Convert ssl3_get_cert_status to CBS.

ok miod@ jsing@
author: doug <> 2015-07-14 03:33:16 +0000
committer: doug <> 2015-07-14 03:33:16 +0000
commit: bcdb20158fefe3cccdac7449460a8cab650feded (patch)
tree: 46910f400f6dff8c4914a8acadb22869269e6837
parent: a92cc6d16d3d886b25d33b061f3eab33e11b2fc0 (diff)
download: openbsd-bcdb20158fefe3cccdac7449460a8cab650feded.tar.gz
openbsd-bcdb20158fefe3cccdac7449460a8cab650feded.tar.bz2
openbsd-bcdb20158fefe3cccdac7449460a8cab650feded.zip
2 files changed, 52 insertions, 34 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 1bbe2e686b..eed6cb5215 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.116 2015/07/14 03:33:16 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1784,9 +1784,11 @@ err:
 int
 ssl3_get_cert_status(SSL *s)
 {
+        CBS                      cert_status, response;
+        size_t                   stow_len;
        int                      ok, al;
-        unsigned long            resplen, n;
+        long                     n;
-        const unsigned char     *p;
+        uint8_t                  status_type;
        n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
            SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
@@ -1794,36 +1796,43 @@ ssl3_get_cert_status(SSL *s)
        if (!ok)
                return ((int)n);
-        if (n < 4) {
+        CBS_init(&cert_status, s->init_msg, n);
+        if (n < 0 || !CBS_get_u8(&cert_status, &status_type) ||
+            CBS_len(&cert_status) < 3) {
                /* need at least status type + length */
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
-        p = (unsigned char *)s->init_msg;
-        if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
+        if (status_type != TLSEXT_STATUSTYPE_ocsp) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
                    SSL_R_UNSUPPORTED_STATUS_TYPE);
                goto f_err;
        }
-        n2l3(p, resplen);
-        if (resplen + 4 != n) {
+        if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
+            CBS_len(&cert_status) != 0) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
-        free(s->tlsext_ocsp_resp);
-        if ((s->tlsext_ocsp_resp = malloc(resplen)) == NULL) {
+        if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
-                al = SSL_AD_INTERNAL_ERROR;
+            &stow_len) || stow_len > INT_MAX) {
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                s->tlsext_ocsp_resplen = 0;
-                    ERR_R_MALLOC_FAILURE);
+                al = SSL_AD_INTERNAL_ERROR;
-                goto f_err;
+                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
-        }
+                    ERR_R_MALLOC_FAILURE);
-        memcpy(s->tlsext_ocsp_resp, p, resplen);
+                goto f_err;
-        s->tlsext_ocsp_resplen = resplen;
+        }
+        s->tlsext_ocsp_resplen = (int)stow_len;
        if (s->ctx->tlsext_status_cb) {
                int ret;
                ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 1bbe2e686b..eed6cb5215 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.116 2015/07/14 03:33:16 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1784,9 +1784,11 @@ err:
 int
 ssl3_get_cert_status(SSL *s)
 {
+        CBS                      cert_status, response;
+        size_t                   stow_len;
        int                      ok, al;
-        unsigned long            resplen, n;
+        long                     n;
-        const unsigned char     *p;
+        uint8_t                  status_type;
        n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
            SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
@@ -1794,36 +1796,43 @@ ssl3_get_cert_status(SSL *s)
        if (!ok)
                return ((int)n);
-        if (n < 4) {
+        CBS_init(&cert_status, s->init_msg, n);
+        if (n < 0 || !CBS_get_u8(&cert_status, &status_type) ||
+            CBS_len(&cert_status) < 3) {
                /* need at least status type + length */
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
-        p = (unsigned char *)s->init_msg;
-        if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
+        if (status_type != TLSEXT_STATUSTYPE_ocsp) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
                    SSL_R_UNSUPPORTED_STATUS_TYPE);
                goto f_err;
        }
-        n2l3(p, resplen);
-        if (resplen + 4 != n) {
+        if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
+            CBS_len(&cert_status) != 0) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
-        free(s->tlsext_ocsp_resp);
-        if ((s->tlsext_ocsp_resp = malloc(resplen)) == NULL) {
+        if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
-                al = SSL_AD_INTERNAL_ERROR;
+            &stow_len) || stow_len > INT_MAX) {
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                s->tlsext_ocsp_resplen = 0;
-                    ERR_R_MALLOC_FAILURE);
+                al = SSL_AD_INTERNAL_ERROR;
-                goto f_err;
+                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
-        }
+                    ERR_R_MALLOC_FAILURE);
-        memcpy(s->tlsext_ocsp_resp, p, resplen);
+                goto f_err;
-        s->tlsext_ocsp_resplen = resplen;
+        }
+        s->tlsext_ocsp_resplen = (int)stow_len;
        if (s->ctx->tlsext_status_cb) {
                int ret;
                ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
author	doug <>	2015-07-14 03:33:16 +0000
committer	doug <>	2015-07-14 03:33:16 +0000
commit	bcdb20158fefe3cccdac7449460a8cab650feded (patch)
tree	46910f400f6dff8c4914a8acadb22869269e6837
parent	a92cc6d16d3d886b25d33b061f3eab33e11b2fc0 (diff)
download	openbsd-bcdb20158fefe3cccdac7449460a8cab650feded.tar.gz openbsd-bcdb20158fefe3cccdac7449460a8cab650feded.tar.bz2 openbsd-bcdb20158fefe3cccdac7449460a8cab650feded.zip

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 1bbe2e686b..eed6cb5215 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.116 2015/07/14 03:33:16 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1784,9 +1784,11 @@ err:
1784	int	1784	int
1785	ssl3_get_cert_status(SSL *s)	1785	ssl3_get_cert_status(SSL *s)
1786	{	1786	{
		1787	CBS cert_status, response;
		1788	size_t stow_len;
1787	int ok, al;	1789	int ok, al;
1788	unsigned long resplen, n;	1790	long n;
1789	const unsigned char *p;	1791	uint8_t status_type;
1790		1792
1791	n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,	1793	n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1792	SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,	1794	SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
@@ -1794,36 +1796,43 @@ ssl3_get_cert_status(SSL *s)
1794		1796
1795	if (!ok)	1797	if (!ok)
1796	return ((int)n);	1798	return ((int)n);
1797	if (n < 4) {	1799
		1800	CBS_init(&cert_status, s->init_msg, n);
		1801
		1802	if (n < 0 \|\| !CBS_get_u8(&cert_status, &status_type) \|\|
		1803	CBS_len(&cert_status) < 3) {
1798	/* need at least status type + length */	1804	/* need at least status type + length */
1799	al = SSL_AD_DECODE_ERROR;	1805	al = SSL_AD_DECODE_ERROR;
1800	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1806	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1801	SSL_R_LENGTH_MISMATCH);	1807	SSL_R_LENGTH_MISMATCH);
1802	goto f_err;	1808	goto f_err;
1803	}	1809	}
1804	p = (unsigned char *)s->init_msg;	1810
1805	if (*p++ != TLSEXT_STATUSTYPE_ocsp) {	1811	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1806	al = SSL_AD_DECODE_ERROR;	1812	al = SSL_AD_DECODE_ERROR;
1807	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1813	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1808	SSL_R_UNSUPPORTED_STATUS_TYPE);	1814	SSL_R_UNSUPPORTED_STATUS_TYPE);
1809	goto f_err;	1815	goto f_err;
1810	}	1816	}
1811	n2l3(p, resplen);	1817
1812	if (resplen + 4 != n) {	1818	if (!CBS_get_u24_length_prefixed(&cert_status, &response) \|\|
		1819	CBS_len(&cert_status) != 0) {
1813	al = SSL_AD_DECODE_ERROR;	1820	al = SSL_AD_DECODE_ERROR;
1814	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1821	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1815	SSL_R_LENGTH_MISMATCH);	1822	SSL_R_LENGTH_MISMATCH);
1816	goto f_err;	1823	goto f_err;
1817	}	1824	}
1818	free(s->tlsext_ocsp_resp);	1825
1819	if ((s->tlsext_ocsp_resp = malloc(resplen)) == NULL) {	1826	if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1820	al = SSL_AD_INTERNAL_ERROR;	1827	&stow_len) \|\| stow_len > INT_MAX) {
1821	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1828	s->tlsext_ocsp_resplen = 0;
1822	ERR_R_MALLOC_FAILURE);	1829	al = SSL_AD_INTERNAL_ERROR;
1823	goto f_err;	1830	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1824	}	1831	ERR_R_MALLOC_FAILURE);
1825	memcpy(s->tlsext_ocsp_resp, p, resplen);	1832	goto f_err;
1826	s->tlsext_ocsp_resplen = resplen;	1833	}
		1834	s->tlsext_ocsp_resplen = (int)stow_len;
		1835
1827	if (s->ctx->tlsext_status_cb) {	1836	if (s->ctx->tlsext_status_cb) {
1828	int ret;	1837	int ret;
1829	ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);	1838	ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);


diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 1bbe2e686b..eed6cb5215 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.116 2015/07/14 03:33:16 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1784,9 +1784,11 @@ err:
1784	int	1784	int
1785	ssl3_get_cert_status(SSL *s)	1785	ssl3_get_cert_status(SSL *s)
1786	{	1786	{
		1787	CBS cert_status, response;
		1788	size_t stow_len;
1787	int ok, al;	1789	int ok, al;
1788	unsigned long resplen, n;	1790	long n;
1789	const unsigned char *p;	1791	uint8_t status_type;
1790		1792
1791	n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,	1793	n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1792	SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,	1794	SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
@@ -1794,36 +1796,43 @@ ssl3_get_cert_status(SSL *s)
1794		1796
1795	if (!ok)	1797	if (!ok)
1796	return ((int)n);	1798	return ((int)n);
1797	if (n < 4) {	1799
		1800	CBS_init(&cert_status, s->init_msg, n);
		1801
		1802	if (n < 0 \|\| !CBS_get_u8(&cert_status, &status_type) \|\|
		1803	CBS_len(&cert_status) < 3) {
1798	/* need at least status type + length */	1804	/* need at least status type + length */
1799	al = SSL_AD_DECODE_ERROR;	1805	al = SSL_AD_DECODE_ERROR;
1800	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1806	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1801	SSL_R_LENGTH_MISMATCH);	1807	SSL_R_LENGTH_MISMATCH);
1802	goto f_err;	1808	goto f_err;
1803	}	1809	}
1804	p = (unsigned char *)s->init_msg;	1810
1805	if (*p++ != TLSEXT_STATUSTYPE_ocsp) {	1811	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
1806	al = SSL_AD_DECODE_ERROR;	1812	al = SSL_AD_DECODE_ERROR;
1807	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1813	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1808	SSL_R_UNSUPPORTED_STATUS_TYPE);	1814	SSL_R_UNSUPPORTED_STATUS_TYPE);
1809	goto f_err;	1815	goto f_err;
1810	}	1816	}
1811	n2l3(p, resplen);	1817
1812	if (resplen + 4 != n) {	1818	if (!CBS_get_u24_length_prefixed(&cert_status, &response) \|\|
		1819	CBS_len(&cert_status) != 0) {
1813	al = SSL_AD_DECODE_ERROR;	1820	al = SSL_AD_DECODE_ERROR;
1814	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1821	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1815	SSL_R_LENGTH_MISMATCH);	1822	SSL_R_LENGTH_MISMATCH);
1816	goto f_err;	1823	goto f_err;
1817	}	1824	}
1818	free(s->tlsext_ocsp_resp);	1825
1819	if ((s->tlsext_ocsp_resp = malloc(resplen)) == NULL) {	1826	if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1820	al = SSL_AD_INTERNAL_ERROR;	1827	&stow_len) \|\| stow_len > INT_MAX) {
1821	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,	1828	s->tlsext_ocsp_resplen = 0;
1822	ERR_R_MALLOC_FAILURE);	1829	al = SSL_AD_INTERNAL_ERROR;
1823	goto f_err;	1830	SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
1824	}	1831	ERR_R_MALLOC_FAILURE);
1825	memcpy(s->tlsext_ocsp_resp, p, resplen);	1832	goto f_err;
1826	s->tlsext_ocsp_resplen = resplen;	1833	}
		1834	s->tlsext_ocsp_resplen = (int)stow_len;
		1835
1827	if (s->ctx->tlsext_status_cb) {	1836	if (s->ctx->tlsext_status_cb) {
1828	int ret;	1837	int ret;
1829	ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);	1838	ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);