From 5923ad4bbe5d13c2fcc11f7849594db838ea57bd Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 30 Sep 2016 00:27:40 +0100 Subject: [PATCH] Don't set the handshake header in every message Move setting the handshake header up a level into the state machine code in order to reduce boilerplate. Reviewed-by: Rich Salz --- include/openssl/ssl.h | 2 + ssl/ssl_err.c | 4 + ssl/statem/statem_clnt.c | 126 ++++++++++++++--------------- ssl/statem/statem_lib.c | 16 +--- ssl/statem/statem_locl.h | 1 - ssl/statem/statem_srvr.c | 169 +++++++++++++++++++-------------------- 6 files changed, 148 insertions(+), 170 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 517716f345..e0d82f23bd 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2078,7 +2078,9 @@ int ERR_load_SSL_strings(void); # define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE 370 # define SSL_F_DTLS_PROCESS_HELLO_VERIFY 386 # define SSL_F_OPENSSL_INIT_SSL 342 +# define SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE 430 # define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION 417 +# define SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE 431 # define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION 418 # define SSL_F_READ_STATE_MACHINE 352 # define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 9539e674e1..c1a886ac4c 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -49,8 +49,12 @@ static ERR_STRING_DATA SSL_str_functs[] = { "dtls_get_reassembled_message"}, {ERR_FUNC(SSL_F_DTLS_PROCESS_HELLO_VERIFY), "dtls_process_hello_verify"}, {ERR_FUNC(SSL_F_OPENSSL_INIT_SSL), "OPENSSL_init_ssl"}, + {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE), + "ossl_statem_client_construct_message"}, {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION), "ossl_statem_client_read_transition"}, + {ERR_FUNC(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE), + "ossl_statem_server_construct_message"}, {ERR_FUNC(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION), "ossl_statem_server_read_transition"}, {ERR_FUNC(SSL_F_READ_STATE_MACHINE), "read_state_machine"}, diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 5614d5afcb..18eaf3257f 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -513,41 +513,74 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt) { OSSL_STATEM *st = &s->statem; + int (*confunc) (SSL *s, WPACKET *pkt) = NULL; + int ret = 1, mt; - switch (st->hand_state) { - default: - /* Shouldn't happen */ - return 0; + if (st->hand_state == TLS_ST_CW_CHANGE) { + /* Special case becase it is a different content type */ + if (SSL_IS_DTLS(s)) + return dtls_construct_change_cipher_spec(s, pkt); - case TLS_ST_CW_CLNT_HELLO: - return tls_construct_client_hello(s, pkt); + return tls_construct_change_cipher_spec(s, pkt); + } else { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; - case TLS_ST_CW_CERT: - return tls_construct_client_certificate(s, pkt); + case TLS_ST_CW_CLNT_HELLO: + confunc = tls_construct_client_hello; + mt = SSL3_MT_CLIENT_HELLO; + break; - case TLS_ST_CW_KEY_EXCH: - return tls_construct_client_key_exchange(s, pkt); + case TLS_ST_CW_CERT: + confunc = tls_construct_client_certificate; + mt = SSL3_MT_CERTIFICATE; + break; - case TLS_ST_CW_CERT_VRFY: - return tls_construct_client_verify(s, pkt); + case TLS_ST_CW_KEY_EXCH: + confunc = tls_construct_client_key_exchange; + mt = SSL3_MT_CLIENT_KEY_EXCHANGE; + break; - case TLS_ST_CW_CHANGE: - if (SSL_IS_DTLS(s)) - return dtls_construct_change_cipher_spec(s, pkt); - else - return tls_construct_change_cipher_spec(s, pkt); + case TLS_ST_CW_CERT_VRFY: + confunc = tls_construct_client_verify; + mt = SSL3_MT_CERTIFICATE_VERIFY; + break; #if !defined(OPENSSL_NO_NEXTPROTONEG) - case TLS_ST_CW_NEXT_PROTO: - return tls_construct_next_proto(s, pkt); + case TLS_ST_CW_NEXT_PROTO: + confunc = tls_construct_next_proto; + mt = SSL3_MT_NEXT_PROTO; + break; #endif - case TLS_ST_CW_FINISHED: - return tls_construct_finished(s, pkt, - s->method-> - ssl3_enc->client_finished_label, - s->method-> - ssl3_enc->client_finished_label_len); + case TLS_ST_CW_FINISHED: + mt = SSL3_MT_FINISHED; + break; + } + + if (!ssl_set_handshake_header(s, pkt, mt)) { + SSLerr(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (st->hand_state == TLS_ST_CW_FINISHED) + ret = tls_construct_finished(s, pkt, + s->method-> + ssl3_enc->client_finished_label, + s->method-> + ssl3_enc->client_finished_label_len); + else + ret = confunc(s, pkt); + + if (!ret || !ssl_close_construct_packet(s, pkt)) { + SSLerr(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, + ERR_R_INTERNAL_ERROR); + return 0; + } } + return 1; } /* @@ -736,12 +769,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0) return 0; - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CLIENT_HELLO)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - return 0; - } - /*- * version indicates the negotiated version: for example from * an SSLv2/v3 compatible client hello). The client_version @@ -855,11 +882,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) return 0; } - if (!ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - return 0; - } - return 1; } @@ -2455,12 +2477,6 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) unsigned long alg_k; int al = -1; - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CLIENT_KEY_EXCHANGE)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto err; - } - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; if ((alg_k & SSL_PSK) @@ -2488,12 +2504,6 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) goto err; } - if (!ssl_close_construct_packet(s, pkt)) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto err; - } - return 1; err: if (al != -1) @@ -2582,11 +2592,6 @@ int tls_construct_client_verify(SSL *s, WPACKET *pkt) void *hdata; unsigned char *sig = NULL; - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CERTIFICATE_VERIFY)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); - goto err; - } - mctx = EVP_MD_CTX_new(); if (mctx == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE); @@ -2640,11 +2645,6 @@ int tls_construct_client_verify(SSL *s, WPACKET *pkt) if (!ssl3_digest_cached_records(s, 0)) goto err; - if (!ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); - goto err; - } - OPENSSL_free(sig); EVP_MD_CTX_free(mctx); return 1; @@ -2846,11 +2846,6 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt) size_t len, padding_len; unsigned char *padding = NULL; - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_NEXT_PROTO)) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR); - goto err; - } - len = s->next_proto_negotiated_len; padding_len = 32 - ((len + 2) % 32); @@ -2862,11 +2857,6 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt) memset(padding, 0, padding_len); - if (!ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR); - goto err; - } - return 1; err: ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index a6b1f6beb9..cac18cc550 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -75,11 +75,6 @@ int tls_construct_finished(SSL *s, WPACKET *pkt, const char *sender, int slen) { int i; - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_FINISHED)) { - SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); - goto err; - } - i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); @@ -108,11 +103,6 @@ int tls_construct_finished(SSL *s, WPACKET *pkt, const char *sender, int slen) s->s3->previous_server_finished_len = i; } - if (!ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); - goto err; - } - return 1; err: ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); @@ -278,11 +268,9 @@ int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) { - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CERTIFICATE) - || !WPACKET_start_sub_packet_u24(pkt) + if (!WPACKET_start_sub_packet_u24(pkt) || !ssl_add_cert_chain(s, pkt, cpk) - || !WPACKET_close(pkt) - || !ssl_close_construct_packet(s, pkt)) { + || !WPACKET_close(pkt)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR); return 0; } diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h index 8d6dd2a042..f67361c06f 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_locl.h @@ -109,7 +109,6 @@ __owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt); __owur WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst); __owur int tls_construct_server_hello(SSL *s, WPACKET *pkt); -__owur int tls_construct_hello_request(SSL *s, WPACKET *pkt); __owur int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt); __owur int tls_construct_server_certificate(SSL *s, WPACKET *pkt); __owur int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 17dc9cbf5d..46bd5c7be0 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -622,52 +622,91 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt) { OSSL_STATEM *st = &s->statem; + int (*confunc) (SSL *s, WPACKET *pkt) = NULL; + int ret = 1, mt; - switch (st->hand_state) { - default: - /* Shouldn't happen */ - return 0; + if (st->hand_state == TLS_ST_SW_CHANGE) { + /* Special case becase it is a different content type */ + if (SSL_IS_DTLS(s)) + return dtls_construct_change_cipher_spec(s, pkt); - case DTLS_ST_SW_HELLO_VERIFY_REQUEST: + return tls_construct_change_cipher_spec(s, pkt); + } else if (st->hand_state == DTLS_ST_SW_HELLO_VERIFY_REQUEST) { + /* Special case because we don't call ssl_close_construct_packet() */ return dtls_construct_hello_verify_request(s, pkt); + } else { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; - case TLS_ST_SW_HELLO_REQ: - return tls_construct_hello_request(s, pkt); + case TLS_ST_SW_HELLO_REQ: + /* No construction function needed */ + mt = SSL3_MT_HELLO_REQUEST; + break; - case TLS_ST_SW_SRVR_HELLO: - return tls_construct_server_hello(s, pkt); + case TLS_ST_SW_SRVR_HELLO: + confunc = tls_construct_server_hello; + mt = SSL3_MT_SERVER_HELLO; + break; - case TLS_ST_SW_CERT: - return tls_construct_server_certificate(s, pkt); + case TLS_ST_SW_CERT: + confunc = tls_construct_server_certificate; + mt = SSL3_MT_CERTIFICATE; + break; - case TLS_ST_SW_KEY_EXCH: - return tls_construct_server_key_exchange(s, pkt); + case TLS_ST_SW_KEY_EXCH: + confunc = tls_construct_server_key_exchange; + mt = SSL3_MT_SERVER_KEY_EXCHANGE; + break; - case TLS_ST_SW_CERT_REQ: - return tls_construct_certificate_request(s, pkt); + case TLS_ST_SW_CERT_REQ: + confunc = tls_construct_certificate_request; + mt = SSL3_MT_CERTIFICATE_REQUEST; + break; - case TLS_ST_SW_SRVR_DONE: - return tls_construct_server_done(s, pkt); + case TLS_ST_SW_SRVR_DONE: + confunc = tls_construct_server_done; + mt = SSL3_MT_SERVER_DONE; + break; - case TLS_ST_SW_SESSION_TICKET: - return tls_construct_new_session_ticket(s, pkt); + case TLS_ST_SW_SESSION_TICKET: + confunc = tls_construct_new_session_ticket; + mt = SSL3_MT_NEWSESSION_TICKET; + break; - case TLS_ST_SW_CERT_STATUS: - return tls_construct_cert_status(s, pkt); + case TLS_ST_SW_CERT_STATUS: + confunc = tls_construct_cert_status; + mt = SSL3_MT_CERTIFICATE_STATUS; + break; - case TLS_ST_SW_CHANGE: - if (SSL_IS_DTLS(s)) - return dtls_construct_change_cipher_spec(s, pkt); - else - return tls_construct_change_cipher_spec(s, pkt); + case TLS_ST_SW_FINISHED: + mt = SSL3_MT_FINISHED; + break; + } - case TLS_ST_SW_FINISHED: - return tls_construct_finished(s, pkt, - s->method-> - ssl3_enc->server_finished_label, - s->method-> - ssl3_enc->server_finished_label_len); + if (!ssl_set_handshake_header(s, pkt, mt)) { + SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (st->hand_state == TLS_ST_SW_FINISHED) + ret = tls_construct_finished(s, pkt, + s->method-> + ssl3_enc->server_finished_label, + s->method-> + ssl3_enc->server_finished_label_len); + else if (confunc != NULL) + ret = confunc(s, pkt); + + if (!ret || !ssl_close_construct_packet(s, pkt)) { + SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, + ERR_R_INTERNAL_ERROR); + return 0; + } } + return 1; } /* @@ -829,17 +868,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) } #endif -int tls_construct_hello_request(SSL *s, WPACKET *pkt) -{ - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_HELLO_REQUEST) - || !ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR); - return 0; - } - - return 1; -} - int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, unsigned char cookie_len) { @@ -1492,8 +1520,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) int sl, compm, al = SSL_AD_INTERNAL_ERROR; size_t len; - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_SERVER_HELLO) - || !WPACKET_put_bytes_u16(pkt, s->version) + if (!WPACKET_put_bytes_u16(pkt, s->version) /* * Random stuff. Filling of the server_random takes place in * tls_process_client_hello() @@ -1544,8 +1571,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) || !WPACKET_put_bytes_u8(pkt, compm) || !ssl_prepare_serverhello_tlsext(s) - || !ssl_add_serverhello_tlsext(s, pkt, &al) - || !ssl_close_construct_packet(s, pkt)) { + || !ssl_add_serverhello_tlsext(s, pkt, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } @@ -1558,21 +1584,13 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) int tls_construct_server_done(SSL *s, WPACKET *pkt) { - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_SERVER_DONE) - || !ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR); - goto err; - } - if (!s->s3->tmp.cert_request) { - if (!ssl3_digest_cached_records(s, 0)) - goto err; + if (!ssl3_digest_cached_records(s, 0)) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; + } } return 1; - - err: - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - return 0; } int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) @@ -1593,9 +1611,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); size_t paramlen, paramoffset; - if (!ssl_set_handshake_header(s, pkt, - SSL3_MT_SERVER_KEY_EXCHANGE) - || !WPACKET_get_total_written(pkt, ¶moffset)) { + if (!WPACKET_get_total_written(pkt, ¶moffset)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } @@ -1900,11 +1916,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } } - if (!ssl_close_construct_packet(s, pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto f_err; - } - EVP_MD_CTX_free(md_ctx); return 1; f_err: @@ -1925,13 +1936,6 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) int i, nl; STACK_OF(X509_NAME) *sk = NULL; - if (!ssl_set_handshake_header(s, pkt, - SSL3_MT_CERTIFICATE_REQUEST)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); - goto err; - } - - /* get the list of acceptable cert types */ if (!WPACKET_start_sub_packet_u8(pkt) || !ssl3_get_req_cert_type(s, pkt) @@ -1978,8 +1982,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) } /* else no CA names */ - if (!WPACKET_close(pkt) - || !ssl_close_construct_packet(s, pkt)) { + if (!WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } @@ -2954,11 +2957,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) return 0; } - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_NEWSESSION_TICKET)) { - SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); - goto err; - } - ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); if (ctx == NULL || hctx == NULL) { @@ -3067,8 +3065,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) || hlen > EVP_MAX_MD_SIZE || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) || macdata1 != macdata2 - || !WPACKET_close(pkt) - || !ssl_close_construct_packet(s, pkt)) { + || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; } @@ -3087,11 +3084,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) int tls_construct_cert_status(SSL *s, WPACKET *pkt) { - if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CERTIFICATE_STATUS) - || !WPACKET_put_bytes_u8(pkt, s->tlsext_status_type) + if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type) || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp, - s->tlsext_ocsp_resplen) - || !ssl_close_construct_packet(s, pkt)) { + s->tlsext_ocsp_resplen)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; -- 2.25.1