aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2015-03-06 14:37:17 +0000
committerMatt Caswell <matt@openssl.org>2015-03-23 15:23:11 +0000
commit69f682374868ba2b19a8aeada496bf03dbb037cf (patch)
tree1c7717928dc7eecd832f2c864ff19c63af708ffc
parent4bcdb4a6019e57b3de077b17940e18befe745531 (diff)
downloadopenssl-69f682374868ba2b19a8aeada496bf03dbb037cf.tar.gz
Fix missing return value checks
Ensure that all functions have their return values checked where appropriate. This covers all functions defined and called from within libssl. Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat
-rw-r--r--ssl/bio_ssl.c5
-rw-r--r--ssl/d1_both.c9
-rw-r--r--ssl/d1_clnt.c6
-rw-r--r--ssl/d1_lib.c6
-rw-r--r--ssl/d1_pkt.c8
-rw-r--r--ssl/d1_srvr.c6
-rw-r--r--ssl/s23_clnt.c6
-rw-r--r--ssl/s23_srvr.c6
-rw-r--r--ssl/s3_clnt.c11
-rw-r--r--ssl/s3_enc.c10
-rw-r--r--ssl/s3_lib.c3
-rw-r--r--ssl/s3_pkt.c5
-rw-r--r--ssl/s3_srvr.c36
-rw-r--r--ssl/ssl.h5
-rw-r--r--ssl/ssl_algs.c2
-rw-r--r--ssl/ssl_ciph.c5
-rw-r--r--ssl/ssl_err.c81
-rw-r--r--ssl/ssl_lib.c25
-rw-r--r--ssl/ssl_rsa.c5
-rw-r--r--ssl/ssl_sess.c6
-rw-r--r--ssl/ssl_txt.c3
-rw-r--r--ssl/ssltest.c95
-rw-r--r--ssl/t1_enc.c3
-rw-r--r--ssl/t1_lib.c26
24 files changed, 237 insertions, 136 deletions
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index e2831af7f3..99f8b5e524 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -292,7 +292,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
else if (ssl->handshake_func == ssl->method->ssl_accept)
SSL_set_accept_state(ssl);
- SSL_clear(ssl);
+ if(!SSL_clear(ssl)) {
+ ret = 0;
+ break;
+ }
if (b->next_bio != NULL)
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index a7d0a82085..22626f1f0b 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -989,7 +989,10 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
s->d1->handshake_write_seq, 0, 0);
/* buffer the message to handle re-xmits */
- dtls1_buffer_message(s, 1);
+ if(!dtls1_buffer_message(s, 1)) {
+ SSLerr(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
s->state = b;
}
@@ -1237,7 +1240,7 @@ void dtls1_clear_record_buffer(SSL *s)
}
}
-unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+void dtls1_set_message_header(SSL *s, unsigned char *p,
unsigned char mt, unsigned long len,
unsigned long frag_off,
unsigned long frag_len)
@@ -1250,8 +1253,6 @@ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
frag_off, frag_len);
-
- return p += DTLS1_HM_HEADER_LENGTH;
}
/* don't actually do the writing, wait till the MTU has been retrieved */
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 151dd47285..c5831cd2eb 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -181,8 +181,10 @@ int dtls1_connect(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
#ifndef OPENSSL_NO_SCTP
/*
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index e9a2fc5bf8..b568944ba0 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -567,7 +567,11 @@ static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
s->init_off = 0;
/* Buffer the message to handle re-xmits */
- dtls1_buffer_message(s, 0);
+ /*
+ * Deliberately swallow error return. We really should do something with
+ * this - but its a void function that can't (easily) be changed
+ */
+ if(!dtls1_buffer_message(s, 0));
}
static int dtls1_handshake_write(SSL *s)
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 4dbd694442..5463acfe7f 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -937,7 +937,10 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
- dtls1_process_heartbeat(s);
+ /* We allow a 0 return */
+ if(dtls1_process_heartbeat(s) < 0) {
+ return -1;
+ }
/* Exit and notify application to read again */
rr->length = 0;
@@ -1246,7 +1249,8 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if (dtls1_check_timeout_num(s) < 0)
return -1;
- dtls1_retransmit_buffered_messages(s);
+ /* Ignore retransmit failures - swallow return code */
+ if(dtls1_retransmit_buffered_messages(s));
rr->length = 0;
goto start;
}
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index bcf63e016b..24361ae5df 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -184,8 +184,10 @@ int dtls1_accept(SSL *s)
/* init things to blank */
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
s->d1->listen = listen;
#ifndef OPENSSL_NO_SCTP
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index e04d3af9f6..21a32bce70 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -157,8 +157,10 @@ int ssl23_connect(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
for (;;) {
state = s->state;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 6ac6e4edad..255d27810f 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -156,8 +156,10 @@ int ssl23_accept(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
for (;;) {
state = s->state;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b37a7339f4..3a37a240e3 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -197,8 +197,10 @@ int ssl3_connect(SSL *s)
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
#ifndef OPENSSL_NO_HEARTBEATS
/*
@@ -3044,6 +3046,11 @@ int ssl3_send_client_key_exchange(SSL *s)
OPENSSL_cleanse(pms, pmslen);
OPENSSL_free(pms);
s->cert->pms = NULL;
+ if(s->session->master_key_length < 0) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
}
return n;
memerr:
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 83a576ad1a..bcefe12769 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -253,7 +253,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd = s->enc_read_ctx;
- ssl_replace_hash(&s->read_hash, m);
+ if(!ssl_replace_hash(&s->read_hash, m)) {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->expand != NULL) {
@@ -288,7 +291,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
*/
EVP_CIPHER_CTX_init(s->enc_write_ctx);
dd = s->enc_write_ctx;
- ssl_replace_hash(&s->write_hash, m);
+ if(!ssl_replace_hash(&s->write_hash, m)) {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->compress != NULL) {
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 3e6530e32b..d40a181ebe 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3114,7 +3114,8 @@ int ssl3_new(SSL *s)
s->s3 = s3;
#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_init(s);
+ if(!SSL_SRP_CTX_init(s))
+ goto err;
#endif
s->method->ssl_clear(s);
return (1);
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index cf02e49f76..4f81f1a222 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1320,7 +1320,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
- tls1_process_heartbeat(s);
+ /* We can ignore 0 return values */
+ if(tls1_process_heartbeat(s) < 0) {
+ return -1;
+ }
/* Exit and notify application to read again */
rr->length = 0;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f8c7e373cd..16265dcb39 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -226,8 +226,10 @@ int ssl3_accept(SSL *s)
/* init things to blank */
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
if (s->cert == NULL) {
SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
@@ -2227,6 +2229,11 @@ int ssl3_get_client_key_exchange(SSL *s)
sizeof
(rand_premaster_secret));
OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
} else
#endif
#ifndef OPENSSL_NO_DH
@@ -2319,6 +2326,11 @@ int ssl3_get_client_key_exchange(SSL *s)
session->master_key,
p, i);
OPENSSL_cleanse(p, i);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (dh_clnt)
return 2;
} else
@@ -2484,6 +2496,11 @@ int ssl3_get_client_key_exchange(SSL *s)
s->
session->master_key,
pms, outl);
+ if(s->session->master_key_length < 0) {
+ al = SSL_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (kssl_ctx->client_princ) {
size_t len = strlen(kssl_ctx->client_princ);
@@ -2632,6 +2649,11 @@ int ssl3_get_client_key_exchange(SSL *s)
p, i);
OPENSSL_cleanse(p, i);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
return (ret);
} else
#endif
@@ -2716,6 +2738,11 @@ int ssl3_get_client_key_exchange(SSL *s)
session->master_key,
psk_or_pre_ms,
pre_ms_len);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto psk_err;
+ }
psk_err = 0;
psk_err:
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
@@ -2817,6 +2844,11 @@ int ssl3_get_client_key_exchange(SSL *s)
s->
session->master_key,
premaster_secret, 32);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
/* Check if pubkey from client certificate was used */
if (EVP_PKEY_CTX_ctrl
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index ba58e0fd4c..60d196ecef 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1773,7 +1773,7 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,
__owur const COMP_METHOD *SSL_get_current_compression(SSL *s);
__owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);
__owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-__owur STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
__owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
*meths);
void SSL_COMP_free_compression_methods(void);
@@ -1782,7 +1782,7 @@ __owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
__owur const void *SSL_get_current_compression(SSL *s);
__owur const void *SSL_get_current_expansion(SSL *s);
__owur const char *SSL_COMP_get_name(const void *comp);
-__owur void *SSL_COMP_get_compression_methods(void);
+void *SSL_COMP_get_compression_methods(void);
__owur int SSL_COMP_add_compression_method(int id, void *cm);
# endif
@@ -1956,6 +1956,7 @@ void ERR_load_SSL_strings(void);
# define SSL_F_DTLS1_READ_BYTES 258
# define SSL_F_DTLS1_READ_FAILED 259
# define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
+# define SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC 342
# define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
# define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
# define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 504e4d7a46..ba9fc48a8d 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -130,7 +130,7 @@ int SSL_library_init(void)
* This will initialise the built-in compression algorithms. The value
* returned is a STACK_OF(SSL_COMP), but that can be discarded safely
*/
- (void)SSL_COMP_get_compression_methods();
+ SSL_COMP_get_compression_methods();
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index f220e8e572..0f6758bb52 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -532,10 +532,13 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
else
*comp = NULL;
}
+ /* If were only interested in comp then return success */
+ if((enc == NULL) && (md == NULL))
+ return 1;
}
if ((enc == NULL) || (md == NULL))
- return (0);
+ return 0;
switch (c->algorithm_enc) {
case SSL_DES:
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index f370e9e383..5616f7d6b6 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -83,8 +83,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "dtls1_get_message"},
- {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),
- "DTLS1_GET_MESSAGE_FRAGMENT"},
+ {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "dtls1_get_record"},
{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "dtls1_handle_timeout"},
{ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
@@ -96,7 +95,9 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "dtls1_read_bytes"},
{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "dtls1_read_failed"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),
- "dtls1_send_certificate_request"},
+ "DTLS1_SEND_CERTIFICATE_REQUEST"},
+ {ERR_FUNC(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC),
+ "dtls1_send_change_cipher_spec"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE),
"dtls1_send_client_certificate"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),
@@ -109,8 +110,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "dtls1_send_server_hello"},
{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),
"dtls1_send_server_key_exchange"},
- {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),
- "dtls1_write_app_data_bytes"},
+ {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"},
{ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"},
{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL23_CONNECT), "ssl23_connect"},
@@ -130,10 +130,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"},
{ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"},
{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "ssl3_ctx_ctrl"},
- {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS),
- "ssl3_digest_cached_records"},
- {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),
- "ssl3_do_change_cipher_spec"},
+ {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "ssl3_digest_cached_records"},
+ {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "ssl3_do_change_cipher_spec"},
{ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),
@@ -183,8 +181,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_ADD_CERT_TO_BUF), "SSL_ADD_CERT_TO_BUF"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),
"ssl_add_clienthello_renegotiate_ext"},
- {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),
- "ssl_add_clienthello_tlsext"},
+ {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "ssl_add_clienthello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT),
"ssl_add_clienthello_use_srtp_ext"},
{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),
@@ -193,8 +190,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"SSL_add_file_cert_subjects_to_stack"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),
"ssl_add_serverhello_renegotiate_ext"},
- {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),
- "ssl_add_serverhello_tlsext"},
+ {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "ssl_add_serverhello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT),
"ssl_add_serverhello_use_srtp_ext"},
{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"},
@@ -210,8 +206,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"SSL_CHECK_SERVERHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),
"ssl_check_srvr_ecc_cert_and_alg"},
- {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),
- "SSL_CIPHER_PROCESS_RULESTR"},
+ {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),
@@ -296,10 +291,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
- {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),
- "SSL_set_session_id_context"},
- {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),
- "SSL_set_session_ticket_ext"},
+ {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
+ {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
@@ -317,10 +310,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
- {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),
- "SSL_use_RSAPrivateKey_ASN1"},
- {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),
- "SSL_use_RSAPrivateKey_file"},
+ {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
+ {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"},
{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
{ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
@@ -391,16 +382,14 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_BAD_VALUE), "bad value"},
{ERR_REASON(SSL_R_BAD_WRITE_RETRY), "bad write retry"},
{ERR_REASON(SSL_R_BIO_NOT_SET), "bio not set"},
- {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
- "block cipher pad is wrong"},
+ {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"},
{ERR_REASON(SSL_R_BN_LIB), "bn lib"},
{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"},
{ERR_REASON(SSL_R_CA_DN_TOO_LONG), "ca dn too long"},
{ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
{ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},
{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY), "ccs received early"},
- {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),
- "certificate verify failed"},
+ {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"},
{ERR_REASON(SSL_R_CERT_CB_ERROR), "cert cb error"},
{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH), "cert length mismatch"},
{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
@@ -413,8 +402,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_COMPRESSION_FAILURE), "compression failure"},
{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),
"compression id not within private range"},
- {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),
- "compression library error"},
+ {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"},
{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"},
{ERR_REASON(SSL_R_COOKIE_MISMATCH), "cookie mismatch"},
{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),
@@ -443,8 +431,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_EE_KEY_TOO_SMALL), "ee key too small"},
{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),
"empty srtp protection profile list"},
- {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
- "encrypted length too long"},
+ {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"},
{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),
"error generating tmp rsa key"},
{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
@@ -494,8 +481,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"},
{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),
"missing ecdsa signing cert"},
- {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),
- "missing export tmp dh key"},
+ {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),
"missing export tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
@@ -527,8 +513,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"},
{ERR_REASON(SSL_R_NO_RENEGOTIATION), "no renegotiation"},
- {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST),
- "digest requred for handshake isn't computed"},
+ {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), "no required digest"},
{ERR_REASON(SSL_R_NO_SHARED_CIPHER), "no shared cipher"},
{ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS),
"no shared sigature algorithms"},
@@ -546,8 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"only TLS 1.2 allowed in Suite B mode"},
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),
"only tls allowed in fips mode"},
- {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),
- "opaque PRF input too long"},
+ {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "opaque PRF input too long"},
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
{ERR_REASON(SSL_R_PARSE_TLSEXT), "parse tlsext"},
{ERR_REASON(SSL_R_PATH_TOO_LONG), "path too long"},
@@ -597,8 +581,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),
"ssl3 ext invalid servername type"},
{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"},
- {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),
- "ssl3 session id too short"},
+ {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"},
{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
"sslv3 alert bad certificate"},
{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
@@ -634,13 +617,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"ssl session id context too long"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
"ssl session id has bad length"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),
- "tlsv1 alert access denied"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),
"tlsv1 alert decryption failed"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
- "tlsv1 alert decrypt error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
"tlsv1 alert export restriction"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
@@ -683,8 +664,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"tls rsa encrypted value length is wrong"},
{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),
"tried to use unsupported cipher"},
- {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),
- "unable to decode dh certs"},
+ {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),
"unable to decode ecdh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),
@@ -693,8 +673,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"unable to find ecdh parameters"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),
"unable to find public key parameters"},
- {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),
- "unable to find ssl method"},
+ {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"},
{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),
"unable to load ssl3 md5 routines"},
{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
@@ -708,12 +687,10 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"},
{ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
{ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"},
- {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
- "unknown key exchange type"},
+ {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"},
{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"},
{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"},
- {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),
- "unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"},
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION), "unknown ssl version"},
{ERR_REASON(SSL_R_UNKNOWN_STATE), "unknown state"},
{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1e9b34f78a..0c9f4f7006 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -378,7 +378,8 @@ SSL *SSL_new(SSL_CTX *ctx)
s->references = 1;
s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
- SSL_clear(s);
+ if(!SSL_clear(s))
+ goto err;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
@@ -885,7 +886,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
CERT *tmp;
/* Do we need to to SSL locking? */
- SSL_set_session(t, SSL_get_session(f));
+ if(!SSL_set_session(t, SSL_get_session(f))) {
+ /* How do we handle this!! void function */
+ return;
+ }
/*
* what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
@@ -904,7 +908,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
t->cert = NULL;
if (tmp != NULL)
ssl_cert_free(tmp);
- SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);
+ if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
+ /* Really should do something about this..but void function - ignore */
+ ;
+ }
}
/* Fix this so it checks all the valid key/cert options */
@@ -1924,10 +1931,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
if (ret->cert_store == NULL)
goto err;
- ssl_create_cipher_list(ret->method,
+ if(!ssl_create_cipher_list(ret->method,
&ret->cipher_list, &ret->cipher_list_by_id,
- SSL_DEFAULT_CIPHER_LIST, ret->cert);
- if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+ SSL_DEFAULT_CIPHER_LIST, ret->cert)
+ || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -1980,7 +1987,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->psk_server_callback = NULL;
#endif
#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_init(ret);
+ if(!SSL_CTX_SRP_CTX_init(ret))
+ goto err;
#endif
#ifndef OPENSSL_NO_ENGINE
ret->client_cert_engine = NULL;
@@ -2783,7 +2791,8 @@ SSL *SSL_dup(SSL *s)
goto err;
}
- SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length);
+ if(!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
+ goto err;
}
ret->options = s->options;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 8799d3dd56..60a68340d1 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -693,7 +693,10 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
int r;
unsigned long err;
- SSL_CTX_clear_chain_certs(ctx);
+ if(!SSL_CTX_clear_chain_certs(ctx)) {
+ ret = 0;
+ goto end;
+ }
while ((ca = PEM_read_bio_X509(in, NULL,
ctx->default_passwd_callback,
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index cf019c8346..22d2e661b9 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -510,12 +510,14 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
*/
if (!
(s->session_ctx->session_cache_mode &
- SSL_SESS_CACHE_NO_INTERNAL_STORE))
+ SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
/*
* The following should not return 1, otherwise, things are
* very strange
*/
- SSL_CTX_add_session(s->session_ctx, ret);
+ if(SSL_CTX_add_session(s->session_ctx, ret))
+ goto err;
+ }
}
}
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index e5774d2c14..ccdf8ec257 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -214,7 +214,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (x->compress_meth != 0) {
SSL_COMP *comp = NULL;
- ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0);
+ if(!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0))
+ goto err;
if (comp == NULL) {
if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <=
0)
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index a57d5052c3..457ba86a7b 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -1443,8 +1443,11 @@ int main(int argc, char *argv[])
SSL_CTX_set_security_level(s_ctx, 0);
if (cipher != NULL) {
- SSL_CTX_set_cipher_list(c_ctx, cipher);
- SSL_CTX_set_cipher_list(s_ctx, cipher);
+ if(!SSL_CTX_set_cipher_list(c_ctx, cipher)
+ || !SSL_CTX_set_cipher_list(s_ctx, cipher)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
/* Process SSL_CONF arguments */
@@ -1537,10 +1540,13 @@ int main(int argc, char *argv[])
}
if (client_auth) {
- SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM);
- SSL_CTX_use_PrivateKey_file(c_ctx,
+ if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
+ || !SSL_CTX_use_PrivateKey_file(c_ctx,
(client_key ? client_key : client_cert),
- SSL_FILETYPE_PEM);
+ SSL_FILETYPE_PEM)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
@@ -1569,8 +1575,11 @@ int main(int argc, char *argv[])
{
int session_id_context = 0;
- SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
- sizeof session_id_context);
+ if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
+ sizeof session_id_context)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
/* Use PSK only if PSK key is given */
@@ -1637,15 +1646,22 @@ int main(int argc, char *argv[])
}
#endif
- if (serverinfo_sct)
- SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
+ if (serverinfo_sct) {
+ if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
NULL, NULL, NULL,
- serverinfo_cli_parse_cb, NULL);
- if (serverinfo_tack)
- SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
+ serverinfo_cli_parse_cb, NULL)) {
+ BIO_printf(bio_err, "Error adding SCT extension\n");
+ goto end;
+ }
+ }
+ if (serverinfo_tack) {
+ if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
NULL, NULL, NULL,
- serverinfo_cli_parse_cb, NULL);
-
+ serverinfo_cli_parse_cb, NULL)) {
+ BIO_printf(bio_err, "Error adding TACK extension\n");
+ goto end;
+ }
+ }
if (serverinfo_file)
if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) {
BIO_printf(bio_err, "missing serverinfo file\n");
@@ -1653,39 +1669,41 @@ int main(int argc, char *argv[])
}
if (custom_ext) {
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
+ if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_cli_add_cb,
NULL, NULL,
- custom_ext_0_cli_parse_cb, NULL);
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_0_cli_parse_cb, NULL)
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_cli_add_cb,
NULL, NULL,
- custom_ext_1_cli_parse_cb, NULL);
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_1_cli_parse_cb, NULL)
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_cli_add_cb,
NULL, NULL,
- custom_ext_2_cli_parse_cb, NULL);
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_2_cli_parse_cb, NULL)
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_cli_add_cb,
NULL, NULL,
- custom_ext_3_cli_parse_cb, NULL);
-
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
+ custom_ext_3_cli_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_srv_add_cb,
NULL, NULL,
- custom_ext_0_srv_parse_cb, NULL);
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_0_srv_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_srv_add_cb,
NULL, NULL,
- custom_ext_1_srv_parse_cb, NULL);
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_1_srv_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_srv_add_cb,
NULL, NULL,
- custom_ext_2_srv_parse_cb, NULL);
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_2_srv_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_srv_add_cb,
NULL, NULL,
- custom_ext_3_srv_parse_cb, NULL);
+ custom_ext_3_srv_parse_cb, NULL)) {
+ BIO_printf(bio_err, "Error setting custom extensions\n");
+ goto end;
+ }
}
if (alpn_server)
@@ -1699,7 +1717,12 @@ int main(int argc, char *argv[])
BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
goto end;
}
- SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
+ /* Returns 0 on success!! */
+ if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
+ BIO_printf(bio_err, "Error setting ALPN\n");
+ OPENSSL_free(alpn);
+ goto end;
+ }
OPENSSL_free(alpn);
}
@@ -1722,8 +1745,12 @@ int main(int argc, char *argv[])
#endif /* OPENSSL_NO_KRB5 */
for (i = 0; i < number; i++) {
- if (!reuse)
- SSL_set_session(c_ssl, NULL);
+ if (!reuse) {
+ if(!SSL_set_session(c_ssl, NULL)) {
+ BIO_printf(bio_err, "Failed to set session\n");
+ goto end;
+ }
+ }
if (bio_pair)
ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
else
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 26f8415dcb..df97f19386 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1095,7 +1095,8 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
* exchange and before certificate verify)
*/
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
- ssl3_digest_cached_records(s);
+ if(!ssl3_digest_cached_records(s))
+ return -1;
}
hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
#ifdef SSL_DEBUG
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 511223eb94..dd28cd6ed8 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1431,7 +1431,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
int el;
- ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
+ /* Returns 0 on success!! */
+ if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
if ((limit - ret - 4 - el) < 0)
return NULL;
@@ -1601,8 +1605,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
if (SSL_IS_DTLS(s) && s->srtp_profile) {
int el;
- ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
-
+ /* Returns 0 on success!! */
+ if(ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
if ((limit - ret - 4 - el) < 0)
return NULL;
@@ -4141,12 +4148,13 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
{
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+ /* Deliberately ignore all return values */
+ if(tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC));
}
/* User level utiity function to check a chain is suitable */
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-18 20:52:10 +0000