authorjsing <>2021-04-21 19:27:56 +0000
committerjsing <>2021-04-21 19:27:56 +0000
commitc0fa404c22925c9af0bc614df8099126ce54eee8 (patch)
tree00c27f46eb336858aa2f95e55eb1b6f71cb3c869 /src/lib/libssl/ssl_srvr.c
parent82f5c0f3ecd6365b1fe8cbd40e7c8bf23ee55632 (diff)
Clean up TLSv1.2 certificate request handshake data.
Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
-rw-r--r--src/lib/libssl/ssl_srvr.c10
1 files changed, 5 insertions, 5 deletions
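diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 8241a59ac0..c85a25158f 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.102 2021/04/19 16:51:56 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.103 2021/04/21 19:27:56 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -464,13 +464,13 @@ ssl3_accept(SSL *s)
 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
 /* No cert request. */
 skip = 1;
-S3I(s)->tmp.cert_request = 0;
+S3I(s)->hs.tls12.cert_request = 0;
 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
 
 if (!SSL_is_dtls(s))
 tls1_transcript_free(s);
 } else {
-S3I(s)->tmp.cert_request = 1;
+S3I(s)->hs.tls12.cert_request = 1;
 if (SSL_is_dtls(s))
 dtls1_start_timer(s);
 ret = ssl3_send_certificate_request(s);
@@ -522,7 +522,7 @@ ssl3_accept(SSL *s)
 
 case SSL3_ST_SR_CERT_A:
 case SSL3_ST_SR_CERT_B:
-if (S3I(s)->tmp.cert_request) {
+if (S3I(s)->hs.tls12.cert_request) {
 ret = ssl3_get_client_certificate(s);
 if (ret <= 0)
 goto end;
@@ -2379,7 +2379,7 @@ ssl3_get_client_certificate(SSL *s)
  * If tls asked for a client cert,
  * the client must return a 0 list.
  */
-if (S3I(s)->tmp.cert_request) {
+if (S3I(s)->hs.tls12.cert_request) {
 SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
 );
 al = SSL_AD_UNEXPECTED_MESSAGE;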
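Review bot: The comment above the check at 2382 ("the client must return a 0 list") is terse and does not say what this branch now enforces with the flag living in hs.tls12: a client that was sent a CertificateRequest (cert_request set at 473) has to answer with a Certificate message, even an empty one, and arriving here without one is rejected as a protocol violation with an unexpected_message alert. I would replace it with `/* A client that was sent a CertificateRequest (hs.tls12.cert_request) must answer with a Certificate message, possibly with an empty list; anything else is a protocol violation. */`. The flag is only assigned on the two branches of the SW_CERT_REQ state (467 and 473), so the read at 2382, like the one at 525, presumably relies on hs.tls12 being cleared when a handshake starts; that reset is not in this diff and is worth confirming, since a stale value from an earlier handshake would change whether a client certificate is demanded. ssl3_get_client_certificate begins and ends outside the hunk.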