diff options
author | jsing <> | 2021-10-23 08:34:36 +0000 |
---|---|---|
committer | jsing <> | 2021-10-23 08:34:36 +0000 |
commit | 3781592d1cd8ce107960abb543e4eccf20288a82 (patch) | |
tree | 84ea9950c0cb3d3c14ebfccb65a931db3ba71bfd /src/lib/libssl/ssl_srvr.c | |
parent | 5ee33af93b944cb8cf535f155eb2a489305b5ccc (diff) | |
download | openbsd-3781592d1cd8ce107960abb543e4eccf20288a82.tar.gz openbsd-3781592d1cd8ce107960abb543e4eccf20288a82.tar.bz2 openbsd-3781592d1cd8ce107960abb543e4eccf20288a82.zip |
Untangle ssl3_get_message() return values.
This function currently has a long return type that may be <= 0 on
error/retry (which is then cast to an int in order to return it up the
stack), or it returns the length of the handshake message (on success).
This obviously means that 0 can be returned for both success and failure,
which is the reason why a separate 'ok' argument has to exist.
Untangle this mess by changing the return value to an int that indicates
success (1) or error/retry (<= 0). The length never needs to actually be
returned as it is already stored in s->internal->init_num (which is where
the return value is read from anyway).
ok tb@
Diffstat (limited to '')
-rw-r--r-- | src/lib/libssl/ssl_srvr.c | 69 |
1 files changed, 33 insertions, 36 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 3a37fc7e09..1bbe551b3c 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssl_srvr.c,v 1.119 2021/09/03 13:18:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.120 2021/10/23 08:34:36 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -779,8 +779,7 @@ ssl3_get_client_hello(SSL *s) | |||
779 | uint16_t client_version; | 779 | uint16_t client_version; |
780 | uint8_t comp_method; | 780 | uint8_t comp_method; |
781 | int comp_null; | 781 | int comp_null; |
782 | int i, j, ok, al, ret = -1, cookie_valid = 0; | 782 | int i, j, al, ret, cookie_valid = 0; |
783 | long n; | ||
784 | unsigned long id; | 783 | unsigned long id; |
785 | SSL_CIPHER *c; | 784 | SSL_CIPHER *c; |
786 | STACK_OF(SSL_CIPHER) *ciphers = NULL; | 785 | STACK_OF(SSL_CIPHER) *ciphers = NULL; |
@@ -795,22 +794,22 @@ ssl3_get_client_hello(SSL *s) | |||
795 | * If we are SSLv3, we will respond with SSLv3, even if prompted with | 794 | * If we are SSLv3, we will respond with SSLv3, even if prompted with |
796 | * TLSv1. | 795 | * TLSv1. |
797 | */ | 796 | */ |
798 | if (S3I(s)->hs.state == SSL3_ST_SR_CLNT_HELLO_A) { | 797 | if (S3I(s)->hs.state == SSL3_ST_SR_CLNT_HELLO_A) |
799 | S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_B; | 798 | S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_B; |
800 | } | ||
801 | 799 | ||
802 | s->internal->first_packet = 1; | 800 | s->internal->first_packet = 1; |
803 | n = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, | 801 | if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, |
804 | SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, | 802 | SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, |
805 | SSL3_RT_MAX_PLAIN_LENGTH, &ok); | 803 | SSL3_RT_MAX_PLAIN_LENGTH)) <= 0) |
806 | if (!ok) | 804 | return ret; |
807 | return ((int)n); | ||
808 | s->internal->first_packet = 0; | 805 | s->internal->first_packet = 0; |
809 | 806 | ||
810 | if (n < 0) | 807 | ret = -1; |
808 | |||
809 | if (s->internal->init_num < 0) | ||
811 | goto err; | 810 | goto err; |
812 | 811 | ||
813 | CBS_init(&cbs, s->internal->init_msg, n); | 812 | CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); |
814 | 813 | ||
815 | /* Parse client hello up until the extensions (if any). */ | 814 | /* Parse client hello up until the extensions (if any). */ |
816 | if (!CBS_get_u16(&cbs, &client_version)) | 815 | if (!CBS_get_u16(&cbs, &client_version)) |
@@ -2055,20 +2054,18 @@ int | |||
2055 | ssl3_get_client_key_exchange(SSL *s) | 2054 | ssl3_get_client_key_exchange(SSL *s) |
2056 | { | 2055 | { |
2057 | unsigned long alg_k; | 2056 | unsigned long alg_k; |
2058 | int al, ok; | 2057 | int al, ret; |
2059 | CBS cbs; | 2058 | CBS cbs; |
2060 | long n; | ||
2061 | 2059 | ||
2062 | /* 2048 maxlen is a guess. How long a key does that permit? */ | 2060 | /* 2048 maxlen is a guess. How long a key does that permit? */ |
2063 | n = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, | 2061 | if ((ret = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, |
2064 | SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok); | 2062 | SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048)) <= 0) |
2065 | if (!ok) | 2063 | return ret; |
2066 | return ((int)n); | ||
2067 | 2064 | ||
2068 | if (n < 0) | 2065 | if (s->internal->init_num < 0) |
2069 | goto err; | 2066 | goto err; |
2070 | 2067 | ||
2071 | CBS_init(&cbs, s->internal->init_msg, n); | 2068 | CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); |
2072 | 2069 | ||
2073 | alg_k = S3I(s)->hs.cipher->algorithm_mkey; | 2070 | alg_k = S3I(s)->hs.cipher->algorithm_mkey; |
2074 | 2071 | ||
@@ -2113,24 +2110,24 @@ ssl3_get_cert_verify(SSL *s) | |||
2113 | EVP_PKEY *pkey = NULL; | 2110 | EVP_PKEY *pkey = NULL; |
2114 | X509 *peer = NULL; | 2111 | X509 *peer = NULL; |
2115 | EVP_MD_CTX mctx; | 2112 | EVP_MD_CTX mctx; |
2116 | int al, ok, verify; | 2113 | int al, verify; |
2117 | const unsigned char *hdata; | 2114 | const unsigned char *hdata; |
2118 | size_t hdatalen; | 2115 | size_t hdatalen; |
2119 | int type = 0; | 2116 | int type = 0; |
2120 | int ret = 0; | 2117 | int ret; |
2121 | long n; | ||
2122 | 2118 | ||
2123 | EVP_MD_CTX_init(&mctx); | 2119 | EVP_MD_CTX_init(&mctx); |
2124 | 2120 | ||
2125 | n = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A, | 2121 | if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A, |
2126 | SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok); | 2122 | SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH)) <= 0) |
2127 | if (!ok) | 2123 | return ret; |
2128 | return ((int)n); | ||
2129 | 2124 | ||
2130 | if (n < 0) | 2125 | ret = 0; |
2126 | |||
2127 | if (s->internal->init_num < 0) | ||
2131 | goto err; | 2128 | goto err; |
2132 | 2129 | ||
2133 | CBS_init(&cbs, s->internal->init_msg, n); | 2130 | CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); |
2134 | 2131 | ||
2135 | if (s->session->peer != NULL) { | 2132 | if (s->session->peer != NULL) { |
2136 | peer = s->session->peer; | 2133 | peer = s->session->peer; |
@@ -2329,16 +2326,16 @@ int | |||
2329 | ssl3_get_client_certificate(SSL *s) | 2326 | ssl3_get_client_certificate(SSL *s) |
2330 | { | 2327 | { |
2331 | CBS cbs, client_certs; | 2328 | CBS cbs, client_certs; |
2332 | int i, ok, al, ret = -1; | ||
2333 | X509 *x = NULL; | 2329 | X509 *x = NULL; |
2334 | long n; | ||
2335 | const unsigned char *q; | 2330 | const unsigned char *q; |
2336 | STACK_OF(X509) *sk = NULL; | 2331 | STACK_OF(X509) *sk = NULL; |
2332 | int i, al, ret; | ||
2333 | |||
2334 | if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, | ||
2335 | -1, s->internal->max_cert_list)) <= 0) | ||
2336 | return ret; | ||
2337 | 2337 | ||
2338 | n = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, | 2338 | ret = -1; |
2339 | -1, s->internal->max_cert_list, &ok); | ||
2340 | if (!ok) | ||
2341 | return ((int)n); | ||
2342 | 2339 | ||
2343 | if (S3I(s)->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { | 2340 | if (S3I(s)->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { |
2344 | if ((s->verify_mode & SSL_VERIFY_PEER) && | 2341 | if ((s->verify_mode & SSL_VERIFY_PEER) && |
@@ -2367,10 +2364,10 @@ ssl3_get_client_certificate(SSL *s) | |||
2367 | goto fatal_err; | 2364 | goto fatal_err; |
2368 | } | 2365 | } |
2369 | 2366 | ||
2370 | if (n < 0) | 2367 | if (s->internal->init_num < 0) |
2371 | goto decode_err; | 2368 | goto decode_err; |
2372 | 2369 | ||
2373 | CBS_init(&cbs, s->internal->init_msg, n); | 2370 | CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); |
2374 | 2371 | ||
2375 | if ((sk = sk_X509_new_null()) == NULL) { | 2372 | if ((sk = sk_X509_new_null()) == NULL) { |
2376 | SSLerror(s, ERR_R_MALLOC_FAILURE); | 2373 | SSLerror(s, ERR_R_MALLOC_FAILURE); |