Convert CertStatus message construction to WPACKET
authorMatt Caswell <matt@openssl.org>
Thu, 29 Sep 2016 15:40:13 +0000 (16:40 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 29 Sep 2016 16:07:45 +0000 (17:07 +0100)
Reviewed-by: Rich Salz <rsalz@openssl.org>
include/openssl/ssl.h
ssl/ssl_err.c
ssl/statem/statem_srvr.c

index d741ece..517716f 100644 (file)
@@ -2220,6 +2220,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_TLS1_SET_SERVER_SIGALGS                    335
 # define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK          354
 # define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST          372
+# define SSL_F_TLS_CONSTRUCT_CERT_STATUS                  429
 # define SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC           427
 # define SSL_F_TLS_CONSTRUCT_CKE_DHE                      404
 # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE                    405
index e6c7320..9539e67 100644 (file)
@@ -239,6 +239,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "tls_client_key_exchange_post_work"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST),
      "tls_construct_certificate_request"},
+    {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERT_STATUS), "tls_construct_cert_status"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC),
      "tls_construct_change_cipher_spec"},
     {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_DHE), "tls_construct_cke_dhe"},
index e361738..3fbc4ad 100644 (file)
@@ -3125,36 +3125,23 @@ int tls_construct_new_session_ticket(SSL *s)
 
 int tls_construct_cert_status(SSL *s)
 {
-    unsigned char *p;
-    size_t msglen;
-
-    /*-
-     * Grow buffer if need be: the length calculation is as
-     * follows handshake_header_length +
-     * 1 (ocsp response type) + 3 (ocsp response length)
-     * + (ocsp response)
-     */
-    msglen = 4 + s->tlsext_ocsp_resplen;
-    if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen))
-        goto err;
-
-    p = ssl_handshake_start(s);
-
-    /* status type */
-    *(p++) = s->tlsext_status_type;
-    /* length of OCSP response */
-    l2n3(s->tlsext_ocsp_resplen, p);
-    /* actual response */
-    memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
+    WPACKET pkt;
 
-    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen))
-        goto err;
+    if (!WPACKET_init(&pkt, s->init_buf)
+            || !ssl_set_handshake_header2(s, &pkt,
+                                          SSL3_MT_CERTIFICATE_STATUS)
+            || !WPACKET_put_bytes_u8(&pkt, s->tlsext_status_type)
+            || !WPACKET_sub_memcpy_u24(&pkt, s->tlsext_ocsp_resp,
+                                       s->tlsext_ocsp_resplen)
+            || !ssl_close_construct_packet(s, &pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+        ossl_statem_set_error(s);
+        WPACKET_cleanup(&pkt);
+        return 0;
+    }
 
     return 1;
-
- err:
-    ossl_statem_set_error(s);
-    return 0;
 }
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
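Review bot: In the failure branch of tls_construct_cert_status, `WPACKET_cleanup(&pkt)` runs even when the first call in the chain, `WPACKET_init(&pkt, s->init_buf)`, is the one that failed, and `pkt` is a stack object with no initialiser at that point. Whether that is safe depends on what WPACKET_init leaves in `pkt` on each of its failure paths, which this hunk does not show; if any path returns before setting the fields that cleanup reads, cleanup would operate on indeterminate stack contents. Either handle the init failure in its own branch that returns without calling cleanup, or state the guarantee next to the call, e.g. `/* WPACKET_init() leaves pkt safe to clean up on failure */`. The branch also sends a fatal `SSL_AD_INTERNAL_ERROR` alert that the removed `err:` path did not, a behaviour change the commit message does not mention and that merits a short comment.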