diff options
| author | jsing <> | 2014-06-05 14:31:44 +0000 |
|---|---|---|
| committer | jsing <> | 2014-06-05 14:31:44 +0000 |
| commit | d874ba6e9641314de878a6d18eaefe826cbe532b (patch) | |
| tree | c58c410dcfa20b703d162473cc455c3d5bd7986d /src/lib | |
| parent | 5e2731501137a3bdb1c9a5b0ef6a691daa72ad6d (diff) | |
| download | openbsd-d874ba6e9641314de878a6d18eaefe826cbe532b.tar.gz openbsd-d874ba6e9641314de878a6d18eaefe826cbe532b.tar.bz2 openbsd-d874ba6e9641314de878a6d18eaefe826cbe532b.zip | |
More KNF.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 81 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_clnt.c | 81 |
2 files changed, 64 insertions, 98 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 2c3ce60fb3..66fb26345e 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -826,9 +826,8 @@ ssl3_get_server_hello(SSL *s) | |||
| 826 | if (s->d1->send_cookie == 0) { | 826 | if (s->d1->send_cookie == 0) { |
| 827 | s->s3->tmp.reuse_message = 1; | 827 | s->s3->tmp.reuse_message = 1; |
| 828 | return (1); | 828 | return (1); |
| 829 | } | 829 | } else { |
| 830 | else /* already sent a cookie */ | 830 | /* Already sent a cookie. */ |
| 831 | { | ||
| 832 | al = SSL_AD_UNEXPECTED_MESSAGE; | 831 | al = SSL_AD_UNEXPECTED_MESSAGE; |
| 833 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | 832 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, |
| 834 | SSL_R_BAD_MESSAGE_TYPE); | 833 | SSL_R_BAD_MESSAGE_TYPE); |
| @@ -844,12 +843,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 844 | goto f_err; | 843 | goto f_err; |
| 845 | } | 844 | } |
| 846 | 845 | ||
| 847 | d = p=(unsigned char *)s->init_msg; | 846 | d = p = (unsigned char *)s->init_msg; |
| 848 | 847 | ||
| 849 | if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { | 848 | if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { |
| 850 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | 849 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); |
| 851 | SSL_R_WRONG_SSL_VERSION); | 850 | s->version = (s->version&0xff00) | p[1]; |
| 852 | s->version = (s->version&0xff00)|p[1]; | ||
| 853 | al = SSL_AD_PROTOCOL_VERSION; | 851 | al = SSL_AD_PROTOCOL_VERSION; |
| 854 | goto f_err; | 852 | goto f_err; |
| 855 | } | 853 | } |
| @@ -898,7 +896,8 @@ ssl3_get_server_hello(SSL *s) | |||
| 898 | goto f_err; | 896 | goto f_err; |
| 899 | } | 897 | } |
| 900 | s->hit = 1; | 898 | s->hit = 1; |
| 901 | } else { /* a miss or crap from the other end */ | 899 | } else { |
| 900 | /* a miss or crap from the other end */ | ||
| 902 | 901 | ||
| 903 | /* If we were trying for session-id reuse, make a new | 902 | /* If we were trying for session-id reuse, make a new |
| 904 | * SSL_SESSION so we don't stuff up other people */ | 903 | * SSL_SESSION so we don't stuff up other people */ |
| @@ -1124,8 +1123,7 @@ ssl3_get_server_certificate(SSL *s) | |||
| 1124 | } | 1123 | } |
| 1125 | 1124 | ||
| 1126 | i = ssl_verify_cert_chain(s, sk); | 1125 | i = ssl_verify_cert_chain(s, sk); |
| 1127 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) | 1126 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { |
| 1128 | ) { | ||
| 1129 | al = ssl_verify_alarm_type(s->verify_result); | 1127 | al = ssl_verify_alarm_type(s->verify_result); |
| 1130 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | 1128 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, |
| 1131 | SSL_R_CERTIFICATE_VERIFY_FAILED); | 1129 | SSL_R_CERTIFICATE_VERIFY_FAILED); |
| @@ -1738,7 +1736,7 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1738 | } | 1736 | } |
| 1739 | } | 1737 | } |
| 1740 | 1738 | ||
| 1741 | p = d=(unsigned char *)s->init_msg; | 1739 | p = d = (unsigned char *)s->init_msg; |
| 1742 | 1740 | ||
| 1743 | if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { | 1741 | if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { |
| 1744 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 1742 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, |
| @@ -2008,8 +2006,7 @@ ssl3_get_server_done(SSL *s) | |||
| 2008 | if (n > 0) { | 2006 | if (n > 0) { |
| 2009 | /* should contain no data */ | 2007 | /* should contain no data */ |
| 2010 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); | 2008 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
| 2011 | SSLerr(SSL_F_SSL3_GET_SERVER_DONE, | 2009 | SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH); |
| 2012 | SSL_R_LENGTH_MISMATCH); | ||
| 2013 | return (-1); | 2010 | return (-1); |
| 2014 | } | 2011 | } |
| 2015 | ret = 1; | 2012 | ret = 1; |
| @@ -2089,8 +2086,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2089 | s->method->ssl3_enc->generate_master_secret( | 2086 | s->method->ssl3_enc->generate_master_secret( |
| 2090 | s, s->session->master_key, tmp_buf, sizeof tmp_buf); | 2087 | s, s->session->master_key, tmp_buf, sizeof tmp_buf); |
| 2091 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); | 2088 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); |
| 2092 | } | 2089 | } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { |
| 2093 | else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { | ||
| 2094 | DH *dh_srvr, *dh_clnt; | 2090 | DH *dh_srvr, *dh_clnt; |
| 2095 | 2091 | ||
| 2096 | if (s->session->sess_cert == NULL) { | 2092 | if (s->session->sess_cert == NULL) { |
| @@ -2154,9 +2150,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2154 | DH_free(dh_clnt); | 2150 | DH_free(dh_clnt); |
| 2155 | 2151 | ||
| 2156 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ | 2152 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ |
| 2157 | } | 2153 | } else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { |
| 2158 | |||
| 2159 | else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { | ||
| 2160 | const EC_GROUP *srvr_group = NULL; | 2154 | const EC_GROUP *srvr_group = NULL; |
| 2161 | EC_KEY *tkey; | 2155 | EC_KEY *tkey; |
| 2162 | int ecdh_clnt_cert = 0; | 2156 | int ecdh_clnt_cert = 0; |
| @@ -2334,8 +2328,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2334 | if (clnt_ecdh != NULL) | 2328 | if (clnt_ecdh != NULL) |
| 2335 | EC_KEY_free(clnt_ecdh); | 2329 | EC_KEY_free(clnt_ecdh); |
| 2336 | EVP_PKEY_free(srvr_pub_pkey); | 2330 | EVP_PKEY_free(srvr_pub_pkey); |
| 2337 | } | 2331 | } else if (alg_k & SSL_kGOST) { |
| 2338 | else if (alg_k & SSL_kGOST) { | ||
| 2339 | /* GOST key exchange message creation */ | 2332 | /* GOST key exchange message creation */ |
| 2340 | EVP_PKEY_CTX *pkey_ctx; | 2333 | EVP_PKEY_CTX *pkey_ctx; |
| 2341 | X509 *peer_cert; | 2334 | X509 *peer_cert; |
| @@ -2354,7 +2347,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2354 | if (!peer_cert) | 2347 | if (!peer_cert) |
| 2355 | peer_cert = s->session->sess_cert->peer_pkeys[ | 2348 | peer_cert = s->session->sess_cert->peer_pkeys[ |
| 2356 | (keytype = SSL_PKEY_GOST94)].x509; | 2349 | (keytype = SSL_PKEY_GOST94)].x509; |
| 2357 | if (!peer_cert) { | 2350 | if (!peer_cert) { |
| 2358 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 2351 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
| 2359 | SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); | 2352 | SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); |
| 2360 | goto err; | 2353 | goto err; |
| @@ -2610,8 +2603,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2610 | n = u + 4; | 2603 | n = u + 4; |
| 2611 | if (!ssl3_digest_cached_records(s)) | 2604 | if (!ssl3_digest_cached_records(s)) |
| 2612 | goto err; | 2605 | goto err; |
| 2613 | } else | 2606 | } else if (pkey->type == EVP_PKEY_RSA) { |
| 2614 | if (pkey->type == EVP_PKEY_RSA) { | ||
| 2615 | s->method->ssl3_enc->cert_verify_mac( | 2607 | s->method->ssl3_enc->cert_verify_mac( |
| 2616 | s, NID_md5, &(data[0])); | 2608 | s, NID_md5, &(data[0])); |
| 2617 | if (RSA_sign(NID_md5_sha1, data, | 2609 | if (RSA_sign(NID_md5_sha1, data, |
| @@ -2623,8 +2615,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2623 | } | 2615 | } |
| 2624 | s2n(u, p); | 2616 | s2n(u, p); |
| 2625 | n = u + 2; | 2617 | n = u + 2; |
| 2626 | } else | 2618 | } else if (pkey->type == EVP_PKEY_DSA) { |
| 2627 | if (pkey->type == EVP_PKEY_DSA) { | ||
| 2628 | if (!DSA_sign(pkey->save_type, | 2619 | if (!DSA_sign(pkey->save_type, |
| 2629 | &(data[MD5_DIGEST_LENGTH]), | 2620 | &(data[MD5_DIGEST_LENGTH]), |
| 2630 | SHA_DIGEST_LENGTH, &(p[2]), | 2621 | SHA_DIGEST_LENGTH, &(p[2]), |
| @@ -2635,8 +2626,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2635 | } | 2626 | } |
| 2636 | s2n(j, p); | 2627 | s2n(j, p); |
| 2637 | n = j + 2; | 2628 | n = j + 2; |
| 2638 | } else | 2629 | } else if (pkey->type == EVP_PKEY_EC) { |
| 2639 | if (pkey->type == EVP_PKEY_EC) { | ||
| 2640 | if (!ECDSA_sign(pkey->save_type, | 2630 | if (!ECDSA_sign(pkey->save_type, |
| 2641 | &(data[MD5_DIGEST_LENGTH]), | 2631 | &(data[MD5_DIGEST_LENGTH]), |
| 2642 | SHA_DIGEST_LENGTH, &(p[2]), | 2632 | SHA_DIGEST_LENGTH, &(p[2]), |
| @@ -2647,8 +2637,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2647 | } | 2637 | } |
| 2648 | s2n(j, p); | 2638 | s2n(j, p); |
| 2649 | n = j + 2; | 2639 | n = j + 2; |
| 2650 | } else | 2640 | } else if (pkey->type == NID_id_GostR3410_94 || |
| 2651 | if (pkey->type == NID_id_GostR3410_94 || | ||
| 2652 | pkey->type == NID_id_GostR3410_2001) { | 2641 | pkey->type == NID_id_GostR3410_2001) { |
| 2653 | unsigned char signbuf[64]; | 2642 | unsigned char signbuf[64]; |
| 2654 | int i; | 2643 | int i; |
| @@ -2791,8 +2780,8 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2791 | idx = sc->peer_cert_type; | 2780 | idx = sc->peer_cert_type; |
| 2792 | if (idx == SSL_PKEY_ECC) { | 2781 | if (idx == SSL_PKEY_ECC) { |
| 2793 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, | 2782 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, |
| 2794 | s) == 0) | 2783 | s) == 0) { |
| 2795 | { /* check failed */ | 2784 | /* check failed */ |
| 2796 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2785 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2797 | SSL_R_BAD_ECC_CERT); | 2786 | SSL_R_BAD_ECC_CERT); |
| 2798 | goto f_err; | 2787 | goto f_err; |
| @@ -2804,14 +2793,13 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2804 | i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); | 2793 | i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); |
| 2805 | EVP_PKEY_free(pkey); | 2794 | EVP_PKEY_free(pkey); |
| 2806 | 2795 | ||
| 2807 | |||
| 2808 | /* Check that we have a certificate if we require one */ | 2796 | /* Check that we have a certificate if we require one */ |
| 2809 | if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { | 2797 | if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { |
| 2810 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2798 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2811 | SSL_R_MISSING_RSA_SIGNING_CERT); | 2799 | SSL_R_MISSING_RSA_SIGNING_CERT); |
| 2812 | goto f_err; | 2800 | goto f_err; |
| 2813 | } | 2801 | } else if ((alg_a & SSL_aDSS) && |
| 2814 | else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { | 2802 | !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { |
| 2815 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2803 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2816 | SSL_R_MISSING_DSA_SIGNING_CERT); | 2804 | SSL_R_MISSING_DSA_SIGNING_CERT); |
| 2817 | goto f_err; | 2805 | goto f_err; |
| @@ -2831,8 +2819,7 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2831 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2819 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2832 | SSL_R_MISSING_DH_RSA_CERT); | 2820 | SSL_R_MISSING_DH_RSA_CERT); |
| 2833 | goto f_err; | 2821 | goto f_err; |
| 2834 | } | 2822 | } else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { |
| 2835 | else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { | ||
| 2836 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2823 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2837 | SSL_R_MISSING_DH_DSA_CERT); | 2824 | SSL_R_MISSING_DH_DSA_CERT); |
| 2838 | goto f_err; | 2825 | goto f_err; |
| @@ -2847,22 +2834,18 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2847 | SSL_R_MISSING_EXPORT_TMP_RSA_KEY); | 2834 | SSL_R_MISSING_EXPORT_TMP_RSA_KEY); |
| 2848 | goto f_err; | 2835 | goto f_err; |
| 2849 | } | 2836 | } |
| 2850 | } else | 2837 | } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { |
| 2851 | if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { | 2838 | if (dh == NULL || DH_size(dh) * 8 > |
| 2852 | if (dh == NULL || DH_size(dh) * 8 > | 2839 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { |
| 2853 | SSL_C_EXPORT_PKEYLENGTH( | ||
| 2854 | s->s3->tmp.new_cipher)) { | ||
| 2855 | SSLerr( | ||
| 2856 | SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | ||
| 2857 | SSL_R_MISSING_EXPORT_TMP_DH_KEY); | ||
| 2858 | goto f_err; | ||
| 2859 | } | ||
| 2860 | } else | ||
| 2861 | { | ||
| 2862 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2840 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2863 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | 2841 | SSL_R_MISSING_EXPORT_TMP_DH_KEY); |
| 2864 | goto f_err; | 2842 | goto f_err; |
| 2865 | } | 2843 | } |
| 2844 | } else { | ||
| 2845 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | ||
| 2846 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | ||
| 2847 | goto f_err; | ||
| 2848 | } | ||
| 2866 | } | 2849 | } |
| 2867 | return (1); | 2850 | return (1); |
| 2868 | f_err: | 2851 | f_err: |
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 2c3ce60fb3..66fb26345e 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c | |||
| @@ -826,9 +826,8 @@ ssl3_get_server_hello(SSL *s) | |||
| 826 | if (s->d1->send_cookie == 0) { | 826 | if (s->d1->send_cookie == 0) { |
| 827 | s->s3->tmp.reuse_message = 1; | 827 | s->s3->tmp.reuse_message = 1; |
| 828 | return (1); | 828 | return (1); |
| 829 | } | 829 | } else { |
| 830 | else /* already sent a cookie */ | 830 | /* Already sent a cookie. */ |
| 831 | { | ||
| 832 | al = SSL_AD_UNEXPECTED_MESSAGE; | 831 | al = SSL_AD_UNEXPECTED_MESSAGE; |
| 833 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | 832 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, |
| 834 | SSL_R_BAD_MESSAGE_TYPE); | 833 | SSL_R_BAD_MESSAGE_TYPE); |
| @@ -844,12 +843,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 844 | goto f_err; | 843 | goto f_err; |
| 845 | } | 844 | } |
| 846 | 845 | ||
| 847 | d = p=(unsigned char *)s->init_msg; | 846 | d = p = (unsigned char *)s->init_msg; |
| 848 | 847 | ||
| 849 | if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { | 848 | if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { |
| 850 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | 849 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); |
| 851 | SSL_R_WRONG_SSL_VERSION); | 850 | s->version = (s->version&0xff00) | p[1]; |
| 852 | s->version = (s->version&0xff00)|p[1]; | ||
| 853 | al = SSL_AD_PROTOCOL_VERSION; | 851 | al = SSL_AD_PROTOCOL_VERSION; |
| 854 | goto f_err; | 852 | goto f_err; |
| 855 | } | 853 | } |
| @@ -898,7 +896,8 @@ ssl3_get_server_hello(SSL *s) | |||
| 898 | goto f_err; | 896 | goto f_err; |
| 899 | } | 897 | } |
| 900 | s->hit = 1; | 898 | s->hit = 1; |
| 901 | } else { /* a miss or crap from the other end */ | 899 | } else { |
| 900 | /* a miss or crap from the other end */ | ||
| 902 | 901 | ||
| 903 | /* If we were trying for session-id reuse, make a new | 902 | /* If we were trying for session-id reuse, make a new |
| 904 | * SSL_SESSION so we don't stuff up other people */ | 903 | * SSL_SESSION so we don't stuff up other people */ |
| @@ -1124,8 +1123,7 @@ ssl3_get_server_certificate(SSL *s) | |||
| 1124 | } | 1123 | } |
| 1125 | 1124 | ||
| 1126 | i = ssl_verify_cert_chain(s, sk); | 1125 | i = ssl_verify_cert_chain(s, sk); |
| 1127 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) | 1126 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { |
| 1128 | ) { | ||
| 1129 | al = ssl_verify_alarm_type(s->verify_result); | 1127 | al = ssl_verify_alarm_type(s->verify_result); |
| 1130 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | 1128 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, |
| 1131 | SSL_R_CERTIFICATE_VERIFY_FAILED); | 1129 | SSL_R_CERTIFICATE_VERIFY_FAILED); |
| @@ -1738,7 +1736,7 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1738 | } | 1736 | } |
| 1739 | } | 1737 | } |
| 1740 | 1738 | ||
| 1741 | p = d=(unsigned char *)s->init_msg; | 1739 | p = d = (unsigned char *)s->init_msg; |
| 1742 | 1740 | ||
| 1743 | if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { | 1741 | if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { |
| 1744 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 1742 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, |
| @@ -2008,8 +2006,7 @@ ssl3_get_server_done(SSL *s) | |||
| 2008 | if (n > 0) { | 2006 | if (n > 0) { |
| 2009 | /* should contain no data */ | 2007 | /* should contain no data */ |
| 2010 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); | 2008 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
| 2011 | SSLerr(SSL_F_SSL3_GET_SERVER_DONE, | 2009 | SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH); |
| 2012 | SSL_R_LENGTH_MISMATCH); | ||
| 2013 | return (-1); | 2010 | return (-1); |
| 2014 | } | 2011 | } |
| 2015 | ret = 1; | 2012 | ret = 1; |
| @@ -2089,8 +2086,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2089 | s->method->ssl3_enc->generate_master_secret( | 2086 | s->method->ssl3_enc->generate_master_secret( |
| 2090 | s, s->session->master_key, tmp_buf, sizeof tmp_buf); | 2087 | s, s->session->master_key, tmp_buf, sizeof tmp_buf); |
| 2091 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); | 2088 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); |
| 2092 | } | 2089 | } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { |
| 2093 | else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { | ||
| 2094 | DH *dh_srvr, *dh_clnt; | 2090 | DH *dh_srvr, *dh_clnt; |
| 2095 | 2091 | ||
| 2096 | if (s->session->sess_cert == NULL) { | 2092 | if (s->session->sess_cert == NULL) { |
| @@ -2154,9 +2150,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2154 | DH_free(dh_clnt); | 2150 | DH_free(dh_clnt); |
| 2155 | 2151 | ||
| 2156 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ | 2152 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ |
| 2157 | } | 2153 | } else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { |
| 2158 | |||
| 2159 | else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { | ||
| 2160 | const EC_GROUP *srvr_group = NULL; | 2154 | const EC_GROUP *srvr_group = NULL; |
| 2161 | EC_KEY *tkey; | 2155 | EC_KEY *tkey; |
| 2162 | int ecdh_clnt_cert = 0; | 2156 | int ecdh_clnt_cert = 0; |
| @@ -2334,8 +2328,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2334 | if (clnt_ecdh != NULL) | 2328 | if (clnt_ecdh != NULL) |
| 2335 | EC_KEY_free(clnt_ecdh); | 2329 | EC_KEY_free(clnt_ecdh); |
| 2336 | EVP_PKEY_free(srvr_pub_pkey); | 2330 | EVP_PKEY_free(srvr_pub_pkey); |
| 2337 | } | 2331 | } else if (alg_k & SSL_kGOST) { |
| 2338 | else if (alg_k & SSL_kGOST) { | ||
| 2339 | /* GOST key exchange message creation */ | 2332 | /* GOST key exchange message creation */ |
| 2340 | EVP_PKEY_CTX *pkey_ctx; | 2333 | EVP_PKEY_CTX *pkey_ctx; |
| 2341 | X509 *peer_cert; | 2334 | X509 *peer_cert; |
| @@ -2354,7 +2347,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2354 | if (!peer_cert) | 2347 | if (!peer_cert) |
| 2355 | peer_cert = s->session->sess_cert->peer_pkeys[ | 2348 | peer_cert = s->session->sess_cert->peer_pkeys[ |
| 2356 | (keytype = SSL_PKEY_GOST94)].x509; | 2349 | (keytype = SSL_PKEY_GOST94)].x509; |
| 2357 | if (!peer_cert) { | 2350 | if (!peer_cert) { |
| 2358 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 2351 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
| 2359 | SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); | 2352 | SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); |
| 2360 | goto err; | 2353 | goto err; |
| @@ -2610,8 +2603,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2610 | n = u + 4; | 2603 | n = u + 4; |
| 2611 | if (!ssl3_digest_cached_records(s)) | 2604 | if (!ssl3_digest_cached_records(s)) |
| 2612 | goto err; | 2605 | goto err; |
| 2613 | } else | 2606 | } else if (pkey->type == EVP_PKEY_RSA) { |
| 2614 | if (pkey->type == EVP_PKEY_RSA) { | ||
| 2615 | s->method->ssl3_enc->cert_verify_mac( | 2607 | s->method->ssl3_enc->cert_verify_mac( |
| 2616 | s, NID_md5, &(data[0])); | 2608 | s, NID_md5, &(data[0])); |
| 2617 | if (RSA_sign(NID_md5_sha1, data, | 2609 | if (RSA_sign(NID_md5_sha1, data, |
| @@ -2623,8 +2615,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2623 | } | 2615 | } |
| 2624 | s2n(u, p); | 2616 | s2n(u, p); |
| 2625 | n = u + 2; | 2617 | n = u + 2; |
| 2626 | } else | 2618 | } else if (pkey->type == EVP_PKEY_DSA) { |
| 2627 | if (pkey->type == EVP_PKEY_DSA) { | ||
| 2628 | if (!DSA_sign(pkey->save_type, | 2619 | if (!DSA_sign(pkey->save_type, |
| 2629 | &(data[MD5_DIGEST_LENGTH]), | 2620 | &(data[MD5_DIGEST_LENGTH]), |
| 2630 | SHA_DIGEST_LENGTH, &(p[2]), | 2621 | SHA_DIGEST_LENGTH, &(p[2]), |
| @@ -2635,8 +2626,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2635 | } | 2626 | } |
| 2636 | s2n(j, p); | 2627 | s2n(j, p); |
| 2637 | n = j + 2; | 2628 | n = j + 2; |
| 2638 | } else | 2629 | } else if (pkey->type == EVP_PKEY_EC) { |
| 2639 | if (pkey->type == EVP_PKEY_EC) { | ||
| 2640 | if (!ECDSA_sign(pkey->save_type, | 2630 | if (!ECDSA_sign(pkey->save_type, |
| 2641 | &(data[MD5_DIGEST_LENGTH]), | 2631 | &(data[MD5_DIGEST_LENGTH]), |
| 2642 | SHA_DIGEST_LENGTH, &(p[2]), | 2632 | SHA_DIGEST_LENGTH, &(p[2]), |
| @@ -2647,8 +2637,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2647 | } | 2637 | } |
| 2648 | s2n(j, p); | 2638 | s2n(j, p); |
| 2649 | n = j + 2; | 2639 | n = j + 2; |
| 2650 | } else | 2640 | } else if (pkey->type == NID_id_GostR3410_94 || |
| 2651 | if (pkey->type == NID_id_GostR3410_94 || | ||
| 2652 | pkey->type == NID_id_GostR3410_2001) { | 2641 | pkey->type == NID_id_GostR3410_2001) { |
| 2653 | unsigned char signbuf[64]; | 2642 | unsigned char signbuf[64]; |
| 2654 | int i; | 2643 | int i; |
| @@ -2791,8 +2780,8 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2791 | idx = sc->peer_cert_type; | 2780 | idx = sc->peer_cert_type; |
| 2792 | if (idx == SSL_PKEY_ECC) { | 2781 | if (idx == SSL_PKEY_ECC) { |
| 2793 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, | 2782 | if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, |
| 2794 | s) == 0) | 2783 | s) == 0) { |
| 2795 | { /* check failed */ | 2784 | /* check failed */ |
| 2796 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2785 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2797 | SSL_R_BAD_ECC_CERT); | 2786 | SSL_R_BAD_ECC_CERT); |
| 2798 | goto f_err; | 2787 | goto f_err; |
| @@ -2804,14 +2793,13 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2804 | i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); | 2793 | i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); |
| 2805 | EVP_PKEY_free(pkey); | 2794 | EVP_PKEY_free(pkey); |
| 2806 | 2795 | ||
| 2807 | |||
| 2808 | /* Check that we have a certificate if we require one */ | 2796 | /* Check that we have a certificate if we require one */ |
| 2809 | if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { | 2797 | if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { |
| 2810 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2798 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2811 | SSL_R_MISSING_RSA_SIGNING_CERT); | 2799 | SSL_R_MISSING_RSA_SIGNING_CERT); |
| 2812 | goto f_err; | 2800 | goto f_err; |
| 2813 | } | 2801 | } else if ((alg_a & SSL_aDSS) && |
| 2814 | else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { | 2802 | !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { |
| 2815 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2803 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2816 | SSL_R_MISSING_DSA_SIGNING_CERT); | 2804 | SSL_R_MISSING_DSA_SIGNING_CERT); |
| 2817 | goto f_err; | 2805 | goto f_err; |
| @@ -2831,8 +2819,7 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2831 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2819 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2832 | SSL_R_MISSING_DH_RSA_CERT); | 2820 | SSL_R_MISSING_DH_RSA_CERT); |
| 2833 | goto f_err; | 2821 | goto f_err; |
| 2834 | } | 2822 | } else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { |
| 2835 | else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { | ||
| 2836 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2823 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2837 | SSL_R_MISSING_DH_DSA_CERT); | 2824 | SSL_R_MISSING_DH_DSA_CERT); |
| 2838 | goto f_err; | 2825 | goto f_err; |
| @@ -2847,22 +2834,18 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2847 | SSL_R_MISSING_EXPORT_TMP_RSA_KEY); | 2834 | SSL_R_MISSING_EXPORT_TMP_RSA_KEY); |
| 2848 | goto f_err; | 2835 | goto f_err; |
| 2849 | } | 2836 | } |
| 2850 | } else | 2837 | } else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { |
| 2851 | if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { | 2838 | if (dh == NULL || DH_size(dh) * 8 > |
| 2852 | if (dh == NULL || DH_size(dh) * 8 > | 2839 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { |
| 2853 | SSL_C_EXPORT_PKEYLENGTH( | ||
| 2854 | s->s3->tmp.new_cipher)) { | ||
| 2855 | SSLerr( | ||
| 2856 | SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | ||
| 2857 | SSL_R_MISSING_EXPORT_TMP_DH_KEY); | ||
| 2858 | goto f_err; | ||
| 2859 | } | ||
| 2860 | } else | ||
| 2861 | { | ||
| 2862 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | 2840 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, |
| 2863 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | 2841 | SSL_R_MISSING_EXPORT_TMP_DH_KEY); |
| 2864 | goto f_err; | 2842 | goto f_err; |
| 2865 | } | 2843 | } |
| 2844 | } else { | ||
| 2845 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, | ||
| 2846 | SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | ||
| 2847 | goto f_err; | ||
| 2848 | } | ||
| 2866 | } | 2849 | } |
| 2867 | return (1); | 2850 | return (1); |
| 2868 | f_err: | 2851 | f_err: |