1 files changed, 38 insertions, 32 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index c9447138d5..5a5e17699d 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.77 2017/10/08 16:24:02 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.78 2017/10/08 16:54:28 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -196,7 +196,6 @@ dtls1_connect(SSL *s)
        if (!SSL_in_init(s) || SSL_in_before(s))
                SSL_clear(s);
        for (;;) {
                state = S3I(s)->hs.state;
@@ -215,7 +214,7 @@ dtls1_connect(SSL *s)
                        if (cb != NULL)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
-                        if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {
+                        if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
                                SSLerror(s, ERR_R_INTERNAL_ERROR);
                                ret = -1;
                                goto end;
@@ -249,7 +248,6 @@ dtls1_connect(SSL *s)
                        s->internal->hit = 0;
                        break;
                case SSL3_ST_CW_CLNT_HELLO_A:
                case SSL3_ST_CW_CLNT_HELLO_B:
@@ -285,13 +283,10 @@ dtls1_connect(SSL *s)
                        ret = ssl3_get_server_hello(s);
                        if (ret <= 0)
                                goto end;
-                        else {
+                        if (s->internal->hit)
-                                if (s->internal->hit) {
+                                S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A;
+                        else
-                                        S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A;
+                                S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
-                                } else
-                                        S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
-                        }
                        s->internal->init_num = 0;
                        break;
@@ -323,7 +318,7 @@ dtls1_connect(SSL *s)
                                s->internal->init_num = 0;
                                break;
                        }
-                        /* Check if it is anon DH. */
+                        /* Check if it is anon DH/ECDH. */
                        if (!(S3I(s)->hs.new_cipher->algorithm_auth &
                            SSL_aNULL)) {
                                ret = ssl3_get_server_certificate(s);
@@ -348,8 +343,10 @@ dtls1_connect(SSL *s)
                        S3I(s)->hs.state = SSL3_ST_CR_CERT_REQ_A;
                        s->internal->init_num = 0;
-                        /* at this point we check that we have the
+                        /*
-                         * required stuff from the server */
+                         * At this point we check that we have the
+                         * required stuff from the server.
+                         */
                        if (!ssl3_check_cert_and_algorithm(s)) {
                                ret = -1;
                                goto end;
@@ -372,11 +369,10 @@ dtls1_connect(SSL *s)
                                goto end;
                        dtls1_stop_timer(s);
                        if (S3I(s)->tmp.cert_req)
-                                S3I(s)->hs.next_state = SSL3_ST_CW_CERT_A;
+                                S3I(s)->hs.state = SSL3_ST_CW_CERT_A;
                        else
-                                S3I(s)->hs.next_state = SSL3_ST_CW_KEY_EXCH_A;
+                                S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_A;
                        s->internal->init_num = 0;
-                        S3I(s)->hs.state = S3I(s)->hs.next_state;
                        break;
                case SSL3_ST_CW_CERT_A:
@@ -397,11 +393,22 @@ dtls1_connect(SSL *s)
                        ret = ssl3_send_client_key_exchange(s);
                        if (ret <= 0)
                                goto end;
+                        /*
-                        /* EAY EAY EAY need to check for DH fix cert
+                         * EAY EAY EAY need to check for DH fix cert
-                         * sent back */
+                         * sent back
-                        /* For TLS, cert_req is set to 2, so a cert chain
+                         */
-                         * of nothing is sent, but no verify packet is sent */
+                        /*
+                         * For TLS, cert_req is set to 2, so a cert chain
+                         * of nothing is sent, but no verify packet is sent
+                         */
+                        /*
+                         * XXX: For now, we do not support client
+                         * authentication in ECDH cipher suites with
+                         * ECDH (rather than ECDSA) certificates.
+                         * We need to skip the certificate verify
+                         * message when client's ECDH public key is sent
+                         * inside the client certificate.
+                         */
                        if (S3I(s)->tmp.cert_req == 1) {
                                S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_A;
                        } else {
@@ -447,7 +454,6 @@ dtls1_connect(SSL *s)
                                goto end;
                        }
                        dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
                        break;
@@ -455,25 +461,24 @@ dtls1_connect(SSL *s)
                case SSL3_ST_CW_FINISHED_B:
                        if (!s->internal->hit)
                                dtls1_start_timer(s);
-                        ret = ssl3_send_finished(s,
+                        ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
-                            SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
+                            SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST,
-                            TLS_MD_CLIENT_FINISH_CONST,
                            TLS_MD_CLIENT_FINISH_CONST_SIZE);
                        if (ret <= 0)
                                goto end;
                        S3I(s)->hs.state = SSL3_ST_CW_FLUSH;
                        /* clear flags */
-                        s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
+                        s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
                        if (s->internal->hit) {
                                S3I(s)->hs.next_state = SSL_ST_OK;
-                                if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
+                                if (s->s3->flags &
+                                    SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
                                        S3I(s)->hs.state = SSL_ST_OK;
                                        s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
                                        S3I(s)->delay_buf_pop_ret = 0;
                                }
                        } else {
                                /* Allow NewSessionTicket if ticket expected */
                                if (s->internal->tlsext_ticket_expected)
                                        S3I(s)->hs.next_state =
@@ -517,7 +522,6 @@ dtls1_connect(SSL *s)
                        else
                                S3I(s)->hs.state = SSL_ST_OK;
                        s->internal->init_num = 0;
                        break;
@@ -541,8 +545,10 @@ dtls1_connect(SSL *s)
                        /* clean a few things up */
                        tls1_cleanup_key_block(s);
-                        /* If we are not 'joining' the last two packets,
+                        /*
-                         * remove the buffering now */
+                         * If we are not 'joining' the last two packets,
+                         * remove the buffering now
+                         */
                        if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
                                ssl_free_wbio_buffer(s);
                        /* else do it later in ssl3_write */

diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index c9447138d5..5a5e17699d 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_clnt.c,v 1.77 2017/10/08 16:24:02 jsing Exp $ */	1	/* $OpenBSD: d1_clnt.c,v 1.78 2017/10/08 16:54:28 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -196,7 +196,6 @@ dtls1_connect(SSL *s)
196	if (!SSL_in_init(s) \|\| SSL_in_before(s))	196	if (!SSL_in_init(s) \|\| SSL_in_before(s))
197	SSL_clear(s);	197	SSL_clear(s);
198		198
199
200	for (;;) {	199	for (;;) {
201	state = S3I(s)->hs.state;	200	state = S3I(s)->hs.state;
202		201
@@ -215,7 +214,7 @@ dtls1_connect(SSL *s)
215	if (cb != NULL)	214	if (cb != NULL)
216	cb(s, SSL_CB_HANDSHAKE_START, 1);	215	cb(s, SSL_CB_HANDSHAKE_START, 1);
217		216
218	if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {	217	if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
219	SSLerror(s, ERR_R_INTERNAL_ERROR);	218	SSLerror(s, ERR_R_INTERNAL_ERROR);
220	ret = -1;	219	ret = -1;
221	goto end;	220	goto end;
@@ -249,7 +248,6 @@ dtls1_connect(SSL *s)
249	s->internal->hit = 0;	248	s->internal->hit = 0;
250	break;	249	break;
251		250
252
253	case SSL3_ST_CW_CLNT_HELLO_A:	251	case SSL3_ST_CW_CLNT_HELLO_A:
254	case SSL3_ST_CW_CLNT_HELLO_B:	252	case SSL3_ST_CW_CLNT_HELLO_B:
255		253
@@ -285,13 +283,10 @@ dtls1_connect(SSL *s)
285	ret = ssl3_get_server_hello(s);	283	ret = ssl3_get_server_hello(s);
286	if (ret <= 0)	284	if (ret <= 0)
287	goto end;	285	goto end;
288	else {	286	if (s->internal->hit)
289	if (s->internal->hit) {	287	S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A;
290		288	else
291	S3I(s)->hs.state = SSL3_ST_CR_FINISHED_A;	289	S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
292	} else
293	S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
294	}
295	s->internal->init_num = 0;	290	s->internal->init_num = 0;
296	break;	291	break;
297		292
@@ -323,7 +318,7 @@ dtls1_connect(SSL *s)
323	s->internal->init_num = 0;	318	s->internal->init_num = 0;
324	break;	319	break;
325	}	320	}
326	/* Check if it is anon DH. */	321	/* Check if it is anon DH/ECDH. */
327	if (!(S3I(s)->hs.new_cipher->algorithm_auth &	322	if (!(S3I(s)->hs.new_cipher->algorithm_auth &
328	SSL_aNULL)) {	323	SSL_aNULL)) {
329	ret = ssl3_get_server_certificate(s);	324	ret = ssl3_get_server_certificate(s);
@@ -348,8 +343,10 @@ dtls1_connect(SSL *s)
348	S3I(s)->hs.state = SSL3_ST_CR_CERT_REQ_A;	343	S3I(s)->hs.state = SSL3_ST_CR_CERT_REQ_A;
349	s->internal->init_num = 0;	344	s->internal->init_num = 0;
350		345
351	/* at this point we check that we have the	346	/*
352	* required stuff from the server */	347	* At this point we check that we have the
		348	* required stuff from the server.
		349	*/
353	if (!ssl3_check_cert_and_algorithm(s)) {	350	if (!ssl3_check_cert_and_algorithm(s)) {
354	ret = -1;	351	ret = -1;
355	goto end;	352	goto end;
@@ -372,11 +369,10 @@ dtls1_connect(SSL *s)
372	goto end;	369	goto end;
373	dtls1_stop_timer(s);	370	dtls1_stop_timer(s);
374	if (S3I(s)->tmp.cert_req)	371	if (S3I(s)->tmp.cert_req)
375	S3I(s)->hs.next_state = SSL3_ST_CW_CERT_A;	372	S3I(s)->hs.state = SSL3_ST_CW_CERT_A;
376	else	373	else
377	S3I(s)->hs.next_state = SSL3_ST_CW_KEY_EXCH_A;	374	S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_A;
378	s->internal->init_num = 0;	375	s->internal->init_num = 0;
379	S3I(s)->hs.state = S3I(s)->hs.next_state;
380	break;	376	break;
381		377
382	case SSL3_ST_CW_CERT_A:	378	case SSL3_ST_CW_CERT_A:
@@ -397,11 +393,22 @@ dtls1_connect(SSL *s)
397	ret = ssl3_send_client_key_exchange(s);	393	ret = ssl3_send_client_key_exchange(s);
398	if (ret <= 0)	394	if (ret <= 0)
399	goto end;	395	goto end;
400		396	/*
401	/* EAY EAY EAY need to check for DH fix cert	397	* EAY EAY EAY need to check for DH fix cert
402	* sent back */	398	* sent back
403	/* For TLS, cert_req is set to 2, so a cert chain	399	*/
404	* of nothing is sent, but no verify packet is sent */	400	/*
		401	* For TLS, cert_req is set to 2, so a cert chain
		402	* of nothing is sent, but no verify packet is sent
		403	*/
		404	/*
		405	* XXX: For now, we do not support client
		406	* authentication in ECDH cipher suites with
		407	* ECDH (rather than ECDSA) certificates.
		408	* We need to skip the certificate verify
		409	* message when client's ECDH public key is sent
		410	* inside the client certificate.
		411	*/
405	if (S3I(s)->tmp.cert_req == 1) {	412	if (S3I(s)->tmp.cert_req == 1) {
406	S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_A;	413	S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_A;
407	} else {	414	} else {
@@ -447,7 +454,6 @@ dtls1_connect(SSL *s)
447	goto end;	454	goto end;
448	}	455	}
449		456
450
451	dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);	457	dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
452	break;	458	break;
453		459
@@ -455,25 +461,24 @@ dtls1_connect(SSL *s)
455	case SSL3_ST_CW_FINISHED_B:	461	case SSL3_ST_CW_FINISHED_B:
456	if (!s->internal->hit)	462	if (!s->internal->hit)
457	dtls1_start_timer(s);	463	dtls1_start_timer(s);
458	ret = ssl3_send_finished(s,	464	ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
459	SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,	465	SSL3_ST_CW_FINISHED_B, TLS_MD_CLIENT_FINISH_CONST,
460	TLS_MD_CLIENT_FINISH_CONST,
461	TLS_MD_CLIENT_FINISH_CONST_SIZE);	466	TLS_MD_CLIENT_FINISH_CONST_SIZE);
462	if (ret <= 0)	467	if (ret <= 0)
463	goto end;	468	goto end;
464	S3I(s)->hs.state = SSL3_ST_CW_FLUSH;	469	S3I(s)->hs.state = SSL3_ST_CW_FLUSH;
465		470
466	/* clear flags */	471	/* clear flags */
467	s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;	472	s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
468	if (s->internal->hit) {	473	if (s->internal->hit) {
469	S3I(s)->hs.next_state = SSL_ST_OK;	474	S3I(s)->hs.next_state = SSL_ST_OK;
470	if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {	475	if (s->s3->flags &
		476	SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
471	S3I(s)->hs.state = SSL_ST_OK;	477	S3I(s)->hs.state = SSL_ST_OK;
472	s->s3->flags \|= SSL3_FLAGS_POP_BUFFER;	478	s->s3->flags \|= SSL3_FLAGS_POP_BUFFER;
473	S3I(s)->delay_buf_pop_ret = 0;	479	S3I(s)->delay_buf_pop_ret = 0;
474	}	480	}
475	} else {	481	} else {
476
477	/* Allow NewSessionTicket if ticket expected */	482	/* Allow NewSessionTicket if ticket expected */
478	if (s->internal->tlsext_ticket_expected)	483	if (s->internal->tlsext_ticket_expected)
479	S3I(s)->hs.next_state =	484	S3I(s)->hs.next_state =
@@ -517,7 +522,6 @@ dtls1_connect(SSL *s)
517	else	522	else
518	S3I(s)->hs.state = SSL_ST_OK;	523	S3I(s)->hs.state = SSL_ST_OK;
519		524
520
521	s->internal->init_num = 0;	525	s->internal->init_num = 0;
522	break;	526	break;
523		527
@@ -541,8 +545,10 @@ dtls1_connect(SSL *s)
541	/* clean a few things up */	545	/* clean a few things up */
542	tls1_cleanup_key_block(s);	546	tls1_cleanup_key_block(s);
543		547
544	/* If we are not 'joining' the last two packets,	548	/*
545	* remove the buffering now */	549	* If we are not 'joining' the last two packets,
		550	* remove the buffering now
		551	*/
546	if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))	552	if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
547	ssl_free_wbio_buffer(s);	553	ssl_free_wbio_buffer(s);
548	/* else do it later in ssl3_write */	554	/* else do it later in ssl3_write */