400 dtls1_start_timer(s);
401 ret = ssl3_send_server_certificate(s); 401 ret = ssl3_send_server_certificate(s);
402 if (ret <= 0) 402 if (ret <= 0)
@@ -425,7 +425,7 @@ ssl3_accept(SSL *s)
425 * public key for key exchange. 425 * public key for key exchange.
426 */ 426 */
427 if (alg_k & (SSL_kDHE|SSL_kECDHE)) { 427 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
428 if (SSL_IS_DTLS(s)) 428 if (SSL_is_dtls(s))
429 dtls1_start_timer(s); 429 dtls1_start_timer(s);
430 ret = ssl3_send_server_key_exchange(s); 430 ret = ssl3_send_server_key_exchange(s);
431 if (ret <= 0) 431 if (ret <= 0)
@@ -467,11 +467,11 @@ ssl3_accept(SSL *s)
467 S3I(s)->tmp.cert_request = 0; 467 S3I(s)->tmp.cert_request = 0;
468 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 468 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
469 469
470 if (!SSL_IS_DTLS(s)) 470 if (!SSL_is_dtls(s))
471 tls1_transcript_free(s); 471 tls1_transcript_free(s);
472 } else { 472 } else {
473 S3I(s)->tmp.cert_request = 1; 473 S3I(s)->tmp.cert_request = 1;
474 if (SSL_IS_DTLS(s)) 474 if (SSL_is_dtls(s))
475 dtls1_start_timer(s); 475 dtls1_start_timer(s);
476 ret = ssl3_send_certificate_request(s); 476 ret = ssl3_send_certificate_request(s);
477 if (ret <= 0) 477 if (ret <= 0)
@@ -483,7 +483,7 @@ ssl3_accept(SSL *s)
483 483
484 case SSL3_ST_SW_SRVR_DONE_A: 484 case SSL3_ST_SW_SRVR_DONE_A:
485 case SSL3_ST_SW_SRVR_DONE_B: 485 case SSL3_ST_SW_SRVR_DONE_B:
486 if (SSL_IS_DTLS(s)) 486 if (SSL_is_dtls(s))
487 dtls1_start_timer(s); 487 dtls1_start_timer(s);
488 ret = ssl3_send_server_done(s); 488 ret = ssl3_send_server_done(s);
489 if (ret <= 0) 489 if (ret <= 0)
@@ -506,7 +506,7 @@ ssl3_accept(SSL *s)
506 */ 506 */
507 s->internal->rwstate = SSL_WRITING; 507 s->internal->rwstate = SSL_WRITING;
508 if (BIO_flush(s->wbio) <= 0) { 508 if (BIO_flush(s->wbio) <= 0) {
509 if (SSL_IS_DTLS(s)) { 509 if (SSL_is_dtls(s)) {
510 /* If the write error was fatal, stop trying. */ 510 /* If the write error was fatal, stop trying. */
511 if (!BIO_should_retry(s->wbio)) { 511 if (!BIO_should_retry(s->wbio)) {
512 s->internal->rwstate = SSL_NOTHING; 512 s->internal->rwstate = SSL_NOTHING;
@@ -537,7 +537,7 @@ ssl3_accept(SSL *s)
537 if (ret <= 0) 537 if (ret <= 0)
538 goto end; 538 goto end;
539 539
540 if (SSL_IS_DTLS(s)) { 540 if (SSL_is_dtls(s)) {
541 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 541 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
542 s->internal->init_num = 0; 542 s->internal->init_num = 0;
543 } 543 }
@@ -587,7 +587,7 @@ ssl3_accept(SSL *s)
587 587
588 case SSL3_ST_SR_CERT_VRFY_A: 588 case SSL3_ST_SR_CERT_VRFY_A:
589 case SSL3_ST_SR_CERT_VRFY_B: 589 case SSL3_ST_SR_CERT_VRFY_B:
590 if (SSL_IS_DTLS(s)) 590 if (SSL_is_dtls(s))
591 D1I(s)->change_cipher_spec_ok = 1; 591 D1I(s)->change_cipher_spec_ok = 1;
592 else 592 else
593 s->s3->flags |= SSL3_FLAGS_CCS_OK; 593 s->s3->flags |= SSL3_FLAGS_CCS_OK;
@@ -602,7 +602,7 @@ ssl3_accept(SSL *s)
602 602
603 case SSL3_ST_SR_FINISHED_A: 603 case SSL3_ST_SR_FINISHED_A:
604 case SSL3_ST_SR_FINISHED_B: 604 case SSL3_ST_SR_FINISHED_B:
605 if (SSL_IS_DTLS(s)) 605 if (SSL_is_dtls(s))
606 D1I(s)->change_cipher_spec_ok = 1; 606 D1I(s)->change_cipher_spec_ok = 1;
607 else 607 else
608 s->s3->flags |= SSL3_FLAGS_CCS_OK; 608 s->s3->flags |= SSL3_FLAGS_CCS_OK;
@@ -610,7 +610,7 @@ ssl3_accept(SSL *s)
610 SSL3_ST_SR_FINISHED_B); 610 SSL3_ST_SR_FINISHED_B);
611 if (ret <= 0) 611 if (ret <= 0)
612 goto end; 612 goto end;
613 if (SSL_IS_DTLS(s)) 613 if (SSL_is_dtls(s))
614 dtls1_stop_timer(s); 614 dtls1_stop_timer(s);
615 if (s->internal->hit) 615 if (s->internal->hit)
616 S3I(s)->hs.state = SSL_ST_OK; 616 S3I(s)->hs.state = SSL_ST_OK;
@@ -660,7 +660,7 @@ ssl3_accept(SSL *s)
660 goto end; 660 goto end;
661 } 661 }
662 662
663 if (SSL_IS_DTLS(s)) 663 if (SSL_is_dtls(s))
664 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 664 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
665 break; 665 break;
666 666
@@ -691,7 +691,7 @@ ssl3_accept(SSL *s)
691 goto end; 691 goto end;
692 } 692 }
693 693
694 if (!SSL_IS_DTLS(s)) 694 if (!SSL_is_dtls(s))
695 ssl3_release_init_buffer(s); 695 ssl3_release_init_buffer(s);
696 696
697 /* remove buffering on output */ 697 /* remove buffering on output */
@@ -716,7 +716,7 @@ ssl3_accept(SSL *s)
716 716
717 ret = 1; 717 ret = 1;
718 718
719 if (SSL_IS_DTLS(s)) { 719 if (SSL_is_dtls(s)) {
720 /* Done handshaking, next message is client hello. */ 720 /* Done handshaking, next message is client hello. */
721 D1I(s)->handshake_read_seq = 0; 721 D1I(s)->handshake_read_seq = 0;
722 /* Next message is server hello. */ 722 /* Next message is server hello. */
@@ -837,7 +837,7 @@ ssl3_get_client_hello(SSL *s)
837 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); 837 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
838 goto f_err; 838 goto f_err;
839 } 839 }
840 if (SSL_IS_DTLS(s)) { 840 if (SSL_is_dtls(s)) {
841 if (!CBS_get_u8_length_prefixed(&cbs, &cookie)) 841 if (!CBS_get_u8_length_prefixed(&cbs, &cookie))
842 goto truncated; 842 goto truncated;
843 } 843 }
@@ -879,7 +879,7 @@ ssl3_get_client_hello(SSL *s)
879 * one, just return since we do not want to allocate any memory yet. 879 * one, just return since we do not want to allocate any memory yet.
880 * So check cookie length... 880 * So check cookie length...
881 */ 881 */
882 if (SSL_IS_DTLS(s)) { 882 if (SSL_is_dtls(s)) {
883 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { 883 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
884 if (CBS_len(&cookie) == 0) 884 if (CBS_len(&cookie) == 0)
885 return (1); 885 return (1);
@@ -928,7 +928,7 @@ ssl3_get_client_hello(SSL *s)
928 } 928 }
929 } 929 }
930 930
931 if (SSL_IS_DTLS(s)) { 931 if (SSL_is_dtls(s)) {
932 /* 932 /*
933 * The ClientHello may contain a cookie even if the HelloVerify 933 * The ClientHello may contain a cookie even if the HelloVerify
934 * message has not been sent - make sure that it does not cause 934 * message has not been sent - make sure that it does not cause
@@ -1045,7 +1045,7 @@ ssl3_get_client_hello(SSL *s)
1045 */ 1045 */
1046 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 1046 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
1047 1047
1048 if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && 1048 if (!SSL_is_dtls(s) && max_version >= TLS1_2_VERSION &&
1049 s->version < max_version) { 1049 s->version < max_version) {
1050 /* 1050 /*
1051 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 1051 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 1767104963..e12820ba62 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_tlsext.c,v 1.84 2020/10/11 01:16:31 guenther Exp $ */ 1/* $OpenBSD: ssl_tlsext.c,v 1.85 2020/10/14 16:57:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -854,7 +854,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
854int 854int
855tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) 855tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
856{ 856{
857 if (SSL_IS_DTLS(s)) 857 if (SSL_is_dtls(s))
858 return 0; 858 return 0;
859 if (msg_type != SSL_TLSEXT_MSG_CH) 859 if (msg_type != SSL_TLSEXT_MSG_CH)
860 return 0; 860 return 0;
@@ -1204,7 +1204,7 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
1204int 1204int
1205tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) 1205tlsext_srtp_client_needs(SSL *s, uint16_t msg_type)
1206{ 1206{
1207 return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; 1207 return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL;
1208} 1208}
1209 1209
1210int 1210int
@@ -1327,7 +1327,7 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1327int 1327int
1328tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) 1328tlsext_srtp_server_needs(SSL *s, uint16_t msg_type)
1329{ 1329{
1330 return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; 1330 return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL;
1331} 1331}
1332 1332
1333int 1333int
@@ -1414,7 +1414,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
1414 /* XXX once this gets initialized when we get tls13_client.c */ 1414 /* XXX once this gets initialized when we get tls13_client.c */
1415 if (S3I(s)->hs_tls13.max_version == 0) 1415 if (S3I(s)->hs_tls13.max_version == 0)
1416 return 0; 1416 return 0;
1417 return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= 1417 return (!SSL_is_dtls(s) && S3I(s)->hs_tls13.max_version >=
1418 TLS1_3_VERSION); 1418 TLS1_3_VERSION);
1419} 1419}
1420 1420
@@ -1490,7 +1490,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1490int 1490int
1491tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) 1491tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type)
1492{ 1492{
1493 if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) 1493 if (SSL_is_dtls(s) || s->version < TLS1_3_VERSION)
1494 return 0; 1494 return 0;
1495 1495
1496 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); 1496 return tlsext_extension_seen(s, TLSEXT_TYPE_key_share);
@@ -1555,7 +1555,7 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1555int 1555int
1556tlsext_versions_client_needs(SSL *s, uint16_t msg_type) 1556tlsext_versions_client_needs(SSL *s, uint16_t msg_type)
1557{ 1557{
1558 if (SSL_IS_DTLS(s)) 1558 if (SSL_is_dtls(s))
1559 return 0; 1559 return 0;
1560 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); 1560 return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION);
1561} 1561}
@@ -1638,7 +1638,7 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1638int 1638int
1639tlsext_versions_server_needs(SSL *s, uint16_t msg_type) 1639tlsext_versions_server_needs(SSL *s, uint16_t msg_type)
1640{ 1640{
1641 return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); 1641 return (!SSL_is_dtls(s) && s->version >= TLS1_3_VERSION);
1642} 1642}
1643 1643
1644int 1644int
@@ -1680,7 +1680,7 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
1680int 1680int
1681tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) 1681tlsext_cookie_client_needs(SSL *s, uint16_t msg_type)
1682{ 1682{
1683 if (SSL_IS_DTLS(s)) 1683 if (SSL_is_dtls(s))
1684 return 0; 1684 return 0;
1685 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1685 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1686 return 0; 1686 return 0;
@@ -1740,7 +1740,7 @@ int
1740tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) 1740tlsext_cookie_server_needs(SSL *s, uint16_t msg_type)
1741{ 1741{
1742 1742
1743 if (SSL_IS_DTLS(s)) 1743 if (SSL_is_dtls(s))
1744 return 0; 1744 return 0;
1745 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) 1745 if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION)
1746 return 0; 1746 return 0;
@@ -2148,7 +2148,7 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert)
2148 CBS_len(&extension_data), 2148 CBS_len(&extension_data),
2149 s->internal->tlsext_debug_arg); 2149 s->internal->tlsext_debug_arg);
2150 2150
2151 if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server && 2151 if (!SSL_is_dtls(s) && version >= TLS1_3_VERSION && is_server &&
2152 msg_type == SSL_TLSEXT_MSG_CH) { 2152 msg_type == SSL_TLSEXT_MSG_CH) {
2153 if (!tlsext_clienthello_hash_extension(s, type, 2153 if (!tlsext_clienthello_hash_extension(s, type,
2154 &extension_data)) 2154 &extension_data))
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index b21fa7198c..99f538b937 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_versions.c,v 1.6 2020/05/31 18:03:32 jsing Exp $ */ 1/* $OpenBSD: ssl_versions.c,v 1.7 2020/10/14 16:57:33 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -137,7 +137,7 @@ ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
137 uint16_t min_version, max_version; 137 uint16_t min_version, max_version;
138 138
139 /* DTLS cannot currently be disabled... */ 139 /* DTLS cannot currently be disabled... */
140 if (SSL_IS_DTLS(s)) { 140 if (SSL_is_dtls(s)) {
141 min_version = max_version = DTLS1_VERSION; 141 min_version = max_version = DTLS1_VERSION;
142 goto done; 142 goto done;
143 } 143 }
@@ -167,7 +167,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
167 167
168 *max_ver = 0; 168 *max_ver = 0;
169 169
170 if (SSL_IS_DTLS(s)) { 170 if (SSL_is_dtls(s)) {
171 if (peer_ver >= DTLS1_VERSION) { 171 if (peer_ver >= DTLS1_VERSION) {
172 *max_ver = DTLS1_VERSION; 172 *max_ver = DTLS1_VERSION;
173 return 1; 173 return 1;
@@ -214,7 +214,7 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
214 * context. 214 * context.
215 */ 215 */
216 216
217 if (SSL_IS_DTLS(s)) { 217 if (SSL_is_dtls(s)) {
218 *max_ver = DTLS1_VERSION; 218 *max_ver = DTLS1_VERSION;
219 return 1; 219 return 1;
220 } 220 }
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index debbf286f6..c5ff2c2435 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.125 2020/10/07 08:43:34 jsing Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.126 2020/10/14 16:57:33 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -342,7 +342,7 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
342 SSL_AEAD_CTX *aead_ctx; 342 SSL_AEAD_CTX *aead_ctx;
343 343
344 /* XXX - Need to avoid clearing write state for DTLS. */ 344 /* XXX - Need to avoid clearing write state for DTLS. */
345 if (SSL_IS_DTLS(s)) 345 if (SSL_is_dtls(s))
346 return 0; 346 return 0;
347 347
348 if (is_read) { 348 if (is_read) {
@@ -447,7 +447,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
447 * contexts that are used for DTLS - these are instead freed 447 * contexts that are used for DTLS - these are instead freed
448 * by DTLS when its frees a ChangeCipherSpec fragment. 448 * by DTLS when its frees a ChangeCipherSpec fragment.
449 */ 449 */
450 if (!SSL_IS_DTLS(s)) 450 if (!SSL_is_dtls(s))
451 ssl_clear_cipher_write_state(s); 451 ssl_clear_cipher_write_state(s);
452 452
453 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 453 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL)
@@ -524,7 +524,7 @@ tls1_change_cipher_state(SSL *s, int which)
524 * Reset sequence number to zero - for DTLS this is handled in 524 * Reset sequence number to zero - for DTLS this is handled in
525 * dtls1_reset_seq_numbers(). 525 * dtls1_reset_seq_numbers().
526 */ 526 */
527 if (!SSL_IS_DTLS(s)) { 527 if (!SSL_is_dtls(s)) {
528 seq = is_read ? S3I(s)->read_sequence : S3I(s)->write_sequence; 528 seq = is_read ? S3I(s)->read_sequence : S3I(s)->write_sequence;
529 memset(seq, 0, SSL3_SEQUENCE_SIZE); 529 memset(seq, 0, SSL3_SEQUENCE_SIZE);
530 } 530 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-16 10:25:25 +0000