From e58fb502ca02fb2bd4f85e5725abd1189d26921c Mon Sep 17 00:00:00 2001
From: miod <>
Date: Thu, 7 Aug 2014 20:02:23 +0000
Subject: Oops, revert changes commited by mistake. The previous commit was
supposed to only apply to s23_srvr.c.
---
src/lib/libssl/d1_both.c | 5 +++--
src/lib/libssl/d1_clnt.c | 8 ++++----
src/lib/libssl/d1_pkt.c | 6 ++----
src/lib/libssl/s3_both.c | 21 ++++++++++++---------
src/lib/libssl/s3_lib.c | 6 ++++--
src/lib/libssl/src/ssl/d1_both.c | 5 +++--
src/lib/libssl/src/ssl/d1_clnt.c | 8 ++++----
src/lib/libssl/src/ssl/d1_pkt.c | 6 ++----
src/lib/libssl/src/ssl/s3_both.c | 21 ++++++++++++---------
src/lib/libssl/src/ssl/s3_enc.c | 6 +++---
src/lib/libssl/src/ssl/s3_lib.c | 6 ++++--
src/lib/libssl/src/ssl/t1_enc.c | 7 +++----
src/lib/libssl/t1_enc.c | 7 +++----
13 files changed, 59 insertions(+), 53 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 2391d52994..aec6e272bf 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.25 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: d1_both.c,v 1.26 2014/08/07 20:02:23 miod Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -903,7 +903,6 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
i = s->method->ssl3_enc->final_finish_mac(s, sender, slen,
s->s3->tmp.finish_md);
- OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
s->s3->tmp.finish_md_len = i;
memcpy(p, s->s3->tmp.finish_md, i);
p += i;
@@ -914,10 +913,12 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
* renegotiation checks
*/
if (s->type == SSL_ST_CONNECT) {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_client_finished,
s->s3->tmp.finish_md, i);
s->s3->previous_client_finished_len = i;
} else {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished,
s->s3->tmp.finish_md, i);
s->s3->previous_server_finished_len = i;
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 165f9441f6..c9ec32173b 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.32 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.33 2014/08/07 20:02:23 miod Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -778,9 +778,8 @@ dtls1_client_hello(SSL *s)
/* if client_random is initialized, reuse it, we are
* required to use same upon reply to HelloVerify */
- for (i = 0; i < sizeof(s->s3->client_random); i++)
- if (p[i] != '\0')
- break;
+ for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
+ ;
if (i == sizeof(s->s3->client_random))
RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
@@ -1339,6 +1338,7 @@ dtls1_send_client_certificate(SSL *s)
/* If we get an error, we need to
* ssl->rwstate=SSL_X509_LOOKUP; return(-1);
* We then get retied later */
+ i = 0;
i = ssl_do_client_cert_cb(s, &x509, &pkey);
if (i < 0) {
s->rwstate = SSL_X509_LOOKUP;
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 5be89f0955..7b0d67bf15 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.33 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.34 2014/08/07 20:02:23 miod Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -414,12 +414,10 @@ dtls1_process_record(SSL *s)
}
i = s->method->ssl3_enc->mac(s, md, 0 /* not send */);
- if (i < 0 || mac == NULL ||
- timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
+ if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
enc_err = -1;
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
enc_err = -1;
- OPENSSL_cleanse(&md, sizeof md);
}
if (enc_err < 0) {
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index afcaca3c43..6ba3d4bfce 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.27 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: s3_both.c,v 1.28 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -161,7 +161,7 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
p = &(d[4]);
i = s->method->ssl3_enc->final_finish_mac(s,
- sender, slen, s->s3->tmp.finish_md);
+ sender, slen, s->s3->tmp.finish_md);
if (i == 0)
return 0;
s->s3->tmp.finish_md_len = i;
@@ -171,14 +171,15 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
/* Copy the finished so we can use it for
renegotiation checks */
- OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
if (s->type == SSL_ST_CONNECT) {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_client_finished,
- s->s3->tmp.finish_md, i);
+ s->s3->tmp.finish_md, i);
s->s3->previous_client_finished_len = i;
} else {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished,
- s->s3->tmp.finish_md, i);
+ s->s3->tmp.finish_md, i);
s->s3->previous_server_finished_len = i;
}
@@ -215,7 +216,7 @@ ssl3_take_mac(SSL *s)
}
s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
- sender, slen, s->s3->tmp.peer_finish_md);
+ sender, slen, s->s3->tmp.peer_finish_md);
}
#endif
@@ -249,7 +250,7 @@ ssl3_get_finished(SSL *s, int a, int b)
p = (unsigned char *)s->init_msg;
i = s->s3->tmp.peer_finish_md_len;
- if (i != n || i > EVP_MAX_MD_SIZE) {
+ if (i != n) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
goto f_err;
@@ -264,12 +265,14 @@ ssl3_get_finished(SSL *s, int a, int b)
/* Copy the finished so we can use it for
renegotiation checks */
if (s->type == SSL_ST_ACCEPT) {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_client_finished,
- s->s3->tmp.peer_finish_md, i);
+ s->s3->tmp.peer_finish_md, i);
s->s3->previous_client_finished_len = i;
} else {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished,
- s->s3->tmp.peer_finish_md, i);
+ s->s3->tmp.peer_finish_md, i);
s->s3->previous_server_finished_len = i;
}
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index aa091f51c7..4631c517cc 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.72 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.73 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2333,7 +2333,7 @@ ssl3_new(SSL *s)
SSL3_STATE *s3;
if ((s3 = calloc(1, sizeof *s3)) == NULL)
- return 0;
+ goto err;
memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));
memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
@@ -2341,6 +2341,8 @@ ssl3_new(SSL *s)
s->method->ssl_clear(s);
return (1);
+err:
+ return (0);
}
void
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index 2391d52994..aec6e272bf 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.25 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: d1_both.c,v 1.26 2014/08/07 20:02:23 miod Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -903,7 +903,6 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
i = s->method->ssl3_enc->final_finish_mac(s, sender, slen,
s->s3->tmp.finish_md);
- OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
s->s3->tmp.finish_md_len = i;
memcpy(p, s->s3->tmp.finish_md, i);
p += i;
@@ -914,10 +913,12 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
* renegotiation checks
*/
if (s->type == SSL_ST_CONNECT) {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_client_finished,
s->s3->tmp.finish_md, i);
s->s3->previous_client_finished_len = i;
} else {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished,
s->s3->tmp.finish_md, i);
s->s3->previous_server_finished_len = i;
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 165f9441f6..c9ec32173b 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.32 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.33 2014/08/07 20:02:23 miod Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -778,9 +778,8 @@ dtls1_client_hello(SSL *s)
/* if client_random is initialized, reuse it, we are
* required to use same upon reply to HelloVerify */
- for (i = 0; i < sizeof(s->s3->client_random); i++)
- if (p[i] != '\0')
- break;
+ for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
+ ;
if (i == sizeof(s->s3->client_random))
RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
@@ -1339,6 +1338,7 @@ dtls1_send_client_certificate(SSL *s)
/* If we get an error, we need to
* ssl->rwstate=SSL_X509_LOOKUP; return(-1);
* We then get retied later */
+ i = 0;
i = ssl_do_client_cert_cb(s, &x509, &pkey);
if (i < 0) {
s->rwstate = SSL_X509_LOOKUP;
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index 5be89f0955..7b0d67bf15 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.33 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.34 2014/08/07 20:02:23 miod Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -414,12 +414,10 @@ dtls1_process_record(SSL *s)
}
i = s->method->ssl3_enc->mac(s, md, 0 /* not send */);
- if (i < 0 || mac == NULL ||
- timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
+ if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0)
enc_err = -1;
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
enc_err = -1;
- OPENSSL_cleanse(&md, sizeof md);
}
if (enc_err < 0) {
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index afcaca3c43..6ba3d4bfce 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.27 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: s3_both.c,v 1.28 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -161,7 +161,7 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
p = &(d[4]);
i = s->method->ssl3_enc->final_finish_mac(s,
- sender, slen, s->s3->tmp.finish_md);
+ sender, slen, s->s3->tmp.finish_md);
if (i == 0)
return 0;
s->s3->tmp.finish_md_len = i;
@@ -171,14 +171,15 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
/* Copy the finished so we can use it for
renegotiation checks */
- OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
if (s->type == SSL_ST_CONNECT) {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_client_finished,
- s->s3->tmp.finish_md, i);
+ s->s3->tmp.finish_md, i);
s->s3->previous_client_finished_len = i;
} else {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished,
- s->s3->tmp.finish_md, i);
+ s->s3->tmp.finish_md, i);
s->s3->previous_server_finished_len = i;
}
@@ -215,7 +216,7 @@ ssl3_take_mac(SSL *s)
}
s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
- sender, slen, s->s3->tmp.peer_finish_md);
+ sender, slen, s->s3->tmp.peer_finish_md);
}
#endif
@@ -249,7 +250,7 @@ ssl3_get_finished(SSL *s, int a, int b)
p = (unsigned char *)s->init_msg;
i = s->s3->tmp.peer_finish_md_len;
- if (i != n || i > EVP_MAX_MD_SIZE) {
+ if (i != n) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
goto f_err;
@@ -264,12 +265,14 @@ ssl3_get_finished(SSL *s, int a, int b)
/* Copy the finished so we can use it for
renegotiation checks */
if (s->type == SSL_ST_ACCEPT) {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_client_finished,
- s->s3->tmp.peer_finish_md, i);
+ s->s3->tmp.peer_finish_md, i);
s->s3->previous_client_finished_len = i;
} else {
+ OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished,
- s->s3->tmp.peer_finish_md, i);
+ s->s3->tmp.peer_finish_md, i);
s->s3->previous_server_finished_len = i;
}
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 913a256f28..f268a2a265 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.53 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.54 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -607,7 +607,7 @@ ssl3_handshake_mac(SSL *s, int md_nid, const char *sender, int len,
if (!EVP_MD_CTX_copy_ex(&ctx, d))
return 0;
n = EVP_MD_CTX_size(&ctx);
- if (n <= 0)
+ if (n < 0)
return 0;
npad = (48 / n) * n;
@@ -655,7 +655,7 @@ n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
}
t = EVP_MD_CTX_size(hash);
- if (t <= 0)
+ if (t < 0)
return -1;
md_size = t;
npad = (48 / md_size) * md_size;
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index aa091f51c7..4631c517cc 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.72 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.73 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2333,7 +2333,7 @@ ssl3_new(SSL *s)
SSL3_STATE *s3;
if ((s3 = calloc(1, sizeof *s3)) == NULL)
- return 0;
+ goto err;
memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));
memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
@@ -2341,6 +2341,8 @@ ssl3_new(SSL *s)
s->method->ssl_clear(s);
return (1);
+err:
+ return (0);
}
void
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index bec8328269..6ad721bd8a 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.68 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.69 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -319,7 +319,7 @@ tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
static int
tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
- unsigned int key_len, const unsigned char *iv, unsigned int iv_len)
+ unsigned key_len, const unsigned char *iv, unsigned iv_len)
{
const EVP_AEAD *aead = s->s3->tmp.new_aead;
SSL_AEAD_CTX *aead_ctx;
@@ -856,7 +856,6 @@ tls1_enc(SSL *s, int send)
rec->length += pad;
}
} else if ((bs != 1) && send) {
- /* XXX divide by zero if bs == 0 (should not happen) */
i = bs - ((int)l % bs);
/* Add weird padding of upto 256 bytes */
@@ -1121,7 +1120,7 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
currentvalpos++;
val[currentvalpos] = contextlen & 0xff;
currentvalpos++;
- if (contextlen != 0 && context != NULL) {
+ if ((contextlen > 0) || (context != NULL)) {
memcpy(val + currentvalpos, context, contextlen);
}
}
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index bec8328269..6ad721bd8a 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.68 2014/08/07 19:46:31 miod Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.69 2014/08/07 20:02:23 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -319,7 +319,7 @@ tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
static int
tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
- unsigned int key_len, const unsigned char *iv, unsigned int iv_len)
+ unsigned key_len, const unsigned char *iv, unsigned iv_len)
{
const EVP_AEAD *aead = s->s3->tmp.new_aead;
SSL_AEAD_CTX *aead_ctx;
@@ -856,7 +856,6 @@ tls1_enc(SSL *s, int send)
rec->length += pad;
}
} else if ((bs != 1) && send) {
- /* XXX divide by zero if bs == 0 (should not happen) */
i = bs - ((int)l % bs);
/* Add weird padding of upto 256 bytes */
@@ -1121,7 +1120,7 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
currentvalpos++;
val[currentvalpos] = contextlen & 0xff;
currentvalpos++;
- if (contextlen != 0 && context != NULL) {
+ if ((contextlen > 0) || (context != NULL)) {
memcpy(val + currentvalpos, context, contextlen);
}
}
--
cgit v1.2.3-55-g6feb