1 files changed, 45 insertions, 45 deletions
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index cfd0fb9b4b..52af34a809 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.48 2015/09/12 15:03:39 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.49 2016/12/06 13:17:52 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -316,49 +316,50 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b)
 }
 static int
-ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
+ssl3_add_cert(CBB *cbb, X509 *x)
 {
-        int n;
+        unsigned char *data;
-        unsigned char *p;
+        int cert_len;
+        int ret = 0;
+        CBB cert;
-        n = i2d_X509(x, NULL);
+        if ((cert_len = i2d_X509(x, NULL)) < 0)
-        if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) {
+                goto err;
-                SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
-                return (-1);
-        }
-        /* XXX */
-        p = (unsigned char *)&(buf->data[*l]);
-        l2n3(n, p);
-        i2d_X509(x, &p);
-        *l += n + 3;
-        return (0);
+        if (!CBB_add_u24_length_prefixed(cbb, &cert))
+                goto err;
+        if (!CBB_add_space(&cert, &data, cert_len))
+                goto err;
+        if (i2d_X509(x, &data) < 0)
+                goto err;
+        if (!CBB_flush(cbb))
+                goto err;
+        ret = 1;
+ err:
+        return (ret);
 }
-unsigned long
+int
-ssl3_output_cert_chain(SSL *s, X509 *x)
+ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x)
 {
-        unsigned char *p;
+        int no_chain = 0;
-        unsigned long l = ssl3_handshake_msg_hdr_len(s) + 3;
+        CBB cert_list;
-        BUF_MEM *buf;
+        int ret = 0;
-        int no_chain;
        int i;
+        if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
+                goto err;
        if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
                no_chain = 1;
-        else
-                no_chain = 0;
-        /* TLSv1 sends a chain with nothing in it, instead of an alert */
+        /* TLSv1 sends a chain with nothing in it, instead of an alert. */
-        buf = s->init_buf;
-        if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + 6)) {
-                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB);
-                return (0);
-        }
        if (x != NULL) {
                if (no_chain) {
-                        if (ssl3_add_cert_to_buf(buf, &l, x))
+                        if (!ssl3_add_cert(&cert_list, x))
-                                return (0);
+                                goto err;
                } else {
                        X509_STORE_CTX xs_ctx;
@@ -366,7 +367,7 @@ ssl3_output_cert_chain(SSL *s, X509 *x)
                            x, NULL)) {
                                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,
                                    ERR_R_X509_LIB);
-                                return (0);
+                                goto err;
                        }
                        X509_verify_cert(&xs_ctx);
@@ -374,30 +375,29 @@ ssl3_output_cert_chain(SSL *s, X509 *x)
                        ERR_clear_error();
                        for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
                                x = sk_X509_value(xs_ctx.chain, i);
-                                if (ssl3_add_cert_to_buf(buf, &l, x)) {
+                                if (!ssl3_add_cert(&cert_list, x)) {
                                        X509_STORE_CTX_cleanup(&xs_ctx);
-                                        return 0;
+                                        goto err;
                                }
                        }
                        X509_STORE_CTX_cleanup(&xs_ctx);
                }
        }
        /* Thawte special :-) */
        for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
                x = sk_X509_value(s->ctx->extra_certs, i);
-                if (ssl3_add_cert_to_buf(buf, &l, x))
+                if (!ssl3_add_cert(&cert_list, x))
-                        return (0);
+                        goto err;
        }
-        l -= ssl3_handshake_msg_hdr_len(s) + 3;
+        if (!CBB_flush(cbb))
-        p = (unsigned char *)&(buf->data[4]);
+                goto err;
-        l2n3(l, p);
-        l += 3;
+        ret = 1;
-        p = (unsigned char *)&(buf->data[0]);
-        *(p++) = SSL3_MT_CERTIFICATE;
+ err:
-        l2n3(l, p);
+        return (ret);
-        l += 4; /* XXX */
-        return (l);
 }
 /*

diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index cfd0fb9b4b..52af34a809 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_both.c,v 1.48 2015/09/12 15:03:39 jsing Exp $ */	1	/* $OpenBSD: s3_both.c,v 1.49 2016/12/06 13:17:52 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -316,49 +316,50 @@ ssl3_send_change_cipher_spec(SSL *s, int a, int b)
316	}	316	}
317		317
318	static int	318	static int
319	ssl3_add_cert_to_buf(BUF_MEM buf, unsigned long l, X509 *x)	319	ssl3_add_cert(CBB cbb, X509 x)
320	{	320	{
321	int n;	321	unsigned char *data;
322	unsigned char *p;	322	int cert_len;
		323	int ret = 0;
		324	CBB cert;
323		325
324	n = i2d_X509(x, NULL);	326	if ((cert_len = i2d_X509(x, NULL)) < 0)
325	if (!BUF_MEM_grow_clean(buf, n + (*l) + 3)) {	327	goto err;
326	SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
327	return (-1);
328	}
329	/* XXX */
330	p = (unsigned char )&(buf->data[l]);
331	l2n3(n, p);
332	i2d_X509(x, &p);
333	*l += n + 3;
334		328
335	return (0);	329	if (!CBB_add_u24_length_prefixed(cbb, &cert))
		330	goto err;
		331	if (!CBB_add_space(&cert, &data, cert_len))
		332	goto err;
		333	if (i2d_X509(x, &data) < 0)
		334	goto err;
		335	if (!CBB_flush(cbb))
		336	goto err;
		337
		338	ret = 1;
		339
		340	err:
		341	return (ret);
336	}	342	}
337		343
338	unsigned long	344	int
339	ssl3_output_cert_chain(SSL s, X509 x)	345	ssl3_output_cert_chain(SSL s, CBB cbb, X509 *x)
340	{	346	{
341	unsigned char *p;	347	int no_chain = 0;
342	unsigned long l = ssl3_handshake_msg_hdr_len(s) + 3;	348	CBB cert_list;
343	BUF_MEM *buf;	349	int ret = 0;
344	int no_chain;
345	int i;	350	int i;
346		351
		352	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
		353	goto err;
		354
347	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| s->ctx->extra_certs)	355	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| s->ctx->extra_certs)
348	no_chain = 1;	356	no_chain = 1;
349	else
350	no_chain = 0;
351		357
352	/* TLSv1 sends a chain with nothing in it, instead of an alert */	358	/* TLSv1 sends a chain with nothing in it, instead of an alert. */
353	buf = s->init_buf;
354	if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + 6)) {
355	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB);
356	return (0);
357	}
358	if (x != NULL) {	359	if (x != NULL) {
359	if (no_chain) {	360	if (no_chain) {
360	if (ssl3_add_cert_to_buf(buf, &l, x))	361	if (!ssl3_add_cert(&cert_list, x))
361	return (0);	362	goto err;
362	} else {	363	} else {
363	X509_STORE_CTX xs_ctx;	364	X509_STORE_CTX xs_ctx;
364		365
@@ -366,7 +367,7 @@ ssl3_output_cert_chain(SSL s, X509 x)
366	x, NULL)) {	367	x, NULL)) {
367	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,	368	SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,
368	ERR_R_X509_LIB);	369	ERR_R_X509_LIB);
369	return (0);	370	goto err;
370	}	371	}
371	X509_verify_cert(&xs_ctx);	372	X509_verify_cert(&xs_ctx);
372		373
@@ -374,30 +375,29 @@ ssl3_output_cert_chain(SSL s, X509 x)
374	ERR_clear_error();	375	ERR_clear_error();
375	for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {	376	for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
376	x = sk_X509_value(xs_ctx.chain, i);	377	x = sk_X509_value(xs_ctx.chain, i);
377	if (ssl3_add_cert_to_buf(buf, &l, x)) {	378	if (!ssl3_add_cert(&cert_list, x)) {
378	X509_STORE_CTX_cleanup(&xs_ctx);	379	X509_STORE_CTX_cleanup(&xs_ctx);
379	return 0;	380	goto err;
380	}	381	}
381	}	382	}
382	X509_STORE_CTX_cleanup(&xs_ctx);	383	X509_STORE_CTX_cleanup(&xs_ctx);
383	}	384	}
384	}	385	}
		386
385	/* Thawte special :-) */	387	/* Thawte special :-) */
386	for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {	388	for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
387	x = sk_X509_value(s->ctx->extra_certs, i);	389	x = sk_X509_value(s->ctx->extra_certs, i);
388	if (ssl3_add_cert_to_buf(buf, &l, x))	390	if (!ssl3_add_cert(&cert_list, x))
389	return (0);	391	goto err;
390	}	392	}
391		393
392	l -= ssl3_handshake_msg_hdr_len(s) + 3;	394	if (!CBB_flush(cbb))
393	p = (unsigned char *)&(buf->data[4]);	395	goto err;
394	l2n3(l, p);	396
395	l += 3;	397	ret = 1;
396	p = (unsigned char *)&(buf->data[0]);	398
397	*(p++) = SSL3_MT_CERTIFICATE;	399	err:
398	l2n3(l, p);	400	return (ret);
399	l += 4; /* XXX */
400	return (l);
401	}	401	}
402		402
403	/*	403	/*