Convert ssl3_send_certificate_request() to CBB.

ok beck@ doug@
author: jsing <> 2017-08-11 17:54:41 +0000
committer: jsing <> 2017-08-11 17:54:41 +0000
commit: ca0f57365762ec3e5a661aa179a61d0a6632fc19 (patch)
tree: 2c2648ba9c07f01384b0dc564ffd3f43c5a4c0aa /src/lib/libssl/ssl_srvr.c
parent: ae7814ca657a2fcd6d4b43b18786885a8f03ff26 (diff)
download: openbsd-ca0f57365762ec3e5a661aa179a61d0a6632fc19.tar.gz
openbsd-ca0f57365762ec3e5a661aa179a61d0a6632fc19.tar.bz2
openbsd-ca0f57365762ec3e5a661aa179a61d0a6632fc19.zip
1 files changed, 46 insertions, 45 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 575621a0ce..e370b7571c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.18 2017/08/10 17:18:38 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1573,69 +1573,70 @@ ssl3_send_server_key_exchange(SSL *s)
 int
 ssl3_send_certificate_request(SSL *s)
 {
-        unsigned char *p, *d;
+        CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
-        int i, j, nl, off, n;
        STACK_OF(X509_NAME) *sk = NULL;
        X509_NAME *name;
-        BUF_MEM *buf;
+        int i;
-        if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {
+        /*
-                buf = s->internal->init_buf;
+         * Certificate Request - RFC 5246 section 7.4.4.
+         */
-                d = p = ssl3_handshake_msg_start(s,
+        memset(&cbb, 0, sizeof(cbb));
-                    SSL3_MT_CERTIFICATE_REQUEST);
-                /* get the list of acceptable cert types */
+        if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {
-                p++;
+                if (!ssl3_handshake_msg_start_cbb(s, &cbb, &cert_request,
-                n = ssl3_get_req_cert_type(s, p);
+                    SSL3_MT_CERTIFICATE_REQUEST))
-                d[0] = n;
+                        goto err;
-                p += n;
-                n++;
+                if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
+                        goto err;
+                if (!ssl3_get_req_cert_types(s, &cert_types))
+                        goto err;
                if (SSL_USE_SIGALGS(s)) {
-                        nl = tls12_get_req_sig_algs(s, p + 2);
+                        unsigned char *sigalgs_data;
-                        s2n(nl, p);
+                        size_t sigalgs_len;
-                        p += nl + 2;
-                        n += nl + 2;
+                        sigalgs_len = tls12_get_req_sig_algs(s, NULL);
+                        if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
+                                goto err;
+                        if (!CBB_add_space(&sigalgs, &sigalgs_data, sigalgs_len))
+                                goto err;
+                        tls12_get_req_sig_algs(s, sigalgs_data);
                }
-                off = n;
+                if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
-                p += 2;
+                        goto err;
-                n += 2;
                sk = SSL_get_client_CA_list(s);
-                nl = 0;
+                for (i = 0; i < sk_X509_NAME_num(sk); i++) {
-                if (sk != NULL) {
+                        unsigned char *name_data;
-                        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+                        size_t name_len;
-                                name = sk_X509_NAME_value(sk, i);
-                                j = i2d_X509_NAME(name, NULL);
+                        name = sk_X509_NAME_value(sk, i);
-                                if (!BUF_MEM_grow_clean(buf,
+                        name_len = i2d_X509_NAME(name, NULL);
-                                    ssl3_handshake_msg_hdr_len(s) + n + j
-                                    + 2)) {
+                        if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
-                                        SSLerror(s, ERR_R_BUF_LIB);
+                                goto err;
-                                        goto err;
+                        if (!CBB_add_space(&dn, &name_data, name_len))
-                                }
+                                goto err;
-                                p = ssl3_handshake_msg_start(s,
+                        if (i2d_X509_NAME(name, &name_data) != name_len)
-                                    SSL3_MT_CERTIFICATE_REQUEST) + n;
+                                goto err;
-                                s2n(j, p);
-                                i2d_X509_NAME(name, &p);
-                                n += 2 + j;
-                                nl += 2 + j;
-                        }
                }
-                /* else no CA names */
-                p = ssl3_handshake_msg_start(s,
-                    SSL3_MT_CERTIFICATE_REQUEST) + off;
-                s2n(nl, p);
-                ssl3_handshake_msg_finish(s, n);
+                if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
+                        goto err;
                S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B;
        }
        /* SSL3_ST_SW_CERT_REQ_B */
        return (ssl3_handshake_write(s));
-err:
+ err:
+        CBB_cleanup(&cbb);
        return (-1);
 }
author	jsing <>	2017-08-11 17:54:41 +0000
committer	jsing <>	2017-08-11 17:54:41 +0000
commit	ca0f57365762ec3e5a661aa179a61d0a6632fc19 (patch)
tree	2c2648ba9c07f01384b0dc564ffd3f43c5a4c0aa /src/lib/libssl/ssl_srvr.c
parent	ae7814ca657a2fcd6d4b43b18786885a8f03ff26 (diff)
download	openbsd-ca0f57365762ec3e5a661aa179a61d0a6632fc19.tar.gz openbsd-ca0f57365762ec3e5a661aa179a61d0a6632fc19.tar.bz2 openbsd-ca0f57365762ec3e5a661aa179a61d0a6632fc19.zip

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 575621a0ce..e370b7571c 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.18 2017/08/10 17:18:38 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.19 2017/08/11 17:54:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1573,69 +1573,70 @@ ssl3_send_server_key_exchange(SSL *s)
1573	int	1573	int
1574	ssl3_send_certificate_request(SSL *s)	1574	ssl3_send_certificate_request(SSL *s)
1575	{	1575	{
1576	unsigned char p, d;	1576	CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn;
1577	int i, j, nl, off, n;
1578	STACK_OF(X509_NAME) *sk = NULL;	1577	STACK_OF(X509_NAME) *sk = NULL;
1579	X509_NAME *name;	1578	X509_NAME *name;
1580	BUF_MEM *buf;	1579	int i;
1581		1580
1582	if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {	1581	/*
1583	buf = s->internal->init_buf;	1582	* Certificate Request - RFC 5246 section 7.4.4.
		1583	*/
1584		1584
1585	d = p = ssl3_handshake_msg_start(s,	1585	memset(&cbb, 0, sizeof(cbb));
1586	SSL3_MT_CERTIFICATE_REQUEST);
1587		1586
1588	/* get the list of acceptable cert types */	1587	if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) {
1589	p++;	1588	if (!ssl3_handshake_msg_start_cbb(s, &cbb, &cert_request,
1590	n = ssl3_get_req_cert_type(s, p);	1589	SSL3_MT_CERTIFICATE_REQUEST))
1591	d[0] = n;	1590	goto err;
1592	p += n;	1591
1593	n++;	1592	if (!CBB_add_u8_length_prefixed(&cert_request, &cert_types))
		1593	goto err;
		1594	if (!ssl3_get_req_cert_types(s, &cert_types))
		1595	goto err;
1594		1596
1595	if (SSL_USE_SIGALGS(s)) {	1597	if (SSL_USE_SIGALGS(s)) {
1596	nl = tls12_get_req_sig_algs(s, p + 2);	1598	unsigned char *sigalgs_data;
1597	s2n(nl, p);	1599	size_t sigalgs_len;
1598	p += nl + 2;	1600
1599	n += nl + 2;	1601	sigalgs_len = tls12_get_req_sig_algs(s, NULL);
		1602	if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs))
		1603	goto err;
		1604	if (!CBB_add_space(&sigalgs, &sigalgs_data, sigalgs_len))
		1605	goto err;
		1606	tls12_get_req_sig_algs(s, sigalgs_data);
1600	}	1607	}
1601		1608
1602	off = n;	1609	if (!CBB_add_u16_length_prefixed(&cert_request, &cert_auth))
1603	p += 2;	1610	goto err;
1604	n += 2;
1605		1611
1606	sk = SSL_get_client_CA_list(s);	1612	sk = SSL_get_client_CA_list(s);
1607	nl = 0;	1613	for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1608	if (sk != NULL) {	1614	unsigned char *name_data;
1609	for (i = 0; i < sk_X509_NAME_num(sk); i++) {	1615	size_t name_len;
1610	name = sk_X509_NAME_value(sk, i);	1616
1611	j = i2d_X509_NAME(name, NULL);	1617	name = sk_X509_NAME_value(sk, i);
1612	if (!BUF_MEM_grow_clean(buf,	1618	name_len = i2d_X509_NAME(name, NULL);
1613	ssl3_handshake_msg_hdr_len(s) + n + j	1619
1614	+ 2)) {	1620	if (!CBB_add_u16_length_prefixed(&cert_auth, &dn))
1615	SSLerror(s, ERR_R_BUF_LIB);	1621	goto err;
1616	goto err;	1622	if (!CBB_add_space(&dn, &name_data, name_len))
1617	}	1623	goto err;
1618	p = ssl3_handshake_msg_start(s,	1624	if (i2d_X509_NAME(name, &name_data) != name_len)
1619	SSL3_MT_CERTIFICATE_REQUEST) + n;	1625	goto err;
1620	s2n(j, p);
1621	i2d_X509_NAME(name, &p);
1622	n += 2 + j;
1623	nl += 2 + j;
1624	}
1625	}	1626	}
1626	/* else no CA names */
1627	p = ssl3_handshake_msg_start(s,
1628	SSL3_MT_CERTIFICATE_REQUEST) + off;
1629	s2n(nl, p);
1630		1627
1631	ssl3_handshake_msg_finish(s, n);	1628	if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
		1629	goto err;
1632		1630
1633	S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B;	1631	S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B;
1634	}	1632	}
1635		1633
1636	/* SSL3_ST_SW_CERT_REQ_B */	1634	/* SSL3_ST_SW_CERT_REQ_B */
1637	return (ssl3_handshake_write(s));	1635	return (ssl3_handshake_write(s));
1638	err:	1636
		1637	err:
		1638	CBB_cleanup(&cbb);
		1639
1639	return (-1);	1640	return (-1);
1640	}	1641	}
1641		1642