Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(), BIO_ssl_copy_session_id(), and SSL_dup(). Prompted by OpenSSL commit 17dd65e6e1f Tested in a bulk build by sthen ok jsing
author: tb <> 2018-08-24 20:30:21 +0000
committer: tb <> 2018-08-24 20:30:21 +0000
commit: f6faa42a2e718b5331e22139845d05acd06ceb7e (patch)
tree: 178f87a146a07d41a49712b685a292a7bd8a6362
parent: acbbcd39d35326b275f28f6a108e12506a819b8e (diff)
download: openbsd-f6faa42a2e718b5331e22139845d05acd06ceb7e.tar.gz
openbsd-f6faa42a2e718b5331e22139845d05acd06ceb7e.tar.bz2
openbsd-f6faa42a2e718b5331e22139845d05acd06ceb7e.zip
3 files changed, 31 insertions, 28 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index d68e011c62..93cfa0d2a4 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.28 2018/05/01 13:30:24 tb Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.29 2018/08/24 20:30:21 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -568,7 +568,9 @@ BIO_ssl_copy_session_id(BIO *t, BIO *f)
        if ((((BIO_SSL *)t->ptr)->ssl == NULL) ||
            (((BIO_SSL *)f->ptr)->ssl == NULL))
                return (0);
-        SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl, ((BIO_SSL *)f->ptr)->ssl);
+        if (!SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl,
+            ((BIO_SSL *)f->ptr)->ssl))
+                return (0);
        return (1);
 }
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index c3b553fa2f..324691485b 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.158 2018/05/01 13:30:24 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.159 2018/08/24 20:30:21 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1311,7 +1311,7 @@ long	SSL_SESSION_get_time(const SSL_SESSION *s);
 long    SSL_SESSION_set_time(SSL_SESSION *s, long t);
 long    SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long    SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void    SSL_copy_session_id(SSL *to, const SSL *from);
+int     SSL_copy_session_id(SSL *to, const SSL *from);
 X509    *SSL_SESSION_get0_peer(SSL_SESSION *s);
 int     SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
            unsigned int sid_len);
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4f1eb5bf0a..0dbc7b3707 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.185 2018/04/25 07:10:39 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.186 2018/08/24 20:30:21 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -853,22 +853,21 @@ SSL_get_peer_cert_chain(const SSL *s)
 * Now in theory, since the calling process own 't' it should be safe to
 * modify.  We need to be able to read f without being hassled
 */
-void
+int
 SSL_copy_session_id(SSL *t, const SSL *f)
 {
        CERT    *tmp;
-        /* Do we need to to SSL locking? */
+        /* Do we need to do SSL locking? */
-        SSL_set_session(t, SSL_get_session(f));
+        if (!SSL_set_session(t, SSL_get_session(f)))
+                return 0;
-        /*
+        /* What if we are set up for one protocol but want to talk another? */
-         * What if we are setup as SSLv2 but want to talk SSLv3 or
-         * vice-versa.
-         */
        if (t->method != f->method) {
-                t->method->internal->ssl_free(t);       /* cleanup current */
+                t->method->internal->ssl_free(t);
-                t->method = f->method;  /* change method */
+                t->method = f->method;
-                t->method->internal->ssl_new(t);        /* setup new */
+                if (!t->method->internal->ssl_new(t))
+                        return 0;
        }
        tmp = t->cert;
@@ -878,7 +877,11 @@ SSL_copy_session_id(SSL *t, const SSL *f)
        } else
                t->cert = NULL;
        ssl_cert_free(tmp);
-        SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);
+        if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length))
+                return 0;
+        return 1;
 }
 /* Fix this so it checks all the valid key/cert options */
@@ -2500,15 +2503,15 @@ SSL_dup(SSL *s)
        int i;
        if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
-                return (NULL);
+                goto err;
        ret->version = s->version;
        ret->internal->type = s->internal->type;
        ret->method = s->method;
        if (s->session != NULL) {
-                /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
+                if (!SSL_copy_session_id(ret, s))
-                SSL_copy_session_id(ret, s);
+                        goto err;
        } else {
                /*
                 * No session has been established yet, so we have to expect
@@ -2528,8 +2531,9 @@ SSL_dup(SSL *s)
                                goto err;
                }
-                SSL_set_session_id_context(ret,
+                if (!SSL_set_session_id_context(ret, s->sid_ctx,
-                s->sid_ctx, s->sid_ctx_length);
+                    s->sid_ctx_length))
+                        goto err;
        }
        ret->internal->options = s->internal->options;
@@ -2612,13 +2616,10 @@ SSL_dup(SSL *s)
                }
        }
-        if (0) {
+        return ret;
-err:
+ err:
-                if (ret != NULL)
+        SSL_free(ret);
-                        SSL_free(ret);
+        return NULL;
-                ret = NULL;
-        }
-        return (ret);
 }
 void
author	tb <>	2018-08-24 20:30:21 +0000
committer	tb <>	2018-08-24 20:30:21 +0000
commit	f6faa42a2e718b5331e22139845d05acd06ceb7e (patch)
tree	178f87a146a07d41a49712b685a292a7bd8a6362
parent	acbbcd39d35326b275f28f6a108e12506a819b8e (diff)
download	openbsd-f6faa42a2e718b5331e22139845d05acd06ceb7e.tar.gz openbsd-f6faa42a2e718b5331e22139845d05acd06ceb7e.tar.bz2 openbsd-f6faa42a2e718b5331e22139845d05acd06ceb7e.zip

diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c index d68e011c62..93cfa0d2a4 100644 --- a/src/lib/libssl/bio_ssl.c +++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bio_ssl.c,v 1.28 2018/05/01 13:30:24 tb Exp $ */	1	/* $OpenBSD: bio_ssl.c,v 1.29 2018/08/24 20:30:21 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -568,7 +568,9 @@ BIO_ssl_copy_session_id(BIO t, BIO f)
568	if ((((BIO_SSL *)t->ptr)->ssl == NULL) \|\|	568	if ((((BIO_SSL *)t->ptr)->ssl == NULL) \|\|
569	(((BIO_SSL *)f->ptr)->ssl == NULL))	569	(((BIO_SSL *)f->ptr)->ssl == NULL))
570	return (0);	570	return (0);
571	SSL_copy_session_id(((BIO_SSL )t->ptr)->ssl, ((BIO_SSL )f->ptr)->ssl);	571	if (!SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl,
		572	((BIO_SSL *)f->ptr)->ssl))
		573	return (0);
572	return (1);	574	return (1);
573	}	575	}
574		576


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index c3b553fa2f..324691485b 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.158 2018/05/01 13:30:24 tb Exp $ */	1	/* $OpenBSD: ssl.h,v 1.159 2018/08/24 20:30:21 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1311,7 +1311,7 @@ long SSL_SESSION_get_time(const SSL_SESSION *s);
1311	long SSL_SESSION_set_time(SSL_SESSION *s, long t);	1311	long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1312	long SSL_SESSION_get_timeout(const SSL_SESSION *s);	1312	long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1313	long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);	1313	long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1314	void SSL_copy_session_id(SSL to, const SSL from);	1314	int SSL_copy_session_id(SSL to, const SSL from);
1315	X509 SSL_SESSION_get0_peer(SSL_SESSION s);	1315	X509 SSL_SESSION_get0_peer(SSL_SESSION s);
1316	int SSL_SESSION_set1_id(SSL_SESSION s, const unsigned char sid,	1316	int SSL_SESSION_set1_id(SSL_SESSION s, const unsigned char sid,
1317	unsigned int sid_len);	1317	unsigned int sid_len);


diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 4f1eb5bf0a..0dbc7b3707 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.185 2018/04/25 07:10:39 tb Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.186 2018/08/24 20:30:21 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -853,22 +853,21 @@ SSL_get_peer_cert_chain(const SSL *s)
853	* Now in theory, since the calling process own 't' it should be safe to	853	* Now in theory, since the calling process own 't' it should be safe to
854	* modify. We need to be able to read f without being hassled	854	* modify. We need to be able to read f without being hassled
855	*/	855	*/
856	void	856	int
857	SSL_copy_session_id(SSL t, const SSL f)	857	SSL_copy_session_id(SSL t, const SSL f)
858	{	858	{
859	CERT *tmp;	859	CERT *tmp;
860		860
861	/* Do we need to to SSL locking? */	861	/* Do we need to do SSL locking? */
862	SSL_set_session(t, SSL_get_session(f));	862	if (!SSL_set_session(t, SSL_get_session(f)))
		863	return 0;
863		864
864	/*	865	/* What if we are set up for one protocol but want to talk another? */
865	* What if we are setup as SSLv2 but want to talk SSLv3 or
866	* vice-versa.
867	*/
868	if (t->method != f->method) {	866	if (t->method != f->method) {
869	t->method->internal->ssl_free(t); /* cleanup current */	867	t->method->internal->ssl_free(t);
870	t->method = f->method; /* change method */	868	t->method = f->method;
871	t->method->internal->ssl_new(t); /* setup new */	869	if (!t->method->internal->ssl_new(t))
		870	return 0;
872	}	871	}
873		872
874	tmp = t->cert;	873	tmp = t->cert;
@@ -878,7 +877,11 @@ SSL_copy_session_id(SSL t, const SSL f)
878	} else	877	} else
879	t->cert = NULL;	878	t->cert = NULL;
880	ssl_cert_free(tmp);	879	ssl_cert_free(tmp);
881	SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);	880
		881	if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length))
		882	return 0;
		883
		884	return 1;
882	}	885	}
883		886
884	/* Fix this so it checks all the valid key/cert options */	887	/* Fix this so it checks all the valid key/cert options */
@@ -2500,15 +2503,15 @@ SSL_dup(SSL *s)
2500	int i;	2503	int i;
2501		2504
2502	if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)	2505	if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
2503	return (NULL);	2506	goto err;
2504		2507
2505	ret->version = s->version;	2508	ret->version = s->version;
2506	ret->internal->type = s->internal->type;	2509	ret->internal->type = s->internal->type;
2507	ret->method = s->method;	2510	ret->method = s->method;
2508		2511
2509	if (s->session != NULL) {	2512	if (s->session != NULL) {
2510	/* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */	2513	if (!SSL_copy_session_id(ret, s))
2511	SSL_copy_session_id(ret, s);	2514	goto err;
2512	} else {	2515	} else {
2513	/*	2516	/*
2514	* No session has been established yet, so we have to expect	2517	* No session has been established yet, so we have to expect
@@ -2528,8 +2531,9 @@ SSL_dup(SSL *s)
2528	goto err;	2531	goto err;
2529	}	2532	}
2530		2533
2531	SSL_set_session_id_context(ret,	2534	if (!SSL_set_session_id_context(ret, s->sid_ctx,
2532	s->sid_ctx, s->sid_ctx_length);	2535	s->sid_ctx_length))
		2536	goto err;
2533	}	2537	}
2534		2538
2535	ret->internal->options = s->internal->options;	2539	ret->internal->options = s->internal->options;
@@ -2612,13 +2616,10 @@ SSL_dup(SSL *s)
2612	}	2616	}
2613	}	2617	}
2614		2618
2615	if (0) {	2619	return ret;
2616	err:	2620	err:
2617	if (ret != NULL)	2621	SSL_free(ret);
2618	SSL_free(ret);	2622	return NULL;
2619	ret = NULL;
2620	}
2621	return (ret);
2622	}	2623	}
2623		2624
2624	void	2625	void