Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/s3_clnt.c54
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c54
2 files changed, 42 insertions, 66 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 7d6681b3ac..8c622f4974 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.79 2014/07/12 13:11:53 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.80 2014/07/12 18:10:21 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -994,8 +994,6 @@ ssl3_get_server_certificate(SSL *s)
994 SESS_CERT *sc; 994 SESS_CERT *sc;
995 EVP_PKEY *pkey = NULL; 995 EVP_PKEY *pkey = NULL;
996 996
997 int need_cert = 1;
998
999 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 997 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1000 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); 998 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
1001 999
@@ -1093,8 +1091,7 @@ ssl3_get_server_certificate(SSL *s)
1093 1091
1094 pkey = X509_get_pubkey(x); 1092 pkey = X509_get_pubkey(x);
1095 1093
1096 if (need_cert && ((pkey == NULL) || 1094 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey))) {
1097 EVP_PKEY_missing_parameters(pkey))) {
1098 x = NULL; 1095 x = NULL;
1099 al = SSL3_AL_FATAL; 1096 al = SSL3_AL_FATAL;
1100 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1097 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1103,7 +1100,7 @@ ssl3_get_server_certificate(SSL *s)
1103 } 1100 }
1104 1101
1105 i = ssl_cert_type(x, pkey); 1102 i = ssl_cert_type(x, pkey);
1106 if (need_cert && i < 0) { 1103 if (i < 0) {
1107 x = NULL; 1104 x = NULL;
1108 al = SSL3_AL_FATAL; 1105 al = SSL3_AL_FATAL;
1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1106 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1111,30 +1108,21 @@ ssl3_get_server_certificate(SSL *s)
1111 goto f_err; 1108 goto f_err;
1112 } 1109 }
1113 1110
1114 if (need_cert) { 1111 sc->peer_cert_type = i;
1115 sc->peer_cert_type = i; 1112 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1116 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1113 /*
1117 /* 1114 * Why would the following ever happen?
1118 * Why would the following ever happen? 1115 * We just created sc a couple of lines ago.
1119 * We just created sc a couple of lines ago. 1116 */
1120 */ 1117 if (sc->peer_pkeys[i].x509 != NULL)
1121 if (sc->peer_pkeys[i].x509 != NULL) 1118 X509_free(sc->peer_pkeys[i].x509);
1122 X509_free(sc->peer_pkeys[i].x509); 1119 sc->peer_pkeys[i].x509 = x;
1123 sc->peer_pkeys[i].x509 = x; 1120 sc->peer_key = &(sc->peer_pkeys[i]);
1124 sc->peer_key = &(sc->peer_pkeys[i]); 1121
1125 1122 if (s->session->peer != NULL)
1126 if (s->session->peer != NULL) 1123 X509_free(s->session->peer);
1127 X509_free(s->session->peer); 1124 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1128 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1125 s->session->peer = x;
1129 s->session->peer = x;
1130 } else {
1131 sc->peer_cert_type = i;
1132 sc->peer_key = NULL;
1133
1134 if (s->session->peer != NULL)
1135 X509_free(s->session->peer);
1136 s->session->peer = NULL;
1137 }
1138 s->session->verify_result = s->verify_result; 1126 s->session->verify_result = s->verify_result;
1139 1127
1140 x = NULL; 1128 x = NULL;
@@ -2621,8 +2609,8 @@ ssl3_check_cert_and_algorithm(SSL *s)
2621 2609
2622 idx = sc->peer_cert_type; 2610 idx = sc->peer_cert_type;
2623 if (idx == SSL_PKEY_ECC) { 2611 if (idx == SSL_PKEY_ECC) {
2624 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2612 if (ssl_check_srvr_ecc_cert_and_alg(
2625 s) == 0) { 2613 sc->peer_pkeys[idx].x509, s) == 0) {
2626 /* check failed */ 2614 /* check failed */
2627 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2615 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2628 SSL_R_BAD_ECC_CERT); 2616 SSL_R_BAD_ECC_CERT);
@@ -2635,7 +2623,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2635 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); 2623 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
2636 EVP_PKEY_free(pkey); 2624 EVP_PKEY_free(pkey);
2637 2625
2638 /* Check that we have a certificate if we require one */ 2626 /* Check that we have a certificate if we require one. */
2639 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { 2627 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2640 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2628 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2641 SSL_R_MISSING_RSA_SIGNING_CERT); 2629 SSL_R_MISSING_RSA_SIGNING_CERT);
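Review bot: The rewritten condition at new line 1094 of ssl3_get_server_certificate reads `if (pkey == NULL || EVP_PKEY_missing_parameters(pkey))) {` — three closing parentheses against two opening ones, which will not compile if the rendering is faithful (the old two-line form had an extra `(` before `(pkey == NULL)` that the new single line no longer needs); the intended line is `if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {`. The same hunks appear verbatim in the mirrored copy at src/lib/libssl/src/ssl/s3_clnt.c further down this page, so the fix applies there too. Dropping `need_cert` makes the certificate-handling path unconditional, which as far as the visible hunks show is behaviour-preserving since the variable was initialised to 1 and never reassigned, but a one-line comment above the new line 1111 such as `/* A server certificate is always required here; the key must be present and complete. */` would record the invariant the removed else branch used to imply. The body of ssl3_get_server_certificate begins and ends outside these hunks.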
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 7d6681b3ac..8c622f4974 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.79 2014/07/12 13:11:53 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.80 2014/07/12 18:10:21 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -994,8 +994,6 @@ ssl3_get_server_certificate(SSL *s)
994 SESS_CERT *sc; 994 SESS_CERT *sc;
995 EVP_PKEY *pkey = NULL; 995 EVP_PKEY *pkey = NULL;
996 996
997 int need_cert = 1;
998
999 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 997 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1000 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); 998 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
1001 999
@@ -1093,8 +1091,7 @@ ssl3_get_server_certificate(SSL *s)
1093 1091
1094 pkey = X509_get_pubkey(x); 1092 pkey = X509_get_pubkey(x);
1095 1093
1096 if (need_cert && ((pkey == NULL) || 1094 if (pkey == NULL || EVP_PKEY_missing_parameters(pkey))) {
1097 EVP_PKEY_missing_parameters(pkey))) {
1098 x = NULL; 1095 x = NULL;
1099 al = SSL3_AL_FATAL; 1096 al = SSL3_AL_FATAL;
1100 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1097 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1103,7 +1100,7 @@ ssl3_get_server_certificate(SSL *s)
1103 } 1100 }
1104 1101
1105 i = ssl_cert_type(x, pkey); 1102 i = ssl_cert_type(x, pkey);
1106 if (need_cert && i < 0) { 1103 if (i < 0) {
1107 x = NULL; 1104 x = NULL;
1108 al = SSL3_AL_FATAL; 1105 al = SSL3_AL_FATAL;
1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1106 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1111,30 +1108,21 @@ ssl3_get_server_certificate(SSL *s)
1111 goto f_err; 1108 goto f_err;
1112 } 1109 }
1113 1110
1114 if (need_cert) { 1111 sc->peer_cert_type = i;
1115 sc->peer_cert_type = i; 1112 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1116 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1113 /*
1117 /* 1114 * Why would the following ever happen?
1118 * Why would the following ever happen? 1115 * We just created sc a couple of lines ago.
1119 * We just created sc a couple of lines ago. 1116 */
1120 */ 1117 if (sc->peer_pkeys[i].x509 != NULL)
1121 if (sc->peer_pkeys[i].x509 != NULL) 1118 X509_free(sc->peer_pkeys[i].x509);
1122 X509_free(sc->peer_pkeys[i].x509); 1119 sc->peer_pkeys[i].x509 = x;
1123 sc->peer_pkeys[i].x509 = x; 1120 sc->peer_key = &(sc->peer_pkeys[i]);
1124 sc->peer_key = &(sc->peer_pkeys[i]); 1121
1125 1122 if (s->session->peer != NULL)
1126 if (s->session->peer != NULL) 1123 X509_free(s->session->peer);
1127 X509_free(s->session->peer); 1124 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1128 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1125 s->session->peer = x;
1129 s->session->peer = x;
1130 } else {
1131 sc->peer_cert_type = i;
1132 sc->peer_key = NULL;
1133
1134 if (s->session->peer != NULL)
1135 X509_free(s->session->peer);
1136 s->session->peer = NULL;
1137 }
1138 s->session->verify_result = s->verify_result; 1126 s->session->verify_result = s->verify_result;
1139 1127
1140 x = NULL; 1128 x = NULL;
@@ -2621,8 +2609,8 @@ ssl3_check_cert_and_algorithm(SSL *s)
2621 2609
2622 idx = sc->peer_cert_type; 2610 idx = sc->peer_cert_type;
2623 if (idx == SSL_PKEY_ECC) { 2611 if (idx == SSL_PKEY_ECC) {
2624 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2612 if (ssl_check_srvr_ecc_cert_and_alg(
2625 s) == 0) { 2613 sc->peer_pkeys[idx].x509, s) == 0) {
2626 /* check failed */ 2614 /* check failed */
2627 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2615 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2628 SSL_R_BAD_ECC_CERT); 2616 SSL_R_BAD_ECC_CERT);
@@ -2635,7 +2623,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2635 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); 2623 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
2636 EVP_PKEY_free(pkey); 2624 EVP_PKEY_free(pkey);
2637 2625
2638 /* Check that we have a certificate if we require one */ 2626 /* Check that we have a certificate if we require one. */
2639 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { 2627 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2640 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2628 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2641 SSL_R_MISSING_RSA_SIGNING_CERT); 2629 SSL_R_MISSING_RSA_SIGNING_CERT);