From bf09b4f4a38c86a5a7590e1d92314441c4864ecc Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 26 Jan 2020 02:45:27 +0000
Subject: Move pad and verify context into tls13_lib.c

ok jsing@
---
 src/lib/libssl/tls13_client.c   | 25 ++++----------------
 src/lib/libssl/tls13_internal.h |  7 +++++-
 src/lib/libssl/tls13_lib.c      | 45 +++++++++++++++++++++++++++++++++++-
 src/lib/libssl/tls13_server.c   | 51 ++++-------------------------------------
 4 files changed, 60 insertions(+), 68 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index fb21b54621..5dffd2d33a 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.34 2020/01/25 14:23:27 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.35 2020/01/26 02:45:27 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -587,22 +587,6 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 	return ret;
 }
 
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-static uint8_t cert_verify_pad[64] = {
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-
-static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify";
-
 int
 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
@@ -631,10 +615,11 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
 
 	if (!CBB_init(&cbb, 0))
 		goto err;
-	if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad)))
+	if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
+	    sizeof(tls13_cert_verify_pad)))
 		goto err;
-	if (!CBB_add_bytes(&cbb, server_cert_verify_context,
-	    strlen(server_cert_verify_context)))
+	if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context,
+	    strlen(tls13_cert_server_verify_context)))
 		goto err;
 	if (!CBB_add_u8(&cbb, 0))
 		goto err;
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 4cae2ebcce..ec58525c2b 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.56 2020/01/25 19:01:43 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.57 2020/01/26 02:45:27 beck Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -302,6 +302,8 @@ int tls13_server_finished_sent(struct tls13_ctx *ctx);
 
 void tls13_error_clear(struct tls13_error *error);
 
+int tls13_cert_add(CBB *cbb, X509 *cert);
+
 int tls13_error_set(struct tls13_error *error, int code, int subcode,
     const char *file, int line, const char *fmt, ...);
 int tls13_error_setx(struct tls13_error *error, int code, int subcode,
@@ -316,6 +318,9 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode,
 
 extern uint8_t tls13_downgrade_12[8];
 extern uint8_t tls13_downgrade_11[8];
+extern uint8_t tls13_cert_verify_pad[64];
+extern uint8_t tls13_cert_client_verify_context[];
+extern uint8_t tls13_cert_server_verify_context[];
 
 __END_HIDDEN_DECLS
 
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 950b5a4019..2a13e8f773 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.30 2020/01/25 13:11:20 tb Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.31 2020/01/26 02:45:27 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -607,3 +607,46 @@ tls13_legacy_shutdown(SSL *ssl)
 
 	return 0;
 }
+
+/*
+ * Certificate Verify padding - RFC 8446 section 4.4.3.
+ */
+uint8_t tls13_cert_verify_pad[64] = {
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+};
+
+uint8_t tls13_cert_client_verify_context[] = "TLS 1.3, client CertificateVerify";
+uint8_t tls13_cert_server_verify_context[] = "TLS 1.3, server CertificateVerify";
+
+int
+tls13_cert_add(CBB *cbb, X509 *cert)
+{
+	CBB cert_data, cert_exts;
+	uint8_t *data;
+	int cert_len;
+
+	if ((cert_len = i2d_X509(cert, NULL)) < 0)
+		return 0;
+
+	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
+		return 0;
+	if (!CBB_add_space(&cert_data, &data, cert_len))
+		return 0;
+	if (i2d_X509(cert, &data) != cert_len)
+		return 0;
+
+	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
+		return 0;
+
+	if (!CBB_flush(cbb))
+		return 0;
+
+	return 1;
+}
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 628e824313..8ed2a6ea11 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.16 2020/01/24 08:21:24 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.17 2020/01/26 02:45:27 beck Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -476,32 +476,6 @@ tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
 	return 0;
 }
 
-static int
-tls13_cert_add(CBB *cbb, X509 *cert)
-{
-	CBB cert_data, cert_exts;
-	uint8_t *data;
-	int cert_len;
-
-	if ((cert_len = i2d_X509(cert, NULL)) < 0)
-		return 0;
-
-	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
-		return 0;
-	if (!CBB_add_space(&cert_data, &data, cert_len))
-		return 0;
-	if (i2d_X509(cert, &data) != cert_len)
-		return 0;
-
-	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
-		return 0;
-
-	if (!CBB_flush(cbb))
-		return 0;
-
-	return 1;
-}
-
 int
 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 {
@@ -564,22 +538,6 @@ tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
 	return 0;
 }
 
-/*
- * Certificate Verify padding - RFC 8446 section 4.4.3.
- */
-static uint8_t cert_verify_pad[64] = {
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
-};
-
-static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify";
-
 int
 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 {
@@ -607,10 +565,11 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
 
 	if (!CBB_init(&sig_cbb, 0))
 		goto err;
-	if (!CBB_add_bytes(&sig_cbb, cert_verify_pad, sizeof(cert_verify_pad)))
+	if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
+	    sizeof(tls13_cert_verify_pad)))
 		goto err;
-	if (!CBB_add_bytes(&sig_cbb, server_cert_verify_context,
-	    strlen(server_cert_verify_context)))
+	if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context,
+	    strlen(tls13_cert_server_verify_context)))
 		goto err;
 	if (!CBB_add_u8(&sig_cbb, 0))
 		goto err;
-- 
cgit v1.2.3-55-g6feb