Use each once in s3_srvr.c to show how they work.

Also fix a bug introduced in c3fc7eea
and made apparent by this change:
ssl3_get_next_proto wasn't updating next_proto_negotiated_len
Reviewed-by: NMatt Caswell <matt@openssl.org>

Process the ServerKeyExchange message using the PACKET API
Reviewed-by: NTim Hudson <tjh@openssl.org>

Process ServerHello messages using the PACKET API
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

PR#4009.
Reviewed-by: NRich Salz <rsalz@openssl.org>

After openssl_zalloc, cleanup more "set to 0/NULL" assignments.
Many are from github feedback.
Reviewed-by: NTim Hudson <tjh@openssl.org>

There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>

Fix the setup of DTLS1.2 buffers to take account of the Header
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Use sizeof instead of an explicit size, and use the functions for the
purpose.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Rewrite ssl3_get_client_hello to use the new methods.
Reviewed-by: NMatt Caswell <matt@openssl.org>

If the client challenge is less than 32 bytes, it is padded with leading - not trailing - zero bytes.
Reviewed-by: NMatt Caswell <matt@openssl.org>

The PACKET should hold a 'const unsigned char*' underneath as well
but the legacy code passes the record buffer around as 'unsigned char*'
(to callbacks, too) so that's a bigger refactor.
Reviewed-by: NMatt Caswell <matt@openssl.org>

A DTLS client will abort a handshake if the server attempts to renew the
session ticket. This is caused by a state machine discrepancy between DTLS
and TLS discovered during the state machine rewrite work.

The bug can be demonstrated as follows:

Start a DTLS s_server instance:
openssl s_server -dtls

Start a client and obtain a session but no ticket:
openssl s_client -dtls -sess_out session.pem -no_ticket

Now start a client reusing the session, but allow a ticket:
openssl s_client -dtls -sess_in session.pem

The client will abort the handshake.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Process CertificateRequest messages using the PACKET API
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Use the new PACKET code to process the CKE message
Reviewed-by: NStephen Henson <steve@openssl.org>

Process NewSessionTicket messages using the new PACKET API
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Commit 9ceb2426 (PACKETise ClientHello) broke session tickets by failing
to detect the session ticket extension in an incoming ClientHello. This
commit fixes the bug.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Process the Certificate Status message using the PACKET API
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Enhance the PACKET code readability, and fix a stale comment. Thanks
to Ben Kaduk (bkaduk@akamai.com) for pointing this out.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

The new ClientHello PACKET code is missing a return value check.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Use the PACKET API to process an incoming server Certificate message.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

This was obsolete in 2001.  This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.
Reviewed-by: NMatt Caswell <matt@openssl.org>

When config'd with "sctp" running "make test" causes a seg fault. This is
actually due to the way ssltest works - it dives under the covers and frees
up BIOs manually and so some BIOs are NULL when the SCTP code does not
expect it. The simplest fix is just to add some sanity checks to make sure
the BIOs aren't NULL before we use them.

This problem occurs in master and 1.0.2. The fix has also been applied to
1.0.1 to keep the code in sync.
Reviewed-by: NTim Hudson <tjh@openssl.org>

There are some missing return value checks in the SCTP code. In master this
was causing a compilation failure when config'd with
"--strict-warnings sctp".
Reviewed-by: NTim Hudson <tjh@openssl.org>

If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commits adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246)

The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.

CVE-2015-1794
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

make errors wants things in a different order to the way things are
currently defined in the header files. The easiest fix is to just let it
reorder it.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Especially since after the #ifdef cleanups this is not useful.
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

--strict-warnings started showing warnings for this today...

Surely an error should be raised if these reads fail?
Reviewed-by: NTim Hudson <tjh@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Change NextProto message processing to use the PACKET API.
Reviewed-by: NStephen Henson <steve@openssl.org>

Modify CertificateVerify processing to use the new PACKET API.
Reviewed-by: NStephen Henson <steve@openssl.org>

Use the PACKET API for processing ClientCertificate messages
Reviewed-by: NTim Hudson <tjh@openssl.org>

Some of the PACKET functions were returning incorrect data. An unfortunate
choice of test data in the unit test was masking the failure.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The move of CCS into the state machine was causing make errors to fail. This
fixes it.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The move of CCS into the state machine introduced a bug in ssl3_read_bytes.
The value of |recvd_type| was not being set if we are satisfying the request
from handshake fragment storage. This can occur, for example, with
renegotiation and causes the handshake to fail.
Reviewed-by: NTim Hudson <tjh@openssl.org>