Convert CertStatus message construction to WPACKET

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 16:40:13 +01:00 · 2016-09-29 16:40:13 +01:00 · cc59ad1073
commit cc59ad1073
parent f308416e27
3 changed files with 16 additions and 27 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -2220,6 +2220,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_TLS1_SET_SERVER_SIGALGS                    335
 # define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK          354
 # define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST          372
+# define SSL_F_TLS_CONSTRUCT_CERT_STATUS                  429
 # define SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC           427
 # define SSL_F_TLS_CONSTRUCT_CKE_DHE                      404
 # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE                    405
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@ -239,6 +239,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     "tls_client_key_exchange_post_work"},
    {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST),
     "tls_construct_certificate_request"},
+    {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERT_STATUS), "tls_construct_cert_status"},
    {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC),
     "tls_construct_change_cipher_spec"},
    {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_DHE), "tls_construct_cke_dhe"},
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -3125,36 +3125,23 @@ int tls_construct_new_session_ticket(SSL *s)

 int tls_construct_cert_status(SSL *s)
 {
-    unsigned char *p;
-    size_t msglen;
+    WPACKET pkt;

-    /*-
-     * Grow buffer if need be: the length calculation is as
-     * follows handshake_header_length +
-     * 1 (ocsp response type) + 3 (ocsp response length)
-     * + (ocsp response)
-     */
-    msglen = 4 + s->tlsext_ocsp_resplen;
-    if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen))
-        goto err;
-
-    p = ssl_handshake_start(s);
-
-    /* status type */
-    *(p++) = s->tlsext_status_type;
-    /* length of OCSP response */
-    l2n3(s->tlsext_ocsp_resplen, p);
-    /* actual response */
-    memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
-
-    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen))
-        goto err;
+    if (!WPACKET_init(&pkt, s->init_buf)
+            || !ssl_set_handshake_header2(s, &pkt,
+                                          SSL3_MT_CERTIFICATE_STATUS)
+            || !WPACKET_put_bytes_u8(&pkt, s->tlsext_status_type)
+            || !WPACKET_sub_memcpy_u24(&pkt, s->tlsext_ocsp_resp,
+                                       s->tlsext_ocsp_resplen)
+            || !ssl_close_construct_packet(s, &pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+        ossl_statem_set_error(s);
+        WPACKET_cleanup(&pkt);
+        return 0;
+    }

    return 1;
-
- err:
-    ossl_statem_set_error(s);
-    return 0;
 }

 #ifndef OPENSSL_NO_NEXTPROTONEG