summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_clnt.c43
1 files changed, 26 insertions, 17 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 1bbe2e686b3..eed6cb5215c 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.116 2015/07/14 03:33:16 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1784,9 +1784,11 @@ err:
int
ssl3_get_cert_status(SSL *s)
{
+ CBS cert_status, response;
+ size_t stow_len;
int ok, al;
- unsigned long resplen, n;
- const unsigned char *p;
+ long n;
+ uint8_t status_type;
n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
@@ -1794,36 +1796,43 @@ ssl3_get_cert_status(SSL *s)
if (!ok)
return ((int)n);
- if (n < 4) {
+
+ CBS_init(&cert_status, s->init_msg, n);
+
+ if (n < 0 || !CBS_get_u8(&cert_status, &status_type) ||
+ CBS_len(&cert_status) < 3) {
/* need at least status type + length */
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
SSL_R_LENGTH_MISMATCH);
goto f_err;
}
- p = (unsigned char *)s->init_msg;
- if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
+
+ if (status_type != TLSEXT_STATUSTYPE_ocsp) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
SSL_R_UNSUPPORTED_STATUS_TYPE);
goto f_err;
}
- n2l3(p, resplen);
- if (resplen + 4 != n) {
+
+ if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
+ CBS_len(&cert_status) != 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
SSL_R_LENGTH_MISMATCH);
goto f_err;
}
- free(s->tlsext_ocsp_resp);
- if ((s->tlsext_ocsp_resp = malloc(resplen)) == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
- ERR_R_MALLOC_FAILURE);
- goto f_err;
- }
- memcpy(s->tlsext_ocsp_resp, p, resplen);
- s->tlsext_ocsp_resplen = resplen;
+
+ if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
+ &stow_len) || stow_len > INT_MAX) {
+ s->tlsext_ocsp_resplen = 0;
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+ ERR_R_MALLOC_FAILURE);
+ goto f_err;
+ }
+ s->tlsext_ocsp_resplen = (int)stow_len;
+
if (s->ctx->tlsext_status_cb) {
int ret;
ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);