Convert ssl3_send_certificate_request() to CBB.

ok beck@ doug@
author: jsing <> 2017-08-11 17:54:41 +0000
committer: jsing <> 2017-08-11 17:54:41 +0000
commit: c816ff36b369b883cb09c054723a64703a1f1400 (patch)
tree: 2c2648ba9c07f01384b0dc564ffd3f43c5a4c0aa
parent: e6b0fa6981ed471d488e3006530b34afa02e618e (diff)
download: openbsd-c816ff36b369b883cb09c054723a64703a1f1400.tar.gz
openbsd-c816ff36b369b883cb09c054723a64703a1f1400.tar.bz2
openbsd-c816ff36b369b883cb09c054723a64703a1f1400.zip
3 files changed, 73 insertions, 63 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index abebaa0fc4..ad627d10d8 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.155 2017/08/10 17:18:38 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2438,36 +2438,45 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 }
 int
-ssl3_get_req_cert_type(SSL *s, unsigned char *p)
+ssl3_get_req_cert_types(SSL *s, CBB *cbb)
 {
-        int             ret = 0;
+        unsigned long alg_k;
-        unsigned long   alg_k;
        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
 #ifndef OPENSSL_NO_GOST
-        if ((alg_k & SSL_kGOST)) {
+        if ((alg_k & SSL_kGOST) != 0) {
-                p[ret++] = TLS_CT_GOST94_SIGN;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
-                p[ret++] = TLS_CT_GOST01_SIGN;
+                        return 0;
-                p[ret++] = TLS_CT_GOST12_256_SIGN;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
-                p[ret++] = TLS_CT_GOST12_512_SIGN;
+                        return 0;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
+                        return 0;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
+                        return 0;
        }
 #endif
-        if (alg_k & SSL_kDHE) {
+        if ((alg_k & SSL_kDHE) != 0) {
-                p[ret++] = SSL3_CT_RSA_FIXED_DH;
+                if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
-                p[ret++] = SSL3_CT_DSS_FIXED_DH;
+                        return 0;
+                if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
+                        return 0;
        }
-        p[ret++] = SSL3_CT_RSA_SIGN;
-        p[ret++] = SSL3_CT_DSS_SIGN;
+        if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
+                return 0;
+        if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
+                return 0;
        /*
         * ECDSA certs can be used with RSA cipher suites as well
         * so we don't need to check for SSL_kECDH or SSL_kECDHE.
         */
-        p[ret++] = TLS_CT_ECDSA_SIGN;
+        if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
+                return 0;
-        return (ret);
+        return 1;
 }
 int
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index c11c5899e3..84bb6879b0 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.185 2017/08/11 05:06:34 doug Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.186 2017/08/11 17:54:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1138,7 +1138,7 @@ int ssl3_get_finished(SSL *s, int state_a, int state_b);
 int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
 int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
-int ssl3_get_req_cert_type(SSL *s, unsigned char *p);
+int ssl3_get_req_cert_types(SSL *s, CBB *cbb);
 long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
 int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen);
 int ssl3_num_ciphers(void);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 575621a0ce..e370b7571c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.18 2017/08/10 17:18:38 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1573,69 +1573,70 @@ ssl3_send_server_key_exchange(SSL *s)
 int
 ssl3_send_certificate_request(SSL *s)
 {
-        unsigned char *p, *d;
+        CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
-        int i, j, nl, off, n;
        STACK_OF(X509_NAME) *sk = NULL;
        X509_NAME *name;
-        BUF_MEM *buf;
+        int i;
-        if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {
+        /*
-                buf = s->internal->init_buf;
+         * Certificate Request - RFC 5246 section 7.4.4.
+         */
-                d = p = ssl3_handshake_msg_start(s,
+        memset(&cbb, 0, sizeof(cbb));
-                    SSL3_MT_CERTIFICATE_REQUEST);
-                /* get the list of acceptable cert types */
+        if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {
-                p++;
+                if (!ssl3_handshake_msg_start_cbb(s, &cbb, &cert_request,
-                n = ssl3_get_req_cert_type(s, p);
+                    SSL3_MT_CERTIFICATE_REQUEST))
-                d[0] = n;
+                        goto err;
-                p += n;
-                n++;
+                if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
+                        goto err;
+                if (!ssl3_get_req_cert_types(s, &cert_types))
+                        goto err;
                if (SSL_USE_SIGALGS(s)) {
-                        nl = tls12_get_req_sig_algs(s, p + 2);
+                        unsigned char *sigalgs_data;
-                        s2n(nl, p);
+                        size_t sigalgs_len;
-                        p += nl + 2;
-                        n += nl + 2;
+                        sigalgs_len = tls12_get_req_sig_algs(s, NULL);
+                        if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
+                                goto err;
+                        if (!CBB_add_space(&sigalgs, &sigalgs_data, sigalgs_len))
+                                goto err;
+                        tls12_get_req_sig_algs(s, sigalgs_data);
                }
-                off = n;
+                if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
-                p += 2;
+                        goto err;
-                n += 2;
                sk = SSL_get_client_CA_list(s);
-                nl = 0;
+                for (i = 0; i < sk_X509_NAME_num(sk); i++) {
-                if (sk != NULL) {
+                        unsigned char *name_data;
-                        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+                        size_t name_len;
-                                name = sk_X509_NAME_value(sk, i);
-                                j = i2d_X509_NAME(name, NULL);
+                        name = sk_X509_NAME_value(sk, i);
-                                if (!BUF_MEM_grow_clean(buf,
+                        name_len = i2d_X509_NAME(name, NULL);
-                                    ssl3_handshake_msg_hdr_len(s) + n + j
-                                    + 2)) {
+                        if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
-                                        SSLerror(s, ERR_R_BUF_LIB);
+                                goto err;
-                                        goto err;
+                        if (!CBB_add_space(&dn, &name_data, name_len))
-                                }
+                                goto err;
-                                p = ssl3_handshake_msg_start(s,
+                        if (i2d_X509_NAME(name, &name_data) != name_len)
-                                    SSL3_MT_CERTIFICATE_REQUEST) + n;
+                                goto err;
-                                s2n(j, p);
-                                i2d_X509_NAME(name, &p);
-                                n += 2 + j;
-                                nl += 2 + j;
-                        }
                }
-                /* else no CA names */
-                p = ssl3_handshake_msg_start(s,
-                    SSL3_MT_CERTIFICATE_REQUEST) + off;
-                s2n(nl, p);
-                ssl3_handshake_msg_finish(s, n);
+                if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
+                        goto err;
                S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B;
        }
        /* SSL3_ST_SW_CERT_REQ_B */
        return (ssl3_handshake_write(s));
-err:
+ err:
+        CBB_cleanup(&cbb);
        return (-1);
 }
author	jsing <>	2017-08-11 17:54:41 +0000
committer	jsing <>	2017-08-11 17:54:41 +0000
commit	c816ff36b369b883cb09c054723a64703a1f1400 (patch)
tree	2c2648ba9c07f01384b0dc564ffd3f43c5a4c0aa
parent	e6b0fa6981ed471d488e3006530b34afa02e618e (diff)
download	openbsd-c816ff36b369b883cb09c054723a64703a1f1400.tar.gz openbsd-c816ff36b369b883cb09c054723a64703a1f1400.tar.bz2 openbsd-c816ff36b369b883cb09c054723a64703a1f1400.zip

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index abebaa0fc4..ad627d10d8 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.155 2017/08/10 17:18:38 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2438,36 +2438,45 @@ ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) clnt,
2438	}	2438	}
2439		2439
2440	int	2440	int
2441	ssl3_get_req_cert_type(SSL s, unsigned char p)	2441	ssl3_get_req_cert_types(SSL s, CBB cbb)
2442	{	2442	{
2443	int ret = 0;	2443	unsigned long alg_k;
2444	unsigned long alg_k;
2445		2444
2446	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;	2445	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2447		2446
2448	#ifndef OPENSSL_NO_GOST	2447	#ifndef OPENSSL_NO_GOST
2449	if ((alg_k & SSL_kGOST)) {	2448	if ((alg_k & SSL_kGOST) != 0) {
2450	p[ret++] = TLS_CT_GOST94_SIGN;	2449	if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
2451	p[ret++] = TLS_CT_GOST01_SIGN;	2450	return 0;
2452	p[ret++] = TLS_CT_GOST12_256_SIGN;	2451	if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2453	p[ret++] = TLS_CT_GOST12_512_SIGN;	2452	return 0;
		2453	if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
		2454	return 0;
		2455	if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
		2456	return 0;
2454	}	2457	}
2455	#endif	2458	#endif
2456		2459
2457	if (alg_k & SSL_kDHE) {	2460	if ((alg_k & SSL_kDHE) != 0) {
2458	p[ret++] = SSL3_CT_RSA_FIXED_DH;	2461	if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2459	p[ret++] = SSL3_CT_DSS_FIXED_DH;	2462	return 0;
		2463	if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
		2464	return 0;
2460	}	2465	}
2461	p[ret++] = SSL3_CT_RSA_SIGN;	2466
2462	p[ret++] = SSL3_CT_DSS_SIGN;	2467	if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
		2468	return 0;
		2469	if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
		2470	return 0;
2463		2471
2464	/*	2472	/*
2465	* ECDSA certs can be used with RSA cipher suites as well	2473	* ECDSA certs can be used with RSA cipher suites as well
2466	* so we don't need to check for SSL_kECDH or SSL_kECDHE.	2474	* so we don't need to check for SSL_kECDH or SSL_kECDHE.
2467	*/	2475	*/
2468	p[ret++] = TLS_CT_ECDSA_SIGN;	2476	if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
		2477	return 0;
2469		2478
2470	return (ret);	2479	return 1;
2471	}	2480	}
2472		2481
2473	int	2482	int


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index c11c5899e3..84bb6879b0 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.185 2017/08/11 05:06:34 doug Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.186 2017/08/11 17:54:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1138,7 +1138,7 @@ int ssl3_get_finished(SSL *s, int state_a, int state_b);
1138	int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);	1138	int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
1139	int ssl3_do_write(SSL *s, int type);	1139	int ssl3_do_write(SSL *s, int type);
1140	int ssl3_send_alert(SSL *s, int level, int desc);	1140	int ssl3_send_alert(SSL *s, int level, int desc);
1141	int ssl3_get_req_cert_type(SSL s, unsigned char p);	1141	int ssl3_get_req_cert_types(SSL s, CBB cbb);
1142	long ssl3_get_message(SSL s, int st1, int stn, int mt, long max, int ok);	1142	long ssl3_get_message(SSL s, int st1, int stn, int mt, long max, int ok);
1143	int ssl3_send_finished(SSL s, int a, int b, const char sender, int slen);	1143	int ssl3_send_finished(SSL s, int a, int b, const char sender, int slen);
1144	int ssl3_num_ciphers(void);	1144	int ssl3_num_ciphers(void);


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 575621a0ce..e370b7571c 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.18 2017/08/10 17:18:38 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1573,69 +1573,70 @@ ssl3_send_server_key_exchange(SSL *s)
1573	int	1573	int
1574	ssl3_send_certificate_request(SSL *s)	1574	ssl3_send_certificate_request(SSL *s)
1575	{	1575	{
1576	unsigned char p, d;	1576	CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
1577	int i, j, nl, off, n;
1578	STACK_OF(X509_NAME) *sk = NULL;	1577	STACK_OF(X509_NAME) *sk = NULL;
1579	X509_NAME *name;	1578	X509_NAME *name;
1580	BUF_MEM *buf;	1579	int i;
1581		1580
1582	if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {	1581	/*
1583	buf = s->internal->init_buf;	1582	* Certificate Request - RFC 5246 section 7.4.4.
		1583	*/
1584		1584
1585	d = p = ssl3_handshake_msg_start(s,	1585	memset(&cbb, 0, sizeof(cbb));
1586	SSL3_MT_CERTIFICATE_REQUEST);
1587		1586
1588	/* get the list of acceptable cert types */	1587	if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {
1589	p++;	1588	if (!ssl3_handshake_msg_start_cbb(s, &cbb, &cert_request,
1590	n = ssl3_get_req_cert_type(s, p);	1589	SSL3_MT_CERTIFICATE_REQUEST))
1591	d[0] = n;	1590	goto err;
1592	p += n;	1591
1593	n++;	1592	if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
		1593	goto err;
		1594	if (!ssl3_get_req_cert_types(s, &cert_types))
		1595	goto err;
1594		1596
1595	if (SSL_USE_SIGALGS(s)) {	1597	if (SSL_USE_SIGALGS(s)) {
1596	nl = tls12_get_req_sig_algs(s, p + 2);	1598	unsigned char *sigalgs_data;
1597	s2n(nl, p);	1599	size_t sigalgs_len;
1598	p += nl + 2;	1600
1599	n += nl + 2;	1601	sigalgs_len = tls12_get_req_sig_algs(s, NULL);
		1602	if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
		1603	goto err;
		1604	if (!CBB_add_space(&sigalgs, &sigalgs_data, sigalgs_len))
		1605	goto err;
		1606	tls12_get_req_sig_algs(s, sigalgs_data);
1600	}	1607	}
1601		1608
1602	off = n;	1609	if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
1603	p += 2;	1610	goto err;
1604	n += 2;
1605		1611
1606	sk = SSL_get_client_CA_list(s);	1612	sk = SSL_get_client_CA_list(s);
1607	nl = 0;	1613	for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1608	if (sk != NULL) {	1614	unsigned char *name_data;
1609	for (i = 0; i < sk_X509_NAME_num(sk); i++) {	1615	size_t name_len;
1610	name = sk_X509_NAME_value(sk, i);	1616
1611	j = i2d_X509_NAME(name, NULL);	1617	name = sk_X509_NAME_value(sk, i);
1612	if (!BUF_MEM_grow_clean(buf,	1618	name_len = i2d_X509_NAME(name, NULL);
1613	ssl3_handshake_msg_hdr_len(s) + n + j	1619
1614	+ 2)) {	1620	if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
1615	SSLerror(s, ERR_R_BUF_LIB);	1621	goto err;
1616	goto err;	1622	if (!CBB_add_space(&dn, &name_data, name_len))
1617	}	1623	goto err;
1618	p = ssl3_handshake_msg_start(s,	1624	if (i2d_X509_NAME(name, &name_data) != name_len)
1619	SSL3_MT_CERTIFICATE_REQUEST) + n;	1625	goto err;
1620	s2n(j, p);
1621	i2d_X509_NAME(name, &p);
1622	n += 2 + j;
1623	nl += 2 + j;
1624	}
1625	}	1626	}
1626	/* else no CA names */
1627	p = ssl3_handshake_msg_start(s,
1628	SSL3_MT_CERTIFICATE_REQUEST) + off;
1629	s2n(nl, p);
1630		1627
1631	ssl3_handshake_msg_finish(s, n);	1628	if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
		1629	goto err;
1632		1630
1633	S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B;	1631	S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B;
1634	}	1632	}
1635		1633
1636	/* SSL3_ST_SW_CERT_REQ_B */	1634	/* SSL3_ST_SW_CERT_REQ_B */
1637	return (ssl3_handshake_write(s));	1635	return (ssl3_handshake_write(s));
1638	err:	1636
		1637	err:
		1638	CBB_cleanup(&cbb);
		1639
1639	return (-1);	1640	return (-1);
1640	}	1641	}
1641		1642