mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

PACKETise Server Certificate processing

Browse Source 
Use the PACKET API to process an incoming server Certificate message.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
This commit is contained in:
Matt Caswell 2015-08-04 20:10:06 +01:00
parent 2acdef5e97
commit df758a8569
1 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
ssl/s3_clnt.c
View File

@ -1232,12 +1232,12 @@ int ssl3_get_server_hello(SSL *s)
int ssl3_get_server_certificate(SSL *s) int ssl3_get_server_certificate(SSL *s)
{ {
int al, i, ok, ret = -1, exp_idx; int al, i, ok, ret = -1, exp_idx;
unsigned long n, nc, llen, l; unsigned long n, cert_list_len, cert_len;
X509 *x = NULL; X509 *x = NULL;
const unsigned char *q, *p; unsigned char *certstart, *certbytes;
unsigned char *d;
STACK_OF(X509) *sk = NULL; STACK_OF(X509) *sk = NULL;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
PACKET pkt;
n = s->method->ssl_get_message(s, n = s->method->ssl_get_message(s,
SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_A,
@ -1257,36 +1257,41 @@ int ssl3_get_server_certificate(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
goto f_err; goto f_err;
} }
p = d = (unsigned char *)s->init_msg;
if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
if ((sk = sk_X509_new_null()) == NULL) { if ((sk = sk_X509_new_null()) == NULL) {
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
n2l3(p, llen); if (!PACKET_get_net_3(&pkt, &cert_list_len)
if (llen + 3 != n) { || PACKET_remaining(&pkt) != cert_list_len) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
goto f_err; goto f_err;
} }
for (nc = 0; nc < llen;) { while (PACKET_remaining(&pkt)) {
n2l3(p, l); if (!PACKET_get_net_3(&pkt, &cert_len)
if ((l + nc + 3) > llen) { || !PACKET_get_bytes(&pkt, &certbytes, cert_len)) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH); SSL_R_CERT_LENGTH_MISMATCH);
goto f_err; goto f_err;
} }
q = p; certstart = certbytes;
x = d2i_X509(NULL, &q, l); x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
if (x == NULL) { if (x == NULL) {
al = SSL_AD_BAD_CERTIFICATE; al = SSL_AD_BAD_CERTIFICATE;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
goto f_err; goto f_err;
} }
if (q != (p + l)) { if (certbytes != (certstart + cert_len)) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH); SSL_R_CERT_LENGTH_MISMATCH);
@ -1297,8 +1302,6 @@ int ssl3_get_server_certificate(SSL *s)
goto err; goto err;
} }
x = NULL; x = NULL;
nc += l + 3;
p = q;
} }
i = ssl_verify_cert_chain(s, sk); i = ssl_verify_cert_chain(s, sk);