Fix missing return value checks
authorMatt Caswell <matt@openssl.org>
Fri, 6 Mar 2015 14:37:17 +0000 (14:37 +0000)
committerMatt Caswell <matt@openssl.org>
Mon, 23 Mar 2015 15:23:11 +0000 (15:23 +0000)
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
24 files changed:
ssl/bio_ssl.c
ssl/d1_both.c
ssl/d1_clnt.c
ssl/d1_lib.c
ssl/d1_pkt.c
ssl/d1_srvr.c
ssl/s23_clnt.c
ssl/s23_srvr.c
ssl/s3_clnt.c
ssl/s3_enc.c
ssl/s3_lib.c
ssl/s3_pkt.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl_algs.c
ssl/ssl_ciph.c
ssl/ssl_err.c
ssl/ssl_lib.c
ssl/ssl_rsa.c
ssl/ssl_sess.c
ssl/ssl_txt.c
ssl/ssltest.c
ssl/t1_enc.c
ssl/t1_lib.c

index e2831af..99f8b5e 100644 (file)
@@ -292,7 +292,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
         else if (ssl->handshake_func == ssl->method->ssl_accept)
             SSL_set_accept_state(ssl);
 
-        SSL_clear(ssl);
+        if(!SSL_clear(ssl)) {
+            ret = 0;
+            break;
+        }
 
         if (b->next_bio != NULL)
             ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
index a7d0a82..22626f1 100644 (file)
@@ -989,7 +989,10 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
                                      s->d1->handshake_write_seq, 0, 0);
 
         /* buffer the message to handle re-xmits */
-        dtls1_buffer_message(s, 1);
+        if(!dtls1_buffer_message(s, 1)) {
+            SSLerr(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
 
         s->state = b;
     }
@@ -1237,7 +1240,7 @@ void dtls1_clear_record_buffer(SSL *s)
     }
 }
 
-unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+void dtls1_set_message_header(SSL *s, unsigned char *p,
                                         unsigned char mt, unsigned long len,
                                         unsigned long frag_off,
                                         unsigned long frag_len)
@@ -1250,8 +1253,6 @@ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
 
     dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
                                  frag_off, frag_len);
-
-    return p += DTLS1_HM_HEADER_LENGTH;
 }
 
 /* don't actually do the writing, wait till the MTU has been retrieved */
index 151dd47..c5831cd 100644 (file)
@@ -181,8 +181,10 @@ int dtls1_connect(SSL *s)
         cb = s->ctx->info_callback;
 
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
 #ifndef OPENSSL_NO_SCTP
     /*
index e9a2fc5..b568944 100644 (file)
@@ -567,7 +567,11 @@ static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
     s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
     s->init_off = 0;
     /* Buffer the message to handle re-xmits */
-    dtls1_buffer_message(s, 0);
+    /*
+     * Deliberately swallow error return. We really should do something with
+     * this - but its a void function that can't (easily) be changed
+     */
+    if(!dtls1_buffer_message(s, 0));
 }
 
 static int dtls1_handshake_write(SSL *s)
index 4dbd694..5463acf 100644 (file)
@@ -937,7 +937,10 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         }
 #ifndef OPENSSL_NO_HEARTBEATS
         else if (rr->type == TLS1_RT_HEARTBEAT) {
-            dtls1_process_heartbeat(s);
+            /* We allow a 0 return */
+            if(dtls1_process_heartbeat(s) < 0) {
+                return -1;
+            }
 
             /* Exit and notify application to read again */
             rr->length = 0;
@@ -1246,7 +1249,8 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
             if (dtls1_check_timeout_num(s) < 0)
                 return -1;
 
-            dtls1_retransmit_buffered_messages(s);
+            /* Ignore retransmit failures - swallow return code */
+            if(dtls1_retransmit_buffered_messages(s));
             rr->length = 0;
             goto start;
         }
index bcf63e0..24361ae 100644 (file)
@@ -184,8 +184,10 @@ int dtls1_accept(SSL *s)
 
     /* init things to blank */
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
     s->d1->listen = listen;
 #ifndef OPENSSL_NO_SCTP
index e04d3af..21a32bc 100644 (file)
@@ -157,8 +157,10 @@ int ssl23_connect(SSL *s)
         cb = s->ctx->info_callback;
 
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
     for (;;) {
         state = s->state;
index 6ac6e4e..255d278 100644 (file)
@@ -156,8 +156,10 @@ int ssl23_accept(SSL *s)
         cb = s->ctx->info_callback;
 
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
     for (;;) {
         state = s->state;
index b37a733..3a37a24 100644 (file)
@@ -197,8 +197,10 @@ int ssl3_connect(SSL *s)
         cb = s->ctx->info_callback;
 
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
 #ifndef OPENSSL_NO_HEARTBEATS
     /*
@@ -3044,6 +3046,11 @@ int ssl3_send_client_key_exchange(SSL *s)
         OPENSSL_cleanse(pms, pmslen);
         OPENSSL_free(pms);
         s->cert->pms = NULL;
+        if(s->session->master_key_length < 0) {
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+            SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
     }
     return n;
  memerr:
index 83a576a..bcefe12 100644 (file)
@@ -253,7 +253,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
             EVP_CIPHER_CTX_init(s->enc_read_ctx);
         dd = s->enc_read_ctx;
 
-        ssl_replace_hash(&s->read_hash, m);
+        if(!ssl_replace_hash(&s->read_hash, m)) {
+                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+                goto err2;
+        }
 #ifndef OPENSSL_NO_COMP
         /* COMPRESS */
         if (s->expand != NULL) {
@@ -288,7 +291,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
              */
             EVP_CIPHER_CTX_init(s->enc_write_ctx);
         dd = s->enc_write_ctx;
-        ssl_replace_hash(&s->write_hash, m);
+        if(!ssl_replace_hash(&s->write_hash, m)) {
+                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+                goto err2;
+        }
 #ifndef OPENSSL_NO_COMP
         /* COMPRESS */
         if (s->compress != NULL) {
index 3e6530e..d40a181 100644 (file)
@@ -3114,7 +3114,8 @@ int ssl3_new(SSL *s)
     s->s3 = s3;
 
 #ifndef OPENSSL_NO_SRP
-    SSL_SRP_CTX_init(s);
+    if(!SSL_SRP_CTX_init(s))
+          goto err;
 #endif
     s->method->ssl_clear(s);
     return (1);
index cf02e49..4f81f1a 100644 (file)
@@ -1320,7 +1320,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         }
 #ifndef OPENSSL_NO_HEARTBEATS
         else if (rr->type == TLS1_RT_HEARTBEAT) {
-            tls1_process_heartbeat(s);
+            /* We can ignore 0 return values */
+            if(tls1_process_heartbeat(s) < 0) {
+                return -1;
+            }
 
             /* Exit and notify application to read again */
             rr->length = 0;
index f8c7e37..16265dc 100644 (file)
@@ -226,8 +226,10 @@ int ssl3_accept(SSL *s)
 
     /* init things to blank */
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
     if (s->cert == NULL) {
         SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
@@ -2227,6 +2229,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         sizeof
                                                         (rand_premaster_secret));
         OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
+        if(s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
     } else
 #endif
 #ifndef OPENSSL_NO_DH
@@ -2319,6 +2326,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         session->master_key,
                                                         p, i);
         OPENSSL_cleanse(p, i);
+        if(s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
         if (dh_clnt)
             return 2;
     } else
@@ -2484,6 +2496,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         s->
                                                         session->master_key,
                                                         pms, outl);
+        if(s->session->master_key_length < 0) {
+            al = SSL_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
 
         if (kssl_ctx->client_princ) {
             size_t len = strlen(kssl_ctx->client_princ);
@@ -2632,6 +2649,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         p, i);
 
         OPENSSL_cleanse(p, i);
+        if(s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
         return (ret);
     } else
 #endif
@@ -2716,6 +2738,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         session->master_key,
                                                         psk_or_pre_ms,
                                                         pre_ms_len);
+        if(s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto psk_err;
+        }
         psk_err = 0;
  psk_err:
         OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
@@ -2817,6 +2844,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                         s->
                                                         session->master_key,
                                                         premaster_secret, 32);
+        if(s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
         /* Check if pubkey from client certificate was used */
         if (EVP_PKEY_CTX_ctrl
             (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
index ba58e0f..60d196e 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1773,7 +1773,7 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,
 __owur const COMP_METHOD *SSL_get_current_compression(SSL *s);
 __owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);
 __owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-__owur STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 __owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
                                                       *meths);
 void SSL_COMP_free_compression_methods(void);
@@ -1782,7 +1782,7 @@ __owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
 __owur const void *SSL_get_current_compression(SSL *s);
 __owur const void *SSL_get_current_expansion(SSL *s);
 __owur const char *SSL_COMP_get_name(const void *comp);
-__owur void *SSL_COMP_get_compression_methods(void);
+void *SSL_COMP_get_compression_methods(void);
 __owur int SSL_COMP_add_compression_method(int id, void *cm);
 # endif
 
@@ -1956,6 +1956,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_DTLS1_READ_BYTES                           258
 # define SSL_F_DTLS1_READ_FAILED                          259
 # define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST             260
+# define SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC              342
 # define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE              261
 # define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE             262
 # define SSL_F_DTLS1_SEND_CLIENT_VERIFY                   263
index 504e4d7..ba9fc48 100644 (file)
@@ -130,7 +130,7 @@ int SSL_library_init(void)
      * This will initialise the built-in compression algorithms. The value
      * returned is a STACK_OF(SSL_COMP), but that can be discarded safely
      */
-    (void)SSL_COMP_get_compression_methods();
+    SSL_COMP_get_compression_methods();
 #endif
     /* initialize cipher/digest methods table */
     ssl_load_ciphers();
index f220e8e..0f6758b 100644 (file)
@@ -532,10 +532,13 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             else
                 *comp = NULL;
         }
+        /* If were only interested in comp then return success */
+        if((enc == NULL) && (md == NULL))
+            return 1;
     }
 
     if ((enc == NULL) || (md == NULL))
-        return (0);
+        return 0;
 
     switch (c->algorithm_enc) {
     case SSL_DES:
index f370e9e..5616f7d 100644 (file)
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -83,8 +83,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
     {ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
     {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "dtls1_get_message"},
-    {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),
-     "DTLS1_GET_MESSAGE_FRAGMENT"},
+    {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
     {ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "dtls1_get_record"},
     {ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "dtls1_handle_timeout"},
     {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
@@ -96,7 +95,9 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "dtls1_read_bytes"},
     {ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "dtls1_read_failed"},
     {ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),
-     "dtls1_send_certificate_request"},
+     "DTLS1_SEND_CERTIFICATE_REQUEST"},
+    {ERR_FUNC(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC),
+     "dtls1_send_change_cipher_spec"},
     {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE),
      "dtls1_send_client_certificate"},
     {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),
@@ -109,8 +110,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "dtls1_send_server_hello"},
     {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),
      "dtls1_send_server_key_exchange"},
-    {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),
-     "dtls1_write_app_data_bytes"},
+    {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"},
     {ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"},
     {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
     {ERR_FUNC(SSL_F_SSL23_CONNECT), "ssl23_connect"},
@@ -130,10 +130,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"},
     {ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"},
     {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "ssl3_ctx_ctrl"},
-    {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS),
-     "ssl3_digest_cached_records"},
-    {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),
-     "ssl3_do_change_cipher_spec"},
+    {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "ssl3_digest_cached_records"},
+    {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "ssl3_do_change_cipher_spec"},
     {ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"},
     {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
     {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),
@@ -183,8 +181,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_ADD_CERT_TO_BUF), "SSL_ADD_CERT_TO_BUF"},
     {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),
      "ssl_add_clienthello_renegotiate_ext"},
-    {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),
-     "ssl_add_clienthello_tlsext"},
+    {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "ssl_add_clienthello_tlsext"},
     {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT),
      "ssl_add_clienthello_use_srtp_ext"},
     {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),
@@ -193,8 +190,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "SSL_add_file_cert_subjects_to_stack"},
     {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),
      "ssl_add_serverhello_renegotiate_ext"},
-    {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),
-     "ssl_add_serverhello_tlsext"},
+    {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "ssl_add_serverhello_tlsext"},
     {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT),
      "ssl_add_serverhello_use_srtp_ext"},
     {ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"},
@@ -210,8 +206,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "SSL_CHECK_SERVERHELLO_TLSEXT"},
     {ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),
      "ssl_check_srvr_ecc_cert_and_alg"},
-    {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),
-     "SSL_CIPHER_PROCESS_RULESTR"},
+    {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
     {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
     {ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
     {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),
@@ -296,10 +291,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
     {ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
     {ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
-    {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),
-     "SSL_set_session_id_context"},
-    {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),
-     "SSL_set_session_ticket_ext"},
+    {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
+    {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
     {ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
     {ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
     {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
@@ -317,10 +310,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
     {ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
     {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
-    {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),
-     "SSL_use_RSAPrivateKey_ASN1"},
-    {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),
-     "SSL_use_RSAPrivateKey_file"},
+    {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
+    {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
     {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"},
     {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
     {ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
@@ -391,16 +382,14 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_BAD_VALUE), "bad value"},
     {ERR_REASON(SSL_R_BAD_WRITE_RETRY), "bad write retry"},
     {ERR_REASON(SSL_R_BIO_NOT_SET), "bio not set"},
-    {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
-     "block cipher pad is wrong"},
+    {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"},
     {ERR_REASON(SSL_R_BN_LIB), "bn lib"},
     {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"},
     {ERR_REASON(SSL_R_CA_DN_TOO_LONG), "ca dn too long"},
     {ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
     {ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},
     {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY), "ccs received early"},
-    {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),
-     "certificate verify failed"},
+    {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"},
     {ERR_REASON(SSL_R_CERT_CB_ERROR), "cert cb error"},
     {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH), "cert length mismatch"},
     {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
@@ -413,8 +402,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_COMPRESSION_FAILURE), "compression failure"},
     {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),
      "compression id not within private range"},
-    {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),
-     "compression library error"},
+    {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"},
     {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"},
     {ERR_REASON(SSL_R_COOKIE_MISMATCH), "cookie mismatch"},
     {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),
@@ -443,8 +431,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_EE_KEY_TOO_SMALL), "ee key too small"},
     {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),
      "empty srtp protection profile list"},
-    {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
-     "encrypted length too long"},
+    {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"},
     {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),
      "error generating tmp rsa key"},
     {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
@@ -494,8 +481,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"},
     {ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),
      "missing ecdsa signing cert"},
-    {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),
-     "missing export tmp dh key"},
+    {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"},
     {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),
      "missing export tmp rsa key"},
     {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
@@ -527,8 +513,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
     {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"},
     {ERR_REASON(SSL_R_NO_RENEGOTIATION), "no renegotiation"},
-    {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST),
-     "digest requred for handshake isn't computed"},
+    {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), "no required digest"},
     {ERR_REASON(SSL_R_NO_SHARED_CIPHER), "no shared cipher"},
     {ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS),
      "no shared sigature algorithms"},
@@ -546,8 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "only TLS 1.2 allowed in Suite B mode"},
     {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),
      "only tls allowed in fips mode"},
-    {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),
-     "opaque PRF input too long"},
+    {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "opaque PRF input too long"},
     {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
     {ERR_REASON(SSL_R_PARSE_TLSEXT), "parse tlsext"},
     {ERR_REASON(SSL_R_PATH_TOO_LONG), "path too long"},
@@ -597,8 +581,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),
      "ssl3 ext invalid servername type"},
     {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"},
-    {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),
-     "ssl3 session id too short"},
+    {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"},
     {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
      "sslv3 alert bad certificate"},
     {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
@@ -634,13 +617,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "ssl session id context too long"},
     {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
      "ssl session id has bad length"},
-    {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),
-     "tlsv1 alert access denied"},
+    {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),
      "tlsv1 alert decryption failed"},
-    {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
-     "tlsv1 alert decrypt error"},
+    {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
      "tlsv1 alert export restriction"},
     {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
@@ -683,8 +664,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "tls rsa encrypted value length is wrong"},
     {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),
      "tried to use unsupported cipher"},
-    {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),
-     "unable to decode dh certs"},
+    {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
     {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),
      "unable to decode ecdh certs"},
     {ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),
@@ -693,8 +673,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "unable to find ecdh parameters"},
     {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),
      "unable to find public key parameters"},
-    {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),
-     "unable to find ssl method"},
+    {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"},
     {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),
      "unable to load ssl3 md5 routines"},
     {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
@@ -708,12 +687,10 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"},
     {ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
     {ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"},
-    {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
-     "unknown key exchange type"},
+    {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"},
     {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"},
     {ERR_REASON(SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"},
-    {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),
-     "unknown remote error type"},
+    {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"},
     {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION), "unknown ssl version"},
     {ERR_REASON(SSL_R_UNKNOWN_STATE), "unknown state"},
     {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),
index 1e9b34f..0c9f4f7 100644 (file)
@@ -378,7 +378,8 @@ SSL *SSL_new(SSL_CTX *ctx)
     s->references = 1;
     s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
 
-    SSL_clear(s);
+    if(!SSL_clear(s))
+        goto err;
 
     CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
 
@@ -885,7 +886,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
     CERT *tmp;
 
     /* Do we need to to SSL locking? */
-    SSL_set_session(t, SSL_get_session(f));
+    if(!SSL_set_session(t, SSL_get_session(f))) {
+        /* How do we handle this!! void function */
+        return;
+    }
 
     /*
      * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
@@ -904,7 +908,10 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
         t->cert = NULL;
     if (tmp != NULL)
         ssl_cert_free(tmp);
-    SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);
+    if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
+        /* Really should do something about this..but void function - ignore */
+        ;
+    }
 }
 
 /* Fix this so it checks all the valid key/cert options */
@@ -1924,10 +1931,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     if (ret->cert_store == NULL)
         goto err;
 
-    ssl_create_cipher_list(ret->method,
+    if(!ssl_create_cipher_list(ret->method,
                            &ret->cipher_list, &ret->cipher_list_by_id,
-                           SSL_DEFAULT_CIPHER_LIST, ret->cert);
-    if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+                           SSL_DEFAULT_CIPHER_LIST, ret->cert)
+       || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
         goto err2;
     }
@@ -1980,7 +1987,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     ret->psk_server_callback = NULL;
 #endif
 #ifndef OPENSSL_NO_SRP
-    SSL_CTX_SRP_CTX_init(ret);
+    if(!SSL_CTX_SRP_CTX_init(ret))
+        goto err;
 #endif
 #ifndef OPENSSL_NO_ENGINE
     ret->client_cert_engine = NULL;
@@ -2783,7 +2791,8 @@ SSL *SSL_dup(SSL *s)
                 goto err;
         }
 
-        SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length);
+        if(!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
+            goto err;
     }
 
     ret->options = s->options;
index 8799d3d..60a6834 100644 (file)
@@ -693,7 +693,10 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
         int r;
         unsigned long err;
 
-        SSL_CTX_clear_chain_certs(ctx);
+        if(!SSL_CTX_clear_chain_certs(ctx)) {
+            ret = 0;
+            goto end;
+        }
 
         while ((ca = PEM_read_bio_X509(in, NULL,
                                        ctx->default_passwd_callback,
index cf019c8..22d2e66 100644 (file)
@@ -510,12 +510,14 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
              */
             if (!
                 (s->session_ctx->session_cache_mode &
-                 SSL_SESS_CACHE_NO_INTERNAL_STORE))
+                 SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
                 /*
                  * The following should not return 1, otherwise, things are
                  * very strange
                  */
-                SSL_CTX_add_session(s->session_ctx, ret);
+                if(SSL_CTX_add_session(s->session_ctx, ret))
+                    goto err;
+            }
         }
     }
 
index e5774d2..ccdf8ec 100644 (file)
@@ -214,7 +214,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
     if (x->compress_meth != 0) {
         SSL_COMP *comp = NULL;
 
-        ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0);
+        if(!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0))
+            goto err;
         if (comp == NULL) {
             if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <=
                 0)
index a57d505..457ba86 100644 (file)
@@ -1443,8 +1443,11 @@ int main(int argc, char *argv[])
     SSL_CTX_set_security_level(s_ctx, 0);
 
     if (cipher != NULL) {
-        SSL_CTX_set_cipher_list(c_ctx, cipher);
-        SSL_CTX_set_cipher_list(s_ctx, cipher);
+        if(!SSL_CTX_set_cipher_list(c_ctx, cipher)
+           || !SSL_CTX_set_cipher_list(s_ctx, cipher)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
     }
 
     /* Process SSL_CONF arguments */
@@ -1537,10 +1540,13 @@ int main(int argc, char *argv[])
     }
 
     if (client_auth) {
-        SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM);
-        SSL_CTX_use_PrivateKey_file(c_ctx,
+        if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
+           || !SSL_CTX_use_PrivateKey_file(c_ctx,
                                     (client_key ? client_key : client_cert),
-                                    SSL_FILETYPE_PEM);
+                                    SSL_FILETYPE_PEM)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
     }
 
     if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
@@ -1569,8 +1575,11 @@ int main(int argc, char *argv[])
 
     {
         int session_id_context = 0;
-        SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
-                                       sizeof session_id_context);
+        if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
+                                       sizeof session_id_context)) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
     }
 
     /* Use PSK only if PSK key is given */
@@ -1637,15 +1646,22 @@ int main(int argc, char *argv[])
     }
 #endif
 
-    if (serverinfo_sct)
-        SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
+    if (serverinfo_sct) {
+        if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
                                       NULL, NULL, NULL,
-                                      serverinfo_cli_parse_cb, NULL);
-    if (serverinfo_tack)
-        SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
+                                      serverinfo_cli_parse_cb, NULL)) {
+            BIO_printf(bio_err, "Error adding SCT extension\n");
+            goto end;
+        }
+    }
+    if (serverinfo_tack) {
+        if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
                                       NULL, NULL, NULL,
-                                      serverinfo_cli_parse_cb, NULL);
-
+                                      serverinfo_cli_parse_cb, NULL)) {
+            BIO_printf(bio_err, "Error adding TACK extension\n");
+            goto end;
+        }
+    }
     if (serverinfo_file)
         if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) {
             BIO_printf(bio_err, "missing serverinfo file\n");
@@ -1653,39 +1669,41 @@ int main(int argc, char *argv[])
         }
 
     if (custom_ext) {
-        SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
+        if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
                                       custom_ext_0_cli_add_cb,
                                       NULL, NULL,
-                                      custom_ext_0_cli_parse_cb, NULL);
-        SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
+                                      custom_ext_0_cli_parse_cb, NULL)
+           || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
                                       custom_ext_1_cli_add_cb,
                                       NULL, NULL,
-                                      custom_ext_1_cli_parse_cb, NULL);
-        SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
+                                      custom_ext_1_cli_parse_cb, NULL)
+           || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
                                       custom_ext_2_cli_add_cb,
                                       NULL, NULL,
-                                      custom_ext_2_cli_parse_cb, NULL);
-        SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
+                                      custom_ext_2_cli_parse_cb, NULL)
+           || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
                                       custom_ext_3_cli_add_cb,
                                       NULL, NULL,
-                                      custom_ext_3_cli_parse_cb, NULL);
-
-        SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
+                                      custom_ext_3_cli_parse_cb, NULL)
+           || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
                                       custom_ext_0_srv_add_cb,
                                       NULL, NULL,
-                                      custom_ext_0_srv_parse_cb, NULL);
-        SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
+                                      custom_ext_0_srv_parse_cb, NULL)
+           || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
                                       custom_ext_1_srv_add_cb,
                                       NULL, NULL,
-                                      custom_ext_1_srv_parse_cb, NULL);
-        SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
+                                      custom_ext_1_srv_parse_cb, NULL)
+           || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
                                       custom_ext_2_srv_add_cb,
                                       NULL, NULL,
-                                      custom_ext_2_srv_parse_cb, NULL);
-        SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
+                                      custom_ext_2_srv_parse_cb, NULL)
+           || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
                                       custom_ext_3_srv_add_cb,
                                       NULL, NULL,
-                                      custom_ext_3_srv_parse_cb, NULL);
+                                      custom_ext_3_srv_parse_cb, NULL)) {
+            BIO_printf(bio_err, "Error setting custom extensions\n");
+            goto end;
+        }
     }
 
     if (alpn_server)
@@ -1699,7 +1717,12 @@ int main(int argc, char *argv[])
             BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
             goto end;
         }
-        SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
+        /* Returns 0 on success!! */
+        if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
+            BIO_printf(bio_err, "Error setting ALPN\n");
+            OPENSSL_free(alpn);
+            goto end;
+        }
         OPENSSL_free(alpn);
     }
 
@@ -1722,8 +1745,12 @@ int main(int argc, char *argv[])
 #endif                          /* OPENSSL_NO_KRB5 */
 
     for (i = 0; i < number; i++) {
-        if (!reuse)
-            SSL_set_session(c_ssl, NULL);
+        if (!reuse) {
+            if(!SSL_set_session(c_ssl, NULL)) {
+                BIO_printf(bio_err, "Failed to set session\n");
+                goto end;
+            }
+        }
         if (bio_pair)
             ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
         else
index 26f8415..df97f19 100644 (file)
@@ -1095,7 +1095,8 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
              * exchange and before certificate verify)
              */
             s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
-            ssl3_digest_cached_records(s);
+            if(!ssl3_digest_cached_records(s))
+                return -1;
         }
         hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
 #ifdef SSL_DEBUG
index 511223e..dd28cd6 100644 (file)
@@ -1431,7 +1431,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
         int el;
 
-        ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
+        /* Returns 0 on success!! */
+        if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
+            SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            return NULL;
+        }
 
         if ((limit - ret - 4 - el) < 0)
             return NULL;
@@ -1601,8 +1605,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
     if (SSL_IS_DTLS(s) && s->srtp_profile) {
         int el;
 
-        ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
-
+        /* Returns 0 on success!! */
+        if(ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
+            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            return NULL;
+        }
         if ((limit - ret - 4 - el) < 0)
             return NULL;
 
@@ -4141,12 +4148,13 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 /* Set validity of certificates in an SSL structure */
 void tls1_set_cert_validity(SSL *s)
 {
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
-    tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+    /* Deliberately ignore all return values */
+    if(tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC)
+       || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN)
+       || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN)
+       || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA)
+       || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA)
+       || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC));
 }
 
 /* User level utiity function to check a chain is suitable */