The branch master has been updated via ac8cc3efb26fa91c4f29463044cfe9e7070ebc14 (commit) via 28ff8ef3f71e23660db5d42002af1b44d99f3e4a (commit) from 25849a8f8bb64956f35a8a2a160ae0de1d2990c6 (commit)
- Log ----------------------------------------------------------------- commit ac8cc3efb26fa91c4f29463044cfe9e7070ebc14 Author: Matt Caswell <m...@openssl.org> Date: Thu Sep 29 14:26:36 2016 +0100 Remove tls12_copy_sigalgs_old() This was a temporary function needed during the conversion to WPACKET. All callers have now been converted to the new way of doing this so this function is no longer required. Reviewed-by: Rich Salz <rs...@openssl.org> commit 28ff8ef3f71e23660db5d42002af1b44d99f3e4a Author: Matt Caswell <m...@openssl.org> Date: Thu Sep 29 14:25:52 2016 +0100 Convert CertificateRequest construction to WPACKET Reviewed-by: Rich Salz <rs...@openssl.org> ----------------------------------------------------------------------- Summary of changes: ssl/s3_lib.c | 42 ++++++++++++-------------- ssl/ssl_locl.h | 4 +-- ssl/statem/statem_srvr.c | 76 ++++++++++++++++++++++++++---------------------- ssl/t1_lib.c | 20 ------------- 4 files changed, 61 insertions(+), 81 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2115a7e..ea607a5 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3708,15 +3708,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, return (ret); } -int ssl3_get_req_cert_type(SSL *s, unsigned char *p) +int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) { - int ret = 0; uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ if (s->cert->ctypes) { - memcpy(p, s->cert->ctypes, s->cert->ctype_num); - return (int)s->cert->ctype_num; + return WPACKET_memcpy(pkt, s->cert->ctypes, s->cert->ctype_num); } /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); @@ -3724,45 +3722,43 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) alg_k = s->s3->tmp.new_cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST - if (s->version >= TLS1_VERSION) { - if (alg_k & SSL_kGOST) { - p[ret++] = TLS_CT_GOST01_SIGN; - p[ret++] = TLS_CT_GOST12_SIGN; - p[ret++] = TLS_CT_GOST12_512_SIGN; - return (ret); - } - } + if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST)) + return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN) + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN) + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN); #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_RSA - p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; + if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH)) + return 0; # endif # ifndef OPENSSL_NO_DSA - p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; + if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH)) + return 0; # endif #endif /* !OPENSSL_NO_DH */ } #ifndef OPENSSL_NO_RSA - if (!(alg_a & SSL_aRSA)) - p[ret++] = SSL3_CT_RSA_SIGN; + if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN)) + return 0; #endif #ifndef OPENSSL_NO_DSA - if (!(alg_a & SSL_aDSS)) - p[ret++] = SSL3_CT_DSS_SIGN; + if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN)) + return 0; #endif #ifndef OPENSSL_NO_EC /* * ECDSA certs can be used with RSA cipher suites too so we don't * need to check for SSL_kECDH or SSL_kECDHE */ - if (s->version >= TLS1_VERSION) { - if (!(alg_a & SSL_aECDSA)) - p[ret++] = TLS_CT_ECDSA_SIGN; - } + if (s->version >= TLS1_VERSION + && !(alg_a & SSL_aECDSA) + && !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN)) + return 0; #endif - return (ret); + return 1; } static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 7dbff76..a1b3e3d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1873,7 +1873,7 @@ __owur int ssl3_do_write(SSL *s, int type); int ssl3_send_alert(SSL *s, int level, int desc); __owur int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len); -__owur int ssl3_get_req_cert_type(SSL *s, unsigned char *p); +__owur int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt); __owur int ssl3_num_ciphers(void); __owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); @@ -2068,8 +2068,6 @@ __owur int ssl_add_serverhello_renegotiate_ext(SSL *s, WPACKET *pkt); __owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al); __owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al); __owur long ssl_get_algorithm2(SSL *s); -__owur size_t tls12_copy_sigalgs_old(SSL *s, unsigned char *out, - const unsigned char *psig, size_t psiglen); __owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, const unsigned char *psig, size_t psiglen); __owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index bf50e79..799700b 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1960,62 +1960,66 @@ int tls_construct_server_key_exchange(SSL *s) int tls_construct_certificate_request(SSL *s) { - unsigned char *p, *d; - int i, j, nl, off, n; + int i, nl; STACK_OF(X509_NAME) *sk = NULL; - X509_NAME *name; - BUF_MEM *buf; + WPACKET pkt; - buf = s->init_buf; + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header2(s, &pkt, + SSL3_MT_CERTIFICATE_REQUEST)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } - d = p = ssl_handshake_start(s); /* get the list of acceptable cert types */ - p++; - n = ssl3_get_req_cert_type(s, p); - d[0] = n; - p += n; - n++; + if (!WPACKET_start_sub_packet_u8(&pkt) + || !ssl3_get_req_cert_type(s, &pkt) + || !WPACKET_close(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; - unsigned char *etmp = p; nl = tls12_get_psigalgs(s, &psigs); - /* Skip over length for now */ - p += 2; - nl = tls12_copy_sigalgs_old(s, p, psigs, nl); - /* Now fill in length */ - s2n(nl, etmp); - p += nl; - n += nl + 2; + if (!WPACKET_start_sub_packet_u16(&pkt) + || !tls12_copy_sigalgs(s, &pkt, psigs, nl) + || !WPACKET_close(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + goto err; + } } - off = n; - p += 2; - n += 2; + /* Start sub-packet for client CA list */ + if (!WPACKET_start_sub_packet_u16(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } sk = SSL_get_client_CA_list(s); - nl = 0; if (sk != NULL) { for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = sk_X509_NAME_value(sk, i); - j = i2d_X509_NAME(name, NULL); - if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); + unsigned char *namebytes; + X509_NAME *name = sk_X509_NAME_value(sk, i); + int namelen; + + if (name == NULL + || (namelen = i2d_X509_NAME(name, NULL)) < 0 + || !WPACKET_sub_allocate_bytes_u16(&pkt, namelen, + &namebytes) + || i2d_X509_NAME(name, &namebytes) != namelen) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); goto err; } - p = ssl_handshake_start(s) + n; - s2n(j, p); - i2d_X509_NAME(name, &p); - n += 2 + j; - nl += 2 + j; } } /* else no CA names */ - p = ssl_handshake_start(s) + off; - s2n(nl, p); - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) { + if (!WPACKET_close(&pkt) + || !ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } @@ -2024,6 +2028,8 @@ int tls_construct_certificate_request(SSL *s) return 1; err: + WPACKET_cleanup(&pkt); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); ossl_statem_set_error(s); return 0; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 230fe66..e2e5f60 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3320,26 +3320,6 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op) *pmask_a |= SSL_aECDSA; } -/* - * Old version of the tls12_copy_sigalgs function used by code that has not - * yet been converted to WPACKET yet. It will be deleted once WPACKET conversion - * is complete. - * TODO - DELETE ME - */ -size_t tls12_copy_sigalgs_old(SSL *s, unsigned char *out, - const unsigned char *psig, size_t psiglen) -{ - unsigned char *tmpout = out; - size_t i; - for (i = 0; i < psiglen; i += 2, psig += 2) { - if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) { - *tmpout++ = psig[0]; - *tmpout++ = psig[1]; - } - } - return tmpout - out; -} - int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, const unsigned char *psig, size_t psiglen) { _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits