1 files changed, 19 insertions, 18 deletions
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index a8835edc8f..307ae842b8 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -101,23 +101,24 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
            tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
                tls_set_error(ctx,
                    "unable to parse revocation time in OCSP reply");
-                goto error;
+                goto err;
        }
        if (thisupd != NULL &&
            tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
                tls_set_error(ctx,
                    "unable to parse this update time in OCSP reply");
-                goto error;
+                goto err;
        }
        if (nextupd != NULL &&
            tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
                tls_set_error(ctx,
                    "unable to parse next update time in OCSP reply");
-                goto error;
+                goto err;
        }
        ctx->ocsp->ocsp_result = info;
        return 0;
- error:
+ err:
        free(info);
        return -1;
 }
@@ -162,32 +163,32 @@ tls_ocsp_setup_from_peer(struct tls *ctx)
        STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
        if ((ocsp = tls_ocsp_new()) == NULL)
-                goto failed;
+                goto err;
        /* steal state from ctx struct */
        ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
        ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
        if (ocsp->main_cert == NULL) {
                tls_set_errorx(ctx, "no peer certificate for OCSP");
-                goto failed;
+                goto err;
        }
        ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
        if (ocsp_urls == NULL) {
                tls_set_errorx(ctx, "no OCSP URLs in peer certificate");
-                goto failed;
+                goto err;
        }
        ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
        if (ocsp->ocsp_url == NULL) {
                tls_set_errorx(ctx, "out of memory");
-                goto failed;
+                goto err;
        }
        X509_email_free(ocsp_urls);
        return ocsp;
- failed:
+ err:
        tls_ocsp_free(ocsp);
        X509_email_free(ocsp_urls);
        return NULL;
@@ -206,7 +207,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
        if ((br = OCSP_response_get1_basic(resp)) == NULL) {
                tls_set_errorx(ctx, "cannot load ocsp reply");
-                goto error;
+                goto err;
        }
        /*
@@ -219,7 +220,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
        if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
                SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
                tls_set_error(ctx, "ocsp verify failed");
-                goto error;
+                goto err;
        }
        /* signature OK, look inside */
@@ -227,43 +228,43 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
        if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
                tls_set_errorx(ctx, "ocsp verify failed: response - %s",
                    OCSP_response_status_str(response_status));
-                goto error;
+                goto err;
        }
        cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
            ctx->ocsp->extra_certs, ctx->ssl_ctx);
        if (cid == NULL) {
                tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");
-                goto error;
+                goto err;
        }
        if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
            &revtime, &thisupd, &nextupd) != 1) {
                tls_set_errorx(ctx, "ocsp verify failed: no result for cert");
-                goto error;
+                goto err;
        }
        if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
            MAXAGE_SEC) != 1) {
                tls_set_errorx(ctx,
                    "ocsp verify failed: ocsp response not current");
-                goto error;
+                goto err;
        }
        if (tls_ocsp_fill_info(ctx, response_status, cert_status,
            crl_reason, revtime, thisupd, nextupd) != 0)
-                goto error;
+                goto err;
        /* finally can look at status */
        if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
            V_OCSP_CERTSTATUS_UNKNOWN) {
                tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",
                               OCSP_crl_reason_str(crl_reason));
-                goto error;
+                goto err;
        }
        ret = 0;
- error:
+ err:
        sk_X509_free(combined);
        OCSP_CERTID_free(cid);
        OCSP_BASICRESP_free(br);

diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index a8835edc8f..307ae842b8 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c
@@ -101,23 +101,24 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
101	tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {	101	tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
102	tls_set_error(ctx,	102	tls_set_error(ctx,
103	"unable to parse revocation time in OCSP reply");	103	"unable to parse revocation time in OCSP reply");
104	goto error;	104	goto err;
105	}	105	}
106	if (thisupd != NULL &&	106	if (thisupd != NULL &&
107	tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {	107	tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
108	tls_set_error(ctx,	108	tls_set_error(ctx,
109	"unable to parse this update time in OCSP reply");	109	"unable to parse this update time in OCSP reply");
110	goto error;	110	goto err;
111	}	111	}
112	if (nextupd != NULL &&	112	if (nextupd != NULL &&
113	tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {	113	tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
114	tls_set_error(ctx,	114	tls_set_error(ctx,
115	"unable to parse next update time in OCSP reply");	115	"unable to parse next update time in OCSP reply");
116	goto error;	116	goto err;
117	}	117	}
118	ctx->ocsp->ocsp_result = info;	118	ctx->ocsp->ocsp_result = info;
119	return 0;	119	return 0;
120	error:	120
		121	err:
121	free(info);	122	free(info);
122	return -1;	123	return -1;
123	}	124	}
@@ -162,32 +163,32 @@ tls_ocsp_setup_from_peer(struct tls *ctx)
162	STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;	163	STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
163		164
164	if ((ocsp = tls_ocsp_new()) == NULL)	165	if ((ocsp = tls_ocsp_new()) == NULL)
165	goto failed;	166	goto err;
166		167
167	/* steal state from ctx struct */	168	/* steal state from ctx struct */
168	ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);	169	ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
169	ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);	170	ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
170	if (ocsp->main_cert == NULL) {	171	if (ocsp->main_cert == NULL) {
171	tls_set_errorx(ctx, "no peer certificate for OCSP");	172	tls_set_errorx(ctx, "no peer certificate for OCSP");
172	goto failed;	173	goto err;
173	}	174	}
174		175
175	ocsp_urls = X509_get1_ocsp(ocsp->main_cert);	176	ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
176	if (ocsp_urls == NULL) {	177	if (ocsp_urls == NULL) {
177	tls_set_errorx(ctx, "no OCSP URLs in peer certificate");	178	tls_set_errorx(ctx, "no OCSP URLs in peer certificate");
178	goto failed;	179	goto err;
179	}	180	}
180		181
181	ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));	182	ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
182	if (ocsp->ocsp_url == NULL) {	183	if (ocsp->ocsp_url == NULL) {
183	tls_set_errorx(ctx, "out of memory");	184	tls_set_errorx(ctx, "out of memory");
184	goto failed;	185	goto err;
185	}	186	}
186		187
187	X509_email_free(ocsp_urls);	188	X509_email_free(ocsp_urls);
188	return ocsp;	189	return ocsp;
189		190
190	failed:	191	err:
191	tls_ocsp_free(ocsp);	192	tls_ocsp_free(ocsp);
192	X509_email_free(ocsp_urls);	193	X509_email_free(ocsp_urls);
193	return NULL;	194	return NULL;
@@ -206,7 +207,7 @@ tls_ocsp_verify_response(struct tls ctx, OCSP_RESPONSE resp)
206		207
207	if ((br = OCSP_response_get1_basic(resp)) == NULL) {	208	if ((br = OCSP_response_get1_basic(resp)) == NULL) {
208	tls_set_errorx(ctx, "cannot load ocsp reply");	209	tls_set_errorx(ctx, "cannot load ocsp reply");
209	goto error;	210	goto err;
210	}	211	}
211		212
212	/*	213	/*
@@ -219,7 +220,7 @@ tls_ocsp_verify_response(struct tls ctx, OCSP_RESPONSE resp)
219	if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,	220	if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
220	SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {	221	SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
221	tls_set_error(ctx, "ocsp verify failed");	222	tls_set_error(ctx, "ocsp verify failed");
222	goto error;	223	goto err;
223	}	224	}
224		225
225	/* signature OK, look inside */	226	/* signature OK, look inside */
@@ -227,43 +228,43 @@ tls_ocsp_verify_response(struct tls ctx, OCSP_RESPONSE resp)
227	if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {	228	if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
228	tls_set_errorx(ctx, "ocsp verify failed: response - %s",	229	tls_set_errorx(ctx, "ocsp verify failed: response - %s",
229	OCSP_response_status_str(response_status));	230	OCSP_response_status_str(response_status));
230	goto error;	231	goto err;
231	}	232	}
232		233
233	cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,	234	cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
234	ctx->ocsp->extra_certs, ctx->ssl_ctx);	235	ctx->ocsp->extra_certs, ctx->ssl_ctx);
235	if (cid == NULL) {	236	if (cid == NULL) {
236	tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");	237	tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");
237	goto error;	238	goto err;
238	}	239	}
239		240
240	if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,	241	if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
241	&revtime, &thisupd, &nextupd) != 1) {	242	&revtime, &thisupd, &nextupd) != 1) {
242	tls_set_errorx(ctx, "ocsp verify failed: no result for cert");	243	tls_set_errorx(ctx, "ocsp verify failed: no result for cert");
243	goto error;	244	goto err;
244	}	245	}
245		246
246	if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,	247	if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
247	MAXAGE_SEC) != 1) {	248	MAXAGE_SEC) != 1) {
248	tls_set_errorx(ctx,	249	tls_set_errorx(ctx,
249	"ocsp verify failed: ocsp response not current");	250	"ocsp verify failed: ocsp response not current");
250	goto error;	251	goto err;
251	}	252	}
252		253
253	if (tls_ocsp_fill_info(ctx, response_status, cert_status,	254	if (tls_ocsp_fill_info(ctx, response_status, cert_status,
254	crl_reason, revtime, thisupd, nextupd) != 0)	255	crl_reason, revtime, thisupd, nextupd) != 0)
255	goto error;	256	goto err;
256		257
257	/* finally can look at status */	258	/* finally can look at status */
258	if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=	259	if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
259	V_OCSP_CERTSTATUS_UNKNOWN) {	260	V_OCSP_CERTSTATUS_UNKNOWN) {
260	tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",	261	tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",
261	OCSP_crl_reason_str(crl_reason));	262	OCSP_crl_reason_str(crl_reason));
262	goto error;	263	goto err;
263	}	264	}
264	ret = 0;	265	ret = 0;
265		266
266	error:	267	err:
267	sk_X509_free(combined);	268	sk_X509_free(combined);
268	OCSP_CERTID_free(cid);	269	OCSP_CERTID_free(cid);
269	OCSP_BASICRESP_free(br);	270	OCSP_BASICRESP_free(br);