authorjsing <>2016-12-13 16:07:00 +0000
committerjsing <>2016-12-13 16:07:00 +0000
commit92997cec5c4d33e0d4e9a1ac02d614de826b28b0 (patch)
treec84cf00ee85ab6dc5f143b2ebf6a1d10d0559176 /src/lib
parentb090b768a852bbd563170b08d89c7c2ad09d6949 (diff)
Convert ssl3_send_client_kex_gost() to CBB.
ok doug@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/s3_clnt.c36
1 files changed, 19 insertions, 17 deletions
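--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.153 2016/12/13 13:56:15 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.154 2016/12/13 16:07:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   * All rights reserved.
   *
@@ -2107,8 +2107,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 }
 
 static int
-ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
- int *outlen)
+ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 {
  unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
  EVP_PKEY *pub_key = NULL;
@@ -2119,7 +2118,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
  EVP_MD_CTX *ukm_hash;
  int ret = -1;
  int nid;
- int n;
+ CBB gostblob;
 
  /* Get server sertificate PKEY and create ctx from it */
  peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;
@@ -2185,22 +2184,19 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
  /*
  * Make GOST keytransport blob message, encapsulate it into sequence.
  */
- *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
  msglen = 255;
  if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
  32) < 0) {
  SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_LIBRARY_BUG);
  goto err;
  }
- if (msglen >= 0x80) {
- *(p++) = 0x81;
- *(p++) = msglen & 0xff;
- n = msglen + 3;
- } else {
- *(p++) = msglen & 0xff;
- n = msglen + 2;
- }
- memcpy(p, tmp, msglen);
+
+ if (!CBB_add_asn1(cbb, &gostblob, CBS_ASN1_SEQUENCE))
+ goto err;
+ if (!CBB_add_bytes(&gostblob, tmp, msglen))
+ goto err;
+ if (!CBB_flush(cbb))
+ goto err;
 
  /* Check if pubkey from client certificate was used. */
  if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
@@ -2213,10 +2209,9 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, unsigned char *p,
  s->method->ssl3_enc->generate_master_secret(s,
  s->session->master_key, premaster_secret, 32);
 
- *outlen = n;
  ret = 1;
 
-err:
+ err:
  explicit_bzero(premaster_secret, sizeof(premaster_secret));
  EVP_PKEY_free(pub_key);
 
@@ -2281,8 +2276,15 @@ ssl3_send_client_key_exchange(SSL *s)
  goto err;
  n = (int)outlen;
  } else if (alg_k & SSL_kGOST) {
- if (ssl3_send_client_kex_gost(s, sess_cert, p, &n) != 1)
+ if (!CBB_init_fixed(&cbb, p, bufend - p))
+ goto err;
+ if (ssl3_send_client_kex_gost(s, sess_cert, &cbb) != 1)
+ goto err;
+ if (!CBB_finish(&cbb, NULL, &outlen))
+ goto err;
+ if (outlen > INT_MAX)
  goto err;
+ n = (int)outlen;
  } else {
  ssl3_send_alert(s, SSL3_AL_FATAL,
  SSL_AD_HANDSHAKE_FAILURE);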
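Review bot: The `EVP_PKEY_encrypt(...) < 0` test kept as context at new lines 2188-2189 treats a return of 0 as success, although the EVP interface reports failure as 0 or a negative value, and its outputs now flow straight into `CBB_add_bytes(&gostblob, tmp, msglen)`. If the GOST method can return 0 (not visible here), `msglen` would still be 255 and stale stack contents of `tmp` would be copied into the ClientKeyExchange, so the test should read `32) <= 0) {`. Separately, the new GOST branch in ssl3_send_client_key_exchange() jumps to `err` after `CBB_init_fixed(&cbb, p, bufend - p)` has succeeded; the `err` label is outside the hunk, so confirm it calls `CBB_cleanup(&cbb)` and that `cbb` is zeroed before its first use. Both function bodies extend beyond the hunks shown.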