From 69f682374868ba2b19a8aeada496bf03dbb037cf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 6 Mar 2015 14:37:17 +0000 Subject: [PATCH] Fix missing return value checks Ensure that all functions have their return values checked where appropriate. This covers all functions defined and called from within libssl. Reviewed-by: Richard Levitte --- ssl/bio_ssl.c | 5 ++- ssl/d1_both.c | 9 ++--- ssl/d1_clnt.c | 6 ++-- ssl/d1_lib.c | 6 +++- ssl/d1_pkt.c | 8 +++-- ssl/d1_srvr.c | 6 ++-- ssl/s23_clnt.c | 6 ++-- ssl/s23_srvr.c | 6 ++-- ssl/s3_clnt.c | 11 ++++-- ssl/s3_enc.c | 10 ++++-- ssl/s3_lib.c | 3 +- ssl/s3_pkt.c | 5 ++- ssl/s3_srvr.c | 36 +++++++++++++++++-- ssl/ssl.h | 5 +-- ssl/ssl_algs.c | 2 +- ssl/ssl_ciph.c | 5 ++- ssl/ssl_err.c | 81 +++++++++++++++--------------------------- ssl/ssl_lib.c | 25 ++++++++----- ssl/ssl_rsa.c | 5 ++- ssl/ssl_sess.c | 6 ++-- ssl/ssl_txt.c | 3 +- ssl/ssltest.c | 95 ++++++++++++++++++++++++++++++++------------------ ssl/t1_enc.c | 3 +- ssl/t1_lib.c | 26 +++++++++----- 24 files changed, 237 insertions(+), 136 deletions(-) diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index e2831af7f3..99f8b5e524 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -292,7 +292,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) else if (ssl->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl); - SSL_clear(ssl); + if(!SSL_clear(ssl)) { + ret = 0; + break; + } if (b->next_bio != NULL) ret = BIO_ctrl(b->next_bio, cmd, num, ptr); diff --git a/ssl/d1_both.c b/ssl/d1_both.c index a7d0a82085..22626f1f0b 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -989,7 +989,10 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) s->d1->handshake_write_seq, 0, 0); /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 1); + if(!dtls1_buffer_message(s, 1)) { + SSLerr(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); + return -1; + } s->state = b; } @@ -1237,7 +1240,7 @@ void dtls1_clear_record_buffer(SSL *s) } } -unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p, +void dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt, unsigned long len, unsigned long frag_off, unsigned long frag_len) @@ -1250,8 +1253,6 @@ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p, dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, frag_off, frag_len); - - return p += DTLS1_HM_HEADER_LENGTH; } /* don't actually do the writing, wait till the MTU has been retrieved */ diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 151dd47285..c5831cd2eb 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -181,8 +181,10 @@ int dtls1_connect(SSL *s) cb = s->ctx->info_callback; s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if(!SSL_clear(s)) + return -1; + } #ifndef OPENSSL_NO_SCTP /* diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index e9a2fc5bf8..b568944ba0 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -567,7 +567,11 @@ static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH; s->init_off = 0; /* Buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); + /* + * Deliberately swallow error return. We really should do something with + * this - but its a void function that can't (easily) be changed + */ + if(!dtls1_buffer_message(s, 0)); } static int dtls1_handshake_write(SSL *s) diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 4dbd694442..5463acfe7f 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -937,7 +937,10 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } #ifndef OPENSSL_NO_HEARTBEATS else if (rr->type == TLS1_RT_HEARTBEAT) { - dtls1_process_heartbeat(s); + /* We allow a 0 return */ + if(dtls1_process_heartbeat(s) < 0) { + return -1; + } /* Exit and notify application to read again */ rr->length = 0; @@ -1246,7 +1249,8 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (dtls1_check_timeout_num(s) < 0) return -1; - dtls1_retransmit_buffered_messages(s); + /* Ignore retransmit failures - swallow return code */ + if(dtls1_retransmit_buffered_messages(s)); rr->length = 0; goto start; } diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index bcf63e016b..24361ae5df 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -184,8 +184,10 @@ int dtls1_accept(SSL *s) /* init things to blank */ s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if(!SSL_clear(s)) + return -1; + } s->d1->listen = listen; #ifndef OPENSSL_NO_SCTP diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index e04d3af9f6..21a32bce70 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -157,8 +157,10 @@ int ssl23_connect(SSL *s) cb = s->ctx->info_callback; s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if(!SSL_clear(s)) + return -1; + } for (;;) { state = s->state; diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 6ac6e4edad..255d27810f 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -156,8 +156,10 @@ int ssl23_accept(SSL *s) cb = s->ctx->info_callback; s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if(!SSL_clear(s)) + return -1; + } for (;;) { state = s->state; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index b37a7339f4..3a37a240e3 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -197,8 +197,10 @@ int ssl3_connect(SSL *s) cb = s->ctx->info_callback; s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if(!SSL_clear(s)) + return -1; + } #ifndef OPENSSL_NO_HEARTBEATS /* @@ -3044,6 +3046,11 @@ int ssl3_send_client_key_exchange(SSL *s) OPENSSL_cleanse(pms, pmslen); OPENSSL_free(pms); s->cert->pms = NULL; + if(s->session->master_key_length < 0) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; + } } return n; memerr: diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 83a576ad1a..bcefe12769 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -253,7 +253,10 @@ int ssl3_change_cipher_state(SSL *s, int which) EVP_CIPHER_CTX_init(s->enc_read_ctx); dd = s->enc_read_ctx; - ssl_replace_hash(&s->read_hash, m); + if(!ssl_replace_hash(&s->read_hash, m)) { + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); + goto err2; + } #ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->expand != NULL) { @@ -288,7 +291,10 @@ int ssl3_change_cipher_state(SSL *s, int which) */ EVP_CIPHER_CTX_init(s->enc_write_ctx); dd = s->enc_write_ctx; - ssl_replace_hash(&s->write_hash, m); + if(!ssl_replace_hash(&s->write_hash, m)) { + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); + goto err2; + } #ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->compress != NULL) { diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 3e6530e32b..d40a181ebe 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3114,7 +3114,8 @@ int ssl3_new(SSL *s) s->s3 = s3; #ifndef OPENSSL_NO_SRP - SSL_SRP_CTX_init(s); + if(!SSL_SRP_CTX_init(s)) + goto err; #endif s->method->ssl_clear(s); return (1); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index cf02e49f76..4f81f1a222 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1320,7 +1320,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } #ifndef OPENSSL_NO_HEARTBEATS else if (rr->type == TLS1_RT_HEARTBEAT) { - tls1_process_heartbeat(s); + /* We can ignore 0 return values */ + if(tls1_process_heartbeat(s) < 0) { + return -1; + } /* Exit and notify application to read again */ rr->length = 0; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index f8c7e373cd..16265dcb39 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -226,8 +226,10 @@ int ssl3_accept(SSL *s) /* init things to blank */ s->in_handshake++; - if (!SSL_in_init(s) || SSL_in_before(s)) - SSL_clear(s); + if (!SSL_in_init(s) || SSL_in_before(s)) { + if(!SSL_clear(s)) + return -1; + } if (s->cert == NULL) { SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET); @@ -2227,6 +2229,11 @@ int ssl3_get_client_key_exchange(SSL *s) sizeof (rand_premaster_secret)); OPENSSL_cleanse(p, sizeof(rand_premaster_secret)); + if(s->session->master_key_length < 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } } else #endif #ifndef OPENSSL_NO_DH @@ -2319,6 +2326,11 @@ int ssl3_get_client_key_exchange(SSL *s) session->master_key, p, i); OPENSSL_cleanse(p, i); + if(s->session->master_key_length < 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (dh_clnt) return 2; } else @@ -2484,6 +2496,11 @@ int ssl3_get_client_key_exchange(SSL *s) s-> session->master_key, pms, outl); + if(s->session->master_key_length < 0) { + al = SSL_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (kssl_ctx->client_princ) { size_t len = strlen(kssl_ctx->client_princ); @@ -2632,6 +2649,11 @@ int ssl3_get_client_key_exchange(SSL *s) p, i); OPENSSL_cleanse(p, i); + if(s->session->master_key_length < 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } return (ret); } else #endif @@ -2716,6 +2738,11 @@ int ssl3_get_client_key_exchange(SSL *s) session->master_key, psk_or_pre_ms, pre_ms_len); + if(s->session->master_key_length < 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto psk_err; + } psk_err = 0; psk_err: OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); @@ -2817,6 +2844,11 @@ int ssl3_get_client_key_exchange(SSL *s) s-> session->master_key, premaster_secret, 32); + if(s->session->master_key_length < 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } /* Check if pubkey from client certificate was used */ if (EVP_PKEY_CTX_ctrl (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) diff --git a/ssl/ssl.h b/ssl/ssl.h index ba58e0fd4c..60d196ecef 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1773,7 +1773,7 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl, __owur const COMP_METHOD *SSL_get_current_compression(SSL *s); __owur const COMP_METHOD *SSL_get_current_expansion(SSL *s); __owur const char *SSL_COMP_get_name(const COMP_METHOD *comp); -__owur STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); +STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); __owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths); void SSL_COMP_free_compression_methods(void); @@ -1782,7 +1782,7 @@ __owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm); __owur const void *SSL_get_current_compression(SSL *s); __owur const void *SSL_get_current_expansion(SSL *s); __owur const char *SSL_COMP_get_name(const void *comp); -__owur void *SSL_COMP_get_compression_methods(void); +void *SSL_COMP_get_compression_methods(void); __owur int SSL_COMP_add_compression_method(int id, void *cm); # endif @@ -1956,6 +1956,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_DTLS1_READ_BYTES 258 # define SSL_F_DTLS1_READ_FAILED 259 # define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260 +# define SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC 342 # define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261 # define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262 # define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263 diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 504e4d7a46..ba9fc48a8d 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -130,7 +130,7 @@ int SSL_library_init(void) * This will initialise the built-in compression algorithms. The value * returned is a STACK_OF(SSL_COMP), but that can be discarded safely */ - (void)SSL_COMP_get_compression_methods(); + SSL_COMP_get_compression_methods(); #endif /* initialize cipher/digest methods table */ ssl_load_ciphers(); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index f220e8e572..0f6758bb52 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -532,10 +532,13 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, else *comp = NULL; } + /* If were only interested in comp then return success */ + if((enc == NULL) && (md == NULL)) + return 1; } if ((enc == NULL) || (md == NULL)) - return (0); + return 0; switch (c->algorithm_enc) { case SSL_DES: diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index f370e9e383..5616f7d6b6 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* ssl/ssl_err.c */ /* ==================================================================== - * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -83,8 +83,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"}, {ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"}, {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "dtls1_get_message"}, - {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), - "DTLS1_GET_MESSAGE_FRAGMENT"}, + {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"}, {ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "dtls1_get_record"}, {ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "dtls1_handle_timeout"}, {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"}, @@ -96,7 +95,9 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "dtls1_read_bytes"}, {ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "dtls1_read_failed"}, {ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST), - "dtls1_send_certificate_request"}, + "DTLS1_SEND_CERTIFICATE_REQUEST"}, + {ERR_FUNC(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC), + "dtls1_send_change_cipher_spec"}, {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "dtls1_send_client_certificate"}, {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE), @@ -109,8 +110,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "dtls1_send_server_hello"}, {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "dtls1_send_server_key_exchange"}, - {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), - "dtls1_write_app_data_bytes"}, + {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"}, {ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"}, {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"}, {ERR_FUNC(SSL_F_SSL23_CONNECT), "ssl23_connect"}, @@ -130,10 +130,8 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"}, {ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"}, {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "ssl3_ctx_ctrl"}, - {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), - "ssl3_digest_cached_records"}, - {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), - "ssl3_do_change_cipher_spec"}, + {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "ssl3_digest_cached_records"}, + {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "ssl3_do_change_cipher_spec"}, {ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"}, {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"}, {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), @@ -183,8 +181,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL_ADD_CERT_TO_BUF), "SSL_ADD_CERT_TO_BUF"}, {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "ssl_add_clienthello_renegotiate_ext"}, - {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), - "ssl_add_clienthello_tlsext"}, + {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "ssl_add_clienthello_tlsext"}, {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT), "ssl_add_clienthello_use_srtp_ext"}, {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), @@ -193,8 +190,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { "SSL_add_file_cert_subjects_to_stack"}, {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "ssl_add_serverhello_renegotiate_ext"}, - {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), - "ssl_add_serverhello_tlsext"}, + {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "ssl_add_serverhello_tlsext"}, {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT), "ssl_add_serverhello_use_srtp_ext"}, {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"}, @@ -210,8 +206,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { "SSL_CHECK_SERVERHELLO_TLSEXT"}, {ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG), "ssl_check_srvr_ecc_cert_and_alg"}, - {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), - "SSL_CIPHER_PROCESS_RULESTR"}, + {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"}, {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"}, {ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"}, {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), @@ -296,10 +291,8 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"}, {ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"}, {ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), - "SSL_set_session_id_context"}, - {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), - "SSL_set_session_ticket_ext"}, + {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"}, + {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, {ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"}, {ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"}, {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"}, @@ -317,10 +310,8 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"}, {ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"}, {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), - "SSL_use_RSAPrivateKey_ASN1"}, - {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), - "SSL_use_RSAPrivateKey_file"}, + {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"}, + {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"}, {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, {ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"}, @@ -391,16 +382,14 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_BAD_VALUE), "bad value"}, {ERR_REASON(SSL_R_BAD_WRITE_RETRY), "bad write retry"}, {ERR_REASON(SSL_R_BIO_NOT_SET), "bio not set"}, - {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), - "block cipher pad is wrong"}, + {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"}, {ERR_REASON(SSL_R_BN_LIB), "bn lib"}, {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"}, {ERR_REASON(SSL_R_CA_DN_TOO_LONG), "ca dn too long"}, {ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"}, {ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"}, {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY), "ccs received early"}, - {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), - "certificate verify failed"}, + {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"}, {ERR_REASON(SSL_R_CERT_CB_ERROR), "cert cb error"}, {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH), "cert length mismatch"}, {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"}, @@ -413,8 +402,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_COMPRESSION_FAILURE), "compression failure"}, {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), "compression id not within private range"}, - {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), - "compression library error"}, + {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"}, {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"}, {ERR_REASON(SSL_R_COOKIE_MISMATCH), "cookie mismatch"}, {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), @@ -443,8 +431,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_EE_KEY_TOO_SMALL), "ee key too small"}, {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "empty srtp protection profile list"}, - {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), - "encrypted length too long"}, + {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"}, {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "error generating tmp rsa key"}, {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), @@ -494,8 +481,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"}, {ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT), "missing ecdsa signing cert"}, - {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), - "missing export tmp dh key"}, + {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"}, {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY), "missing export tmp rsa key"}, {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"}, @@ -527,8 +513,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"}, {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"}, {ERR_REASON(SSL_R_NO_RENEGOTIATION), "no renegotiation"}, - {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), - "digest requred for handshake isn't computed"}, + {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), "no required digest"}, {ERR_REASON(SSL_R_NO_SHARED_CIPHER), "no shared cipher"}, {ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS), "no shared sigature algorithms"}, @@ -546,8 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { "only TLS 1.2 allowed in Suite B mode"}, {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "only tls allowed in fips mode"}, - {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), - "opaque PRF input too long"}, + {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "opaque PRF input too long"}, {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"}, {ERR_REASON(SSL_R_PARSE_TLSEXT), "parse tlsext"}, {ERR_REASON(SSL_R_PATH_TOO_LONG), "path too long"}, @@ -597,8 +581,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), "ssl3 ext invalid servername type"}, {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"}, - {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), - "ssl3 session id too short"}, + {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"}, {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), "sslv3 alert bad certificate"}, {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), @@ -634,13 +617,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = { "ssl session id context too long"}, {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "ssl session id has bad length"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), - "tlsv1 alert access denied"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), - "tlsv1 alert decrypt error"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), @@ -683,8 +664,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { "tls rsa encrypted value length is wrong"}, {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER), "tried to use unsupported cipher"}, - {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), - "unable to decode dh certs"}, + {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"}, {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS), "unable to decode ecdh certs"}, {ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS), @@ -693,8 +673,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { "unable to find ecdh parameters"}, {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), "unable to find public key parameters"}, - {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), - "unable to find ssl method"}, + {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"}, {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), "unable to load ssl3 md5 routines"}, {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), @@ -708,12 +687,10 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"}, {ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"}, {ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"}, - {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), - "unknown key exchange type"}, + {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"}, {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"}, {ERR_REASON(SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"}, - {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), - "unknown remote error type"}, + {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"}, {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION), "unknown ssl version"}, {ERR_REASON(SSL_R_UNKNOWN_STATE), "unknown state"}, {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 1e9b34f78a..0c9f4f7006 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -378,7 +378,8 @@ SSL *SSL_new(SSL_CTX *ctx) s->references = 1; s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; - SSL_clear(s); + if(!SSL_clear(s)) + goto err; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); @@ -885,7 +886,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f) CERT *tmp; /* Do we need to to SSL locking? */ - SSL_set_session(t, SSL_get_session(f)); + if(!SSL_set_session(t, SSL_get_session(f))) { + /* How do we handle this!! void function */ + return; + } /* * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa @@ -904,7 +908,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f) t->cert = NULL; if (tmp != NULL) ssl_cert_free(tmp); - SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length); + if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) { + /* Really should do something about this..but void function - ignore */ + ; + } } /* Fix this so it checks all the valid key/cert options */ @@ -1924,10 +1931,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (ret->cert_store == NULL) goto err; - ssl_create_cipher_list(ret->method, + if(!ssl_create_cipher_list(ret->method, &ret->cipher_list, &ret->cipher_list_by_id, - SSL_DEFAULT_CIPHER_LIST, ret->cert); - if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + SSL_DEFAULT_CIPHER_LIST, ret->cert) + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } @@ -1980,7 +1987,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->psk_server_callback = NULL; #endif #ifndef OPENSSL_NO_SRP - SSL_CTX_SRP_CTX_init(ret); + if(!SSL_CTX_SRP_CTX_init(ret)) + goto err; #endif #ifndef OPENSSL_NO_ENGINE ret->client_cert_engine = NULL; @@ -2783,7 +2791,8 @@ SSL *SSL_dup(SSL *s) goto err; } - SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length); + if(!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length)) + goto err; } ret->options = s->options; diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 8799d3dd56..60a68340d1 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -693,7 +693,10 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) int r; unsigned long err; - SSL_CTX_clear_chain_certs(ctx); + if(!SSL_CTX_clear_chain_certs(ctx)) { + ret = 0; + goto end; + } while ((ca = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index cf019c8346..22d2e661b9 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -510,12 +510,14 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, */ if (! (s->session_ctx->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_STORE)) + SSL_SESS_CACHE_NO_INTERNAL_STORE)) { /* * The following should not return 1, otherwise, things are * very strange */ - SSL_CTX_add_session(s->session_ctx, ret); + if(SSL_CTX_add_session(s->session_ctx, ret)) + goto err; + } } } diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index e5774d2c14..ccdf8ec257 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -214,7 +214,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (x->compress_meth != 0) { SSL_COMP *comp = NULL; - ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0); + if(!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0)) + goto err; if (comp == NULL) { if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0) diff --git a/ssl/ssltest.c b/ssl/ssltest.c index a57d5052c3..457ba86a7b 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -1443,8 +1443,11 @@ int main(int argc, char *argv[]) SSL_CTX_set_security_level(s_ctx, 0); if (cipher != NULL) { - SSL_CTX_set_cipher_list(c_ctx, cipher); - SSL_CTX_set_cipher_list(s_ctx, cipher); + if(!SSL_CTX_set_cipher_list(c_ctx, cipher) + || !SSL_CTX_set_cipher_list(s_ctx, cipher)) { + ERR_print_errors(bio_err); + goto end; + } } /* Process SSL_CONF arguments */ @@ -1537,10 +1540,13 @@ int main(int argc, char *argv[]) } if (client_auth) { - SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM); - SSL_CTX_use_PrivateKey_file(c_ctx, + if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) + || !SSL_CTX_use_PrivateKey_file(c_ctx, (client_key ? client_key : client_cert), - SSL_FILETYPE_PEM); + SSL_FILETYPE_PEM)) { + ERR_print_errors(bio_err); + goto end; + } } if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || @@ -1569,8 +1575,11 @@ int main(int argc, char *argv[]) { int session_id_context = 0; - SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, - sizeof session_id_context); + if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, + sizeof session_id_context)) { + ERR_print_errors(bio_err); + goto end; + } } /* Use PSK only if PSK key is given */ @@ -1637,15 +1646,22 @@ int main(int argc, char *argv[]) } #endif - if (serverinfo_sct) - SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE, + if (serverinfo_sct) { + if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE, NULL, NULL, NULL, - serverinfo_cli_parse_cb, NULL); - if (serverinfo_tack) - SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, + serverinfo_cli_parse_cb, NULL)) { + BIO_printf(bio_err, "Error adding SCT extension\n"); + goto end; + } + } + if (serverinfo_tack) { + if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, NULL, NULL, NULL, - serverinfo_cli_parse_cb, NULL); - + serverinfo_cli_parse_cb, NULL)) { + BIO_printf(bio_err, "Error adding TACK extension\n"); + goto end; + } + } if (serverinfo_file) if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) { BIO_printf(bio_err, "missing serverinfo file\n"); @@ -1653,39 +1669,41 @@ int main(int argc, char *argv[]) } if (custom_ext) { - SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, + if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, custom_ext_0_cli_add_cb, NULL, NULL, - custom_ext_0_cli_parse_cb, NULL); - SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, + custom_ext_0_cli_parse_cb, NULL) + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, custom_ext_1_cli_add_cb, NULL, NULL, - custom_ext_1_cli_parse_cb, NULL); - SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, + custom_ext_1_cli_parse_cb, NULL) + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, custom_ext_2_cli_add_cb, NULL, NULL, - custom_ext_2_cli_parse_cb, NULL); - SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, + custom_ext_2_cli_parse_cb, NULL) + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, custom_ext_3_cli_add_cb, NULL, NULL, - custom_ext_3_cli_parse_cb, NULL); - - SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, + custom_ext_3_cli_parse_cb, NULL) + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, custom_ext_0_srv_add_cb, NULL, NULL, - custom_ext_0_srv_parse_cb, NULL); - SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, + custom_ext_0_srv_parse_cb, NULL) + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, custom_ext_1_srv_add_cb, NULL, NULL, - custom_ext_1_srv_parse_cb, NULL); - SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, + custom_ext_1_srv_parse_cb, NULL) + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, custom_ext_2_srv_add_cb, NULL, NULL, - custom_ext_2_srv_parse_cb, NULL); - SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, + custom_ext_2_srv_parse_cb, NULL) + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, custom_ext_3_srv_add_cb, NULL, NULL, - custom_ext_3_srv_parse_cb, NULL); + custom_ext_3_srv_parse_cb, NULL)) { + BIO_printf(bio_err, "Error setting custom extensions\n"); + goto end; + } } if (alpn_server) @@ -1699,7 +1717,12 @@ int main(int argc, char *argv[]) BIO_printf(bio_err, "Error parsing -alpn_client argument\n"); goto end; } - SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len); + /* Returns 0 on success!! */ + if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) { + BIO_printf(bio_err, "Error setting ALPN\n"); + OPENSSL_free(alpn); + goto end; + } OPENSSL_free(alpn); } @@ -1722,8 +1745,12 @@ int main(int argc, char *argv[]) #endif /* OPENSSL_NO_KRB5 */ for (i = 0; i < number; i++) { - if (!reuse) - SSL_set_session(c_ssl, NULL); + if (!reuse) { + if(!SSL_set_session(c_ssl, NULL)) { + BIO_printf(bio_err, "Failed to set session\n"); + goto end; + } + } if (bio_pair) ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time); else diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 26f8415dcb..df97f19386 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1095,7 +1095,8 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, * exchange and before certificate verify) */ s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - ssl3_digest_cached_records(s); + if(!ssl3_digest_cached_records(s)) + return -1; } hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); #ifdef SSL_DEBUG diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 511223eb94..dd28cd6ed8 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1431,7 +1431,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { int el; - ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); + /* Returns 0 on success!! */ + if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } if ((limit - ret - 4 - el) < 0) return NULL; @@ -1601,8 +1605,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, if (SSL_IS_DTLS(s) && s->srtp_profile) { int el; - ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - + /* Returns 0 on success!! */ + if(ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } if ((limit - ret - 4 - el) < 0) return NULL; @@ -4141,12 +4148,13 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* Set validity of certificates in an SSL structure */ void tls1_set_cert_validity(SSL *s) { - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA); - tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC); + /* Deliberately ignore all return values */ + if(tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC) + || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN) + || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN) + || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA) + || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA) + || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC)); } /* User level utiity function to check a chain is suitable */ -- 2.34.1