runner: Rewrite some ServerKeyExchange serializers with cryptobyte

Some code scanner was complaining about a theoretical overflow in sizing
the buffer.

Change-Id: I88ae44627684ffd6e3c1b3dd490400acf2f604d4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/96648
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>

ssl/test/runner/key_agreement.go

diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go
index 62635c0..a92df92 100644
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@@ -18,6 +18,7 @@
 	"slices"
 
 	"boringssl.googlesource.com/boringssl.git/ssl/test/runner/kyber"
+	"golang.org/x/crypto/cryptobyte"
 )
 
 type keyType int
@@ -54,13 +55,13 @@
 	}
 	ka.exportKey = key
 
-	modulus := key.N.Bytes()
-	exponent := big.NewInt(int64(key.E)).Bytes()
-	serverRSAParams := make([]byte, 0, 2+len(modulus)+2+len(exponent))
-	serverRSAParams = append(serverRSAParams, byte(len(modulus)>>8), byte(len(modulus)))
-	serverRSAParams = append(serverRSAParams, modulus...)
-	serverRSAParams = append(serverRSAParams, byte(len(exponent)>>8), byte(len(exponent)))
-	serverRSAParams = append(serverRSAParams, exponent...)
+	bb := cryptobyte.NewBuilder(nil)
+	addUint16LengthPrefixedBytes(bb, key.N.Bytes())
+	addUint16LengthPrefixedBytes(bb, big.NewInt(int64(key.E)).Bytes())
+	serverRSAParams, err := bb.Bytes()
+	if err != nil {
+		return nil, err
+	}
 
 	var sigAlg signatureAlgorithm
 	if ka.version.protocolVersion() >= VersionTLS12 {
@@ -76,21 +77,16 @@
 	}
 
 	skx := new(serverKeyExchangeMsg)
-	sigAlgsLen := 0
+	bb = cryptobyte.NewBuilder(nil)
+	bb.AddBytes(serverRSAParams)
 	if ka.version.protocolVersion() >= VersionTLS12 {
-		sigAlgsLen = 2
+		bb.AddUint16(uint16(sigAlg))
 	}
-	skx.key = make([]byte, len(serverRSAParams)+sigAlgsLen+2+len(sig))
-	copy(skx.key, serverRSAParams)
-	k := skx.key[len(serverRSAParams):]
-	if ka.version.protocolVersion() >= VersionTLS12 {
-		k[0] = byte(sigAlg >> 8)
-		k[1] = byte(sigAlg)
-		k = k[2:]
+	addUint16LengthPrefixedBytes(bb, sig)
+	skx.key, err = bb.Bytes()
+	if err != nil {
+		return nil, err
 	}
-	k[0] = byte(len(sig) >> 8)
-	k[1] = byte(len(sig))
-	copy(k[2:], sig)
 
 	return skx, nil
 }
@@ -648,21 +644,16 @@
 	if config.Bugs.UnauthenticatedECDH {
 		skx.key = params
 	} else {
-		sigAlgsLen := 0
+		bb := cryptobyte.NewBuilder(nil)
+		bb.AddBytes(params)
 		if ka.version.protocolVersion() >= VersionTLS12 {
-			sigAlgsLen = 2
+			bb.AddUint16(uint16(sigAlg))
 		}
-		skx.key = make([]byte, len(params)+sigAlgsLen+2+len(sig))
-		copy(skx.key, params)
-		k := skx.key[len(params):]
-		if ka.version.protocolVersion() >= VersionTLS12 {
-			k[0] = byte(sigAlg >> 8)
-			k[1] = byte(sigAlg)
-			k = k[2:]
+		addUint16LengthPrefixedBytes(bb, sig)
+		skx.key, err = bb.Bytes()
+		if err != nil {
+			return nil, err
 		}
-		k[0] = byte(len(sig) >> 8)
-		k[1] = byte(len(sig))
-		copy(k[2:], sig)
 	}
 
 	return skx, nil
@@ -757,15 +748,17 @@
 	}
 
 	// http://tools.ietf.org/html/rfc4492#section-5.4
-	serverECDHParams := make([]byte, 1+2+1+len(publicKey))
-	serverECDHParams[0] = 3 // named curve
+	bb := cryptobyte.NewBuilder(nil)
+	bb.AddUint8(3) // named curve
 	if config.Bugs.SendCurve != 0 {
 		curveID = config.Bugs.SendCurve
 	}
-	serverECDHParams[1] = byte(curveID >> 8)
-	serverECDHParams[2] = byte(curveID)
-	serverECDHParams[3] = byte(len(publicKey))
-	copy(serverECDHParams[4:], publicKey)
+	bb.AddUint16(uint16(curveID))
+	addUint8LengthPrefixedBytes(bb, publicKey)
+	serverECDHParams, err := bb.Bytes()
+	if err != nil {
+		return nil, err
+	}
 
 	return ka.auth.signParameters(config, cert, clientHello, hello, serverECDHParams)
 }