summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authormcbride <>2014-04-24 13:06:52 +0000
committermcbride <>2014-04-24 13:06:52 +0000
commit14a6049b862353b3465ce67d3a36960a1de3cc44 (patch)
tree4beef22b88f6255e8cb8dc4511eb88bac49824b7 /src
parent41d70a18a007c7de1f43d48f23ab4e31b8bf760e (diff)
downloadopenbsd-14a6049b862353b3465ce67d3a36960a1de3cc44.tar.gz
openbsd-14a6049b862353b3465ce67d3a36960a1de3cc44.tar.bz2
openbsd-14a6049b862353b3465ce67d3a36960a1de3cc44.zip
More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_clnt.c87
-rw-r--r--src/lib/libssl/s3_lib.c16
-rw-r--r--src/lib/libssl/s3_srvr.c166
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c87
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c16
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c166
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c219
-rw-r--r--src/lib/libssl/ssl_lib.c219
8 files changed, 508 insertions, 468 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b63f0bf0c9..e765da9ecd 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
@@ -111,7 +111,7 @@
111/* ==================================================================== 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * 113 *
114 * Portions of the attached software ("Contribution") are developed by 114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 * 116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source 117 * The Contribution is licensed pursuant to the OpenSSL open source
@@ -412,12 +412,12 @@ ssl3_connect(SSL *s)
412 * For TLS, cert_req is set to 2, so a cert chain 412 * For TLS, cert_req is set to 2, so a cert chain
413 * of nothing is sent, but no verify packet is sent 413 * of nothing is sent, but no verify packet is sent
414 */ 414 */
415 /* 415 /*
416 * XXX: For now, we do not support client 416 * XXX: For now, we do not support client
417 * authentication in ECDH cipher suites with 417 * authentication in ECDH cipher suites with
418 * ECDH (rather than ECDSA) certificates. 418 * ECDH (rather than ECDSA) certificates.
419 * We need to skip the certificate verify 419 * We need to skip the certificate verify
420 * message when client's ECDH public key is sent 420 * message when client's ECDH public key is sent
421 * inside the client certificate. 421 * inside the client certificate.
422 */ 422 */
423 if (s->s3->tmp.cert_req == 1) { 423 if (s->s3->tmp.cert_req == 1) {
@@ -679,7 +679,7 @@ ssl3_client_hello(SSL *s)
679 /* Do the message type and length last */ 679 /* Do the message type and length last */
680 d = p = &(buf[4]); 680 d = p = &(buf[4]);
681 681
682 /* 682 /*
683 * Version indicates the negotiated version: for example from 683 * Version indicates the negotiated version: for example from
684 * an SSLv2/v3 compatible client hello). The client_version 684 * an SSLv2/v3 compatible client hello). The client_version
685 * field is the maximum version we permit and it is also 685 * field is the maximum version we permit and it is also
@@ -832,7 +832,7 @@ ssl3_get_server_hello(SSL *s)
832 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { 832 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
833 if (s->d1->send_cookie == 0) { 833 if (s->d1->send_cookie == 0) {
834 s->s3->tmp.reuse_message = 1; 834 s->s3->tmp.reuse_message = 1;
835 return 1; 835 return (1);
836 } 836 }
837 else /* already sent a cookie */ 837 else /* already sent a cookie */
838 { 838 {
@@ -1473,7 +1473,7 @@ ssl3_get_key_exchange(SSL *s)
1473 p += i; 1473 p += i;
1474 n -= param_len; 1474 n -= param_len;
1475 1475
1476 /* 1476 /*
1477 * This should be because we are using an 1477 * This should be because we are using an
1478 * export cipher 1478 * export cipher
1479 */ 1479 */
@@ -2038,9 +2038,9 @@ ssl3_get_new_session_ticket(SSL *s)
2038 * There are two ways to detect a resumed ticket sesion. 2038 * There are two ways to detect a resumed ticket sesion.
2039 * One is to set an appropriate session ID and then the server 2039 * One is to set an appropriate session ID and then the server
2040 * must return a match in ServerHello. This allows the normal 2040 * must return a match in ServerHello. This allows the normal
2041 * client session ID matching to work and we know much 2041 * client session ID matching to work and we know much
2042 * earlier that the ticket has been accepted. 2042 * earlier that the ticket has been accepted.
2043 * 2043 *
2044 * The other way is to set zero length session ID when the 2044 * The other way is to set zero length session ID when the
2045 * ticket is presented and rely on the handshake to determine 2045 * ticket is presented and rely on the handshake to determine
2046 * session resumption. 2046 * session resumption.
@@ -2049,7 +2049,7 @@ ssl3_get_new_session_ticket(SSL *s)
2049 * assumptions elsewhere in OpenSSL. The session ID is set 2049 * assumptions elsewhere in OpenSSL. The session ID is set
2050 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2050 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
2051 * ticket. 2051 * ticket.
2052 */ 2052 */
2053 EVP_Digest(p, ticklen, s->session->session_id, 2053 EVP_Digest(p, ticklen, s->session->session_id,
2054 &s->session->session_id_length, EVP_sha256(), NULL); 2054 &s->session->session_id_length, EVP_sha256(), NULL);
2055 ret = 1; 2055 ret = 1;
@@ -2067,12 +2067,9 @@ ssl3_get_cert_status(SSL *s)
2067 unsigned long resplen, n; 2067 unsigned long resplen, n;
2068 const unsigned char *p; 2068 const unsigned char *p;
2069 2069
2070 n = s->method->ssl_get_message(s, 2070 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
2071 SSL3_ST_CR_CERT_STATUS_A, 2071 SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
2072 SSL3_ST_CR_CERT_STATUS_B, 2072 16384, &ok);
2073 SSL3_MT_CERTIFICATE_STATUS,
2074 16384,
2075 &ok);
2076 2073
2077 if (!ok) 2074 if (!ok)
2078 return ((int)n); 2075 return ((int)n);
@@ -2123,7 +2120,7 @@ ssl3_get_cert_status(SSL *s)
2123 goto f_err; 2120 goto f_err;
2124 } 2121 }
2125 } 2122 }
2126 return 1; 2123 return (1);
2127 f_err: 2124 f_err:
2128 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2125 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2129 return (-1); 2126 return (-1);
@@ -2147,7 +2144,7 @@ ssl3_get_server_done(SSL *s)
2147 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 2144 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2148 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, 2145 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,
2149 SSL_R_LENGTH_MISMATCH); 2146 SSL_R_LENGTH_MISMATCH);
2150 return -1; 2147 return (-1);
2151 } 2148 }
2152 ret = 1; 2149 ret = 1;
2153 return (ret); 2150 return (ret);
@@ -2229,8 +2226,7 @@ ssl3_send_client_key_exchange(SSL *s)
2229 2226
2230 s->session->master_key_length = 2227 s->session->master_key_length =
2231 s->method->ssl3_enc->generate_master_secret( 2228 s->method->ssl3_enc->generate_master_secret(
2232 s, s->session->master_key, tmp_buf, 2229 s, s->session->master_key, tmp_buf, sizeof tmp_buf);
2233 sizeof tmp_buf);
2234 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2230 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2235 } 2231 }
2236#ifndef OPENSSL_NO_KRB5 2232#ifndef OPENSSL_NO_KRB5
@@ -2246,7 +2242,7 @@ ssl3_send_client_key_exchange(SSL *s)
2246 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2242 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2247 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2243 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2248 + EVP_MAX_IV_LENGTH]; 2244 + EVP_MAX_IV_LENGTH];
2249 int padl, outl = sizeof(epms); 2245 int padl, outl = sizeof(epms);
2250 2246
2251 EVP_CIPHER_CTX_init(&ciph_ctx); 2247 EVP_CIPHER_CTX_init(&ciph_ctx);
2252 2248
@@ -2283,14 +2279,14 @@ ssl3_send_client_key_exchange(SSL *s)
2283 goto err; 2279 goto err;
2284 } 2280 }
2285 2281
2286 /* 2282 /*
2287 * 20010406 VRS - Earlier versions used KRB5 AP_REQ 2283 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
2288 * in place of RFC 2712 KerberosWrapper, as in: 2284 * in place of RFC 2712 KerberosWrapper, as in:
2289 * 2285 *
2290 * Send ticket (copy to *p, set n = length) 2286 * Send ticket (copy to *p, set n = length)
2291 * n = krb5_ap_req.length; 2287 * n = krb5_ap_req.length;
2292 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2288 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2293 * if (krb5_ap_req.data) 2289 * if (krb5_ap_req.data)
2294 * kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2290 * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2295 * 2291 *
2296 * Now using real RFC 2712 KerberosWrapper 2292 * Now using real RFC 2712 KerberosWrapper
@@ -2435,7 +2431,7 @@ ssl3_send_client_key_exchange(SSL *s)
2435 } 2431 }
2436#endif 2432#endif
2437 2433
2438#ifndef OPENSSL_NO_ECDH 2434#ifndef OPENSSL_NO_ECDH
2439 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { 2435 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2440 const EC_GROUP *srvr_group = NULL; 2436 const EC_GROUP *srvr_group = NULL;
2441 EC_KEY *tkey; 2437 EC_KEY *tkey;
@@ -2449,11 +2445,11 @@ ssl3_send_client_key_exchange(SSL *s)
2449 */ 2445 */
2450 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && 2446 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) &&
2451 (s->cert != NULL)) { 2447 (s->cert != NULL)) {
2452 /* 2448 /*
2453 * XXX: For now, we do not support client 2449 * XXX: For now, we do not support client
2454 * authentication using ECDH certificates. 2450 * authentication using ECDH certificates.
2455 * To add such support, one needs to add 2451 * To add such support, one needs to add
2456 * code that checks for appropriate 2452 * code that checks for appropriate
2457 * conditions and sets ecdh_clnt_cert to 1. 2453 * conditions and sets ecdh_clnt_cert to 1.
2458 * For example, the cert have an ECC 2454 * For example, the cert have an ECC
2459 * key on the same curve as the server's 2455 * key on the same curve as the server's
@@ -2561,7 +2557,7 @@ ssl3_send_client_key_exchange(SSL *s)
2561 2557
2562 /* generate master key from the result */ 2558 /* generate master key from the result */
2563 s->session->master_key_length = s->method->ssl3_enc \ 2559 s->session->master_key_length = s->method->ssl3_enc \
2564 -> generate_master_secret(s, 2560 -> generate_master_secret(s,
2565 s->session->master_key, p, n); 2561 s->session->master_key, p, n);
2566 2562
2567 memset(p, 0, n); /* clean up */ 2563 memset(p, 0, n); /* clean up */
@@ -2895,7 +2891,7 @@ ssl3_send_client_verify(SSL *s)
2895 } else { 2891 } else {
2896 ERR_clear_error(); 2892 ERR_clear_error();
2897 } 2893 }
2898 /* 2894 /*
2899 * For TLS v1.2 send signature algorithm and signature 2895 * For TLS v1.2 send signature algorithm and signature
2900 * using agreed digest and cached handshake records. 2896 * using agreed digest and cached handshake records.
2901 */ 2897 */
@@ -3024,9 +3020,10 @@ ssl3_send_client_certificate(SSL *s)
3024 3020
3025 /* We need to get a client cert */ 3021 /* We need to get a client cert */
3026 if (s->state == SSL3_ST_CW_CERT_B) { 3022 if (s->state == SSL3_ST_CW_CERT_B) {
3027 /* If we get an error, we need to 3023 /*
3024 * If we get an error, we need to
3028 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 3025 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
3029 * We then get retied later 3026 * We then get retied later
3030 */ 3027 */
3031 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3028 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3032 if (i < 0) { 3029 if (i < 0) {
@@ -3120,7 +3117,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
3120 SSL_R_BAD_ECC_CERT); 3117 SSL_R_BAD_ECC_CERT);
3121 goto f_err; 3118 goto f_err;
3122 } else { 3119 } else {
3123 return 1; 3120 return (1);
3124 } 3121 }
3125 } 3122 }
3126#endif 3123#endif
@@ -3221,7 +3218,7 @@ ssl3_send_next_proto(SSL *s)
3221 s->init_off = 0; 3218 s->init_off = 0;
3222 } 3219 }
3223 3220
3224 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3221 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3225} 3222}
3226#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 3223#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
3227 3224
@@ -3240,7 +3237,7 @@ ssl3_check_finished(SSL *s)
3240 3237
3241 /* If we have no ticket it cannot be a resumed session. */ 3238 /* If we have no ticket it cannot be a resumed session. */
3242 if (!s->session->tlsext_tick) 3239 if (!s->session->tlsext_tick)
3243 return 1; 3240 return (1);
3244 /* this function is called when we really expect a Certificate 3241 /* this function is called when we really expect a Certificate
3245 * message, so permit appropriate message length */ 3242 * message, so permit appropriate message length */
3246 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 3243 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
@@ -3250,9 +3247,9 @@ ssl3_check_finished(SSL *s)
3250 s->s3->tmp.reuse_message = 1; 3247 s->s3->tmp.reuse_message = 1;
3251 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) || 3248 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
3252 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3249 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3253 return 2; 3250 return (2);
3254 3251
3255 return 1; 3252 return (1);
3256} 3253}
3257#endif 3254#endif
3258 3255
@@ -3267,10 +3264,10 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3267 SSL_get_client_CA_list(s), 3264 SSL_get_client_CA_list(s),
3268 px509, ppkey, NULL, NULL, NULL); 3265 px509, ppkey, NULL, NULL, NULL);
3269 if (i != 0) 3266 if (i != 0)
3270 return i; 3267 return (i);
3271 } 3268 }
3272#endif 3269#endif
3273 if (s->ctx->client_cert_cb) 3270 if (s->ctx->client_cert_cb)
3274 i = s->ctx->client_cert_cb(s, px509, ppkey); 3271 i = s->ctx->client_cert_cb(s, px509, ppkey);
3275 return i; 3272 return (i};
3276} 3273}
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 28a3d51b9e..12ce8a1605 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -2962,9 +2962,9 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2962 break; 2962 break;
2963 case SSL_CTRL_NEED_TMP_RSA: 2963 case SSL_CTRL_NEED_TMP_RSA:
2964 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 2964 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
2965 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 2965 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
2966 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) 2966 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)
2967 > (512 / 8)))) 2967 > (512 / 8))))
2968 ret = 1; 2968 ret = 1;
2969 break; 2969 break;
2970 case SSL_CTRL_SET_TMP_RSA: 2970 case SSL_CTRL_SET_TMP_RSA:
@@ -3113,10 +3113,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3113 } 3113 }
3114 if (s->tlsext_opaque_prf_input != NULL) 3114 if (s->tlsext_opaque_prf_input != NULL)
3115 free(s->tlsext_opaque_prf_input); 3115 free(s->tlsext_opaque_prf_input);
3116 if ((size_t)larg == 0) 3116 if ((size_t)larg == 0) {
3117 s->tlsext_opaque_prf_input = malloc(1); /* dummy byte just to get non-NULL */ 3117 /* dummy byte just to get non-NULL */
3118 else 3118 s->tlsext_opaque_prf_input = malloc(1);
3119 s->tlsext_opaque_prf_input = BUF_memdup(parg, (size_t)larg); 3119 } else
3120 s->tlsext_opaque_prf_input =
3121 BUF_memdup(parg, (size_t)larg);
3120 if (s->tlsext_opaque_prf_input != NULL) { 3122 if (s->tlsext_opaque_prf_input != NULL) {
3121 s->tlsext_opaque_prf_input_len = (size_t)larg; 3123 s->tlsext_opaque_prf_input_len = (size_t)larg;
3122 ret = 1; 3124 ret = 1;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index f3edcc2efb..6d8ccd66b7 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
@@ -111,7 +111,7 @@
111/* ==================================================================== 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * 113 *
114 * Portions of the attached software ("Contribution") are developed by 114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 * 116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source 117 * The Contribution is licensed pursuant to the OpenSSL open source
@@ -190,15 +190,17 @@ ssl_check_srp_ext_ClientHello(SSL *s, int *al)
190 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 190 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
191 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { 191 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
192 if (s->srp_ctx.login == NULL) { 192 if (s->srp_ctx.login == NULL) {
193 /* RFC 5054 says SHOULD reject, 193 /*
194 we do so if There is no srp login name */ 194 * RFC 5054 says SHOULD reject,
195 * we do so if There is no srp login name
196 */
195 ret = SSL3_AL_FATAL; 197 ret = SSL3_AL_FATAL;
196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 198 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
197 } else { 199 } else {
198 ret = SSL_srp_server_param_with_username(s, al); 200 ret = SSL_srp_server_param_with_username(s, al);
199 } 201 }
200 } 202 }
201 return ret; 203 return (ret);
202} 204}
203#endif 205#endif
204 206
@@ -228,7 +230,8 @@ ssl3_accept(SSL *s)
228 SSL_clear(s); 230 SSL_clear(s);
229 231
230 if (s->cert == NULL) { 232 if (s->cert == NULL) {
231 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET); 233 SSLerr(SSL_F_SSL3_ACCEPT,
234 SSL_R_NO_CERTIFICATE_SET);
232 return (-1); 235 return (-1);
233 } 236 }
234 237
@@ -250,8 +253,9 @@ ssl3_accept(SSL *s)
250 cb(s, SSL_CB_HANDSHAKE_START, 1); 253 cb(s, SSL_CB_HANDSHAKE_START, 1);
251 254
252 if ((s->version >> 8) != 3) { 255 if ((s->version >> 8) != 3) {
253 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 256 SSLerr(SSL_F_SSL3_ACCEPT,
254 return -1; 257 ERR_R_INTERNAL_ERROR);
258 return (-1);
255 } 259 }
256 s->type = SSL_ST_ACCEPT; 260 s->type = SSL_ST_ACCEPT;
257 261
@@ -342,7 +346,7 @@ ssl3_accept(SSL *s)
342 { 346 {
343 int al; 347 int al;
344 if ((ret = 348 if ((ret =
345 ssl_check_srp_ext_ClientHello(s, &al)) 349 ssl_check_srp_ext_ClientHello(s, &al))
346 < 0) { 350 < 0) {
347 /* 351 /*
348 * Callback indicates further work to 352 * Callback indicates further work to
@@ -531,7 +535,7 @@ ssl3_accept(SSL *s)
531 s->state = SSL3_ST_SW_SRVR_DONE_A; 535 s->state = SSL3_ST_SW_SRVR_DONE_A;
532 if (s->s3->handshake_buffer) 536 if (s->s3->handshake_buffer)
533 if (!ssl3_digest_cached_records(s)) 537 if (!ssl3_digest_cached_records(s))
534 return -1; 538 return (-1);
535 } else { 539 } else {
536 s->s3->tmp.cert_request = 1; 540 s->s3->tmp.cert_request = 1;
537 ret = ssl3_send_certificate_request(s); 541 ret = ssl3_send_certificate_request(s);
@@ -635,11 +639,11 @@ ssl3_accept(SSL *s)
635 if (!s->s3->handshake_buffer) { 639 if (!s->s3->handshake_buffer) {
636 SSLerr(SSL_F_SSL3_ACCEPT, 640 SSLerr(SSL_F_SSL3_ACCEPT,
637 ERR_R_INTERNAL_ERROR); 641 ERR_R_INTERNAL_ERROR);
638 return -1; 642 return (-1);
639 } 643 }
640 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 644 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
641 if (!ssl3_digest_cached_records(s)) 645 if (!ssl3_digest_cached_records(s))
642 return -1; 646 return (-1);
643 } else { 647 } else {
644 int offset = 0; 648 int offset = 0;
645 int dgst_num; 649 int dgst_num;
@@ -647,7 +651,7 @@ ssl3_accept(SSL *s)
647 s->state = SSL3_ST_SR_CERT_VRFY_A; 651 s->state = SSL3_ST_SR_CERT_VRFY_A;
648 s->init_num = 0; 652 s->init_num = 0;
649 653
650 /* 654 /*
651 * We need to get hashes here so if there is 655 * We need to get hashes here so if there is
652 * a client cert, it can be verified 656 * a client cert, it can be verified
653 * FIXME - digest processing for 657 * FIXME - digest processing for
@@ -656,7 +660,7 @@ ssl3_accept(SSL *s)
656 */ 660 */
657 if (s->s3->handshake_buffer) 661 if (s->s3->handshake_buffer)
658 if (!ssl3_digest_cached_records(s)) 662 if (!ssl3_digest_cached_records(s))
659 return -1; 663 return (-1);
660 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; 664 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
661 dgst_num++) 665 dgst_num++)
662 if (s->s3->handshake_dgst[dgst_num]) { 666 if (s->s3->handshake_dgst[dgst_num]) {
@@ -827,7 +831,8 @@ ssl3_accept(SSL *s)
827 /* break; */ 831 /* break; */
828 832
829 default: 833 default:
830 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE); 834 SSLerr(SSL_F_SSL3_ACCEPT,
835 SSL_R_UNKNOWN_STATE);
831 ret = -1; 836 ret = -1;
832 goto end; 837 goto end;
833 /* break; */ 838 /* break; */
@@ -903,7 +908,7 @@ ssl3_check_client_hello(SSL *s)
903 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { 908 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
904 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, 909 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
905 SSL_R_MULTIPLE_SGC_RESTARTS); 910 SSL_R_MULTIPLE_SGC_RESTARTS);
906 return -1; 911 return (-1);
907 } 912 }
908 /* 913 /*
909 * Throw away what we have done so far in the current handshake, 914 * Throw away what we have done so far in the current handshake,
@@ -923,9 +928,9 @@ ssl3_check_client_hello(SSL *s)
923 } 928 }
924#endif 929#endif
925 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 930 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
926 return 2; 931 return (2);
927 } 932 }
928 return 1; 933 return (1);
929} 934}
930 935
931int 936int
@@ -974,7 +979,8 @@ ssl3_get_client_hello(SSL *s)
974 979
975 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 980 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
976 (s->version != DTLS1_VERSION && s->client_version < s->version)) { 981 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
977 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 982 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
983 SSL_R_WRONG_VERSION_NUMBER);
978 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 984 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
979 !s->enc_write_ctx && !s->write_hash) { 985 !s->enc_write_ctx && !s->write_hash) {
980 /* 986 /*
@@ -999,7 +1005,7 @@ ssl3_get_client_hello(SSL *s)
999 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 1005 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
1000 1006
1001 if (cookie_length == 0) 1007 if (cookie_length == 0)
1002 return 1; 1008 return (1);
1003 } 1009 }
1004 1010
1005 /* load the client random */ 1011 /* load the client random */
@@ -1048,7 +1054,7 @@ ssl3_get_client_hello(SSL *s)
1048 /* cookie stuff */ 1054 /* cookie stuff */
1049 cookie_len = *(p++); 1055 cookie_len = *(p++);
1050 1056
1051 /* 1057 /*
1052 * The ClientHello may contain a cookie even if the 1058 * The ClientHello may contain a cookie even if the
1053 * HelloVerify message has not been sent--make sure that it 1059 * HelloVerify message has not been sent--make sure that it
1054 * does not cause an overflow. 1060 * does not cause an overflow.
@@ -1094,13 +1100,15 @@ ssl3_get_client_hello(SSL *s)
1094 if ((i == 0) && (j != 0)) { 1100 if ((i == 0) && (j != 0)) {
1095 /* we need a cipher if we are not resuming a session */ 1101 /* we need a cipher if we are not resuming a session */
1096 al = SSL_AD_ILLEGAL_PARAMETER; 1102 al = SSL_AD_ILLEGAL_PARAMETER;
1097 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); 1103 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1104 SSL_R_NO_CIPHERS_SPECIFIED);
1098 goto f_err; 1105 goto f_err;
1099 } 1106 }
1100 if ((p + i) >= (d + n)) { 1107 if ((p + i) >= (d + n)) {
1101 /* not enough data */ 1108 /* not enough data */
1102 al = SSL_AD_DECODE_ERROR; 1109 al = SSL_AD_DECODE_ERROR;
1103 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1110 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1111 SSL_R_LENGTH_MISMATCH);
1104 goto f_err; 1112 goto f_err;
1105 } 1113 }
1106 if ((i > 0) && 1114 if ((i > 0) &&
@@ -1143,7 +1151,8 @@ ssl3_get_client_hello(SSL *s)
1143 if ((p + i) > (d + n)) { 1151 if ((p + i) > (d + n)) {
1144 /* not enough data */ 1152 /* not enough data */
1145 al = SSL_AD_DECODE_ERROR; 1153 al = SSL_AD_DECODE_ERROR;
1146 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1154 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1155 SSL_R_LENGTH_MISMATCH);
1147 goto f_err; 1156 goto f_err;
1148 } 1157 }
1149 q = p; 1158 q = p;
@@ -1172,7 +1181,8 @@ ssl3_get_client_hello(SSL *s)
1172 } 1181 }
1173 } 1182 }
1174 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1183 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1175 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1184 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1185 SSL_R_CLIENTHELLO_TLSEXT);
1176 goto err; 1186 goto err;
1177 } 1187 }
1178 1188
@@ -1377,7 +1387,7 @@ ssl3_get_client_hello(SSL *s)
1377 } 1387 }
1378 1388
1379 /* 1389 /*
1380 * We now have the following setup. 1390 * We now have the following setup.
1381 * client_random 1391 * client_random
1382 * cipher_list - our prefered list of ciphers 1392 * cipher_list - our prefered list of ciphers
1383 * ciphers - the clients prefered list of ciphers 1393 * ciphers - the clients prefered list of ciphers
@@ -1422,7 +1432,7 @@ ssl3_send_server_hello(SSL *s)
1422#ifdef OPENSSL_NO_TLSEXT 1432#ifdef OPENSSL_NO_TLSEXT
1423 p = s->s3->server_random; 1433 p = s->s3->server_random;
1424 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1434 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1425 return -1; 1435 return (-1);
1426#endif 1436#endif
1427 /* Do the message type and length last */ 1437 /* Do the message type and length last */
1428 d = p= &(buf[4]); 1438 d = p= &(buf[4]);
@@ -1460,7 +1470,7 @@ ssl3_send_server_hello(SSL *s)
1460 if (sl > (int)sizeof(s->session->session_id)) { 1470 if (sl > (int)sizeof(s->session->session_id)) {
1461 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, 1471 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1462 ERR_R_INTERNAL_ERROR); 1472 ERR_R_INTERNAL_ERROR);
1463 return -1; 1473 return (-1);
1464 } 1474 }
1465 *(p++) = sl; 1475 *(p++) = sl;
1466 memcpy(p, s->session->session_id, sl); 1476 memcpy(p, s->session->session_id, sl);
@@ -1483,13 +1493,13 @@ ssl3_send_server_hello(SSL *s)
1483 if (ssl_prepare_serverhello_tlsext(s) <= 0) { 1493 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1484 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, 1494 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1485 SSL_R_SERVERHELLO_TLSEXT); 1495 SSL_R_SERVERHELLO_TLSEXT);
1486 return -1; 1496 return (-1);
1487 } 1497 }
1488 if ((p = ssl_add_serverhello_tlsext(s, p, 1498 if ((p = ssl_add_serverhello_tlsext(s, p,
1489 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { 1499 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1490 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, 1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1491 ERR_R_INTERNAL_ERROR); 1501 ERR_R_INTERNAL_ERROR);
1492 return -1; 1502 return (-1);
1493 } 1503 }
1494#endif 1504#endif
1495 /* do the header */ 1505 /* do the header */
@@ -1714,9 +1724,9 @@ ssl3_send_server_key_exchange(SSL *s)
1714 goto err; 1724 goto err;
1715 } 1725 }
1716 1726
1717 /* 1727 /*
1718 * XXX: For now, we only support ephemeral ECDH 1728 * XXX: For now, we only support ephemeral ECDH
1719 * keys over named (not generic) curves. For 1729 * keys over named (not generic) curves. For
1720 * supported named curves, curve_id is non-zero. 1730 * supported named curves, curve_id is non-zero.
1721 */ 1731 */
1722 if ((curve_id = tls1_ec_nid2curve_id( 1732 if ((curve_id = tls1_ec_nid2curve_id(
@@ -1726,7 +1736,7 @@ ssl3_send_server_key_exchange(SSL *s)
1726 goto err; 1736 goto err;
1727 } 1737 }
1728 1738
1729 /* 1739 /*
1730 * Encode the public key. 1740 * Encode the public key.
1731 * First check the size of encoding and 1741 * First check the size of encoding and
1732 * allocate memory accordingly. 1742 * allocate memory accordingly.
@@ -1760,12 +1770,12 @@ ssl3_send_server_key_exchange(SSL *s)
1760 BN_CTX_free(bn_ctx); 1770 BN_CTX_free(bn_ctx);
1761 bn_ctx = NULL; 1771 bn_ctx = NULL;
1762 1772
1763 /* 1773 /*
1764 * XXX: For now, we only support named (not 1774 * XXX: For now, we only support named (not
1765 * generic) curves in ECDH ephemeral key exchanges. 1775 * generic) curves in ECDH ephemeral key exchanges.
1766 * In this situation, we need four additional bytes 1776 * In this situation, we need four additional bytes
1767 * to encode the entire ServerECDHParams 1777 * to encode the entire ServerECDHParams
1768 * structure. 1778 * structure.
1769 */ 1779 */
1770 n = 4 + encodedlen; 1780 n = 4 + encodedlen;
1771 1781
@@ -1790,7 +1800,8 @@ ssl3_send_server_key_exchange(SSL *s)
1790 if (type & SSL_kSRP) { 1800 if (type & SSL_kSRP) {
1791 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) || 1801 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
1792 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { 1802 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1793 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM); 1803 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1804 SSL_R_MISSING_SRP_PARAM);
1794 goto err; 1805 goto err;
1795 } 1806 }
1796 r[0] = s->srp_ctx.N; 1807 r[0] = s->srp_ctx.N;
@@ -1801,7 +1812,8 @@ ssl3_send_server_key_exchange(SSL *s)
1801#endif 1812#endif
1802 { 1813 {
1803 al = SSL_AD_HANDSHAKE_FAILURE; 1814 al = SSL_AD_HANDSHAKE_FAILURE;
1804 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1815 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1816 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1805 goto f_err; 1817 goto f_err;
1806 } 1818 }
1807 for (i = 0; i < 4 && r[i] != NULL; i++) { 1819 for (i = 0; i < 4 && r[i] != NULL; i++) {
@@ -1922,7 +1934,7 @@ ssl3_send_server_key_exchange(SSL *s)
1922 n += u + 2; 1934 n += u + 2;
1923 } else 1935 } else
1924 if (md) { 1936 if (md) {
1925 /* 1937 /*
1926 * For TLS1.2 and later send signature 1938 * For TLS1.2 and later send signature
1927 * algorithm 1939 * algorithm
1928 */ 1940 */
@@ -2384,7 +2396,8 @@ ssl3_get_client_key_exchange(SSL *s)
2384 } 2396 }
2385 2397
2386 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) { 2398 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
2387 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2399 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2400 krb5rc);
2388 goto err; 2401 goto err;
2389 } 2402 }
2390 2403
@@ -2436,7 +2449,7 @@ ssl3_get_client_key_exchange(SSL *s)
2436 * instead of the protocol version. 2449 * instead of the protocol version.
2437 * 2450 *
2438 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such 2451 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2439 * clients. 2452 * clients.
2440 * (Perhaps we should have a separate BUG value for 2453 * (Perhaps we should have a separate BUG value for
2441 * the Kerberos cipher) 2454 * the Kerberos cipher)
2442 */ 2455 */
@@ -2463,7 +2476,7 @@ ssl3_get_client_key_exchange(SSL *s)
2463 } 2476 }
2464 2477
2465 2478
2466 /* 2479 /*
2467 * Was doing kssl_ctx_free() here, but it caused problems for 2480 * Was doing kssl_ctx_free() here, but it caused problems for
2468 * apache. 2481 * apache.
2469 * kssl_ctx = kssl_ctx_free(kssl_ctx); 2482 * kssl_ctx = kssl_ctx_free(kssl_ctx);
@@ -2528,13 +2541,13 @@ ssl3_get_client_key_exchange(SSL *s)
2528 if (((clnt_pub_pkey = X509_get_pubkey( 2541 if (((clnt_pub_pkey = X509_get_pubkey(
2529 s->session->peer)) == NULL) || 2542 s->session->peer)) == NULL) ||
2530 (clnt_pub_pkey->type != EVP_PKEY_EC)) { 2543 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2531 /* 2544 /*
2532 * XXX: For now, we do not support client 2545 * XXX: For now, we do not support client
2533 * authentication using ECDH certificates 2546 * authentication using ECDH certificates
2534 * so this branch (n == 0L) of the code is 2547 * so this branch (n == 0L) of the code is
2535 * never executed. When that support is 2548 * never executed. When that support is
2536 * added, we ought to ensure the key 2549 * added, we ought to ensure the key
2537 * received in the certificate is 2550 * received in the certificate is
2538 * authorized for key agreement. 2551 * authorized for key agreement.
2539 * ECDH_compute_key implicitly checks that 2552 * ECDH_compute_key implicitly checks that
2540 * the two ECDH shares are for the same 2553 * the two ECDH shares are for the same
@@ -2582,7 +2595,7 @@ ssl3_get_client_key_exchange(SSL *s)
2582 /* 2595 /*
2583 * p is pointing to somewhere in the buffer 2596 * p is pointing to somewhere in the buffer
2584 * currently, so set it to the start. 2597 * currently, so set it to the start.
2585 */ 2598 */
2586 p = (unsigned char *)s->init_buf->data; 2599 p = (unsigned char *)s->init_buf->data;
2587 } 2600 }
2588 2601
@@ -2808,7 +2821,7 @@ ssl3_get_client_key_exchange(SSL *s)
2808 EVP_PKEY_free(client_pub_pkey); 2821 EVP_PKEY_free(client_pub_pkey);
2809 EVP_PKEY_CTX_free(pkey_ctx); 2822 EVP_PKEY_CTX_free(pkey_ctx);
2810 if (ret) 2823 if (ret)
2811 return ret; 2824 return (ret);
2812 else 2825 else
2813 goto err; 2826 goto err;
2814 } else { 2827 } else {
@@ -2897,7 +2910,7 @@ ssl3_get_cert_verify(SSL *s)
2897 p = (unsigned char *)s->init_msg; 2910 p = (unsigned char *)s->init_msg;
2898 /* 2911 /*
2899 * Check for broken implementations of GOST ciphersuites. 2912 * Check for broken implementations of GOST ciphersuites.
2900 * 2913 *
2901 * If key is GOST and n is exactly 64, it is a bare 2914 * If key is GOST and n is exactly 64, it is a bare
2902 * signature without length field. 2915 * signature without length field.
2903 */ 2916 */
@@ -2946,7 +2959,8 @@ ssl3_get_cert_verify(SSL *s)
2946 } 2959 }
2947 j = EVP_PKEY_size(pkey); 2960 j = EVP_PKEY_size(pkey);
2948 if ((i > j) || (n > j) || (n <= 0)) { 2961 if ((i > j) || (n > j) || (n <= 0)) {
2949 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); 2962 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2963 SSL_R_WRONG_SIGNATURE_SIZE);
2950 al = SSL_AD_DECODE_ERROR; 2964 al = SSL_AD_DECODE_ERROR;
2951 goto f_err; 2965 goto f_err;
2952 } 2966 }
@@ -2967,14 +2981,16 @@ ssl3_get_cert_verify(SSL *s)
2967#endif 2981#endif
2968 if (!EVP_VerifyInit_ex(&mctx, md, NULL) || 2982 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
2969 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { 2983 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
2970 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 2984 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2985 ERR_R_EVP_LIB);
2971 al = SSL_AD_INTERNAL_ERROR; 2986 al = SSL_AD_INTERNAL_ERROR;
2972 goto f_err; 2987 goto f_err;
2973 } 2988 }
2974 2989
2975 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) { 2990 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) {
2976 al = SSL_AD_DECRYPT_ERROR; 2991 al = SSL_AD_DECRYPT_ERROR;
2977 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE); 2992 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2993 SSL_R_BAD_SIGNATURE);
2978 goto f_err; 2994 goto f_err;
2979 } 2995 }
2980 } else 2996 } else
@@ -3043,7 +3059,8 @@ ssl3_get_cert_verify(SSL *s)
3043 goto f_err; 3059 goto f_err;
3044 } 3060 }
3045 } else { 3061 } else {
3046 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3062 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3063 ERR_R_INTERNAL_ERROR);
3047 al = SSL_AD_UNSUPPORTED_CERTIFICATE; 3064 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3048 goto f_err; 3065 goto f_err;
3049 } 3066 }
@@ -3277,10 +3294,10 @@ ssl3_send_newsession_ticket(SSL *s)
3277 * too long 3294 * too long
3278 */ 3295 */
3279 if (slen_full > 0xFF00) 3296 if (slen_full > 0xFF00)
3280 return -1; 3297 return (-1);
3281 senc = malloc(slen_full); 3298 senc = malloc(slen_full);
3282 if (!senc) 3299 if (!senc)
3283 return -1; 3300 return (-1);
3284 p = senc; 3301 p = senc;
3285 i2d_SSL_SESSION(s->session, &p); 3302 i2d_SSL_SESSION(s->session, &p);
3286 3303
@@ -3292,7 +3309,7 @@ ssl3_send_newsession_ticket(SSL *s)
3292 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3309 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3293 if (sess == NULL) { 3310 if (sess == NULL) {
3294 free(senc); 3311 free(senc);
3295 return -1; 3312 return (-1);
3296 } 3313 }
3297 3314
3298 /* ID is irrelevant for the ticket */ 3315 /* ID is irrelevant for the ticket */
@@ -3302,13 +3319,13 @@ ssl3_send_newsession_ticket(SSL *s)
3302 if (slen > slen_full) { 3319 if (slen > slen_full) {
3303 /* shouldn't ever happen */ 3320 /* shouldn't ever happen */
3304 free(senc); 3321 free(senc);
3305 return -1; 3322 return (-1);
3306 } 3323 }
3307 p = senc; 3324 p = senc;
3308 i2d_SSL_SESSION(sess, &p); 3325 i2d_SSL_SESSION(sess, &p);
3309 SSL_SESSION_free(sess); 3326 SSL_SESSION_free(sess);
3310 3327
3311 /* 3328 /*
3312 * Grow buffer if need be: the length calculation is as 3329 * Grow buffer if need be: the length calculation is as
3313 * follows 1 (size of message name) + 3 (message length 3330 * follows 1 (size of message name) + 3 (message length
3314 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3331 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
@@ -3319,7 +3336,7 @@ ssl3_send_newsession_ticket(SSL *s)
3319 if (!BUF_MEM_grow(s->init_buf, 3336 if (!BUF_MEM_grow(s->init_buf,
3320 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3337 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3321 EVP_MAX_MD_SIZE + slen)) 3338 EVP_MAX_MD_SIZE + slen))
3322 return -1; 3339 return (-1);
3323 3340
3324 p = (unsigned char *)s->init_buf->data; 3341 p = (unsigned char *)s->init_buf->data;
3325 /* do the header */ 3342 /* do the header */
@@ -3337,7 +3354,7 @@ ssl3_send_newsession_ticket(SSL *s)
3337 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3354 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
3338 &hctx, 1) < 0) { 3355 &hctx, 1) < 0) {
3339 free(senc); 3356 free(senc);
3340 return -1; 3357 return (-1);
3341 } 3358 }
3342 } else { 3359 } else {
3343 RAND_pseudo_bytes(iv, 16); 3360 RAND_pseudo_bytes(iv, 16);
@@ -3409,7 +3426,7 @@ ssl3_send_cert_status(SSL *s)
3409 * + (ocsp response) 3426 * + (ocsp response)
3410 */ 3427 */
3411 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3428 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
3412 return -1; 3429 return (-1);
3413 3430
3414 p = (unsigned char *)s->init_buf->data; 3431 p = (unsigned char *)s->init_buf->data;
3415 3432
@@ -3453,7 +3470,7 @@ ssl3_get_next_proto(SSL *s)
3453 if (!s->s3->next_proto_neg_seen) { 3470 if (!s->s3->next_proto_neg_seen) {
3454 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, 3471 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3455 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); 3472 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3456 return -1; 3473 return (-1);
3457 } 3474 }
3458 3475
3459 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, 3476 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
@@ -3470,11 +3487,11 @@ ssl3_get_next_proto(SSL *s)
3470 if (!s->s3->change_cipher_spec) { 3487 if (!s->s3->change_cipher_spec) {
3471 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, 3488 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3472 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); 3489 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3473 return -1; 3490 return (-1);
3474 } 3491 }
3475 3492
3476 if (n < 2) 3493 if (n < 2)
3477 return 0; 3494 return (0);
3478 /* The body must be > 1 bytes long */ 3495 /* The body must be > 1 bytes long */
3479 3496
3480 p = (unsigned char *)s->init_msg; 3497 p = (unsigned char *)s->init_msg;
@@ -3488,20 +3505,21 @@ ssl3_get_next_proto(SSL *s)
3488 */ 3505 */
3489 proto_len = p[0]; 3506 proto_len = p[0];
3490 if (proto_len + 2 > s->init_num) 3507 if (proto_len + 2 > s->init_num)
3491 return 0; 3508 return (0);
3492 padding_len = p[proto_len + 1]; 3509 padding_len = p[proto_len + 1];
3493 if (proto_len + padding_len + 2 != s->init_num) 3510 if (proto_len + padding_len + 2 != s->init_num)
3494 return 0; 3511 return (0);
3495 3512
3496 s->next_proto_negotiated = malloc(proto_len); 3513 s->next_proto_negotiated = malloc(proto_len);
3497 if (!s->next_proto_negotiated) { 3514 if (!s->next_proto_negotiated) {
3498 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); 3515 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3499 return 0; 3516 ERR_R_MALLOC_FAILURE);
3517 return (0);
3500 } 3518 }
3501 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3519 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3502 s->next_proto_negotiated_len = proto_len; 3520 s->next_proto_negotiated_len = proto_len;
3503 3521
3504 return 1; 3522 return (1);
3505} 3523}
3506# endif 3524# endif
3507#endif 3525#endif
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index b63f0bf0c9..e765da9ecd 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
@@ -111,7 +111,7 @@
111/* ==================================================================== 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * 113 *
114 * Portions of the attached software ("Contribution") are developed by 114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 * 116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source 117 * The Contribution is licensed pursuant to the OpenSSL open source
@@ -412,12 +412,12 @@ ssl3_connect(SSL *s)
412 * For TLS, cert_req is set to 2, so a cert chain 412 * For TLS, cert_req is set to 2, so a cert chain
413 * of nothing is sent, but no verify packet is sent 413 * of nothing is sent, but no verify packet is sent
414 */ 414 */
415 /* 415 /*
416 * XXX: For now, we do not support client 416 * XXX: For now, we do not support client
417 * authentication in ECDH cipher suites with 417 * authentication in ECDH cipher suites with
418 * ECDH (rather than ECDSA) certificates. 418 * ECDH (rather than ECDSA) certificates.
419 * We need to skip the certificate verify 419 * We need to skip the certificate verify
420 * message when client's ECDH public key is sent 420 * message when client's ECDH public key is sent
421 * inside the client certificate. 421 * inside the client certificate.
422 */ 422 */
423 if (s->s3->tmp.cert_req == 1) { 423 if (s->s3->tmp.cert_req == 1) {
@@ -679,7 +679,7 @@ ssl3_client_hello(SSL *s)
679 /* Do the message type and length last */ 679 /* Do the message type and length last */
680 d = p = &(buf[4]); 680 d = p = &(buf[4]);
681 681
682 /* 682 /*
683 * Version indicates the negotiated version: for example from 683 * Version indicates the negotiated version: for example from
684 * an SSLv2/v3 compatible client hello). The client_version 684 * an SSLv2/v3 compatible client hello). The client_version
685 * field is the maximum version we permit and it is also 685 * field is the maximum version we permit and it is also
@@ -832,7 +832,7 @@ ssl3_get_server_hello(SSL *s)
832 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { 832 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
833 if (s->d1->send_cookie == 0) { 833 if (s->d1->send_cookie == 0) {
834 s->s3->tmp.reuse_message = 1; 834 s->s3->tmp.reuse_message = 1;
835 return 1; 835 return (1);
836 } 836 }
837 else /* already sent a cookie */ 837 else /* already sent a cookie */
838 { 838 {
@@ -1473,7 +1473,7 @@ ssl3_get_key_exchange(SSL *s)
1473 p += i; 1473 p += i;
1474 n -= param_len; 1474 n -= param_len;
1475 1475
1476 /* 1476 /*
1477 * This should be because we are using an 1477 * This should be because we are using an
1478 * export cipher 1478 * export cipher
1479 */ 1479 */
@@ -2038,9 +2038,9 @@ ssl3_get_new_session_ticket(SSL *s)
2038 * There are two ways to detect a resumed ticket sesion. 2038 * There are two ways to detect a resumed ticket sesion.
2039 * One is to set an appropriate session ID and then the server 2039 * One is to set an appropriate session ID and then the server
2040 * must return a match in ServerHello. This allows the normal 2040 * must return a match in ServerHello. This allows the normal
2041 * client session ID matching to work and we know much 2041 * client session ID matching to work and we know much
2042 * earlier that the ticket has been accepted. 2042 * earlier that the ticket has been accepted.
2043 * 2043 *
2044 * The other way is to set zero length session ID when the 2044 * The other way is to set zero length session ID when the
2045 * ticket is presented and rely on the handshake to determine 2045 * ticket is presented and rely on the handshake to determine
2046 * session resumption. 2046 * session resumption.
@@ -2049,7 +2049,7 @@ ssl3_get_new_session_ticket(SSL *s)
2049 * assumptions elsewhere in OpenSSL. The session ID is set 2049 * assumptions elsewhere in OpenSSL. The session ID is set
2050 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2050 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
2051 * ticket. 2051 * ticket.
2052 */ 2052 */
2053 EVP_Digest(p, ticklen, s->session->session_id, 2053 EVP_Digest(p, ticklen, s->session->session_id,
2054 &s->session->session_id_length, EVP_sha256(), NULL); 2054 &s->session->session_id_length, EVP_sha256(), NULL);
2055 ret = 1; 2055 ret = 1;
@@ -2067,12 +2067,9 @@ ssl3_get_cert_status(SSL *s)
2067 unsigned long resplen, n; 2067 unsigned long resplen, n;
2068 const unsigned char *p; 2068 const unsigned char *p;
2069 2069
2070 n = s->method->ssl_get_message(s, 2070 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
2071 SSL3_ST_CR_CERT_STATUS_A, 2071 SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS,
2072 SSL3_ST_CR_CERT_STATUS_B, 2072 16384, &ok);
2073 SSL3_MT_CERTIFICATE_STATUS,
2074 16384,
2075 &ok);
2076 2073
2077 if (!ok) 2074 if (!ok)
2078 return ((int)n); 2075 return ((int)n);
@@ -2123,7 +2120,7 @@ ssl3_get_cert_status(SSL *s)
2123 goto f_err; 2120 goto f_err;
2124 } 2121 }
2125 } 2122 }
2126 return 1; 2123 return (1);
2127 f_err: 2124 f_err:
2128 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2125 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2129 return (-1); 2126 return (-1);
@@ -2147,7 +2144,7 @@ ssl3_get_server_done(SSL *s)
2147 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 2144 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2148 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, 2145 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,
2149 SSL_R_LENGTH_MISMATCH); 2146 SSL_R_LENGTH_MISMATCH);
2150 return -1; 2147 return (-1);
2151 } 2148 }
2152 ret = 1; 2149 ret = 1;
2153 return (ret); 2150 return (ret);
@@ -2229,8 +2226,7 @@ ssl3_send_client_key_exchange(SSL *s)
2229 2226
2230 s->session->master_key_length = 2227 s->session->master_key_length =
2231 s->method->ssl3_enc->generate_master_secret( 2228 s->method->ssl3_enc->generate_master_secret(
2232 s, s->session->master_key, tmp_buf, 2229 s, s->session->master_key, tmp_buf, sizeof tmp_buf);
2233 sizeof tmp_buf);
2234 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2230 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2235 } 2231 }
2236#ifndef OPENSSL_NO_KRB5 2232#ifndef OPENSSL_NO_KRB5
@@ -2246,7 +2242,7 @@ ssl3_send_client_key_exchange(SSL *s)
2246 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2242 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2247 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2243 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2248 + EVP_MAX_IV_LENGTH]; 2244 + EVP_MAX_IV_LENGTH];
2249 int padl, outl = sizeof(epms); 2245 int padl, outl = sizeof(epms);
2250 2246
2251 EVP_CIPHER_CTX_init(&ciph_ctx); 2247 EVP_CIPHER_CTX_init(&ciph_ctx);
2252 2248
@@ -2283,14 +2279,14 @@ ssl3_send_client_key_exchange(SSL *s)
2283 goto err; 2279 goto err;
2284 } 2280 }
2285 2281
2286 /* 2282 /*
2287 * 20010406 VRS - Earlier versions used KRB5 AP_REQ 2283 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
2288 * in place of RFC 2712 KerberosWrapper, as in: 2284 * in place of RFC 2712 KerberosWrapper, as in:
2289 * 2285 *
2290 * Send ticket (copy to *p, set n = length) 2286 * Send ticket (copy to *p, set n = length)
2291 * n = krb5_ap_req.length; 2287 * n = krb5_ap_req.length;
2292 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2288 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2293 * if (krb5_ap_req.data) 2289 * if (krb5_ap_req.data)
2294 * kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2290 * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2295 * 2291 *
2296 * Now using real RFC 2712 KerberosWrapper 2292 * Now using real RFC 2712 KerberosWrapper
@@ -2435,7 +2431,7 @@ ssl3_send_client_key_exchange(SSL *s)
2435 } 2431 }
2436#endif 2432#endif
2437 2433
2438#ifndef OPENSSL_NO_ECDH 2434#ifndef OPENSSL_NO_ECDH
2439 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { 2435 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2440 const EC_GROUP *srvr_group = NULL; 2436 const EC_GROUP *srvr_group = NULL;
2441 EC_KEY *tkey; 2437 EC_KEY *tkey;
@@ -2449,11 +2445,11 @@ ssl3_send_client_key_exchange(SSL *s)
2449 */ 2445 */
2450 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && 2446 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) &&
2451 (s->cert != NULL)) { 2447 (s->cert != NULL)) {
2452 /* 2448 /*
2453 * XXX: For now, we do not support client 2449 * XXX: For now, we do not support client
2454 * authentication using ECDH certificates. 2450 * authentication using ECDH certificates.
2455 * To add such support, one needs to add 2451 * To add such support, one needs to add
2456 * code that checks for appropriate 2452 * code that checks for appropriate
2457 * conditions and sets ecdh_clnt_cert to 1. 2453 * conditions and sets ecdh_clnt_cert to 1.
2458 * For example, the cert have an ECC 2454 * For example, the cert have an ECC
2459 * key on the same curve as the server's 2455 * key on the same curve as the server's
@@ -2561,7 +2557,7 @@ ssl3_send_client_key_exchange(SSL *s)
2561 2557
2562 /* generate master key from the result */ 2558 /* generate master key from the result */
2563 s->session->master_key_length = s->method->ssl3_enc \ 2559 s->session->master_key_length = s->method->ssl3_enc \
2564 -> generate_master_secret(s, 2560 -> generate_master_secret(s,
2565 s->session->master_key, p, n); 2561 s->session->master_key, p, n);
2566 2562
2567 memset(p, 0, n); /* clean up */ 2563 memset(p, 0, n); /* clean up */
@@ -2895,7 +2891,7 @@ ssl3_send_client_verify(SSL *s)
2895 } else { 2891 } else {
2896 ERR_clear_error(); 2892 ERR_clear_error();
2897 } 2893 }
2898 /* 2894 /*
2899 * For TLS v1.2 send signature algorithm and signature 2895 * For TLS v1.2 send signature algorithm and signature
2900 * using agreed digest and cached handshake records. 2896 * using agreed digest and cached handshake records.
2901 */ 2897 */
@@ -3024,9 +3020,10 @@ ssl3_send_client_certificate(SSL *s)
3024 3020
3025 /* We need to get a client cert */ 3021 /* We need to get a client cert */
3026 if (s->state == SSL3_ST_CW_CERT_B) { 3022 if (s->state == SSL3_ST_CW_CERT_B) {
3027 /* If we get an error, we need to 3023 /*
3024 * If we get an error, we need to
3028 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 3025 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
3029 * We then get retied later 3026 * We then get retied later
3030 */ 3027 */
3031 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3028 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3032 if (i < 0) { 3029 if (i < 0) {
@@ -3120,7 +3117,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
3120 SSL_R_BAD_ECC_CERT); 3117 SSL_R_BAD_ECC_CERT);
3121 goto f_err; 3118 goto f_err;
3122 } else { 3119 } else {
3123 return 1; 3120 return (1);
3124 } 3121 }
3125 } 3122 }
3126#endif 3123#endif
@@ -3221,7 +3218,7 @@ ssl3_send_next_proto(SSL *s)
3221 s->init_off = 0; 3218 s->init_off = 0;
3222 } 3219 }
3223 3220
3224 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3221 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3225} 3222}
3226#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 3223#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
3227 3224
@@ -3240,7 +3237,7 @@ ssl3_check_finished(SSL *s)
3240 3237
3241 /* If we have no ticket it cannot be a resumed session. */ 3238 /* If we have no ticket it cannot be a resumed session. */
3242 if (!s->session->tlsext_tick) 3239 if (!s->session->tlsext_tick)
3243 return 1; 3240 return (1);
3244 /* this function is called when we really expect a Certificate 3241 /* this function is called when we really expect a Certificate
3245 * message, so permit appropriate message length */ 3242 * message, so permit appropriate message length */
3246 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 3243 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
@@ -3250,9 +3247,9 @@ ssl3_check_finished(SSL *s)
3250 s->s3->tmp.reuse_message = 1; 3247 s->s3->tmp.reuse_message = 1;
3251 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) || 3248 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
3252 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3249 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3253 return 2; 3250 return (2);
3254 3251
3255 return 1; 3252 return (1);
3256} 3253}
3257#endif 3254#endif
3258 3255
@@ -3267,10 +3264,10 @@ ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3267 SSL_get_client_CA_list(s), 3264 SSL_get_client_CA_list(s),
3268 px509, ppkey, NULL, NULL, NULL); 3265 px509, ppkey, NULL, NULL, NULL);
3269 if (i != 0) 3266 if (i != 0)
3270 return i; 3267 return (i);
3271 } 3268 }
3272#endif 3269#endif
3273 if (s->ctx->client_cert_cb) 3270 if (s->ctx->client_cert_cb)
3274 i = s->ctx->client_cert_cb(s, px509, ppkey); 3271 i = s->ctx->client_cert_cb(s, px509, ppkey);
3275 return i; 3272 return (i};
3276} 3273}
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 28a3d51b9e..12ce8a1605 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -2962,9 +2962,9 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2962 break; 2962 break;
2963 case SSL_CTRL_NEED_TMP_RSA: 2963 case SSL_CTRL_NEED_TMP_RSA:
2964 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 2964 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
2965 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 2965 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
2966 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) 2966 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)
2967 > (512 / 8)))) 2967 > (512 / 8))))
2968 ret = 1; 2968 ret = 1;
2969 break; 2969 break;
2970 case SSL_CTRL_SET_TMP_RSA: 2970 case SSL_CTRL_SET_TMP_RSA:
@@ -3113,10 +3113,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
3113 } 3113 }
3114 if (s->tlsext_opaque_prf_input != NULL) 3114 if (s->tlsext_opaque_prf_input != NULL)
3115 free(s->tlsext_opaque_prf_input); 3115 free(s->tlsext_opaque_prf_input);
3116 if ((size_t)larg == 0) 3116 if ((size_t)larg == 0) {
3117 s->tlsext_opaque_prf_input = malloc(1); /* dummy byte just to get non-NULL */ 3117 /* dummy byte just to get non-NULL */
3118 else 3118 s->tlsext_opaque_prf_input = malloc(1);
3119 s->tlsext_opaque_prf_input = BUF_memdup(parg, (size_t)larg); 3119 } else
3120 s->tlsext_opaque_prf_input =
3121 BUF_memdup(parg, (size_t)larg);
3120 if (s->tlsext_opaque_prf_input != NULL) { 3122 if (s->tlsext_opaque_prf_input != NULL) {
3121 s->tlsext_opaque_prf_input_len = (size_t)larg; 3123 s->tlsext_opaque_prf_input_len = (size_t)larg;
3122 ret = 1; 3124 ret = 1;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index f3edcc2efb..6d8ccd66b7 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
@@ -111,7 +111,7 @@
111/* ==================================================================== 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * 113 *
114 * Portions of the attached software ("Contribution") are developed by 114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 * 116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source 117 * The Contribution is licensed pursuant to the OpenSSL open source
@@ -190,15 +190,17 @@ ssl_check_srp_ext_ClientHello(SSL *s, int *al)
190 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 190 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
191 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { 191 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
192 if (s->srp_ctx.login == NULL) { 192 if (s->srp_ctx.login == NULL) {
193 /* RFC 5054 says SHOULD reject, 193 /*
194 we do so if There is no srp login name */ 194 * RFC 5054 says SHOULD reject,
195 * we do so if There is no srp login name
196 */
195 ret = SSL3_AL_FATAL; 197 ret = SSL3_AL_FATAL;
196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 198 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
197 } else { 199 } else {
198 ret = SSL_srp_server_param_with_username(s, al); 200 ret = SSL_srp_server_param_with_username(s, al);
199 } 201 }
200 } 202 }
201 return ret; 203 return (ret);
202} 204}
203#endif 205#endif
204 206
@@ -228,7 +230,8 @@ ssl3_accept(SSL *s)
228 SSL_clear(s); 230 SSL_clear(s);
229 231
230 if (s->cert == NULL) { 232 if (s->cert == NULL) {
231 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET); 233 SSLerr(SSL_F_SSL3_ACCEPT,
234 SSL_R_NO_CERTIFICATE_SET);
232 return (-1); 235 return (-1);
233 } 236 }
234 237
@@ -250,8 +253,9 @@ ssl3_accept(SSL *s)
250 cb(s, SSL_CB_HANDSHAKE_START, 1); 253 cb(s, SSL_CB_HANDSHAKE_START, 1);
251 254
252 if ((s->version >> 8) != 3) { 255 if ((s->version >> 8) != 3) {
253 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 256 SSLerr(SSL_F_SSL3_ACCEPT,
254 return -1; 257 ERR_R_INTERNAL_ERROR);
258 return (-1);
255 } 259 }
256 s->type = SSL_ST_ACCEPT; 260 s->type = SSL_ST_ACCEPT;
257 261
@@ -342,7 +346,7 @@ ssl3_accept(SSL *s)
342 { 346 {
343 int al; 347 int al;
344 if ((ret = 348 if ((ret =
345 ssl_check_srp_ext_ClientHello(s, &al)) 349 ssl_check_srp_ext_ClientHello(s, &al))
346 < 0) { 350 < 0) {
347 /* 351 /*
348 * Callback indicates further work to 352 * Callback indicates further work to
@@ -531,7 +535,7 @@ ssl3_accept(SSL *s)
531 s->state = SSL3_ST_SW_SRVR_DONE_A; 535 s->state = SSL3_ST_SW_SRVR_DONE_A;
532 if (s->s3->handshake_buffer) 536 if (s->s3->handshake_buffer)
533 if (!ssl3_digest_cached_records(s)) 537 if (!ssl3_digest_cached_records(s))
534 return -1; 538 return (-1);
535 } else { 539 } else {
536 s->s3->tmp.cert_request = 1; 540 s->s3->tmp.cert_request = 1;
537 ret = ssl3_send_certificate_request(s); 541 ret = ssl3_send_certificate_request(s);
@@ -635,11 +639,11 @@ ssl3_accept(SSL *s)
635 if (!s->s3->handshake_buffer) { 639 if (!s->s3->handshake_buffer) {
636 SSLerr(SSL_F_SSL3_ACCEPT, 640 SSLerr(SSL_F_SSL3_ACCEPT,
637 ERR_R_INTERNAL_ERROR); 641 ERR_R_INTERNAL_ERROR);
638 return -1; 642 return (-1);
639 } 643 }
640 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 644 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
641 if (!ssl3_digest_cached_records(s)) 645 if (!ssl3_digest_cached_records(s))
642 return -1; 646 return (-1);
643 } else { 647 } else {
644 int offset = 0; 648 int offset = 0;
645 int dgst_num; 649 int dgst_num;
@@ -647,7 +651,7 @@ ssl3_accept(SSL *s)
647 s->state = SSL3_ST_SR_CERT_VRFY_A; 651 s->state = SSL3_ST_SR_CERT_VRFY_A;
648 s->init_num = 0; 652 s->init_num = 0;
649 653
650 /* 654 /*
651 * We need to get hashes here so if there is 655 * We need to get hashes here so if there is
652 * a client cert, it can be verified 656 * a client cert, it can be verified
653 * FIXME - digest processing for 657 * FIXME - digest processing for
@@ -656,7 +660,7 @@ ssl3_accept(SSL *s)
656 */ 660 */
657 if (s->s3->handshake_buffer) 661 if (s->s3->handshake_buffer)
658 if (!ssl3_digest_cached_records(s)) 662 if (!ssl3_digest_cached_records(s))
659 return -1; 663 return (-1);
660 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; 664 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
661 dgst_num++) 665 dgst_num++)
662 if (s->s3->handshake_dgst[dgst_num]) { 666 if (s->s3->handshake_dgst[dgst_num]) {
@@ -827,7 +831,8 @@ ssl3_accept(SSL *s)
827 /* break; */ 831 /* break; */
828 832
829 default: 833 default:
830 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE); 834 SSLerr(SSL_F_SSL3_ACCEPT,
835 SSL_R_UNKNOWN_STATE);
831 ret = -1; 836 ret = -1;
832 goto end; 837 goto end;
833 /* break; */ 838 /* break; */
@@ -903,7 +908,7 @@ ssl3_check_client_hello(SSL *s)
903 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { 908 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
904 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, 909 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
905 SSL_R_MULTIPLE_SGC_RESTARTS); 910 SSL_R_MULTIPLE_SGC_RESTARTS);
906 return -1; 911 return (-1);
907 } 912 }
908 /* 913 /*
909 * Throw away what we have done so far in the current handshake, 914 * Throw away what we have done so far in the current handshake,
@@ -923,9 +928,9 @@ ssl3_check_client_hello(SSL *s)
923 } 928 }
924#endif 929#endif
925 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 930 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
926 return 2; 931 return (2);
927 } 932 }
928 return 1; 933 return (1);
929} 934}
930 935
931int 936int
@@ -974,7 +979,8 @@ ssl3_get_client_hello(SSL *s)
974 979
975 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 980 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
976 (s->version != DTLS1_VERSION && s->client_version < s->version)) { 981 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
977 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 982 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
983 SSL_R_WRONG_VERSION_NUMBER);
978 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 984 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
979 !s->enc_write_ctx && !s->write_hash) { 985 !s->enc_write_ctx && !s->write_hash) {
980 /* 986 /*
@@ -999,7 +1005,7 @@ ssl3_get_client_hello(SSL *s)
999 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 1005 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
1000 1006
1001 if (cookie_length == 0) 1007 if (cookie_length == 0)
1002 return 1; 1008 return (1);
1003 } 1009 }
1004 1010
1005 /* load the client random */ 1011 /* load the client random */
@@ -1048,7 +1054,7 @@ ssl3_get_client_hello(SSL *s)
1048 /* cookie stuff */ 1054 /* cookie stuff */
1049 cookie_len = *(p++); 1055 cookie_len = *(p++);
1050 1056
1051 /* 1057 /*
1052 * The ClientHello may contain a cookie even if the 1058 * The ClientHello may contain a cookie even if the
1053 * HelloVerify message has not been sent--make sure that it 1059 * HelloVerify message has not been sent--make sure that it
1054 * does not cause an overflow. 1060 * does not cause an overflow.
@@ -1094,13 +1100,15 @@ ssl3_get_client_hello(SSL *s)
1094 if ((i == 0) && (j != 0)) { 1100 if ((i == 0) && (j != 0)) {
1095 /* we need a cipher if we are not resuming a session */ 1101 /* we need a cipher if we are not resuming a session */
1096 al = SSL_AD_ILLEGAL_PARAMETER; 1102 al = SSL_AD_ILLEGAL_PARAMETER;
1097 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); 1103 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1104 SSL_R_NO_CIPHERS_SPECIFIED);
1098 goto f_err; 1105 goto f_err;
1099 } 1106 }
1100 if ((p + i) >= (d + n)) { 1107 if ((p + i) >= (d + n)) {
1101 /* not enough data */ 1108 /* not enough data */
1102 al = SSL_AD_DECODE_ERROR; 1109 al = SSL_AD_DECODE_ERROR;
1103 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1110 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1111 SSL_R_LENGTH_MISMATCH);
1104 goto f_err; 1112 goto f_err;
1105 } 1113 }
1106 if ((i > 0) && 1114 if ((i > 0) &&
@@ -1143,7 +1151,8 @@ ssl3_get_client_hello(SSL *s)
1143 if ((p + i) > (d + n)) { 1151 if ((p + i) > (d + n)) {
1144 /* not enough data */ 1152 /* not enough data */
1145 al = SSL_AD_DECODE_ERROR; 1153 al = SSL_AD_DECODE_ERROR;
1146 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); 1154 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1155 SSL_R_LENGTH_MISMATCH);
1147 goto f_err; 1156 goto f_err;
1148 } 1157 }
1149 q = p; 1158 q = p;
@@ -1172,7 +1181,8 @@ ssl3_get_client_hello(SSL *s)
1172 } 1181 }
1173 } 1182 }
1174 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1183 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1175 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1184 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1185 SSL_R_CLIENTHELLO_TLSEXT);
1176 goto err; 1186 goto err;
1177 } 1187 }
1178 1188
@@ -1377,7 +1387,7 @@ ssl3_get_client_hello(SSL *s)
1377 } 1387 }
1378 1388
1379 /* 1389 /*
1380 * We now have the following setup. 1390 * We now have the following setup.
1381 * client_random 1391 * client_random
1382 * cipher_list - our prefered list of ciphers 1392 * cipher_list - our prefered list of ciphers
1383 * ciphers - the clients prefered list of ciphers 1393 * ciphers - the clients prefered list of ciphers
@@ -1422,7 +1432,7 @@ ssl3_send_server_hello(SSL *s)
1422#ifdef OPENSSL_NO_TLSEXT 1432#ifdef OPENSSL_NO_TLSEXT
1423 p = s->s3->server_random; 1433 p = s->s3->server_random;
1424 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1434 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1425 return -1; 1435 return (-1);
1426#endif 1436#endif
1427 /* Do the message type and length last */ 1437 /* Do the message type and length last */
1428 d = p= &(buf[4]); 1438 d = p= &(buf[4]);
@@ -1460,7 +1470,7 @@ ssl3_send_server_hello(SSL *s)
1460 if (sl > (int)sizeof(s->session->session_id)) { 1470 if (sl > (int)sizeof(s->session->session_id)) {
1461 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, 1471 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1462 ERR_R_INTERNAL_ERROR); 1472 ERR_R_INTERNAL_ERROR);
1463 return -1; 1473 return (-1);
1464 } 1474 }
1465 *(p++) = sl; 1475 *(p++) = sl;
1466 memcpy(p, s->session->session_id, sl); 1476 memcpy(p, s->session->session_id, sl);
@@ -1483,13 +1493,13 @@ ssl3_send_server_hello(SSL *s)
1483 if (ssl_prepare_serverhello_tlsext(s) <= 0) { 1493 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1484 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, 1494 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1485 SSL_R_SERVERHELLO_TLSEXT); 1495 SSL_R_SERVERHELLO_TLSEXT);
1486 return -1; 1496 return (-1);
1487 } 1497 }
1488 if ((p = ssl_add_serverhello_tlsext(s, p, 1498 if ((p = ssl_add_serverhello_tlsext(s, p,
1489 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { 1499 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1490 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, 1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1491 ERR_R_INTERNAL_ERROR); 1501 ERR_R_INTERNAL_ERROR);
1492 return -1; 1502 return (-1);
1493 } 1503 }
1494#endif 1504#endif
1495 /* do the header */ 1505 /* do the header */
@@ -1714,9 +1724,9 @@ ssl3_send_server_key_exchange(SSL *s)
1714 goto err; 1724 goto err;
1715 } 1725 }
1716 1726
1717 /* 1727 /*
1718 * XXX: For now, we only support ephemeral ECDH 1728 * XXX: For now, we only support ephemeral ECDH
1719 * keys over named (not generic) curves. For 1729 * keys over named (not generic) curves. For
1720 * supported named curves, curve_id is non-zero. 1730 * supported named curves, curve_id is non-zero.
1721 */ 1731 */
1722 if ((curve_id = tls1_ec_nid2curve_id( 1732 if ((curve_id = tls1_ec_nid2curve_id(
@@ -1726,7 +1736,7 @@ ssl3_send_server_key_exchange(SSL *s)
1726 goto err; 1736 goto err;
1727 } 1737 }
1728 1738
1729 /* 1739 /*
1730 * Encode the public key. 1740 * Encode the public key.
1731 * First check the size of encoding and 1741 * First check the size of encoding and
1732 * allocate memory accordingly. 1742 * allocate memory accordingly.
@@ -1760,12 +1770,12 @@ ssl3_send_server_key_exchange(SSL *s)
1760 BN_CTX_free(bn_ctx); 1770 BN_CTX_free(bn_ctx);
1761 bn_ctx = NULL; 1771 bn_ctx = NULL;
1762 1772
1763 /* 1773 /*
1764 * XXX: For now, we only support named (not 1774 * XXX: For now, we only support named (not
1765 * generic) curves in ECDH ephemeral key exchanges. 1775 * generic) curves in ECDH ephemeral key exchanges.
1766 * In this situation, we need four additional bytes 1776 * In this situation, we need four additional bytes
1767 * to encode the entire ServerECDHParams 1777 * to encode the entire ServerECDHParams
1768 * structure. 1778 * structure.
1769 */ 1779 */
1770 n = 4 + encodedlen; 1780 n = 4 + encodedlen;
1771 1781
@@ -1790,7 +1800,8 @@ ssl3_send_server_key_exchange(SSL *s)
1790 if (type & SSL_kSRP) { 1800 if (type & SSL_kSRP) {
1791 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) || 1801 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
1792 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { 1802 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1793 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM); 1803 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1804 SSL_R_MISSING_SRP_PARAM);
1794 goto err; 1805 goto err;
1795 } 1806 }
1796 r[0] = s->srp_ctx.N; 1807 r[0] = s->srp_ctx.N;
@@ -1801,7 +1812,8 @@ ssl3_send_server_key_exchange(SSL *s)
1801#endif 1812#endif
1802 { 1813 {
1803 al = SSL_AD_HANDSHAKE_FAILURE; 1814 al = SSL_AD_HANDSHAKE_FAILURE;
1804 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1815 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1816 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1805 goto f_err; 1817 goto f_err;
1806 } 1818 }
1807 for (i = 0; i < 4 && r[i] != NULL; i++) { 1819 for (i = 0; i < 4 && r[i] != NULL; i++) {
@@ -1922,7 +1934,7 @@ ssl3_send_server_key_exchange(SSL *s)
1922 n += u + 2; 1934 n += u + 2;
1923 } else 1935 } else
1924 if (md) { 1936 if (md) {
1925 /* 1937 /*
1926 * For TLS1.2 and later send signature 1938 * For TLS1.2 and later send signature
1927 * algorithm 1939 * algorithm
1928 */ 1940 */
@@ -2384,7 +2396,8 @@ ssl3_get_client_key_exchange(SSL *s)
2384 } 2396 }
2385 2397
2386 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) { 2398 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
2387 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2399 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2400 krb5rc);
2388 goto err; 2401 goto err;
2389 } 2402 }
2390 2403
@@ -2436,7 +2449,7 @@ ssl3_get_client_key_exchange(SSL *s)
2436 * instead of the protocol version. 2449 * instead of the protocol version.
2437 * 2450 *
2438 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such 2451 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2439 * clients. 2452 * clients.
2440 * (Perhaps we should have a separate BUG value for 2453 * (Perhaps we should have a separate BUG value for
2441 * the Kerberos cipher) 2454 * the Kerberos cipher)
2442 */ 2455 */
@@ -2463,7 +2476,7 @@ ssl3_get_client_key_exchange(SSL *s)
2463 } 2476 }
2464 2477
2465 2478
2466 /* 2479 /*
2467 * Was doing kssl_ctx_free() here, but it caused problems for 2480 * Was doing kssl_ctx_free() here, but it caused problems for
2468 * apache. 2481 * apache.
2469 * kssl_ctx = kssl_ctx_free(kssl_ctx); 2482 * kssl_ctx = kssl_ctx_free(kssl_ctx);
@@ -2528,13 +2541,13 @@ ssl3_get_client_key_exchange(SSL *s)
2528 if (((clnt_pub_pkey = X509_get_pubkey( 2541 if (((clnt_pub_pkey = X509_get_pubkey(
2529 s->session->peer)) == NULL) || 2542 s->session->peer)) == NULL) ||
2530 (clnt_pub_pkey->type != EVP_PKEY_EC)) { 2543 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2531 /* 2544 /*
2532 * XXX: For now, we do not support client 2545 * XXX: For now, we do not support client
2533 * authentication using ECDH certificates 2546 * authentication using ECDH certificates
2534 * so this branch (n == 0L) of the code is 2547 * so this branch (n == 0L) of the code is
2535 * never executed. When that support is 2548 * never executed. When that support is
2536 * added, we ought to ensure the key 2549 * added, we ought to ensure the key
2537 * received in the certificate is 2550 * received in the certificate is
2538 * authorized for key agreement. 2551 * authorized for key agreement.
2539 * ECDH_compute_key implicitly checks that 2552 * ECDH_compute_key implicitly checks that
2540 * the two ECDH shares are for the same 2553 * the two ECDH shares are for the same
@@ -2582,7 +2595,7 @@ ssl3_get_client_key_exchange(SSL *s)
2582 /* 2595 /*
2583 * p is pointing to somewhere in the buffer 2596 * p is pointing to somewhere in the buffer
2584 * currently, so set it to the start. 2597 * currently, so set it to the start.
2585 */ 2598 */
2586 p = (unsigned char *)s->init_buf->data; 2599 p = (unsigned char *)s->init_buf->data;
2587 } 2600 }
2588 2601
@@ -2808,7 +2821,7 @@ ssl3_get_client_key_exchange(SSL *s)
2808 EVP_PKEY_free(client_pub_pkey); 2821 EVP_PKEY_free(client_pub_pkey);
2809 EVP_PKEY_CTX_free(pkey_ctx); 2822 EVP_PKEY_CTX_free(pkey_ctx);
2810 if (ret) 2823 if (ret)
2811 return ret; 2824 return (ret);
2812 else 2825 else
2813 goto err; 2826 goto err;
2814 } else { 2827 } else {
@@ -2897,7 +2910,7 @@ ssl3_get_cert_verify(SSL *s)
2897 p = (unsigned char *)s->init_msg; 2910 p = (unsigned char *)s->init_msg;
2898 /* 2911 /*
2899 * Check for broken implementations of GOST ciphersuites. 2912 * Check for broken implementations of GOST ciphersuites.
2900 * 2913 *
2901 * If key is GOST and n is exactly 64, it is a bare 2914 * If key is GOST and n is exactly 64, it is a bare
2902 * signature without length field. 2915 * signature without length field.
2903 */ 2916 */
@@ -2946,7 +2959,8 @@ ssl3_get_cert_verify(SSL *s)
2946 } 2959 }
2947 j = EVP_PKEY_size(pkey); 2960 j = EVP_PKEY_size(pkey);
2948 if ((i > j) || (n > j) || (n <= 0)) { 2961 if ((i > j) || (n > j) || (n <= 0)) {
2949 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); 2962 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2963 SSL_R_WRONG_SIGNATURE_SIZE);
2950 al = SSL_AD_DECODE_ERROR; 2964 al = SSL_AD_DECODE_ERROR;
2951 goto f_err; 2965 goto f_err;
2952 } 2966 }
@@ -2967,14 +2981,16 @@ ssl3_get_cert_verify(SSL *s)
2967#endif 2981#endif
2968 if (!EVP_VerifyInit_ex(&mctx, md, NULL) || 2982 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
2969 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { 2983 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
2970 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 2984 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2985 ERR_R_EVP_LIB);
2971 al = SSL_AD_INTERNAL_ERROR; 2986 al = SSL_AD_INTERNAL_ERROR;
2972 goto f_err; 2987 goto f_err;
2973 } 2988 }
2974 2989
2975 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) { 2990 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) {
2976 al = SSL_AD_DECRYPT_ERROR; 2991 al = SSL_AD_DECRYPT_ERROR;
2977 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE); 2992 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2993 SSL_R_BAD_SIGNATURE);
2978 goto f_err; 2994 goto f_err;
2979 } 2995 }
2980 } else 2996 } else
@@ -3043,7 +3059,8 @@ ssl3_get_cert_verify(SSL *s)
3043 goto f_err; 3059 goto f_err;
3044 } 3060 }
3045 } else { 3061 } else {
3046 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3062 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3063 ERR_R_INTERNAL_ERROR);
3047 al = SSL_AD_UNSUPPORTED_CERTIFICATE; 3064 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3048 goto f_err; 3065 goto f_err;
3049 } 3066 }
@@ -3277,10 +3294,10 @@ ssl3_send_newsession_ticket(SSL *s)
3277 * too long 3294 * too long
3278 */ 3295 */
3279 if (slen_full > 0xFF00) 3296 if (slen_full > 0xFF00)
3280 return -1; 3297 return (-1);
3281 senc = malloc(slen_full); 3298 senc = malloc(slen_full);
3282 if (!senc) 3299 if (!senc)
3283 return -1; 3300 return (-1);
3284 p = senc; 3301 p = senc;
3285 i2d_SSL_SESSION(s->session, &p); 3302 i2d_SSL_SESSION(s->session, &p);
3286 3303
@@ -3292,7 +3309,7 @@ ssl3_send_newsession_ticket(SSL *s)
3292 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3309 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3293 if (sess == NULL) { 3310 if (sess == NULL) {
3294 free(senc); 3311 free(senc);
3295 return -1; 3312 return (-1);
3296 } 3313 }
3297 3314
3298 /* ID is irrelevant for the ticket */ 3315 /* ID is irrelevant for the ticket */
@@ -3302,13 +3319,13 @@ ssl3_send_newsession_ticket(SSL *s)
3302 if (slen > slen_full) { 3319 if (slen > slen_full) {
3303 /* shouldn't ever happen */ 3320 /* shouldn't ever happen */
3304 free(senc); 3321 free(senc);
3305 return -1; 3322 return (-1);
3306 } 3323 }
3307 p = senc; 3324 p = senc;
3308 i2d_SSL_SESSION(sess, &p); 3325 i2d_SSL_SESSION(sess, &p);
3309 SSL_SESSION_free(sess); 3326 SSL_SESSION_free(sess);
3310 3327
3311 /* 3328 /*
3312 * Grow buffer if need be: the length calculation is as 3329 * Grow buffer if need be: the length calculation is as
3313 * follows 1 (size of message name) + 3 (message length 3330 * follows 1 (size of message name) + 3 (message length
3314 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3331 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
@@ -3319,7 +3336,7 @@ ssl3_send_newsession_ticket(SSL *s)
3319 if (!BUF_MEM_grow(s->init_buf, 3336 if (!BUF_MEM_grow(s->init_buf,
3320 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3337 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3321 EVP_MAX_MD_SIZE + slen)) 3338 EVP_MAX_MD_SIZE + slen))
3322 return -1; 3339 return (-1);
3323 3340
3324 p = (unsigned char *)s->init_buf->data; 3341 p = (unsigned char *)s->init_buf->data;
3325 /* do the header */ 3342 /* do the header */
@@ -3337,7 +3354,7 @@ ssl3_send_newsession_ticket(SSL *s)
3337 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3354 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
3338 &hctx, 1) < 0) { 3355 &hctx, 1) < 0) {
3339 free(senc); 3356 free(senc);
3340 return -1; 3357 return (-1);
3341 } 3358 }
3342 } else { 3359 } else {
3343 RAND_pseudo_bytes(iv, 16); 3360 RAND_pseudo_bytes(iv, 16);
@@ -3409,7 +3426,7 @@ ssl3_send_cert_status(SSL *s)
3409 * + (ocsp response) 3426 * + (ocsp response)
3410 */ 3427 */
3411 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3428 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
3412 return -1; 3429 return (-1);
3413 3430
3414 p = (unsigned char *)s->init_buf->data; 3431 p = (unsigned char *)s->init_buf->data;
3415 3432
@@ -3453,7 +3470,7 @@ ssl3_get_next_proto(SSL *s)
3453 if (!s->s3->next_proto_neg_seen) { 3470 if (!s->s3->next_proto_neg_seen) {
3454 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, 3471 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3455 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); 3472 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3456 return -1; 3473 return (-1);
3457 } 3474 }
3458 3475
3459 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A, 3476 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
@@ -3470,11 +3487,11 @@ ssl3_get_next_proto(SSL *s)
3470 if (!s->s3->change_cipher_spec) { 3487 if (!s->s3->change_cipher_spec) {
3471 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, 3488 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3472 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); 3489 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3473 return -1; 3490 return (-1);
3474 } 3491 }
3475 3492
3476 if (n < 2) 3493 if (n < 2)
3477 return 0; 3494 return (0);
3478 /* The body must be > 1 bytes long */ 3495 /* The body must be > 1 bytes long */
3479 3496
3480 p = (unsigned char *)s->init_msg; 3497 p = (unsigned char *)s->init_msg;
@@ -3488,20 +3505,21 @@ ssl3_get_next_proto(SSL *s)
3488 */ 3505 */
3489 proto_len = p[0]; 3506 proto_len = p[0];
3490 if (proto_len + 2 > s->init_num) 3507 if (proto_len + 2 > s->init_num)
3491 return 0; 3508 return (0);
3492 padding_len = p[proto_len + 1]; 3509 padding_len = p[proto_len + 1];
3493 if (proto_len + padding_len + 2 != s->init_num) 3510 if (proto_len + padding_len + 2 != s->init_num)
3494 return 0; 3511 return (0);
3495 3512
3496 s->next_proto_negotiated = malloc(proto_len); 3513 s->next_proto_negotiated = malloc(proto_len);
3497 if (!s->next_proto_negotiated) { 3514 if (!s->next_proto_negotiated) {
3498 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); 3515 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3499 return 0; 3516 ERR_R_MALLOC_FAILURE);
3517 return (0);
3500 } 3518 }
3501 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3519 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3502 s->next_proto_negotiated_len = proto_len; 3520 s->next_proto_negotiated_len = proto_len;
3503 3521
3504 return 1; 3522 return (1);
3505} 3523}
3506# endif 3524# endif
3507#endif 3525#endif
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 830f574183..21a48da182 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -7,21 +7,21 @@
7 * This package is an SSL implementation written 7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com). 8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL. 9 * The implementation was written so as to conform with Netscapes SSL.
10 * 10 *
11 * This library is free for commercial and non-commercial use as long as 11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions 12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA, 13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms 15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 * 17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in 18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed. 19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution 20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used. 21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or 22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package. 23 * in documentation (online or textual) provided with the package.
24 * 24 *
25 * Redistribution and use in source and binary forms, with or without 25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions 26 * modification, are permitted provided that the following conditions
27 * are met: 27 * are met:
@@ -36,10 +36,10 @@
36 * Eric Young (eay@cryptsoft.com)" 36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library 37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-). 38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from 39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement: 40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 * 42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -51,7 +51,7 @@
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE. 53 * SUCH DAMAGE.
54 * 54 *
55 * The licence and distribution terms for any publically available version or 55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be 56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence 57 * copied and put under another distribution licence
@@ -65,7 +65,7 @@
65 * are met: 65 * are met:
66 * 66 *
67 * 1. Redistributions of source code must retain the above copyright 67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer. 68 * notice, this list of conditions and the following disclaimer.
69 * 69 *
70 * 2. Redistributions in binary form must reproduce the above copyright 70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in 71 * notice, this list of conditions and the following disclaimer in
@@ -112,7 +112,7 @@
112 */ 112 */
113/* ==================================================================== 113/* ====================================================================
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by 115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */ 117 */
118/* ==================================================================== 118/* ====================================================================
@@ -203,7 +203,7 @@ SSL_clear(SSL *s)
203 if (s->renegotiate) { 203 if (s->renegotiate) {
204 SSLerr(SSL_F_SSL_CLEAR, 204 SSLerr(SSL_F_SSL_CLEAR,
205 ERR_R_INTERNAL_ERROR); 205 ERR_R_INTERNAL_ERROR);
206 return 0; 206 return (0);
207 } 207 }
208 208
209 s->type = 0; 209 s->type = 0;
@@ -393,12 +393,12 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
393 if (sid_ctx_len > sizeof ctx->sid_ctx) { 393 if (sid_ctx_len > sizeof ctx->sid_ctx) {
394 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, 394 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
395 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 395 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
396 return 0; 396 return (0);
397 } 397 }
398 ctx->sid_ctx_length = sid_ctx_len; 398 ctx->sid_ctx_length = sid_ctx_len;
399 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); 399 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
400 400
401 return 1; 401 return (1);
402} 402}
403 403
404int 404int
@@ -407,13 +407,13 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
407{ 407{
408 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 408 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
409 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, 409 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
410 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 410 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
411 return 0; 411 return (0);
412 } 412 }
413 ssl->sid_ctx_length = sid_ctx_len; 413 ssl->sid_ctx_length = sid_ctx_len;
414 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); 414 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
415 415
416 return 1; 416 return (1);
417} 417}
418 418
419int 419int
@@ -422,7 +422,7 @@ SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
422 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 422 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
423 ctx->generate_session_id = cb; 423 ctx->generate_session_id = cb;
424 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 424 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
425 return 1; 425 return (1);
426} 426}
427 427
428int 428int
@@ -431,7 +431,7 @@ SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
431 CRYPTO_w_lock(CRYPTO_LOCK_SSL); 431 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
432 ssl->generate_session_id = cb; 432 ssl->generate_session_id = cb;
433 CRYPTO_w_unlock(CRYPTO_LOCK_SSL); 433 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
434 return 1; 434 return (1);
435} 435}
436 436
437int 437int
@@ -448,7 +448,7 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
448 SSL_SESSION r, *p; 448 SSL_SESSION r, *p;
449 449
450 if (id_len > sizeof r.session_id) 450 if (id_len > sizeof r.session_id)
451 return 0; 451 return (0);
452 452
453 r.ssl_version = ssl->version; 453 r.ssl_version = ssl->version;
454 r.session_id_length = id_len; 454 r.session_id_length = id_len;
@@ -463,37 +463,37 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
463int 463int
464SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 464SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
465{ 465{
466 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 466 return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
467} 467}
468 468
469int 469int
470SSL_set_purpose(SSL *s, int purpose) 470SSL_set_purpose(SSL *s, int purpose)
471{ 471{
472 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 472 return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
473} 473}
474 474
475int 475int
476SSL_CTX_set_trust(SSL_CTX *s, int trust) 476SSL_CTX_set_trust(SSL_CTX *s, int trust)
477{ 477{
478 return X509_VERIFY_PARAM_set_trust(s->param, trust); 478 return (X509_VERIFY_PARAM_set_trust(s->param, trust));
479} 479}
480 480
481int 481int
482SSL_set_trust(SSL *s, int trust) 482SSL_set_trust(SSL *s, int trust)
483{ 483{
484 return X509_VERIFY_PARAM_set_trust(s->param, trust); 484 return (X509_VERIFY_PARAM_set_trust(s->param, trust));
485} 485}
486 486
487int 487int
488SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) 488SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
489{ 489{
490 return X509_VERIFY_PARAM_set1(ctx->param, vpm); 490 return (X509_VERIFY_PARAM_set1(ctx->param, vpm));
491} 491}
492 492
493int 493int
494SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) 494SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
495{ 495{
496 return X509_VERIFY_PARAM_set1(ssl->param, vpm); 496 return (X509_VERIFY_PARAM_set1(ssl->param, vpm));
497} 497}
498 498
499void 499void
@@ -743,7 +743,7 @@ SSL_get_finished(const SSL *s, void *buf, size_t count)
743 count = ret; 743 count = ret;
744 memcpy(buf, s->s3->tmp.finish_md, count); 744 memcpy(buf, s->s3->tmp.finish_md, count);
745 } 745 }
746 return ret; 746 return (ret);
747} 747}
748 748
749/* return length of latest Finished message we expected, copy to 'buf' */ 749/* return length of latest Finished message we expected, copy to 'buf' */
@@ -758,7 +758,7 @@ SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
758 count = ret; 758 count = ret;
759 memcpy(buf, s->s3->tmp.peer_finish_md, count); 759 memcpy(buf, s->s3->tmp.peer_finish_md, count);
760 } 760 }
761 return ret; 761 return (ret);
762} 762}
763 763
764 764
@@ -771,10 +771,11 @@ SSL_get_verify_mode(const SSL *s)
771int 771int
772SSL_get_verify_depth(const SSL *s) 772SSL_get_verify_depth(const SSL *s)
773{ 773{
774 return X509_VERIFY_PARAM_get_depth(s->param); 774 return (X509_VERIFY_PARAM_get_depth(s->param));
775} 775}
776 776
777int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) 777int
778(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *)
778{ 779{
779 return (s->verify_callback); 780 return (s->verify_callback);
780} 781}
@@ -788,7 +789,7 @@ SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
788int 789int
789SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 790SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
790{ 791{
791 return X509_VERIFY_PARAM_get_depth(ctx->param); 792 return (X509_VERIFY_PARAM_get_depth(ctx->param));
792} 793}
793 794
794int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) 795int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *)
@@ -938,7 +939,7 @@ SSL_check_private_key(const SSL *ssl)
938 if (ssl->cert == NULL) { 939 if (ssl->cert == NULL) {
939 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, 940 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
940 SSL_R_NO_CERTIFICATE_ASSIGNED); 941 SSL_R_NO_CERTIFICATE_ASSIGNED);
941 return 0; 942 return (0);
942 } 943 }
943 if (ssl->cert->key->x509 == NULL) { 944 if (ssl->cert->key->x509 == NULL) {
944 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, 945 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
@@ -984,7 +985,7 @@ SSL_read(SSL *s, void *buf, int num)
984 if (s->handshake_func == 0) { 985 if (s->handshake_func == 0) {
985 SSLerr(SSL_F_SSL_READ, 986 SSLerr(SSL_F_SSL_READ,
986 SSL_R_UNINITIALIZED); 987 SSL_R_UNINITIALIZED);
987 return -1; 988 return (-1);
988 } 989 }
989 990
990 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 991 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
@@ -1000,7 +1001,7 @@ SSL_peek(SSL *s, void *buf, int num)
1000 if (s->handshake_func == 0) { 1001 if (s->handshake_func == 0) {
1001 SSLerr(SSL_F_SSL_PEEK, 1002 SSLerr(SSL_F_SSL_PEEK,
1002 SSL_R_UNINITIALIZED); 1003 SSL_R_UNINITIALIZED);
1003 return -1; 1004 return (-1);
1004 } 1005 }
1005 1006
1006 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1007 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
@@ -1015,7 +1016,7 @@ SSL_write(SSL *s, const void *buf, int num)
1015 if (s->handshake_func == 0) { 1016 if (s->handshake_func == 0) {
1016 SSLerr(SSL_F_SSL_WRITE, 1017 SSLerr(SSL_F_SSL_WRITE,
1017 SSL_R_UNINITIALIZED); 1018 SSL_R_UNINITIALIZED);
1018 return -1; 1019 return (-1);
1019 } 1020 }
1020 1021
1021 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1022 if (s->shutdown & SSL_SENT_SHUTDOWN) {
@@ -1040,7 +1041,7 @@ SSL_shutdown(SSL *s)
1040 if (s->handshake_func == 0) { 1041 if (s->handshake_func == 0) {
1041 SSLerr(SSL_F_SSL_SHUTDOWN, 1042 SSLerr(SSL_F_SSL_SHUTDOWN,
1042 SSL_R_UNINITIALIZED); 1043 SSL_R_UNINITIALIZED);
1043 return -1; 1044 return (-1);
1044 } 1045 }
1045 1046
1046 if ((s != NULL) && !SSL_in_init(s)) 1047 if ((s != NULL) && !SSL_in_init(s))
@@ -1096,7 +1097,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1096 1097
1097 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1098 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1098 s->msg_callback_arg = parg; 1099 s->msg_callback_arg = parg;
1099 return 1; 1100 return (1);
1100 1101
1101 case SSL_CTRL_OPTIONS: 1102 case SSL_CTRL_OPTIONS:
1102 return (s->options|=larg); 1103 return (s->options|=larg);
@@ -1115,24 +1116,24 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1115 case SSL_CTRL_SET_MTU: 1116 case SSL_CTRL_SET_MTU:
1116#ifndef OPENSSL_NO_DTLS1 1117#ifndef OPENSSL_NO_DTLS1
1117 if (larg < (long)dtls1_min_mtu()) 1118 if (larg < (long)dtls1_min_mtu())
1118 return 0; 1119 return (0);
1119#endif 1120#endif
1120 1121
1121 if (SSL_version(s) == DTLS1_VERSION || 1122 if (SSL_version(s) == DTLS1_VERSION ||
1122 SSL_version(s) == DTLS1_BAD_VER) { 1123 SSL_version(s) == DTLS1_BAD_VER) {
1123 s->d1->mtu = larg; 1124 s->d1->mtu = larg;
1124 return larg; 1125 return (larg);
1125 } 1126 }
1126 return 0; 1127 return (0);
1127 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 1128 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1128 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 1129 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1129 return 0; 1130 return (0);
1130 s->max_send_fragment = larg; 1131 s->max_send_fragment = larg;
1131 return 1; 1132 return (1);
1132 case SSL_CTRL_GET_RI_SUPPORT: 1133 case SSL_CTRL_GET_RI_SUPPORT:
1133 if (s->s3) 1134 if (s->s3)
1134 return s->s3->send_connection_binding; 1135 return (s->s3->send_connection_binding);
1135 else return 0; 1136 else return (0);
1136 default: 1137 default:
1137 return (s->method->ssl_ctrl(s, cmd, larg, parg)); 1138 return (s->method->ssl_ctrl(s, cmd, larg, parg));
1138 } 1139 }
@@ -1146,7 +1147,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1146 s->msg_callback = (void (*)(int write_p, int version, 1147 s->msg_callback = (void (*)(int write_p, int version,
1147 int content_type, const void *buf, size_t len, 1148 int content_type, const void *buf, size_t len,
1148 SSL *ssl, void *arg))(fp); 1149 SSL *ssl, void *arg))(fp);
1149 return 1; 1150 return (1);
1150 1151
1151 default: 1152 default:
1152 return (s->method->ssl_callback_ctrl(s, cmd, fp)); 1153 return (s->method->ssl_callback_ctrl(s, cmd, fp));
@@ -1156,7 +1157,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1156LHASH_OF(SSL_SESSION) * 1157LHASH_OF(SSL_SESSION) *
1157SSL_CTX_sessions(SSL_CTX *ctx) 1158SSL_CTX_sessions(SSL_CTX *ctx)
1158{ 1159{
1159 return ctx->sessions; 1160 return (ctx->sessions);
1160} 1161}
1161 1162
1162long 1163long
@@ -1174,7 +1175,7 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1174 1175
1175 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1176 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1176 ctx->msg_callback_arg = parg; 1177 ctx->msg_callback_arg = parg;
1177 return 1; 1178 return (1);
1178 1179
1179 case SSL_CTRL_GET_MAX_CERT_LIST: 1180 case SSL_CTRL_GET_MAX_CERT_LIST:
1180 return (ctx->max_cert_list); 1181 return (ctx->max_cert_list);
@@ -1230,9 +1231,9 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1230 return (ctx->mode&=~larg); 1231 return (ctx->mode&=~larg);
1231 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 1232 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1232 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 1233 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1233 return 0; 1234 return (0);
1234 ctx->max_send_fragment = larg; 1235 ctx->max_send_fragment = larg;
1235 return 1; 1236 return (1);
1236 default: 1237 default:
1237 return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); 1238 return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
1238 } 1239 }
@@ -1246,7 +1247,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1246 ctx->msg_callback = (void (*)(int write_p, int version, 1247 ctx->msg_callback = (void (*)(int write_p, int version,
1247 int content_type, const void *buf, size_t len, SSL *ssl, 1248 int content_type, const void *buf, size_t len, SSL *ssl,
1248 void *arg))(fp); 1249 void *arg))(fp);
1249 return 1; 1250 return (1);
1250 1251
1251 default: 1252 default:
1252 return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp)); 1253 return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp));
@@ -1339,7 +1340,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1339 1340
1340 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, 1341 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
1341 &ctx->cipher_list_by_id, str); 1342 &ctx->cipher_list_by_id, str);
1342 /* 1343 /*
1343 * ssl_create_cipher_list may return an empty stack if it 1344 * ssl_create_cipher_list may return an empty stack if it
1344 * was unable to find a cipher matching the given rule string 1345 * was unable to find a cipher matching the given rule string
1345 * (for example if the rule string specifies a cipher which 1346 * (for example if the rule string specifies a cipher which
@@ -1349,13 +1350,13 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1349 * updated. 1350 * updated.
1350 */ 1351 */
1351 if (sk == NULL) 1352 if (sk == NULL)
1352 return 0; 1353 return (0);
1353 else if (sk_SSL_CIPHER_num(sk) == 0) { 1354 else if (sk_SSL_CIPHER_num(sk) == 0) {
1354 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, 1355 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST,
1355 SSL_R_NO_CIPHER_MATCH); 1356 SSL_R_NO_CIPHER_MATCH);
1356 return 0; 1357 return (0);
1357 } 1358 }
1358 return 1; 1359 return (1);
1359} 1360}
1360 1361
1361/* Specify the ciphers to be used by the SSL. */ 1362/* Specify the ciphers to be used by the SSL. */
@@ -1368,13 +1369,13 @@ SSL_set_cipher_list(SSL *s, const char *str)
1368 &s->cipher_list_by_id, str); 1369 &s->cipher_list_by_id, str);
1369 /* see comment in SSL_CTX_set_cipher_list */ 1370 /* see comment in SSL_CTX_set_cipher_list */
1370 if (sk == NULL) 1371 if (sk == NULL)
1371 return 0; 1372 return (0);
1372 else if (sk_SSL_CIPHER_num(sk) == 0) { 1373 else if (sk_SSL_CIPHER_num(sk) == 0) {
1373 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, 1374 SSLerr(SSL_F_SSL_SET_CIPHER_LIST,
1374 SSL_R_NO_CIPHER_MATCH); 1375 SSL_R_NO_CIPHER_MATCH);
1375 return 0; 1376 return (0);
1376 } 1377 }
1377 return 1; 1378 return (1);
1378} 1379}
1379 1380
1380/* works well for SSLv2, not so good for SSLv3 */ 1381/* works well for SSLv2, not so good for SSLv3 */
@@ -1540,11 +1541,11 @@ const char *
1540SSL_get_servername(const SSL *s, const int type) 1541SSL_get_servername(const SSL *s, const int type)
1541{ 1542{
1542 if (type != TLSEXT_NAMETYPE_host_name) 1543 if (type != TLSEXT_NAMETYPE_host_name)
1543 return NULL; 1544 return (NULL);
1544 1545
1545 return s->session && !s->tlsext_hostname ? 1546 return (s->session && !s->tlsext_hostname ?
1546 s->session->tlsext_hostname : 1547 s->session->tlsext_hostname :
1547 s->tlsext_hostname; 1548 s->tlsext_hostname);
1548} 1549}
1549 1550
1550int 1551int
@@ -1553,8 +1554,8 @@ SSL_get_servername_type(const SSL *s)
1553 if (s->session && 1554 if (s->session &&
1554 (!s->tlsext_hostname ? 1555 (!s->tlsext_hostname ?
1555 s->session->tlsext_hostname : s->tlsext_hostname)) 1556 s->session->tlsext_hostname : s->tlsext_hostname))
1556 return TLSEXT_NAMETYPE_host_name; 1557 return (TLSEXT_NAMETYPE_host_name);
1557 return -1; 1558 return (-1);
1558} 1559}
1559 1560
1560# ifndef OPENSSL_NO_NEXTPROTONEG 1561# ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1626,7 +1627,7 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1626 found: 1627 found:
1627 *out = (unsigned char *) result + 1; 1628 *out = (unsigned char *) result + 1;
1628 *outlen = result[0]; 1629 *outlen = result[0];
1629 return status; 1630 return (status);
1630} 1631}
1631 1632
1632/* 1633/*
@@ -1697,10 +1698,10 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1697 int use_context) 1698 int use_context)
1698{ 1699{
1699 if (s->version < TLS1_VERSION) 1700 if (s->version < TLS1_VERSION)
1700 return -1; 1701 return (-1);
1701 1702
1702 return s->method->ssl3_enc->export_keying_material(s, out, olen, 1703 return (s->method->ssl3_enc->export_keying_material(s, out, olen,
1703 label, llen, p, plen, use_context); 1704 label, llen, p, plen, use_context));
1704} 1705}
1705 1706
1706static unsigned long 1707static unsigned long
@@ -2087,7 +2088,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2087 2088
2088 2089
2089#ifdef CIPHER_DEBUG 2090#ifdef CIPHER_DEBUG
2090 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 2091 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d "
2092 "rs=%d ds=%d dhr=%d dhd=%d\n",
2091 rsa_tmp, rsa_tmp_export, dh_tmp, have_ecdh_tmp, 2093 rsa_tmp, rsa_tmp_export, dh_tmp, have_ecdh_tmp,
2092 rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa); 2094 rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
2093#endif 2095#endif
@@ -2247,11 +2249,11 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2247 /* ECDH key length in export ciphers must be <= 163 bits */ 2249 /* ECDH key length in export ciphers must be <= 163 bits */
2248 pkey = X509_get_pubkey(x); 2250 pkey = X509_get_pubkey(x);
2249 if (pkey == NULL) 2251 if (pkey == NULL)
2250 return 0; 2252 return (0);
2251 keysize = EVP_PKEY_bits(pkey); 2253 keysize = EVP_PKEY_bits(pkey);
2252 EVP_PKEY_free(pkey); 2254 EVP_PKEY_free(pkey);
2253 if (keysize > 163) 2255 if (keysize > 163)
2254 return 0; 2256 return (0);
2255 } 2257 }
2256 2258
2257 /* This call populates the ex_flags field correctly */ 2259 /* This call populates the ex_flags field correctly */
@@ -2265,7 +2267,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2265 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) { 2267 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
2266 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2268 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2267 SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); 2269 SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2268 return 0; 2270 return (0);
2269 } 2271 }
2270 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < 2272 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
2271 TLS1_2_VERSION) { 2273 TLS1_2_VERSION) {
@@ -2273,7 +2275,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2273 if (pk_nid != NID_X9_62_id_ecPublicKey) { 2275 if (pk_nid != NID_X9_62_id_ecPublicKey) {
2274 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2276 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2275 SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); 2277 SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2276 return 0; 2278 return (0);
2277 } 2279 }
2278 } 2280 }
2279 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < 2281 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
@@ -2282,7 +2284,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2282 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { 2284 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
2283 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2285 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2284 SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); 2286 SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2285 return 0; 2287 return (0);
2286 } 2288 }
2287 } 2289 }
2288 } 2290 }
@@ -2291,11 +2293,11 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2291 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) { 2293 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
2292 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2294 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2293 SSL_R_ECC_CERT_NOT_FOR_SIGNING); 2295 SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2294 return 0; 2296 return (0);
2295 } 2297 }
2296 } 2298 }
2297 2299
2298 return 1; 2300 return (1);
2299 /* all checks are ok */ 2301 /* all checks are ok */
2300} 2302}
2301 2303
@@ -2355,7 +2357,7 @@ ssl_get_server_send_pkey(const SSL *s)
2355 return (NULL); 2357 return (NULL);
2356 } 2358 }
2357 2359
2358 return c->pkeys + i; 2360 return (c->pkeys + i);
2359} 2361}
2360 2362
2361X509 * 2363X509 *
@@ -2365,8 +2367,8 @@ ssl_get_server_send_cert(const SSL *s)
2365 2367
2366 cpk = ssl_get_server_send_pkey(s); 2368 cpk = ssl_get_server_send_pkey(s);
2367 if (!cpk) 2369 if (!cpk)
2368 return NULL; 2370 return (NULL);
2369 return cpk->x509; 2371 return (cpk->x509);
2370} 2372}
2371 2373
2372EVP_PKEY * 2374EVP_PKEY *
@@ -2397,7 +2399,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
2397 } 2399 }
2398 if (pmd) 2400 if (pmd)
2399 *pmd = c->pkeys[idx].digest; 2401 *pmd = c->pkeys[idx].digest;
2400 return c->pkeys[idx].privatekey; 2402 return (c->pkeys[idx].privatekey);
2401} 2403}
2402 2404
2403void 2405void
@@ -2506,7 +2508,7 @@ SSL_get_error(const SSL *s, int i)
2506 else if (reason == BIO_RR_ACCEPT) 2508 else if (reason == BIO_RR_ACCEPT)
2507 return (SSL_ERROR_WANT_ACCEPT); 2509 return (SSL_ERROR_WANT_ACCEPT);
2508 else 2510 else
2509 return(SSL_ERROR_SYSCALL); /* unknown */ 2511 return (SSL_ERROR_SYSCALL); /* unknown */
2510 } 2512 }
2511 } 2513 }
2512 2514
@@ -2514,13 +2516,13 @@ SSL_get_error(const SSL *s, int i)
2514 bio = SSL_get_wbio(s); 2516 bio = SSL_get_wbio(s);
2515 if (BIO_should_write(bio)) 2517 if (BIO_should_write(bio))
2516 return (SSL_ERROR_WANT_WRITE); 2518 return (SSL_ERROR_WANT_WRITE);
2517 else if (BIO_should_read(bio)) 2519 else if (BIO_should_read(bio)) {
2518 return (SSL_ERROR_WANT_READ);
2519 /* 2520 /*
2520 * See above (SSL_want_read(s) with 2521 * See above (SSL_want_read(s) with
2521 * BIO_should_write(bio)) 2522 * BIO_should_write(bio))
2522 */ 2523 */
2523 else if (BIO_should_io_special(bio)) { 2524 return (SSL_ERROR_WANT_READ);
2525 } else if (BIO_should_io_special(bio)) {
2524 reason = BIO_get_retry_reason(bio); 2526 reason = BIO_get_retry_reason(bio);
2525 if (reason == BIO_RR_CONNECT) 2527 if (reason == BIO_RR_CONNECT)
2526 return (SSL_ERROR_WANT_CONNECT); 2528 return (SSL_ERROR_WANT_CONNECT);
@@ -2561,7 +2563,7 @@ SSL_do_handshake(SSL *s)
2561 return (ret); 2563 return (ret);
2562} 2564}
2563 2565
2564/* 2566/*
2565 * For the next 2 functions, SSL_clear() sets shutdown and so 2567 * For the next 2 functions, SSL_clear() sets shutdown and so
2566 * one of these calls will reset it 2568 * one of these calls will reset it
2567 */ 2569 */
@@ -2627,15 +2629,15 @@ const char *
2627SSL_get_version(const SSL *s) 2629SSL_get_version(const SSL *s)
2628{ 2630{
2629 if (s->version == TLS1_2_VERSION) 2631 if (s->version == TLS1_2_VERSION)
2630 return("TLSv1.2"); 2632 return ("TLSv1.2");
2631 else if (s->version == TLS1_1_VERSION) 2633 else if (s->version == TLS1_1_VERSION)
2632 return("TLSv1.1"); 2634 return ("TLSv1.1");
2633 else if (s->version == TLS1_VERSION) 2635 else if (s->version == TLS1_VERSION)
2634 return("TLSv1"); 2636 return ("TLSv1");
2635 else if (s->version == SSL3_VERSION) 2637 else if (s->version == SSL3_VERSION)
2636 return("SSLv3"); 2638 return ("SSLv3");
2637 else 2639 else
2638 return("unknown"); 2640 return ("unknown");
2639} 2641}
2640 2642
2641SSL * 2643SSL *
@@ -2722,14 +2724,14 @@ SSL_dup(SSL *s)
2722 ret->quiet_shutdown = s->quiet_shutdown; 2724 ret->quiet_shutdown = s->quiet_shutdown;
2723 ret->shutdown = s->shutdown; 2725 ret->shutdown = s->shutdown;
2724 /* SSL_dup does not really work at any state, though */ 2726 /* SSL_dup does not really work at any state, though */
2725 ret->state=s->state; 2727 ret->state=s->state;
2726 ret->rstate = s->rstate; 2728 ret->rstate = s->rstate;
2727 2729
2728 /* 2730 /*
2729 * Would have to copy ret->init_buf, ret->init_msg, ret->init_num, 2731 * Would have to copy ret->init_buf, ret->init_msg, ret->init_num,
2730 * ret->init_off 2732 * ret->init_off
2731 */ 2733 */
2732 ret->init_num = 0; 2734 ret->init_num = 0;
2733 2735
2734 ret->hit = s->hit; 2736 ret->hit = s->hit;
2735 2737
@@ -2741,10 +2743,11 @@ SSL_dup(SSL *s)
2741 sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 2743 sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2742 goto err; 2744 goto err;
2743 } 2745 }
2744 if (s->cipher_list_by_id != NULL) 2746 if (s->cipher_list_by_id != NULL) {
2745 if ((ret->cipher_list_by_id = 2747 if ((ret->cipher_list_by_id =
2746 sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL) 2748 sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL)
2747 goto err; 2749 goto err;
2750 }
2748 2751
2749 /* Dup the client_CA list */ 2752 /* Dup the client_CA list */
2750 if (s->client_CA != NULL) { 2753 if (s->client_CA != NULL) {
@@ -2825,13 +2828,13 @@ SSL_get_current_cipher(const SSL *s)
2825const void * 2828const void *
2826SSL_get_current_compression(SSL *s) 2829SSL_get_current_compression(SSL *s)
2827{ 2830{
2828 return NULL; 2831 return (NULL);
2829} 2832}
2830 2833
2831const void * 2834const void *
2832SSL_get_current_expansion(SSL *s) 2835SSL_get_current_expansion(SSL *s)
2833{ 2836{
2834 return NULL; 2837 return (NULL);
2835} 2838}
2836#else 2839#else
2837 2840
@@ -2950,7 +2953,7 @@ SSL_CTX *
2950SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) 2953SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2951{ 2954{
2952 if (ssl->ctx == ctx) 2955 if (ssl->ctx == ctx)
2953 return ssl->ctx; 2956 return (ssl->ctx);
2954#ifndef OPENSSL_NO_TLSEXT 2957#ifndef OPENSSL_NO_TLSEXT
2955 if (ctx == NULL) 2958 if (ctx == NULL)
2956 ctx = ssl->initial_ctx; 2959 ctx = ssl->initial_ctx;
@@ -2993,7 +2996,7 @@ SSL_set_info_callback(SSL *ssl,
2993 */ 2996 */
2994void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) 2997void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2995{ 2998{
2996 return ssl->info_callback; 2999 return (ssl->info_callback);
2997} 3000}
2998 3001
2999int 3002int
@@ -3024,8 +3027,8 @@ int
3024SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 3027SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3025 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 3028 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3026{ 3029{
3027 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, 3030 return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
3028 new_func, dup_func, free_func); 3031 new_func, dup_func, free_func));
3029} 3032}
3030 3033
3031int 3034int
@@ -3044,8 +3047,8 @@ int
3044SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 3047SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3045 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 3048 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3046{ 3049{
3047 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, 3050 return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
3048 new_func, dup_func, free_func); 3051 new_func, dup_func, free_func));
3049} 3052}
3050 3053
3051int 3054int
@@ -3171,50 +3174,50 @@ SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
3171 PSK_MAX_IDENTITY_LEN) { 3174 PSK_MAX_IDENTITY_LEN) {
3172 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, 3175 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT,
3173 SSL_R_DATA_LENGTH_TOO_LONG); 3176 SSL_R_DATA_LENGTH_TOO_LONG);
3174 return 0; 3177 return (0);
3175 } 3178 }
3176 if (ctx->psk_identity_hint != NULL) 3179 if (ctx->psk_identity_hint != NULL)
3177 free(ctx->psk_identity_hint); 3180 free(ctx->psk_identity_hint);
3178 if (identity_hint != NULL) { 3181 if (identity_hint != NULL) {
3179 ctx->psk_identity_hint = BUF_strdup(identity_hint); 3182 ctx->psk_identity_hint = BUF_strdup(identity_hint);
3180 if (ctx->psk_identity_hint == NULL) 3183 if (ctx->psk_identity_hint == NULL)
3181 return 0; 3184 return (0);
3182 } else 3185 } else
3183 ctx->psk_identity_hint = NULL; 3186 ctx->psk_identity_hint = NULL;
3184 return 1; 3187 return (1);
3185} 3188}
3186 3189
3187int 3190int
3188SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) 3191SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
3189{ 3192{
3190 if (s == NULL) 3193 if (s == NULL)
3191 return 0; 3194 return (0);
3192 3195
3193 if (s->session == NULL) 3196 if (s->session == NULL)
3194 return 1; /* session not created yet, ignored */ 3197 return (1); /* session not created yet, ignored */
3195 3198
3196 if (identity_hint != NULL && strlen(identity_hint) > 3199 if (identity_hint != NULL && strlen(identity_hint) >
3197 PSK_MAX_IDENTITY_LEN) { 3200 PSK_MAX_IDENTITY_LEN) {
3198 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, 3201 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT,
3199 SSL_R_DATA_LENGTH_TOO_LONG); 3202 SSL_R_DATA_LENGTH_TOO_LONG);
3200 return 0; 3203 return (0);
3201 } 3204 }
3202 if (s->session->psk_identity_hint != NULL) 3205 if (s->session->psk_identity_hint != NULL)
3203 free(s->session->psk_identity_hint); 3206 free(s->session->psk_identity_hint);
3204 if (identity_hint != NULL) { 3207 if (identity_hint != NULL) {
3205 s->session->psk_identity_hint = BUF_strdup(identity_hint); 3208 s->session->psk_identity_hint = BUF_strdup(identity_hint);
3206 if (s->session->psk_identity_hint == NULL) 3209 if (s->session->psk_identity_hint == NULL)
3207 return 0; 3210 return (0);
3208 } else 3211 } else
3209 s->session->psk_identity_hint = NULL; 3212 s->session->psk_identity_hint = NULL;
3210 return 1; 3213 return (1);
3211} 3214}
3212 3215
3213const char * 3216const char *
3214SSL_get_psk_identity_hint(const SSL *s) 3217SSL_get_psk_identity_hint(const SSL *s)
3215{ 3218{
3216 if (s == NULL || s->session == NULL) 3219 if (s == NULL || s->session == NULL)
3217 return NULL; 3220 return (NULL);
3218 return (s->session->psk_identity_hint); 3221 return (s->session->psk_identity_hint);
3219} 3222}
3220 3223
@@ -3222,7 +3225,7 @@ const char *
3222SSL_get_psk_identity(const SSL *s) 3225SSL_get_psk_identity(const SSL *s)
3223{ 3226{
3224 if (s == NULL || s->session == NULL) 3227 if (s == NULL || s->session == NULL)
3225 return NULL; 3228 return (NULL);
3226 return (s->session->psk_identity); 3229 return (s->session->psk_identity);
3227} 3230}
3228 3231
@@ -3289,7 +3292,7 @@ ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
3289 *hash = EVP_MD_CTX_create(); 3292 *hash = EVP_MD_CTX_create();
3290 if (md) 3293 if (md)
3291 EVP_DigestInit_ex(*hash, md, NULL); 3294 EVP_DigestInit_ex(*hash, md, NULL);
3292 return *hash; 3295 return (*hash);
3293} 3296}
3294 3297
3295void 3298void
@@ -3309,7 +3312,7 @@ SSL_set_debug(SSL *s, int debug)
3309int 3312int
3310SSL_cache_hit(SSL *s) 3313SSL_cache_hit(SSL *s)
3311{ 3314{
3312 return s->hit; 3315 return (s->hit);
3313} 3316}
3314 3317
3315IMPLEMENT_STACK_OF(SSL_CIPHER) 3318IMPLEMENT_STACK_OF(SSL_CIPHER)
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 830f574183..21a48da182 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -7,21 +7,21 @@
7 * This package is an SSL implementation written 7 * This package is an SSL implementation written
8 * by Eric Young (eay@cryptsoft.com). 8 * by Eric Young (eay@cryptsoft.com).
9 * The implementation was written so as to conform with Netscapes SSL. 9 * The implementation was written so as to conform with Netscapes SSL.
10 * 10 *
11 * This library is free for commercial and non-commercial use as long as 11 * This library is free for commercial and non-commercial use as long as
12 * the following conditions are aheared to. The following conditions 12 * the following conditions are aheared to. The following conditions
13 * apply to all code found in this distribution, be it the RC4, RSA, 13 * apply to all code found in this distribution, be it the RC4, RSA,
14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 14 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
15 * included with this distribution is covered by the same copyright terms 15 * included with this distribution is covered by the same copyright terms
16 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 16 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
17 * 17 *
18 * Copyright remains Eric Young's, and as such any Copyright notices in 18 * Copyright remains Eric Young's, and as such any Copyright notices in
19 * the code are not to be removed. 19 * the code are not to be removed.
20 * If this package is used in a product, Eric Young should be given attribution 20 * If this package is used in a product, Eric Young should be given attribution
21 * as the author of the parts of the library used. 21 * as the author of the parts of the library used.
22 * This can be in the form of a textual message at program startup or 22 * This can be in the form of a textual message at program startup or
23 * in documentation (online or textual) provided with the package. 23 * in documentation (online or textual) provided with the package.
24 * 24 *
25 * Redistribution and use in source and binary forms, with or without 25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions 26 * modification, are permitted provided that the following conditions
27 * are met: 27 * are met:
@@ -36,10 +36,10 @@
36 * Eric Young (eay@cryptsoft.com)" 36 * Eric Young (eay@cryptsoft.com)"
37 * The word 'cryptographic' can be left out if the rouines from the library 37 * The word 'cryptographic' can be left out if the rouines from the library
38 * being used are not cryptographic related :-). 38 * being used are not cryptographic related :-).
39 * 4. If you include any Windows specific code (or a derivative thereof) from 39 * 4. If you include any Windows specific code (or a derivative thereof) from
40 * the apps directory (application code) you must include an acknowledgement: 40 * the apps directory (application code) you must include an acknowledgement:
41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 41 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
42 * 42 *
43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 43 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -51,7 +51,7 @@
51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * SUCH DAMAGE. 53 * SUCH DAMAGE.
54 * 54 *
55 * The licence and distribution terms for any publically available version or 55 * The licence and distribution terms for any publically available version or
56 * derivative of this code cannot be changed. i.e. this code cannot simply be 56 * derivative of this code cannot be changed. i.e. this code cannot simply be
57 * copied and put under another distribution licence 57 * copied and put under another distribution licence
@@ -65,7 +65,7 @@
65 * are met: 65 * are met:
66 * 66 *
67 * 1. Redistributions of source code must retain the above copyright 67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer. 68 * notice, this list of conditions and the following disclaimer.
69 * 69 *
70 * 2. Redistributions in binary form must reproduce the above copyright 70 * 2. Redistributions in binary form must reproduce the above copyright
71 * notice, this list of conditions and the following disclaimer in 71 * notice, this list of conditions and the following disclaimer in
@@ -112,7 +112,7 @@
112 */ 112 */
113/* ==================================================================== 113/* ====================================================================
114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 114 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
115 * ECC cipher suite support in OpenSSL originally developed by 115 * ECC cipher suite support in OpenSSL originally developed by
116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 116 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
117 */ 117 */
118/* ==================================================================== 118/* ====================================================================
@@ -203,7 +203,7 @@ SSL_clear(SSL *s)
203 if (s->renegotiate) { 203 if (s->renegotiate) {
204 SSLerr(SSL_F_SSL_CLEAR, 204 SSLerr(SSL_F_SSL_CLEAR,
205 ERR_R_INTERNAL_ERROR); 205 ERR_R_INTERNAL_ERROR);
206 return 0; 206 return (0);
207 } 207 }
208 208
209 s->type = 0; 209 s->type = 0;
@@ -393,12 +393,12 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
393 if (sid_ctx_len > sizeof ctx->sid_ctx) { 393 if (sid_ctx_len > sizeof ctx->sid_ctx) {
394 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, 394 SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
395 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 395 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
396 return 0; 396 return (0);
397 } 397 }
398 ctx->sid_ctx_length = sid_ctx_len; 398 ctx->sid_ctx_length = sid_ctx_len;
399 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); 399 memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
400 400
401 return 1; 401 return (1);
402} 402}
403 403
404int 404int
@@ -407,13 +407,13 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
407{ 407{
408 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { 408 if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
409 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, 409 SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
410 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); 410 SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
411 return 0; 411 return (0);
412 } 412 }
413 ssl->sid_ctx_length = sid_ctx_len; 413 ssl->sid_ctx_length = sid_ctx_len;
414 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); 414 memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
415 415
416 return 1; 416 return (1);
417} 417}
418 418
419int 419int
@@ -422,7 +422,7 @@ SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
422 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 422 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
423 ctx->generate_session_id = cb; 423 ctx->generate_session_id = cb;
424 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 424 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
425 return 1; 425 return (1);
426} 426}
427 427
428int 428int
@@ -431,7 +431,7 @@ SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
431 CRYPTO_w_lock(CRYPTO_LOCK_SSL); 431 CRYPTO_w_lock(CRYPTO_LOCK_SSL);
432 ssl->generate_session_id = cb; 432 ssl->generate_session_id = cb;
433 CRYPTO_w_unlock(CRYPTO_LOCK_SSL); 433 CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
434 return 1; 434 return (1);
435} 435}
436 436
437int 437int
@@ -448,7 +448,7 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
448 SSL_SESSION r, *p; 448 SSL_SESSION r, *p;
449 449
450 if (id_len > sizeof r.session_id) 450 if (id_len > sizeof r.session_id)
451 return 0; 451 return (0);
452 452
453 r.ssl_version = ssl->version; 453 r.ssl_version = ssl->version;
454 r.session_id_length = id_len; 454 r.session_id_length = id_len;
@@ -463,37 +463,37 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
463int 463int
464SSL_CTX_set_purpose(SSL_CTX *s, int purpose) 464SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
465{ 465{
466 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 466 return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
467} 467}
468 468
469int 469int
470SSL_set_purpose(SSL *s, int purpose) 470SSL_set_purpose(SSL *s, int purpose)
471{ 471{
472 return X509_VERIFY_PARAM_set_purpose(s->param, purpose); 472 return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
473} 473}
474 474
475int 475int
476SSL_CTX_set_trust(SSL_CTX *s, int trust) 476SSL_CTX_set_trust(SSL_CTX *s, int trust)
477{ 477{
478 return X509_VERIFY_PARAM_set_trust(s->param, trust); 478 return (X509_VERIFY_PARAM_set_trust(s->param, trust));
479} 479}
480 480
481int 481int
482SSL_set_trust(SSL *s, int trust) 482SSL_set_trust(SSL *s, int trust)
483{ 483{
484 return X509_VERIFY_PARAM_set_trust(s->param, trust); 484 return (X509_VERIFY_PARAM_set_trust(s->param, trust));
485} 485}
486 486
487int 487int
488SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) 488SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
489{ 489{
490 return X509_VERIFY_PARAM_set1(ctx->param, vpm); 490 return (X509_VERIFY_PARAM_set1(ctx->param, vpm));
491} 491}
492 492
493int 493int
494SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) 494SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
495{ 495{
496 return X509_VERIFY_PARAM_set1(ssl->param, vpm); 496 return (X509_VERIFY_PARAM_set1(ssl->param, vpm));
497} 497}
498 498
499void 499void
@@ -743,7 +743,7 @@ SSL_get_finished(const SSL *s, void *buf, size_t count)
743 count = ret; 743 count = ret;
744 memcpy(buf, s->s3->tmp.finish_md, count); 744 memcpy(buf, s->s3->tmp.finish_md, count);
745 } 745 }
746 return ret; 746 return (ret);
747} 747}
748 748
749/* return length of latest Finished message we expected, copy to 'buf' */ 749/* return length of latest Finished message we expected, copy to 'buf' */
@@ -758,7 +758,7 @@ SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
758 count = ret; 758 count = ret;
759 memcpy(buf, s->s3->tmp.peer_finish_md, count); 759 memcpy(buf, s->s3->tmp.peer_finish_md, count);
760 } 760 }
761 return ret; 761 return (ret);
762} 762}
763 763
764 764
@@ -771,10 +771,11 @@ SSL_get_verify_mode(const SSL *s)
771int 771int
772SSL_get_verify_depth(const SSL *s) 772SSL_get_verify_depth(const SSL *s)
773{ 773{
774 return X509_VERIFY_PARAM_get_depth(s->param); 774 return (X509_VERIFY_PARAM_get_depth(s->param));
775} 775}
776 776
777int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) 777int
778(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *)
778{ 779{
779 return (s->verify_callback); 780 return (s->verify_callback);
780} 781}
@@ -788,7 +789,7 @@ SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
788int 789int
789SSL_CTX_get_verify_depth(const SSL_CTX *ctx) 790SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
790{ 791{
791 return X509_VERIFY_PARAM_get_depth(ctx->param); 792 return (X509_VERIFY_PARAM_get_depth(ctx->param));
792} 793}
793 794
794int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) 795int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *)
@@ -938,7 +939,7 @@ SSL_check_private_key(const SSL *ssl)
938 if (ssl->cert == NULL) { 939 if (ssl->cert == NULL) {
939 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, 940 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
940 SSL_R_NO_CERTIFICATE_ASSIGNED); 941 SSL_R_NO_CERTIFICATE_ASSIGNED);
941 return 0; 942 return (0);
942 } 943 }
943 if (ssl->cert->key->x509 == NULL) { 944 if (ssl->cert->key->x509 == NULL) {
944 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, 945 SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
@@ -984,7 +985,7 @@ SSL_read(SSL *s, void *buf, int num)
984 if (s->handshake_func == 0) { 985 if (s->handshake_func == 0) {
985 SSLerr(SSL_F_SSL_READ, 986 SSLerr(SSL_F_SSL_READ,
986 SSL_R_UNINITIALIZED); 987 SSL_R_UNINITIALIZED);
987 return -1; 988 return (-1);
988 } 989 }
989 990
990 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 991 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
@@ -1000,7 +1001,7 @@ SSL_peek(SSL *s, void *buf, int num)
1000 if (s->handshake_func == 0) { 1001 if (s->handshake_func == 0) {
1001 SSLerr(SSL_F_SSL_PEEK, 1002 SSLerr(SSL_F_SSL_PEEK,
1002 SSL_R_UNINITIALIZED); 1003 SSL_R_UNINITIALIZED);
1003 return -1; 1004 return (-1);
1004 } 1005 }
1005 1006
1006 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 1007 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
@@ -1015,7 +1016,7 @@ SSL_write(SSL *s, const void *buf, int num)
1015 if (s->handshake_func == 0) { 1016 if (s->handshake_func == 0) {
1016 SSLerr(SSL_F_SSL_WRITE, 1017 SSLerr(SSL_F_SSL_WRITE,
1017 SSL_R_UNINITIALIZED); 1018 SSL_R_UNINITIALIZED);
1018 return -1; 1019 return (-1);
1019 } 1020 }
1020 1021
1021 if (s->shutdown & SSL_SENT_SHUTDOWN) { 1022 if (s->shutdown & SSL_SENT_SHUTDOWN) {
@@ -1040,7 +1041,7 @@ SSL_shutdown(SSL *s)
1040 if (s->handshake_func == 0) { 1041 if (s->handshake_func == 0) {
1041 SSLerr(SSL_F_SSL_SHUTDOWN, 1042 SSLerr(SSL_F_SSL_SHUTDOWN,
1042 SSL_R_UNINITIALIZED); 1043 SSL_R_UNINITIALIZED);
1043 return -1; 1044 return (-1);
1044 } 1045 }
1045 1046
1046 if ((s != NULL) && !SSL_in_init(s)) 1047 if ((s != NULL) && !SSL_in_init(s))
@@ -1096,7 +1097,7 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1096 1097
1097 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1098 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1098 s->msg_callback_arg = parg; 1099 s->msg_callback_arg = parg;
1099 return 1; 1100 return (1);
1100 1101
1101 case SSL_CTRL_OPTIONS: 1102 case SSL_CTRL_OPTIONS:
1102 return (s->options|=larg); 1103 return (s->options|=larg);
@@ -1115,24 +1116,24 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
1115 case SSL_CTRL_SET_MTU: 1116 case SSL_CTRL_SET_MTU:
1116#ifndef OPENSSL_NO_DTLS1 1117#ifndef OPENSSL_NO_DTLS1
1117 if (larg < (long)dtls1_min_mtu()) 1118 if (larg < (long)dtls1_min_mtu())
1118 return 0; 1119 return (0);
1119#endif 1120#endif
1120 1121
1121 if (SSL_version(s) == DTLS1_VERSION || 1122 if (SSL_version(s) == DTLS1_VERSION ||
1122 SSL_version(s) == DTLS1_BAD_VER) { 1123 SSL_version(s) == DTLS1_BAD_VER) {
1123 s->d1->mtu = larg; 1124 s->d1->mtu = larg;
1124 return larg; 1125 return (larg);
1125 } 1126 }
1126 return 0; 1127 return (0);
1127 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 1128 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1128 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 1129 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1129 return 0; 1130 return (0);
1130 s->max_send_fragment = larg; 1131 s->max_send_fragment = larg;
1131 return 1; 1132 return (1);
1132 case SSL_CTRL_GET_RI_SUPPORT: 1133 case SSL_CTRL_GET_RI_SUPPORT:
1133 if (s->s3) 1134 if (s->s3)
1134 return s->s3->send_connection_binding; 1135 return (s->s3->send_connection_binding);
1135 else return 0; 1136 else return (0);
1136 default: 1137 default:
1137 return (s->method->ssl_ctrl(s, cmd, larg, parg)); 1138 return (s->method->ssl_ctrl(s, cmd, larg, parg));
1138 } 1139 }
@@ -1146,7 +1147,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1146 s->msg_callback = (void (*)(int write_p, int version, 1147 s->msg_callback = (void (*)(int write_p, int version,
1147 int content_type, const void *buf, size_t len, 1148 int content_type, const void *buf, size_t len,
1148 SSL *ssl, void *arg))(fp); 1149 SSL *ssl, void *arg))(fp);
1149 return 1; 1150 return (1);
1150 1151
1151 default: 1152 default:
1152 return (s->method->ssl_callback_ctrl(s, cmd, fp)); 1153 return (s->method->ssl_callback_ctrl(s, cmd, fp));
@@ -1156,7 +1157,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
1156LHASH_OF(SSL_SESSION) * 1157LHASH_OF(SSL_SESSION) *
1157SSL_CTX_sessions(SSL_CTX *ctx) 1158SSL_CTX_sessions(SSL_CTX *ctx)
1158{ 1159{
1159 return ctx->sessions; 1160 return (ctx->sessions);
1160} 1161}
1161 1162
1162long 1163long
@@ -1174,7 +1175,7 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1174 1175
1175 case SSL_CTRL_SET_MSG_CALLBACK_ARG: 1176 case SSL_CTRL_SET_MSG_CALLBACK_ARG:
1176 ctx->msg_callback_arg = parg; 1177 ctx->msg_callback_arg = parg;
1177 return 1; 1178 return (1);
1178 1179
1179 case SSL_CTRL_GET_MAX_CERT_LIST: 1180 case SSL_CTRL_GET_MAX_CERT_LIST:
1180 return (ctx->max_cert_list); 1181 return (ctx->max_cert_list);
@@ -1230,9 +1231,9 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
1230 return (ctx->mode&=~larg); 1231 return (ctx->mode&=~larg);
1231 case SSL_CTRL_SET_MAX_SEND_FRAGMENT: 1232 case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
1232 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) 1233 if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
1233 return 0; 1234 return (0);
1234 ctx->max_send_fragment = larg; 1235 ctx->max_send_fragment = larg;
1235 return 1; 1236 return (1);
1236 default: 1237 default:
1237 return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); 1238 return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
1238 } 1239 }
@@ -1246,7 +1247,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
1246 ctx->msg_callback = (void (*)(int write_p, int version, 1247 ctx->msg_callback = (void (*)(int write_p, int version,
1247 int content_type, const void *buf, size_t len, SSL *ssl, 1248 int content_type, const void *buf, size_t len, SSL *ssl,
1248 void *arg))(fp); 1249 void *arg))(fp);
1249 return 1; 1250 return (1);
1250 1251
1251 default: 1252 default:
1252 return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp)); 1253 return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp));
@@ -1339,7 +1340,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1339 1340
1340 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, 1341 sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
1341 &ctx->cipher_list_by_id, str); 1342 &ctx->cipher_list_by_id, str);
1342 /* 1343 /*
1343 * ssl_create_cipher_list may return an empty stack if it 1344 * ssl_create_cipher_list may return an empty stack if it
1344 * was unable to find a cipher matching the given rule string 1345 * was unable to find a cipher matching the given rule string
1345 * (for example if the rule string specifies a cipher which 1346 * (for example if the rule string specifies a cipher which
@@ -1349,13 +1350,13 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
1349 * updated. 1350 * updated.
1350 */ 1351 */
1351 if (sk == NULL) 1352 if (sk == NULL)
1352 return 0; 1353 return (0);
1353 else if (sk_SSL_CIPHER_num(sk) == 0) { 1354 else if (sk_SSL_CIPHER_num(sk) == 0) {
1354 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, 1355 SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST,
1355 SSL_R_NO_CIPHER_MATCH); 1356 SSL_R_NO_CIPHER_MATCH);
1356 return 0; 1357 return (0);
1357 } 1358 }
1358 return 1; 1359 return (1);
1359} 1360}
1360 1361
1361/* Specify the ciphers to be used by the SSL. */ 1362/* Specify the ciphers to be used by the SSL. */
@@ -1368,13 +1369,13 @@ SSL_set_cipher_list(SSL *s, const char *str)
1368 &s->cipher_list_by_id, str); 1369 &s->cipher_list_by_id, str);
1369 /* see comment in SSL_CTX_set_cipher_list */ 1370 /* see comment in SSL_CTX_set_cipher_list */
1370 if (sk == NULL) 1371 if (sk == NULL)
1371 return 0; 1372 return (0);
1372 else if (sk_SSL_CIPHER_num(sk) == 0) { 1373 else if (sk_SSL_CIPHER_num(sk) == 0) {
1373 SSLerr(SSL_F_SSL_SET_CIPHER_LIST, 1374 SSLerr(SSL_F_SSL_SET_CIPHER_LIST,
1374 SSL_R_NO_CIPHER_MATCH); 1375 SSL_R_NO_CIPHER_MATCH);
1375 return 0; 1376 return (0);
1376 } 1377 }
1377 return 1; 1378 return (1);
1378} 1379}
1379 1380
1380/* works well for SSLv2, not so good for SSLv3 */ 1381/* works well for SSLv2, not so good for SSLv3 */
@@ -1540,11 +1541,11 @@ const char *
1540SSL_get_servername(const SSL *s, const int type) 1541SSL_get_servername(const SSL *s, const int type)
1541{ 1542{
1542 if (type != TLSEXT_NAMETYPE_host_name) 1543 if (type != TLSEXT_NAMETYPE_host_name)
1543 return NULL; 1544 return (NULL);
1544 1545
1545 return s->session && !s->tlsext_hostname ? 1546 return (s->session && !s->tlsext_hostname ?
1546 s->session->tlsext_hostname : 1547 s->session->tlsext_hostname :
1547 s->tlsext_hostname; 1548 s->tlsext_hostname);
1548} 1549}
1549 1550
1550int 1551int
@@ -1553,8 +1554,8 @@ SSL_get_servername_type(const SSL *s)
1553 if (s->session && 1554 if (s->session &&
1554 (!s->tlsext_hostname ? 1555 (!s->tlsext_hostname ?
1555 s->session->tlsext_hostname : s->tlsext_hostname)) 1556 s->session->tlsext_hostname : s->tlsext_hostname))
1556 return TLSEXT_NAMETYPE_host_name; 1557 return (TLSEXT_NAMETYPE_host_name);
1557 return -1; 1558 return (-1);
1558} 1559}
1559 1560
1560# ifndef OPENSSL_NO_NEXTPROTONEG 1561# ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1626,7 +1627,7 @@ SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1626 found: 1627 found:
1627 *out = (unsigned char *) result + 1; 1628 *out = (unsigned char *) result + 1;
1628 *outlen = result[0]; 1629 *outlen = result[0];
1629 return status; 1630 return (status);
1630} 1631}
1631 1632
1632/* 1633/*
@@ -1697,10 +1698,10 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1697 int use_context) 1698 int use_context)
1698{ 1699{
1699 if (s->version < TLS1_VERSION) 1700 if (s->version < TLS1_VERSION)
1700 return -1; 1701 return (-1);
1701 1702
1702 return s->method->ssl3_enc->export_keying_material(s, out, olen, 1703 return (s->method->ssl3_enc->export_keying_material(s, out, olen,
1703 label, llen, p, plen, use_context); 1704 label, llen, p, plen, use_context));
1704} 1705}
1705 1706
1706static unsigned long 1707static unsigned long
@@ -2087,7 +2088,8 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2087 2088
2088 2089
2089#ifdef CIPHER_DEBUG 2090#ifdef CIPHER_DEBUG
2090 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", 2091 printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d "
2092 "rs=%d ds=%d dhr=%d dhd=%d\n",
2091 rsa_tmp, rsa_tmp_export, dh_tmp, have_ecdh_tmp, 2093 rsa_tmp, rsa_tmp_export, dh_tmp, have_ecdh_tmp,
2092 rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa); 2094 rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
2093#endif 2095#endif
@@ -2247,11 +2249,11 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2247 /* ECDH key length in export ciphers must be <= 163 bits */ 2249 /* ECDH key length in export ciphers must be <= 163 bits */
2248 pkey = X509_get_pubkey(x); 2250 pkey = X509_get_pubkey(x);
2249 if (pkey == NULL) 2251 if (pkey == NULL)
2250 return 0; 2252 return (0);
2251 keysize = EVP_PKEY_bits(pkey); 2253 keysize = EVP_PKEY_bits(pkey);
2252 EVP_PKEY_free(pkey); 2254 EVP_PKEY_free(pkey);
2253 if (keysize > 163) 2255 if (keysize > 163)
2254 return 0; 2256 return (0);
2255 } 2257 }
2256 2258
2257 /* This call populates the ex_flags field correctly */ 2259 /* This call populates the ex_flags field correctly */
@@ -2265,7 +2267,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2265 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) { 2267 if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
2266 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2268 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2267 SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); 2269 SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2268 return 0; 2270 return (0);
2269 } 2271 }
2270 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < 2272 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
2271 TLS1_2_VERSION) { 2273 TLS1_2_VERSION) {
@@ -2273,7 +2275,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2273 if (pk_nid != NID_X9_62_id_ecPublicKey) { 2275 if (pk_nid != NID_X9_62_id_ecPublicKey) {
2274 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2276 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2275 SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); 2277 SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2276 return 0; 2278 return (0);
2277 } 2279 }
2278 } 2280 }
2279 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < 2281 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
@@ -2282,7 +2284,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2282 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { 2284 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
2283 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2285 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2284 SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); 2286 SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2285 return 0; 2287 return (0);
2286 } 2288 }
2287 } 2289 }
2288 } 2290 }
@@ -2291,11 +2293,11 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2291 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) { 2293 if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
2292 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, 2294 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
2293 SSL_R_ECC_CERT_NOT_FOR_SIGNING); 2295 SSL_R_ECC_CERT_NOT_FOR_SIGNING);
2294 return 0; 2296 return (0);
2295 } 2297 }
2296 } 2298 }
2297 2299
2298 return 1; 2300 return (1);
2299 /* all checks are ok */ 2301 /* all checks are ok */
2300} 2302}
2301 2303
@@ -2355,7 +2357,7 @@ ssl_get_server_send_pkey(const SSL *s)
2355 return (NULL); 2357 return (NULL);
2356 } 2358 }
2357 2359
2358 return c->pkeys + i; 2360 return (c->pkeys + i);
2359} 2361}
2360 2362
2361X509 * 2363X509 *
@@ -2365,8 +2367,8 @@ ssl_get_server_send_cert(const SSL *s)
2365 2367
2366 cpk = ssl_get_server_send_pkey(s); 2368 cpk = ssl_get_server_send_pkey(s);
2367 if (!cpk) 2369 if (!cpk)
2368 return NULL; 2370 return (NULL);
2369 return cpk->x509; 2371 return (cpk->x509);
2370} 2372}
2371 2373
2372EVP_PKEY * 2374EVP_PKEY *
@@ -2397,7 +2399,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
2397 } 2399 }
2398 if (pmd) 2400 if (pmd)
2399 *pmd = c->pkeys[idx].digest; 2401 *pmd = c->pkeys[idx].digest;
2400 return c->pkeys[idx].privatekey; 2402 return (c->pkeys[idx].privatekey);
2401} 2403}
2402 2404
2403void 2405void
@@ -2506,7 +2508,7 @@ SSL_get_error(const SSL *s, int i)
2506 else if (reason == BIO_RR_ACCEPT) 2508 else if (reason == BIO_RR_ACCEPT)
2507 return (SSL_ERROR_WANT_ACCEPT); 2509 return (SSL_ERROR_WANT_ACCEPT);
2508 else 2510 else
2509 return(SSL_ERROR_SYSCALL); /* unknown */ 2511 return (SSL_ERROR_SYSCALL); /* unknown */
2510 } 2512 }
2511 } 2513 }
2512 2514
@@ -2514,13 +2516,13 @@ SSL_get_error(const SSL *s, int i)
2514 bio = SSL_get_wbio(s); 2516 bio = SSL_get_wbio(s);
2515 if (BIO_should_write(bio)) 2517 if (BIO_should_write(bio))
2516 return (SSL_ERROR_WANT_WRITE); 2518 return (SSL_ERROR_WANT_WRITE);
2517 else if (BIO_should_read(bio)) 2519 else if (BIO_should_read(bio)) {
2518 return (SSL_ERROR_WANT_READ);
2519 /* 2520 /*
2520 * See above (SSL_want_read(s) with 2521 * See above (SSL_want_read(s) with
2521 * BIO_should_write(bio)) 2522 * BIO_should_write(bio))
2522 */ 2523 */
2523 else if (BIO_should_io_special(bio)) { 2524 return (SSL_ERROR_WANT_READ);
2525 } else if (BIO_should_io_special(bio)) {
2524 reason = BIO_get_retry_reason(bio); 2526 reason = BIO_get_retry_reason(bio);
2525 if (reason == BIO_RR_CONNECT) 2527 if (reason == BIO_RR_CONNECT)
2526 return (SSL_ERROR_WANT_CONNECT); 2528 return (SSL_ERROR_WANT_CONNECT);
@@ -2561,7 +2563,7 @@ SSL_do_handshake(SSL *s)
2561 return (ret); 2563 return (ret);
2562} 2564}
2563 2565
2564/* 2566/*
2565 * For the next 2 functions, SSL_clear() sets shutdown and so 2567 * For the next 2 functions, SSL_clear() sets shutdown and so
2566 * one of these calls will reset it 2568 * one of these calls will reset it
2567 */ 2569 */
@@ -2627,15 +2629,15 @@ const char *
2627SSL_get_version(const SSL *s) 2629SSL_get_version(const SSL *s)
2628{ 2630{
2629 if (s->version == TLS1_2_VERSION) 2631 if (s->version == TLS1_2_VERSION)
2630 return("TLSv1.2"); 2632 return ("TLSv1.2");
2631 else if (s->version == TLS1_1_VERSION) 2633 else if (s->version == TLS1_1_VERSION)
2632 return("TLSv1.1"); 2634 return ("TLSv1.1");
2633 else if (s->version == TLS1_VERSION) 2635 else if (s->version == TLS1_VERSION)
2634 return("TLSv1"); 2636 return ("TLSv1");
2635 else if (s->version == SSL3_VERSION) 2637 else if (s->version == SSL3_VERSION)
2636 return("SSLv3"); 2638 return ("SSLv3");
2637 else 2639 else
2638 return("unknown"); 2640 return ("unknown");
2639} 2641}
2640 2642
2641SSL * 2643SSL *
@@ -2722,14 +2724,14 @@ SSL_dup(SSL *s)
2722 ret->quiet_shutdown = s->quiet_shutdown; 2724 ret->quiet_shutdown = s->quiet_shutdown;
2723 ret->shutdown = s->shutdown; 2725 ret->shutdown = s->shutdown;
2724 /* SSL_dup does not really work at any state, though */ 2726 /* SSL_dup does not really work at any state, though */
2725 ret->state=s->state; 2727 ret->state=s->state;
2726 ret->rstate = s->rstate; 2728 ret->rstate = s->rstate;
2727 2729
2728 /* 2730 /*
2729 * Would have to copy ret->init_buf, ret->init_msg, ret->init_num, 2731 * Would have to copy ret->init_buf, ret->init_msg, ret->init_num,
2730 * ret->init_off 2732 * ret->init_off
2731 */ 2733 */
2732 ret->init_num = 0; 2734 ret->init_num = 0;
2733 2735
2734 ret->hit = s->hit; 2736 ret->hit = s->hit;
2735 2737
@@ -2741,10 +2743,11 @@ SSL_dup(SSL *s)
2741 sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) 2743 sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
2742 goto err; 2744 goto err;
2743 } 2745 }
2744 if (s->cipher_list_by_id != NULL) 2746 if (s->cipher_list_by_id != NULL) {
2745 if ((ret->cipher_list_by_id = 2747 if ((ret->cipher_list_by_id =
2746 sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL) 2748 sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL)
2747 goto err; 2749 goto err;
2750 }
2748 2751
2749 /* Dup the client_CA list */ 2752 /* Dup the client_CA list */
2750 if (s->client_CA != NULL) { 2753 if (s->client_CA != NULL) {
@@ -2825,13 +2828,13 @@ SSL_get_current_cipher(const SSL *s)
2825const void * 2828const void *
2826SSL_get_current_compression(SSL *s) 2829SSL_get_current_compression(SSL *s)
2827{ 2830{
2828 return NULL; 2831 return (NULL);
2829} 2832}
2830 2833
2831const void * 2834const void *
2832SSL_get_current_expansion(SSL *s) 2835SSL_get_current_expansion(SSL *s)
2833{ 2836{
2834 return NULL; 2837 return (NULL);
2835} 2838}
2836#else 2839#else
2837 2840
@@ -2950,7 +2953,7 @@ SSL_CTX *
2950SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) 2953SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
2951{ 2954{
2952 if (ssl->ctx == ctx) 2955 if (ssl->ctx == ctx)
2953 return ssl->ctx; 2956 return (ssl->ctx);
2954#ifndef OPENSSL_NO_TLSEXT 2957#ifndef OPENSSL_NO_TLSEXT
2955 if (ctx == NULL) 2958 if (ctx == NULL)
2956 ctx = ssl->initial_ctx; 2959 ctx = ssl->initial_ctx;
@@ -2993,7 +2996,7 @@ SSL_set_info_callback(SSL *ssl,
2993 */ 2996 */
2994void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) 2997void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
2995{ 2998{
2996 return ssl->info_callback; 2999 return (ssl->info_callback);
2997} 3000}
2998 3001
2999int 3002int
@@ -3024,8 +3027,8 @@ int
3024SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 3027SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3025 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 3028 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3026{ 3029{
3027 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, 3030 return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
3028 new_func, dup_func, free_func); 3031 new_func, dup_func, free_func));
3029} 3032}
3030 3033
3031int 3034int
@@ -3044,8 +3047,8 @@ int
3044SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 3047SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
3045 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) 3048 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
3046{ 3049{
3047 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, 3050 return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
3048 new_func, dup_func, free_func); 3051 new_func, dup_func, free_func));
3049} 3052}
3050 3053
3051int 3054int
@@ -3171,50 +3174,50 @@ SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
3171 PSK_MAX_IDENTITY_LEN) { 3174 PSK_MAX_IDENTITY_LEN) {
3172 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, 3175 SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT,
3173 SSL_R_DATA_LENGTH_TOO_LONG); 3176 SSL_R_DATA_LENGTH_TOO_LONG);
3174 return 0; 3177 return (0);
3175 } 3178 }
3176 if (ctx->psk_identity_hint != NULL) 3179 if (ctx->psk_identity_hint != NULL)
3177 free(ctx->psk_identity_hint); 3180 free(ctx->psk_identity_hint);
3178 if (identity_hint != NULL) { 3181 if (identity_hint != NULL) {
3179 ctx->psk_identity_hint = BUF_strdup(identity_hint); 3182 ctx->psk_identity_hint = BUF_strdup(identity_hint);
3180 if (ctx->psk_identity_hint == NULL) 3183 if (ctx->psk_identity_hint == NULL)
3181 return 0; 3184 return (0);
3182 } else 3185 } else
3183 ctx->psk_identity_hint = NULL; 3186 ctx->psk_identity_hint = NULL;
3184 return 1; 3187 return (1);
3185} 3188}
3186 3189
3187int 3190int
3188SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) 3191SSL_use_psk_identity_hint(SSL *s, const char *identity_hint)
3189{ 3192{
3190 if (s == NULL) 3193 if (s == NULL)
3191 return 0; 3194 return (0);
3192 3195
3193 if (s->session == NULL) 3196 if (s->session == NULL)
3194 return 1; /* session not created yet, ignored */ 3197 return (1); /* session not created yet, ignored */
3195 3198
3196 if (identity_hint != NULL && strlen(identity_hint) > 3199 if (identity_hint != NULL && strlen(identity_hint) >
3197 PSK_MAX_IDENTITY_LEN) { 3200 PSK_MAX_IDENTITY_LEN) {
3198 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT, 3201 SSLerr(SSL_F_SSL_USE_PSK_IDENTITY_HINT,
3199 SSL_R_DATA_LENGTH_TOO_LONG); 3202 SSL_R_DATA_LENGTH_TOO_LONG);
3200 return 0; 3203 return (0);
3201 } 3204 }
3202 if (s->session->psk_identity_hint != NULL) 3205 if (s->session->psk_identity_hint != NULL)
3203 free(s->session->psk_identity_hint); 3206 free(s->session->psk_identity_hint);
3204 if (identity_hint != NULL) { 3207 if (identity_hint != NULL) {
3205 s->session->psk_identity_hint = BUF_strdup(identity_hint); 3208 s->session->psk_identity_hint = BUF_strdup(identity_hint);
3206 if (s->session->psk_identity_hint == NULL) 3209 if (s->session->psk_identity_hint == NULL)
3207 return 0; 3210 return (0);
3208 } else 3211 } else
3209 s->session->psk_identity_hint = NULL; 3212 s->session->psk_identity_hint = NULL;
3210 return 1; 3213 return (1);
3211} 3214}
3212 3215
3213const char * 3216const char *
3214SSL_get_psk_identity_hint(const SSL *s) 3217SSL_get_psk_identity_hint(const SSL *s)
3215{ 3218{
3216 if (s == NULL || s->session == NULL) 3219 if (s == NULL || s->session == NULL)
3217 return NULL; 3220 return (NULL);
3218 return (s->session->psk_identity_hint); 3221 return (s->session->psk_identity_hint);
3219} 3222}
3220 3223
@@ -3222,7 +3225,7 @@ const char *
3222SSL_get_psk_identity(const SSL *s) 3225SSL_get_psk_identity(const SSL *s)
3223{ 3226{
3224 if (s == NULL || s->session == NULL) 3227 if (s == NULL || s->session == NULL)
3225 return NULL; 3228 return (NULL);
3226 return (s->session->psk_identity); 3229 return (s->session->psk_identity);
3227} 3230}
3228 3231
@@ -3289,7 +3292,7 @@ ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
3289 *hash = EVP_MD_CTX_create(); 3292 *hash = EVP_MD_CTX_create();
3290 if (md) 3293 if (md)
3291 EVP_DigestInit_ex(*hash, md, NULL); 3294 EVP_DigestInit_ex(*hash, md, NULL);
3292 return *hash; 3295 return (*hash);
3293} 3296}
3294 3297
3295void 3298void
@@ -3309,7 +3312,7 @@ SSL_set_debug(SSL *s, int debug)
3309int 3312int
3310SSL_cache_hit(SSL *s) 3313SSL_cache_hit(SSL *s)
3311{ 3314{
3312 return s->hit; 3315 return (s->hit);
3313} 3316}
3314 3317
3315IMPLEMENT_STACK_OF(SSL_CIPHER) 3318IMPLEMENT_STACK_OF(SSL_CIPHER)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 15:58:52 +0000