4 files changed, 6 insertions, 176 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index bce084f1ee..7f9d5af4ce 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.39 2016/03/06 14:52:15 beck Exp $ */
+/* $OpenBSD: d1_both.c,v 1.40 2016/12/06 13:38:11 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -936,80 +936,6 @@ dtls1_send_change_cipher_spec(SSL *s, int a, int b)
        return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));
 }
-static int
-dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
-{
-        int n;
-        unsigned char *p;
-        n = i2d_X509(x, NULL);
-        if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) {
-                SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
-                return 0;
-        }
-        p = (unsigned char *)&(buf->data[*l]);
-        l2n3(n, p);
-        i2d_X509(x, &p);
-        *l += n + 3;
-        return 1;
-}
-unsigned long
-dtls1_output_cert_chain(SSL *s, X509 *x)
-{
-        unsigned char *p;
-        int i;
-        unsigned long l = 3 + DTLS1_HM_HEADER_LENGTH;
-        BUF_MEM *buf;
-        /* TLSv1 sends a chain with nothing in it, instead of an alert */
-        buf = s->init_buf;
-        if (!BUF_MEM_grow_clean(buf, 10)) {
-                SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB);
-                return (0);
-        }
-        if (x != NULL) {
-                X509_STORE_CTX xs_ctx;
-                if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,
-                    x, NULL)) {
-                        SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB);
-                        return (0);
-                }
-                X509_verify_cert(&xs_ctx);
-                /* Don't leave errors in the queue */
-                ERR_clear_error();
-                for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
-                        x = sk_X509_value(xs_ctx.chain, i);
-                        if (!dtls1_add_cert_to_buf(buf, &l, x)) {
-                                X509_STORE_CTX_cleanup(&xs_ctx);
-                                return 0;
-                        }
-                }
-                X509_STORE_CTX_cleanup(&xs_ctx);
-        }
-        /* Thawte special :-) */
-        for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
-                x = sk_X509_value(s->ctx->extra_certs, i);
-                if (!dtls1_add_cert_to_buf(buf, &l, x))
-                        return 0;
-        }
-        l -= (3 + DTLS1_HM_HEADER_LENGTH);
-        p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
-        l2n3(l, p);
-        l += 3;
-        p = (unsigned char *)&(buf->data[0]);
-        p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l);
-        l += DTLS1_HM_HEADER_LENGTH;
-        return (l);
-}
 int
 dtls1_read_failed(SSL *s, int code)
 {
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 07ae92f4c9..42e149f864 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.58 2016/11/04 19:11:43 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.59 2016/12/06 13:38:11 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -384,7 +384,7 @@ dtls1_connect(SSL *s)
                case SSL3_ST_CW_CERT_C:
                case SSL3_ST_CW_CERT_D:
                        dtls1_start_timer(s);
-                        ret = dtls1_send_client_certificate(s);
+                        ret = ssl3_send_client_certificate(s);
                        if (ret <= 0)
                                goto end;
                        s->state = SSL3_ST_CW_KEY_EXCH_A;
@@ -657,68 +657,3 @@ f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        return -1;
 }
-int
-dtls1_send_client_certificate(SSL *s)
-{
-        X509 *x509 = NULL;
-        EVP_PKEY *pkey = NULL;
-        int i;
-        unsigned long l;
-        if (s->state == SSL3_ST_CW_CERT_A) {
-                if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
-                    (s->cert->key->privatekey == NULL))
-                        s->state = SSL3_ST_CW_CERT_B;
-                else
-                        s->state = SSL3_ST_CW_CERT_C;
-        }
-        /* We need to get a client cert */
-        if (s->state == SSL3_ST_CW_CERT_B) {
-                /* If we get an error, we need to
-                 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
-                 * We then get retied later */
-                i = 0;
-                i = ssl_do_client_cert_cb(s, &x509, &pkey);
-                if (i < 0) {
-                        s->rwstate = SSL_X509_LOOKUP;
-                        return (-1);
-                }
-                s->rwstate = SSL_NOTHING;
-                if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
-                        s->state = SSL3_ST_CW_CERT_B;
-                        if (!SSL_use_certificate(s, x509) ||
-                            !SSL_use_PrivateKey(s, pkey))
-                                i = 0;
-                } else if (i == 1) {
-                        i = 0;
-                        SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,
-                            SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
-                }
-                X509_free(x509);
-                EVP_PKEY_free(pkey);
-                if (i == 0)
-                        s->s3->tmp.cert_req = 2;
-                /* Ok, we have a cert */
-                s->state = SSL3_ST_CW_CERT_C;
-        }
-        if (s->state == SSL3_ST_CW_CERT_C) {
-                s->state = SSL3_ST_CW_CERT_D;
-                l = dtls1_output_cert_chain(s,
-                    (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
-                s->init_num = (int)l;
-                s->init_off = 0;
-                /* set header called by dtls1_output_cert_chain() */
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
-        }
-        /* SSL3_ST_CW_CERT_D */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
-}
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 8027e44123..472d0de9dd 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.68 2016/11/04 18:30:21 guenther Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.69 2016/12/06 13:38:11 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -368,7 +368,7 @@ dtls1_accept(SSL *s)
                        if (!(s->s3->tmp.new_cipher->algorithm_auth &
                            SSL_aNULL)) {
                                dtls1_start_timer(s);
-                                ret = dtls1_send_server_certificate(s);
+                                ret = ssl3_send_server_certificate(s);
                                if (ret <= 0)
                                        goto end;
                                if (s->tlsext_status_expected)
@@ -722,30 +722,3 @@ dtls1_send_hello_verify_request(SSL *s)
        /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
        return (ssl3_handshake_write(s));
 }
-int
-dtls1_send_server_certificate(SSL *s)
-{
-        unsigned long l;
-        X509 *x;
-        if (s->state == SSL3_ST_SW_CERT_A) {
-                x = ssl_get_server_send_cert(s);
-                if (x == NULL) {
-                        SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
-                            ERR_R_INTERNAL_ERROR);
-                        return (0);
-                }
-                l = dtls1_output_cert_chain(s, x);
-                s->state = SSL3_ST_SW_CERT_B;
-                s->init_num = (int)l;
-                s->init_off = 0;
-                /* buffer the message to handle re-xmits */
-                dtls1_buffer_message(s, 0);
-        }
-        /* SSL3_ST_SW_CERT_B */
-        return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
-}
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 89fb83eb9a..3de5571985 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.138 2016/12/06 13:17:52 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.139 2016/12/06 13:38:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -715,8 +715,6 @@ int ssl3_check_cert_and_algorithm(SSL *s);
 int ssl3_check_finished(SSL *s);
 int ssl3_send_next_proto(SSL *s);
-int dtls1_send_client_certificate(SSL *s);
 /* some server-only functions */
 int ssl3_get_client_hello(SSL *s);
 int ssl3_send_server_hello(SSL *s);
@@ -729,8 +727,6 @@ int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
 int ssl3_get_next_proto(SSL *s);
-int dtls1_send_server_certificate(SSL *s);
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
 int ssl23_read_bytes(SSL *s, int n);

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c index bce084f1ee..7f9d5af4ce 100644 --- a/src/lib/libssl/d1_both.c +++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_both.c,v 1.39 2016/03/06 14:52:15 beck Exp $ */	1	/* $OpenBSD: d1_both.c,v 1.40 2016/12/06 13:38:11 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -936,80 +936,6 @@ dtls1_send_change_cipher_spec(SSL *s, int a, int b)
936	return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));	936	return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));
937	}	937	}
938		938
939	static int
940	dtls1_add_cert_to_buf(BUF_MEM buf, unsigned long l, X509 *x)
941	{
942	int n;
943	unsigned char *p;
944
945	n = i2d_X509(x, NULL);
946	if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) {
947	SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
948	return 0;
949	}
950	p = (unsigned char )&(buf->data[l]);
951	l2n3(n, p);
952	i2d_X509(x, &p);
953	*l += n + 3;
954
955	return 1;
956	}
957
958	unsigned long
959	dtls1_output_cert_chain(SSL s, X509 x)
960	{
961	unsigned char *p;
962	int i;
963	unsigned long l = 3 + DTLS1_HM_HEADER_LENGTH;
964	BUF_MEM *buf;
965
966	/* TLSv1 sends a chain with nothing in it, instead of an alert */
967	buf = s->init_buf;
968	if (!BUF_MEM_grow_clean(buf, 10)) {
969	SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB);
970	return (0);
971	}
972	if (x != NULL) {
973	X509_STORE_CTX xs_ctx;
974
975	if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,
976	x, NULL)) {
977	SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB);
978	return (0);
979	}
980
981	X509_verify_cert(&xs_ctx);
982	/* Don't leave errors in the queue */
983	ERR_clear_error();
984	for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
985	x = sk_X509_value(xs_ctx.chain, i);
986
987	if (!dtls1_add_cert_to_buf(buf, &l, x)) {
988	X509_STORE_CTX_cleanup(&xs_ctx);
989	return 0;
990	}
991	}
992	X509_STORE_CTX_cleanup(&xs_ctx);
993	}
994	/* Thawte special :-) */
995	for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
996	x = sk_X509_value(s->ctx->extra_certs, i);
997	if (!dtls1_add_cert_to_buf(buf, &l, x))
998	return 0;
999	}
1000
1001	l -= (3 + DTLS1_HM_HEADER_LENGTH);
1002
1003	p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
1004	l2n3(l, p);
1005	l += 3;
1006	p = (unsigned char *)&(buf->data[0]);
1007	p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l);
1008
1009	l += DTLS1_HM_HEADER_LENGTH;
1010	return (l);
1011	}
1012
1013	int	939	int
1014	dtls1_read_failed(SSL *s, int code)	940	dtls1_read_failed(SSL *s, int code)
1015	{	941	{


diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 07ae92f4c9..42e149f864 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_clnt.c,v 1.58 2016/11/04 19:11:43 jsing Exp $ */	1	/* $OpenBSD: d1_clnt.c,v 1.59 2016/12/06 13:38:11 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -384,7 +384,7 @@ dtls1_connect(SSL *s)
384	case SSL3_ST_CW_CERT_C:	384	case SSL3_ST_CW_CERT_C:
385	case SSL3_ST_CW_CERT_D:	385	case SSL3_ST_CW_CERT_D:
386	dtls1_start_timer(s);	386	dtls1_start_timer(s);
387	ret = dtls1_send_client_certificate(s);	387	ret = ssl3_send_client_certificate(s);
388	if (ret <= 0)	388	if (ret <= 0)
389	goto end;	389	goto end;
390	s->state = SSL3_ST_CW_KEY_EXCH_A;	390	s->state = SSL3_ST_CW_KEY_EXCH_A;
@@ -657,68 +657,3 @@ f_err:
657	ssl3_send_alert(s, SSL3_AL_FATAL, al);	657	ssl3_send_alert(s, SSL3_AL_FATAL, al);
658	return -1;	658	return -1;
659	}	659	}
660
661	int
662	dtls1_send_client_certificate(SSL *s)
663	{
664	X509 *x509 = NULL;
665	EVP_PKEY *pkey = NULL;
666	int i;
667	unsigned long l;
668
669	if (s->state == SSL3_ST_CW_CERT_A) {
670	if ((s->cert == NULL) \|\| (s->cert->key->x509 == NULL) \|\|
671	(s->cert->key->privatekey == NULL))
672	s->state = SSL3_ST_CW_CERT_B;
673	else
674	s->state = SSL3_ST_CW_CERT_C;
675	}
676
677	/* We need to get a client cert */
678	if (s->state == SSL3_ST_CW_CERT_B) {
679	/* If we get an error, we need to
680	* ssl->rwstate=SSL_X509_LOOKUP; return(-1);
681	* We then get retied later */
682	i = 0;
683	i = ssl_do_client_cert_cb(s, &x509, &pkey);
684	if (i < 0) {
685	s->rwstate = SSL_X509_LOOKUP;
686	return (-1);
687	}
688	s->rwstate = SSL_NOTHING;
689	if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
690	s->state = SSL3_ST_CW_CERT_B;
691	if (!SSL_use_certificate(s, x509) \|\|
692	!SSL_use_PrivateKey(s, pkey))
693	i = 0;
694	} else if (i == 1) {
695	i = 0;
696	SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,
697	SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
698	}
699
700	X509_free(x509);
701	EVP_PKEY_free(pkey);
702	if (i == 0)
703	s->s3->tmp.cert_req = 2;
704
705	/* Ok, we have a cert */
706	s->state = SSL3_ST_CW_CERT_C;
707	}
708
709	if (s->state == SSL3_ST_CW_CERT_C) {
710	s->state = SSL3_ST_CW_CERT_D;
711	l = dtls1_output_cert_chain(s,
712	(s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
713	s->init_num = (int)l;
714	s->init_off = 0;
715
716	/* set header called by dtls1_output_cert_chain() */
717
718	/* buffer the message to handle re-xmits */
719	dtls1_buffer_message(s, 0);
720	}
721
722	/* SSL3_ST_CW_CERT_D */
723	return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
724	}


diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 8027e44123..472d0de9dd 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_srvr.c,v 1.68 2016/11/04 18:30:21 guenther Exp $ */	1	/* $OpenBSD: d1_srvr.c,v 1.69 2016/12/06 13:38:11 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -368,7 +368,7 @@ dtls1_accept(SSL *s)
368	if (!(s->s3->tmp.new_cipher->algorithm_auth &	368	if (!(s->s3->tmp.new_cipher->algorithm_auth &
369	SSL_aNULL)) {	369	SSL_aNULL)) {
370	dtls1_start_timer(s);	370	dtls1_start_timer(s);
371	ret = dtls1_send_server_certificate(s);	371	ret = ssl3_send_server_certificate(s);
372	if (ret <= 0)	372	if (ret <= 0)
373	goto end;	373	goto end;
374	if (s->tlsext_status_expected)	374	if (s->tlsext_status_expected)
@@ -722,30 +722,3 @@ dtls1_send_hello_verify_request(SSL *s)
722	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */	722	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
723	return (ssl3_handshake_write(s));	723	return (ssl3_handshake_write(s));
724	}	724	}
725
726	int
727	dtls1_send_server_certificate(SSL *s)
728	{
729	unsigned long l;
730	X509 *x;
731
732	if (s->state == SSL3_ST_SW_CERT_A) {
733	x = ssl_get_server_send_cert(s);
734	if (x == NULL) {
735	SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
736	ERR_R_INTERNAL_ERROR);
737	return (0);
738	}
739
740	l = dtls1_output_cert_chain(s, x);
741	s->state = SSL3_ST_SW_CERT_B;
742	s->init_num = (int)l;
743	s->init_off = 0;
744
745	/* buffer the message to handle re-xmits */
746	dtls1_buffer_message(s, 0);
747	}
748
749	/* SSL3_ST_SW_CERT_B */
750	return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
751	}


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 89fb83eb9a..3de5571985 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.138 2016/12/06 13:17:52 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.139 2016/12/06 13:38:11 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -715,8 +715,6 @@ int ssl3_check_cert_and_algorithm(SSL *s);
715	int ssl3_check_finished(SSL *s);	715	int ssl3_check_finished(SSL *s);
716	int ssl3_send_next_proto(SSL *s);	716	int ssl3_send_next_proto(SSL *s);
717		717
718	int dtls1_send_client_certificate(SSL *s);
719
720	/* some server-only functions */	718	/* some server-only functions */
721	int ssl3_get_client_hello(SSL *s);	719	int ssl3_get_client_hello(SSL *s);
722	int ssl3_send_server_hello(SSL *s);	720	int ssl3_send_server_hello(SSL *s);
@@ -729,8 +727,6 @@ int ssl3_get_client_key_exchange(SSL *s);
729	int ssl3_get_cert_verify(SSL *s);	727	int ssl3_get_cert_verify(SSL *s);
730	int ssl3_get_next_proto(SSL *s);	728	int ssl3_get_next_proto(SSL *s);
731		729
732	int dtls1_send_server_certificate(SSL *s);
733
734	int ssl23_accept(SSL *s);	730	int ssl23_accept(SSL *s);
735	int ssl23_connect(SSL *s);	731	int ssl23_connect(SSL *s);
736	int ssl23_read_bytes(SSL *s, int n);	732	int ssl23_read_bytes(SSL *s, int n);