fix for the HCertificateRequest in tlshand.c:/^msgRecv
- use the right sizes for length fields
- add additional check before the get16 at tlshand.c:1150
- add p += nn; n -= nn; which were missing after makebytes at tlshand.c:1145

the latter fixes the problem I had with the test at tlshand.c:1153 where the (n != nn) part succeeded while we would want it (would expect it) to fail.

I've not yet tested this on the real system but
- it feels and looks convincingly ok,
- it explains the values of n and nn that I saw, and, better than that,
- it checks out with the data I gathered earlier while debugging this (unfortunately I have only a single sample -- the one from our campus net)

as before, please double-check; I'm feeling good about this.

Axel.

Reference: /n/sources/patch/applied/tlshand-msgrecv-hcertreq-fix
Date: Mon Aug 29 00:40:13 CES 2005

--- /sys/src/libsec/port/tlshand.c Mon Aug 29 00:04:21 2005 +++ /sys/src/libsec/port/tlshand.c Mon Aug 29 00:41:22 2005 @@ -1135,26 +1135,23 @@ } break; case HCertificateRequest: + if(n < 1) + goto Short; + nn = p[0]; + p += 1; + n -= 1; + if(nn < 1 || nn > n) + goto Short; + m->u.certificateRequest.types = makebytes(p, nn); + p += nn; + n -= nn; if(n < 2) goto Short; nn = get16(p); p += 2; n -= 2; - if(nn < 1 || nn > n) - goto Short; - m->u.certificateRequest.types = makebytes(p, nn); - nn = get24(p); - p += 3; - n -= 3; - /* - * can't do this because it fails in 802.1x-TTLS - * for unknown reasons. maybe the other side generates - * bogus data, or maybe we're just confused. - * if(nn == 0 || n != nn) goto Short; - */ - USED(nn); /* cas */ i = 0; while(n > 0) {
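Review bot: the 16-bit length read by `nn = get16(p); p += 2; n -= 2;` is never compared with the remaining byte count, because the patch deletes the commented-out `if(nn == 0 || n != nn) goto Short;` together with `USED(nn)` and puts nothing in their place. The `while(n > 0)` loop that follows is therefore bounded only by n, so a peer can declare one list length and send a different amount of data without being rejected. Since the description says the corrected field sizes and the added `p += nn; n -= nn;` explain why the `n != nn` test used to misfire, this looks like the place to reinstate it as a live check (for example `if(nn != n) goto Short;`) once it has been tested against the 802.1x-TTLS peer mentioned in the removed comment. If the length is to stay unchecked on purpose, keep `USED(nn);` and a short comment saying why, so the assigned-but-unused value is not mistaken for an oversight.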