From 95a901d22cb8e548a73bd42d95b1bdf70996f7f2 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 6 Dec 2016 13:38:11 +0000
Subject: Now that ssl3_send_{client,server}_certificate() are using the common
 handshake functions, we can remove more copied code from DTLS.

---
 src/lib/libssl/d1_both.c  | 76 +----------------------------------------------
 src/lib/libssl/d1_clnt.c  | 69 ++----------------------------------------
 src/lib/libssl/d1_srvr.c  | 31 ++-----------------
 src/lib/libssl/ssl_locl.h |  6 +---
 4 files changed, 6 insertions(+), 176 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index bce084f1ee..7f9d5af4ce 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.39 2016/03/06 14:52:15 beck Exp $ */
+/* $OpenBSD: d1_both.c,v 1.40 2016/12/06 13:38:11 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -936,80 +936,6 @@ dtls1_send_change_cipher_spec(SSL *s, int a, int b)
 	return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));
 }
 
-static int
-dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
-{
-	int n;
-	unsigned char *p;
-
-	n = i2d_X509(x, NULL);
-	if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) {
-		SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
-		return 0;
-	}
-	p = (unsigned char *)&(buf->data[*l]);
-	l2n3(n, p);
-	i2d_X509(x, &p);
-	*l += n + 3;
-
-	return 1;
-}
-
-unsigned long
-dtls1_output_cert_chain(SSL *s, X509 *x)
-{
-	unsigned char *p;
-	int i;
-	unsigned long l = 3 + DTLS1_HM_HEADER_LENGTH;
-	BUF_MEM *buf;
-
-	/* TLSv1 sends a chain with nothing in it, instead of an alert */
-	buf = s->init_buf;
-	if (!BUF_MEM_grow_clean(buf, 10)) {
-		SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB);
-		return (0);
-	}
-	if (x != NULL) {
-		X509_STORE_CTX xs_ctx;
-
-		if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,
-		    x, NULL)) {
-			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB);
-			return (0);
-		}
-
-		X509_verify_cert(&xs_ctx);
-		/* Don't leave errors in the queue */
-		ERR_clear_error();
-		for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
-			x = sk_X509_value(xs_ctx.chain, i);
-
-			if (!dtls1_add_cert_to_buf(buf, &l, x)) {
-				X509_STORE_CTX_cleanup(&xs_ctx);
-				return 0;
-			}
-		}
-		X509_STORE_CTX_cleanup(&xs_ctx);
-	}
-	/* Thawte special :-) */
-	for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
-		x = sk_X509_value(s->ctx->extra_certs, i);
-		if (!dtls1_add_cert_to_buf(buf, &l, x))
-			return 0;
-	}
-
-	l -= (3 + DTLS1_HM_HEADER_LENGTH);
-
-	p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
-	l2n3(l, p);
-	l += 3;
-	p = (unsigned char *)&(buf->data[0]);
-	p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l);
-
-	l += DTLS1_HM_HEADER_LENGTH;
-	return (l);
-}
-
 int
 dtls1_read_failed(SSL *s, int code)
 {
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 07ae92f4c9..42e149f864 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.58 2016/11/04 19:11:43 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.59 2016/12/06 13:38:11 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -384,7 +384,7 @@ dtls1_connect(SSL *s)
 		case SSL3_ST_CW_CERT_C:
 		case SSL3_ST_CW_CERT_D:
 			dtls1_start_timer(s);
-			ret = dtls1_send_client_certificate(s);
+			ret = ssl3_send_client_certificate(s);
 			if (ret <= 0)
 				goto end;
 			s->state = SSL3_ST_CW_KEY_EXCH_A;
@@ -657,68 +657,3 @@ f_err:
 	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 	return -1;
 }
-
-int
-dtls1_send_client_certificate(SSL *s)
-{
-	X509 *x509 = NULL;
-	EVP_PKEY *pkey = NULL;
-	int i;
-	unsigned long l;
-
-	if (s->state ==	SSL3_ST_CW_CERT_A) {
-		if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
-		    (s->cert->key->privatekey == NULL))
-			s->state = SSL3_ST_CW_CERT_B;
-		else
-			s->state = SSL3_ST_CW_CERT_C;
-	}
-
-	/* We need to get a client cert */
-	if (s->state == SSL3_ST_CW_CERT_B) {
-		/* If we get an error, we need to
-		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
-		 * We then get retied later */
-		i = 0;
-		i = ssl_do_client_cert_cb(s, &x509, &pkey);
-		if (i < 0) {
-			s->rwstate = SSL_X509_LOOKUP;
-			return (-1);
-		}
-		s->rwstate = SSL_NOTHING;
-		if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
-			s->state = SSL3_ST_CW_CERT_B;
-			if (!SSL_use_certificate(s, x509) ||
-			    !SSL_use_PrivateKey(s, pkey))
-				i = 0;
-		} else if (i == 1) {
-			i = 0;
-			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,
-			    SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
-		}
-
-		X509_free(x509);
-		EVP_PKEY_free(pkey);
-		if (i == 0)
-			s->s3->tmp.cert_req = 2;
-
-		/* Ok, we have a cert */
-		s->state = SSL3_ST_CW_CERT_C;
-	}
-
-	if (s->state == SSL3_ST_CW_CERT_C) {
-		s->state = SSL3_ST_CW_CERT_D;
-		l = dtls1_output_cert_chain(s,
-		    (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
-		s->init_num = (int)l;
-		s->init_off = 0;
-
-		/* set header called by dtls1_output_cert_chain() */
-
-		/* buffer the message to handle re-xmits */
-		dtls1_buffer_message(s, 0);
-	}
-
-	/* SSL3_ST_CW_CERT_D */
-	return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
-}
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 8027e44123..472d0de9dd 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.68 2016/11/04 18:30:21 guenther Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.69 2016/12/06 13:38:11 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -368,7 +368,7 @@ dtls1_accept(SSL *s)
 			if (!(s->s3->tmp.new_cipher->algorithm_auth &
 			    SSL_aNULL)) {
 				dtls1_start_timer(s);
-				ret = dtls1_send_server_certificate(s);
+				ret = ssl3_send_server_certificate(s);
 				if (ret <= 0)
 					goto end;
 				if (s->tlsext_status_expected)
@@ -722,30 +722,3 @@ dtls1_send_hello_verify_request(SSL *s)
 	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
 	return (ssl3_handshake_write(s));
 }
-
-int
-dtls1_send_server_certificate(SSL *s)
-{
-	unsigned long l;
-	X509 *x;
-
-	if (s->state == SSL3_ST_SW_CERT_A) {
-		x = ssl_get_server_send_cert(s);
-		if (x == NULL) {
-			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
-			    ERR_R_INTERNAL_ERROR);
-			return (0);
-		}
-
-		l = dtls1_output_cert_chain(s, x);
-		s->state = SSL3_ST_SW_CERT_B;
-		s->init_num = (int)l;
-		s->init_off = 0;
-
-		/* buffer the message to handle re-xmits */
-		dtls1_buffer_message(s, 0);
-	}
-
-	/* SSL3_ST_SW_CERT_B */
-	return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
-}
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 89fb83eb9a..3de5571985 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.138 2016/12/06 13:17:52 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.139 2016/12/06 13:38:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -715,8 +715,6 @@ int ssl3_check_cert_and_algorithm(SSL *s);
 int ssl3_check_finished(SSL *s);
 int ssl3_send_next_proto(SSL *s);
 
-int dtls1_send_client_certificate(SSL *s);
-
 /* some server-only functions */
 int ssl3_get_client_hello(SSL *s);
 int ssl3_send_server_hello(SSL *s);
@@ -729,8 +727,6 @@ int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
 int ssl3_get_next_proto(SSL *s);
 
-int dtls1_send_server_certificate(SSL *s);
-
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
 int ssl23_read_bytes(SSL *s, int n);
-- 
cgit v1.2.3-55-g6feb