1 files changed, 25 insertions, 16 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index abebaa0fc4..ad627d10d8 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.155 2017/08/10 17:18:38 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2438,36 +2438,45 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 }
 int
-ssl3_get_req_cert_type(SSL *s, unsigned char *p)
+ssl3_get_req_cert_types(SSL *s, CBB *cbb)
 {
-        int             ret = 0;
+        unsigned long alg_k;
-        unsigned long   alg_k;
        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
 #ifndef OPENSSL_NO_GOST
-        if ((alg_k & SSL_kGOST)) {
+        if ((alg_k & SSL_kGOST) != 0) {
-                p[ret++] = TLS_CT_GOST94_SIGN;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
-                p[ret++] = TLS_CT_GOST01_SIGN;
+                        return 0;
-                p[ret++] = TLS_CT_GOST12_256_SIGN;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
-                p[ret++] = TLS_CT_GOST12_512_SIGN;
+                        return 0;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
+                        return 0;
+                if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
+                        return 0;
        }
 #endif
-        if (alg_k & SSL_kDHE) {
+        if ((alg_k & SSL_kDHE) != 0) {
-                p[ret++] = SSL3_CT_RSA_FIXED_DH;
+                if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
-                p[ret++] = SSL3_CT_DSS_FIXED_DH;
+                        return 0;
+                if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
+                        return 0;
        }
-        p[ret++] = SSL3_CT_RSA_SIGN;
-        p[ret++] = SSL3_CT_DSS_SIGN;
+        if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
+                return 0;
+        if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
+                return 0;
        /*
         * ECDSA certs can be used with RSA cipher suites as well
         * so we don't need to check for SSL_kECDH or SSL_kECDHE.
         */
-        p[ret++] = TLS_CT_ECDSA_SIGN;
+        if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
+                return 0;
-        return (ret);
+        return 1;
 }
 int

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index abebaa0fc4..ad627d10d8 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.155 2017/08/10 17:18:38 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.156 2017/08/11 17:54:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2438,36 +2438,45 @@ ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) clnt,
2438	}	2438	}
2439		2439
2440	int	2440	int
2441	ssl3_get_req_cert_type(SSL s, unsigned char p)	2441	ssl3_get_req_cert_types(SSL s, CBB cbb)
2442	{	2442	{
2443	int ret = 0;	2443	unsigned long alg_k;
2444	unsigned long alg_k;
2445		2444
2446	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;	2445	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2447		2446
2448	#ifndef OPENSSL_NO_GOST	2447	#ifndef OPENSSL_NO_GOST
2449	if ((alg_k & SSL_kGOST)) {	2448	if ((alg_k & SSL_kGOST) != 0) {
2450	p[ret++] = TLS_CT_GOST94_SIGN;	2449	if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN))
2451	p[ret++] = TLS_CT_GOST01_SIGN;	2450	return 0;
2452	p[ret++] = TLS_CT_GOST12_256_SIGN;	2451	if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN))
2453	p[ret++] = TLS_CT_GOST12_512_SIGN;	2452	return 0;
		2453	if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN))
		2454	return 0;
		2455	if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN))
		2456	return 0;
2454	}	2457	}
2455	#endif	2458	#endif
2456		2459
2457	if (alg_k & SSL_kDHE) {	2460	if ((alg_k & SSL_kDHE) != 0) {
2458	p[ret++] = SSL3_CT_RSA_FIXED_DH;	2461	if (!CBB_add_u8(cbb, SSL3_CT_RSA_FIXED_DH))
2459	p[ret++] = SSL3_CT_DSS_FIXED_DH;	2462	return 0;
		2463	if (!CBB_add_u8(cbb, SSL3_CT_DSS_FIXED_DH))
		2464	return 0;
2460	}	2465	}
2461	p[ret++] = SSL3_CT_RSA_SIGN;	2466
2462	p[ret++] = SSL3_CT_DSS_SIGN;	2467	if (!CBB_add_u8(cbb, SSL3_CT_RSA_SIGN))
		2468	return 0;
		2469	if (!CBB_add_u8(cbb, SSL3_CT_DSS_SIGN))
		2470	return 0;
2463		2471
2464	/*	2472	/*
2465	* ECDSA certs can be used with RSA cipher suites as well	2473	* ECDSA certs can be used with RSA cipher suites as well
2466	* so we don't need to check for SSL_kECDH or SSL_kECDHE.	2474	* so we don't need to check for SSL_kECDH or SSL_kECDHE.
2467	*/	2475	*/
2468	p[ret++] = TLS_CT_ECDSA_SIGN;	2476	if (!CBB_add_u8(cbb, TLS_CT_ECDSA_SIGN))
		2477	return 0;
2469		2478
2470	return (ret);	2479	return 1;
2471	}	2480	}
2472		2481
2473	int	2482	int