-/* $OpenBSD: s3_lib.c,v 1.207 2021/04/19 16:47:25 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.208 2021/04/21 19:27:56 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
freezero(S3I(s)->hs.tls13.cookie, S3I(s)->hs.tls13.cookie_len);
tls13_clienthello_hash_clear(&S3I(s)->hs.tls13);
- sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
+ sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free);
tls1_transcript_free(s);
tls1_transcript_hash_free(s);
size_t rlen, wlen;
tls1_cleanup_key_block(s);
- sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
+ sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free);
DH_free(S3I(s)->tmp.dh);
S3I(s)->tmp.dh = NULL;
-/* $OpenBSD: ssl_clnt.c,v 1.91 2021/04/19 16:51:56 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.92 2021/04/21 19:27:56 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
goto end;
if (SSL_is_dtls(s))
dtls1_stop_timer(s);
- if (S3I(s)->tmp.cert_req)
+ if (S3I(s)->hs.tls12.cert_request)
S3I(s)->hs.state = SSL3_ST_CW_CERT_A;
else
S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_A;
* message when client's ECDH public key is sent
* inside the client certificate.
*/
- if (S3I(s)->tmp.cert_req == 1) {
+ if (S3I(s)->hs.tls12.cert_request == 1) {
S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_A;
} else {
S3I(s)->hs.state = SSL3_ST_CW_CHANGE_A;
{
int ok, ret = 0;
long n;
- uint8_t ctype_num;
- CBS cert_request, ctypes, rdn_list;
+ CBS cert_request, cert_types, rdn_list;
X509_NAME *xn = NULL;
const unsigned char *q;
STACK_OF(X509_NAME) *ca_sk = NULL;
if (!ok)
return ((int)n);
- S3I(s)->tmp.cert_req = 0;
+ S3I(s)->hs.tls12.cert_request = 0;
if (S3I(s)->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
S3I(s)->hs.tls12.reuse_message = 1;
goto err;
}
- /* get the certificate types */
- if (!CBS_get_u8(&cert_request, &ctype_num))
+ if (!CBS_get_u8_length_prefixed(&cert_request, &cert_types))
goto decode_err;
- if (ctype_num > SSL3_CT_NUMBER)
- ctype_num = SSL3_CT_NUMBER;
- if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) ||
- !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype,
- sizeof(S3I(s)->tmp.ctype), NULL)) {
- SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
- goto err;
- }
-
if (SSL_USE_SIGALGS(s)) {
CBS sigalgs;
}
/* we should setup a certificate to return.... */
- S3I(s)->tmp.cert_req = 1;
- S3I(s)->tmp.ctype_num = ctype_num;
- sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free);
- S3I(s)->tmp.ca_names = ca_sk;
+ S3I(s)->hs.tls12.cert_request = 1;
+ sk_X509_NAME_pop_free(S3I(s)->hs.tls12.ca_names, X509_NAME_free);
+ S3I(s)->hs.tls12.ca_names = ca_sk;
ca_sk = NULL;
ret = 1;
/*
* If we have client certificate, use its secret as peer key.
*/
- if (S3I(s)->tmp.cert_req && s->cert->key->privatekey) {
+ if (S3I(s)->hs.tls12.cert_request && s->cert->key->privatekey) {
if (EVP_PKEY_derive_set_peer(pkey_ctx,
s->cert->key->privatekey) <=0) {
/*
X509_free(x509);
EVP_PKEY_free(pkey);
if (i == 0) {
- S3I(s)->tmp.cert_req = 2;
+ S3I(s)->hs.tls12.cert_request = 2;
/* There is no client certificate to verify. */
tls1_transcript_free(s);
SSL3_MT_CERTIFICATE))
goto err;
if (!ssl3_output_cert_chain(s, &client_cert,
- (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key))
+ (S3I(s)->hs.tls12.cert_request == 2) ? NULL : s->cert->key))
goto err;
if (!ssl3_handshake_msg_finish(s, &cbb))
goto err;
-/* $OpenBSD: ssl_locl.h,v 1.336 2021/04/19 17:26:39 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.337 2021/04/21 19:27:56 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
/* Reuse current handshake message. */
int reuse_message;
+ /* Client certificate requests. */
+ int cert_request;
+ STACK_OF(X509_NAME) *ca_names;
+
/* Size of the MAC secret. */
int mac_secret_size;
int ecdh_nid;
uint8_t *x25519;
-
- /* used for certificate requests */
- int cert_req;
- int ctype_num;
- char ctype[SSL3_CT_NUMBER];
- STACK_OF(X509_NAME) *ca_names;
-
- int cert_request;
} tmp;
/* Connection binding to prevent renegotiation attacks */
-/* $OpenBSD: ssl_srvr.c,v 1.102 2021/04/19 16:51:56 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.103 2021/04/21 19:27:56 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
/* No cert request. */
skip = 1;
- S3I(s)->tmp.cert_request = 0;
+ S3I(s)->hs.tls12.cert_request = 0;
S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
if (!SSL_is_dtls(s))
tls1_transcript_free(s);
} else {
- S3I(s)->tmp.cert_request = 1;
+ S3I(s)->hs.tls12.cert_request = 1;
if (SSL_is_dtls(s))
dtls1_start_timer(s);
ret = ssl3_send_certificate_request(s);
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
- if (S3I(s)->tmp.cert_request) {
+ if (S3I(s)->hs.tls12.cert_request) {
ret = ssl3_get_client_certificate(s);
if (ret <= 0)
goto end;
* If tls asked for a client cert,
* the client must return a 0 list.
*/
- if (S3I(s)->tmp.cert_request) {
+ if (S3I(s)->hs.tls12.cert_request) {
SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
);
al = SSL_AD_UNEXPECTED_MESSAGE;
projects / openbsd / commitdiff