From 2c5bb57394ae3bd0d749e60f9e5489396e6f7d75 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 10 May 2020 14:17:48 +0000
Subject: Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@
---
 src/lib/libssl/s3_lib.c     | 22 ++++++++++++++++++----
 src/lib/libssl/ssl_clnt.c   |  7 ++-----
 src/lib/libssl/ssl_lib.c    |  4 ++--
 src/lib/libssl/ssl_locl.h   |  5 +++--
 src/lib/libssl/ssl_srvr.c   |  4 ++--
 src/lib/libssl/ssl_tlsext.c |  7 ++-----
 src/lib/libssl/t1_lib.c     |  9 ++++-----
 src/lib/libssl/tls13_lib.c  |  4 ++--
 8 files changed, 35 insertions(+), 27 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 87b43a3521..afc798bedc 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.192 2020/04/18 14:07:56 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.193 2020/05/10 14:17:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1842,16 +1842,30 @@ _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids)
 static int
 _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp)
 {
-	*resp = s->internal->tlsext_ocsp_resp;
-	return s->internal->tlsext_ocsp_resplen;
+	if (s->internal->tlsext_ocsp_resp != NULL &&
+	    s->internal->tlsext_ocsp_resp_len < INT_MAX) {
+		*resp = s->internal->tlsext_ocsp_resp;
+		return (int)s->internal->tlsext_ocsp_resp_len;
+	}
+
+	*resp = NULL;
+
+	return -1;
 }
 
 static int
 _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
 {
 	free(s->internal->tlsext_ocsp_resp);
+	s->internal->tlsext_ocsp_resp = NULL;
+	s->internal->tlsext_ocsp_resp_len = 0;
+
+	if (resp_len < 0)
+		return 0;
+
 	s->internal->tlsext_ocsp_resp = resp;
-	s->internal->tlsext_ocsp_resplen = resp_len;
+	s->internal->tlsext_ocsp_resp_len = (size_t)resp_len;
+
 	return 1;
 }
 
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index a83453d39c..6b457569a3 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.65 2020/05/09 13:54:19 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.66 2020/05/10 14:17:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1830,7 +1830,6 @@ int
 ssl3_get_cert_status(SSL *s)
 {
 	CBS			 cert_status, response;
-	size_t			 stow_len;
 	int			 ok, al;
 	long			 n;
 	uint8_t			 status_type;
@@ -1871,13 +1870,11 @@ ssl3_get_cert_status(SSL *s)
 	}
 
 	if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
-	    &stow_len) || stow_len > INT_MAX) {
-		s->internal->tlsext_ocsp_resplen = 0;
+	    &s->internal->tlsext_ocsp_resp_len)) {
  		al = SSL_AD_INTERNAL_ERROR;
  		SSLerror(s, ERR_R_MALLOC_FAILURE);
  		goto f_err;
  	}
-	s->internal->tlsext_ocsp_resplen = (int)stow_len;
 
 	if (s->ctx->internal->tlsext_status_cb) {
 		int ret;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 0c9b90be85..1c4ab636a1 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.212 2020/03/16 15:25:14 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.213 2020/05/10 14:17:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -299,7 +299,7 @@ SSL_new(SSL_CTX *ctx)
 	s->internal->tlsext_ocsp_ids = NULL;
 	s->internal->tlsext_ocsp_exts = NULL;
 	s->internal->tlsext_ocsp_resp = NULL;
-	s->internal->tlsext_ocsp_resplen = -1;
+	s->internal->tlsext_ocsp_resp_len = 0;
 	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
 	s->initial_ctx = ctx;
 
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 0212166678..e222348ea9 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.272 2020/04/18 14:07:56 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.273 2020/05/10 14:17:47 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -747,9 +747,10 @@ typedef struct ssl_internal_st {
 	/* OCSP status request only */
 	STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
 	X509_EXTENSIONS *tlsext_ocsp_exts;
+
 	/* OCSP response received or to be sent */
 	unsigned char *tlsext_ocsp_resp;
-	int tlsext_ocsp_resplen;
+	size_t tlsext_ocsp_resp_len;
 
 	/* RFC4507 session ticket expected to be received or sent */
 	int tlsext_ticket_expected;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 72419dcf3a..e78099cdad 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.74 2020/05/09 13:51:44 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.75 2020/05/10 14:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2624,7 +2624,7 @@ ssl3_send_cert_status(SSL *s)
 		if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp))
 			goto err;
 		if (!CBB_add_bytes(&ocspresp, s->internal->tlsext_ocsp_resp,
-		    s->internal->tlsext_ocsp_resplen))
+		    s->internal->tlsext_ocsp_resp_len))
 			goto err;
 		if (!ssl3_handshake_msg_finish(s, &cbb))
 			goto err;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 65e53f93be..1f70cb90e6 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.66 2020/05/10 14:07:01 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.67 2020/05/10 14:17:48 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -922,7 +922,6 @@ int
 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert)
 {
 	CBS response;
-	size_t stow_len;
 	uint16_t version = TLS1_get_client_version(s);
 	uint8_t status_type;
 
@@ -944,12 +943,10 @@ tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert)
 			return 0;
 		}
 		if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
-		    &stow_len)) {
-			s->internal->tlsext_ocsp_resplen = 0;
+		    &s->internal->tlsext_ocsp_resp_len)) {
 			*alert = SSL_AD_INTERNAL_ERROR;
 			return 0;
 		}
-		s->internal->tlsext_ocsp_resplen = (int)stow_len;
 	} else {
 		if (s->tlsext_status_type == -1) {
 			*alert = TLS1_AD_UNSUPPORTED_EXTENSION;
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b265ea089f..fc828541cd 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.165 2020/03/10 17:02:21 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.166 2020/05/10 14:17:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -717,12 +717,11 @@ ssl_check_serverhello_tlsext(SSL *s)
 	if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) &&
 	    s->ctx && s->ctx->internal->tlsext_status_cb) {
 		int r;
-		/* Set resp to NULL, resplen to -1 so callback knows
- 		 * there is no response.
- 		 */
+
 		free(s->internal->tlsext_ocsp_resp);
 		s->internal->tlsext_ocsp_resp = NULL;
-		s->internal->tlsext_ocsp_resplen = -1;
+		s->internal->tlsext_ocsp_resp_len = 0;
+
 		r = s->ctx->internal->tlsext_status_cb(s,
 		    s->ctx->internal->tlsext_status_arg);
 		if (r == 0) {
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index ad78d5b597..29c81afba3 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.39 2020/05/10 14:03:14 jsing Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.40 2020/05/10 14:17:48 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -170,7 +170,7 @@ tls13_legacy_ocsp_status_recv_cb(void *arg)
 	int ret;
 
 	if (s->ctx->internal->tlsext_status_cb == NULL ||
-	    s->internal->tlsext_ocsp_resplen == -1)
+	    s->internal->tlsext_ocsp_resp == NULL)
 		return 1;
 
 	ret = s->ctx->internal->tlsext_status_cb(s,
-- 
cgit v1.2.3-55-g6feb