Fix missing return value checks
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.
Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index e2831af..99f8b5e 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -292,7 +292,10 @@
else if (ssl->handshake_func == ssl->method->ssl_accept)
SSL_set_accept_state(ssl);
- SSL_clear(ssl);
+ if(!SSL_clear(ssl)) {
+ ret = 0;
+ break;
+ }
if (b->next_bio != NULL)
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index a7d0a82..22626f1 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -989,7 +989,10 @@
s->d1->handshake_write_seq, 0, 0);
/* buffer the message to handle re-xmits */
- dtls1_buffer_message(s, 1);
+ if(!dtls1_buffer_message(s, 1)) {
+ SSLerr(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
s->state = b;
}
@@ -1237,7 +1240,7 @@
}
}
-unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+void dtls1_set_message_header(SSL *s, unsigned char *p,
unsigned char mt, unsigned long len,
unsigned long frag_off,
unsigned long frag_len)
@@ -1250,8 +1253,6 @@
dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
frag_off, frag_len);
-
- return p += DTLS1_HM_HEADER_LENGTH;
}
/* don't actually do the writing, wait till the MTU has been retrieved */
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 151dd47..c5831cd 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -181,8 +181,10 @@
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
#ifndef OPENSSL_NO_SCTP
/*
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index e9a2fc5..b568944 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -567,7 +567,11 @@
s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
s->init_off = 0;
/* Buffer the message to handle re-xmits */
- dtls1_buffer_message(s, 0);
+ /*
+ * Deliberately swallow error return. We really should do something with
+ * this - but its a void function that can't (easily) be changed
+ */
+ if(!dtls1_buffer_message(s, 0));
}
static int dtls1_handshake_write(SSL *s)
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 4dbd694..5463acf 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -937,7 +937,10 @@
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
- dtls1_process_heartbeat(s);
+ /* We allow a 0 return */
+ if(dtls1_process_heartbeat(s) < 0) {
+ return -1;
+ }
/* Exit and notify application to read again */
rr->length = 0;
@@ -1246,7 +1249,8 @@
if (dtls1_check_timeout_num(s) < 0)
return -1;
- dtls1_retransmit_buffered_messages(s);
+ /* Ignore retransmit failures - swallow return code */
+ if(dtls1_retransmit_buffered_messages(s));
rr->length = 0;
goto start;
}
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index bcf63e0..24361ae 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -184,8 +184,10 @@
/* init things to blank */
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
s->d1->listen = listen;
#ifndef OPENSSL_NO_SCTP
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index e04d3af..21a32bc 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -157,8 +157,10 @@
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
for (;;) {
state = s->state;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 6ac6e4e..255d278 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -156,8 +156,10 @@
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
for (;;) {
state = s->state;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b37a733..3a37a24 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -197,8 +197,10 @@
cb = s->ctx->info_callback;
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
#ifndef OPENSSL_NO_HEARTBEATS
/*
@@ -3044,6 +3046,11 @@
OPENSSL_cleanse(pms, pmslen);
OPENSSL_free(pms);
s->cert->pms = NULL;
+ if(s->session->master_key_length < 0) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
}
return n;
memerr:
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 83a576a..bcefe12 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -253,7 +253,10 @@
EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd = s->enc_read_ctx;
- ssl_replace_hash(&s->read_hash, m);
+ if(!ssl_replace_hash(&s->read_hash, m)) {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->expand != NULL) {
@@ -288,7 +291,10 @@
*/
EVP_CIPHER_CTX_init(s->enc_write_ctx);
dd = s->enc_write_ctx;
- ssl_replace_hash(&s->write_hash, m);
+ if(!ssl_replace_hash(&s->write_hash, m)) {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->compress != NULL) {
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 3e6530e..d40a181 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3114,7 +3114,8 @@
s->s3 = s3;
#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_init(s);
+ if(!SSL_SRP_CTX_init(s))
+ goto err;
#endif
s->method->ssl_clear(s);
return (1);
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index cf02e49..4f81f1a 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1320,7 +1320,10 @@
}
#ifndef OPENSSL_NO_HEARTBEATS
else if (rr->type == TLS1_RT_HEARTBEAT) {
- tls1_process_heartbeat(s);
+ /* We can ignore 0 return values */
+ if(tls1_process_heartbeat(s) < 0) {
+ return -1;
+ }
/* Exit and notify application to read again */
rr->length = 0;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f8c7e37..16265dc 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -226,8 +226,10 @@
/* init things to blank */
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s))
- SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s)) {
+ if(!SSL_clear(s))
+ return -1;
+ }
if (s->cert == NULL) {
SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
@@ -2227,6 +2229,11 @@
sizeof
(rand_premaster_secret));
OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
} else
#endif
#ifndef OPENSSL_NO_DH
@@ -2319,6 +2326,11 @@
session->master_key,
p, i);
OPENSSL_cleanse(p, i);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (dh_clnt)
return 2;
} else
@@ -2484,6 +2496,11 @@
s->
session->master_key,
pms, outl);
+ if(s->session->master_key_length < 0) {
+ al = SSL_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (kssl_ctx->client_princ) {
size_t len = strlen(kssl_ctx->client_princ);
@@ -2632,6 +2649,11 @@
p, i);
OPENSSL_cleanse(p, i);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
return (ret);
} else
#endif
@@ -2716,6 +2738,11 @@
session->master_key,
psk_or_pre_ms,
pre_ms_len);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto psk_err;
+ }
psk_err = 0;
psk_err:
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
@@ -2817,6 +2844,11 @@
s->
session->master_key,
premaster_secret, 32);
+ if(s->session->master_key_length < 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
/* Check if pubkey from client certificate was used */
if (EVP_PKEY_CTX_ctrl
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index ba58e0f..60d196e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1773,7 +1773,7 @@
__owur const COMP_METHOD *SSL_get_current_compression(SSL *s);
__owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);
__owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-__owur STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
__owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
*meths);
void SSL_COMP_free_compression_methods(void);
@@ -1782,7 +1782,7 @@
__owur const void *SSL_get_current_compression(SSL *s);
__owur const void *SSL_get_current_expansion(SSL *s);
__owur const char *SSL_COMP_get_name(const void *comp);
-__owur void *SSL_COMP_get_compression_methods(void);
+void *SSL_COMP_get_compression_methods(void);
__owur int SSL_COMP_add_compression_method(int id, void *cm);
# endif
@@ -1956,6 +1956,7 @@
# define SSL_F_DTLS1_READ_BYTES 258
# define SSL_F_DTLS1_READ_FAILED 259
# define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
+# define SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC 342
# define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
# define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
# define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 504e4d7..ba9fc48 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -130,7 +130,7 @@
* This will initialise the built-in compression algorithms. The value
* returned is a STACK_OF(SSL_COMP), but that can be discarded safely
*/
- (void)SSL_COMP_get_compression_methods();
+ SSL_COMP_get_compression_methods();
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index f220e8e..0f6758b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -532,10 +532,13 @@
else
*comp = NULL;
}
+ /* If were only interested in comp then return success */
+ if((enc == NULL) && (md == NULL))
+ return 1;
}
if ((enc == NULL) || (md == NULL))
- return (0);
+ return 0;
switch (c->algorithm_enc) {
case SSL_DES:
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index f370e9e..5616f7d 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -83,8 +83,7 @@
{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
{ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY), "DTLS1_GET_HELLO_VERIFY"},
{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE), "dtls1_get_message"},
- {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),
- "DTLS1_GET_MESSAGE_FRAGMENT"},
+ {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "dtls1_get_record"},
{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "dtls1_handle_timeout"},
{ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
@@ -96,7 +95,9 @@
{ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "dtls1_read_bytes"},
{ERR_FUNC(SSL_F_DTLS1_READ_FAILED), "dtls1_read_failed"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),
- "dtls1_send_certificate_request"},
+ "DTLS1_SEND_CERTIFICATE_REQUEST"},
+ {ERR_FUNC(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC),
+ "dtls1_send_change_cipher_spec"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE),
"dtls1_send_client_certificate"},
{ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),
@@ -109,8 +110,7 @@
{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO), "dtls1_send_server_hello"},
{ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),
"dtls1_send_server_key_exchange"},
- {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),
- "dtls1_write_app_data_bytes"},
+ {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"},
{ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"},
{ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL23_CONNECT), "ssl23_connect"},
@@ -130,10 +130,8 @@
{ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"},
{ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"},
{ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "ssl3_ctx_ctrl"},
- {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS),
- "ssl3_digest_cached_records"},
- {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),
- "ssl3_do_change_cipher_spec"},
+ {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS), "ssl3_digest_cached_records"},
+ {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "ssl3_do_change_cipher_spec"},
{ERR_FUNC(SSL_F_SSL3_ENC), "ssl3_enc"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),
@@ -183,8 +181,7 @@
{ERR_FUNC(SSL_F_SSL_ADD_CERT_TO_BUF), "SSL_ADD_CERT_TO_BUF"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),
"ssl_add_clienthello_renegotiate_ext"},
- {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),
- "ssl_add_clienthello_tlsext"},
+ {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "ssl_add_clienthello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT),
"ssl_add_clienthello_use_srtp_ext"},
{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),
@@ -193,8 +190,7 @@
"SSL_add_file_cert_subjects_to_stack"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),
"ssl_add_serverhello_renegotiate_ext"},
- {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),
- "ssl_add_serverhello_tlsext"},
+ {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "ssl_add_serverhello_tlsext"},
{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT),
"ssl_add_serverhello_use_srtp_ext"},
{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "ssl_bad_method"},
@@ -210,8 +206,7 @@
"SSL_CHECK_SERVERHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),
"ssl_check_srvr_ecc_cert_and_alg"},
- {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),
- "SSL_CIPHER_PROCESS_RULESTR"},
+ {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR), "SSL_CIPHER_PROCESS_RULESTR"},
{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"},
{ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"},
{ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),
@@ -296,10 +291,8 @@
{ERR_FUNC(SSL_F_SSL_SET_PURPOSE), "SSL_set_purpose"},
{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
- {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),
- "SSL_set_session_id_context"},
- {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),
- "SSL_set_session_ticket_ext"},
+ {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
+ {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
@@ -317,10 +310,8 @@
{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
- {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),
- "SSL_use_RSAPrivateKey_ASN1"},
- {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),
- "SSL_use_RSAPrivateKey_file"},
+ {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
+ {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"},
{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
{ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
@@ -391,16 +382,14 @@
{ERR_REASON(SSL_R_BAD_VALUE), "bad value"},
{ERR_REASON(SSL_R_BAD_WRITE_RETRY), "bad write retry"},
{ERR_REASON(SSL_R_BIO_NOT_SET), "bio not set"},
- {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
- "block cipher pad is wrong"},
+ {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"},
{ERR_REASON(SSL_R_BN_LIB), "bn lib"},
{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH), "ca dn length mismatch"},
{ERR_REASON(SSL_R_CA_DN_TOO_LONG), "ca dn too long"},
{ERR_REASON(SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
{ERR_REASON(SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},
{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY), "ccs received early"},
- {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),
- "certificate verify failed"},
+ {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"},
{ERR_REASON(SSL_R_CERT_CB_ERROR), "cert cb error"},
{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH), "cert length mismatch"},
{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
@@ -413,8 +402,7 @@
{ERR_REASON(SSL_R_COMPRESSION_FAILURE), "compression failure"},
{ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),
"compression id not within private range"},
- {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),
- "compression library error"},
+ {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"},
{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"},
{ERR_REASON(SSL_R_COOKIE_MISMATCH), "cookie mismatch"},
{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),
@@ -443,8 +431,7 @@
{ERR_REASON(SSL_R_EE_KEY_TOO_SMALL), "ee key too small"},
{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),
"empty srtp protection profile list"},
- {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
- "encrypted length too long"},
+ {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"},
{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),
"error generating tmp rsa key"},
{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
@@ -494,8 +481,7 @@
{ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"},
{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),
"missing ecdsa signing cert"},
- {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),
- "missing export tmp dh key"},
+ {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),
"missing export tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
@@ -527,8 +513,7 @@
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"},
{ERR_REASON(SSL_R_NO_RENEGOTIATION), "no renegotiation"},
- {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST),
- "digest requred for handshake isn't computed"},
+ {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST), "no required digest"},
{ERR_REASON(SSL_R_NO_SHARED_CIPHER), "no shared cipher"},
{ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS),
"no shared sigature algorithms"},
@@ -546,8 +531,7 @@
"only TLS 1.2 allowed in Suite B mode"},
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),
"only tls allowed in fips mode"},
- {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG),
- "opaque PRF input too long"},
+ {ERR_REASON(SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "opaque PRF input too long"},
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
{ERR_REASON(SSL_R_PARSE_TLSEXT), "parse tlsext"},
{ERR_REASON(SSL_R_PATH_TOO_LONG), "path too long"},
@@ -597,8 +581,7 @@
{ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),
"ssl3 ext invalid servername type"},
{ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"},
- {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT),
- "ssl3 session id too short"},
+ {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"},
{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
"sslv3 alert bad certificate"},
{ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
@@ -634,13 +617,11 @@
"ssl session id context too long"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
"ssl session id has bad length"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),
- "tlsv1 alert access denied"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),
"tlsv1 alert decryption failed"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
- "tlsv1 alert decrypt error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
"tlsv1 alert export restriction"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
@@ -683,8 +664,7 @@
"tls rsa encrypted value length is wrong"},
{ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),
"tried to use unsupported cipher"},
- {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),
- "unable to decode dh certs"},
+ {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),
"unable to decode ecdh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS),
@@ -693,8 +673,7 @@
"unable to find ecdh parameters"},
{ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),
"unable to find public key parameters"},
- {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD),
- "unable to find ssl method"},
+ {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"},
{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),
"unable to load ssl3 md5 routines"},
{ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
@@ -708,12 +687,10 @@
{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE), "unknown cipher type"},
{ERR_REASON(SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
{ERR_REASON(SSL_R_UNKNOWN_DIGEST), "unknown digest"},
- {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
- "unknown key exchange type"},
+ {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"},
{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"},
{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"},
- {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),
- "unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"},
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION), "unknown ssl version"},
{ERR_REASON(SSL_R_UNKNOWN_STATE), "unknown state"},
{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1e9b34f..0c9f4f7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -378,7 +378,8 @@
s->references = 1;
s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
- SSL_clear(s);
+ if(!SSL_clear(s))
+ goto err;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
@@ -885,7 +886,10 @@
CERT *tmp;
/* Do we need to to SSL locking? */
- SSL_set_session(t, SSL_get_session(f));
+ if(!SSL_set_session(t, SSL_get_session(f))) {
+ /* How do we handle this!! void function */
+ return;
+ }
/*
* what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
@@ -904,7 +908,10 @@
t->cert = NULL;
if (tmp != NULL)
ssl_cert_free(tmp);
- SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);
+ if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
+ /* Really should do something about this..but void function - ignore */
+ ;
+ }
}
/* Fix this so it checks all the valid key/cert options */
@@ -1924,10 +1931,10 @@
if (ret->cert_store == NULL)
goto err;
- ssl_create_cipher_list(ret->method,
+ if(!ssl_create_cipher_list(ret->method,
&ret->cipher_list, &ret->cipher_list_by_id,
- SSL_DEFAULT_CIPHER_LIST, ret->cert);
- if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+ SSL_DEFAULT_CIPHER_LIST, ret->cert)
+ || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
}
@@ -1980,7 +1987,8 @@
ret->psk_server_callback = NULL;
#endif
#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_init(ret);
+ if(!SSL_CTX_SRP_CTX_init(ret))
+ goto err;
#endif
#ifndef OPENSSL_NO_ENGINE
ret->client_cert_engine = NULL;
@@ -2783,7 +2791,8 @@
goto err;
}
- SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length);
+ if(!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
+ goto err;
}
ret->options = s->options;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 8799d3d..60a6834 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -693,7 +693,10 @@
int r;
unsigned long err;
- SSL_CTX_clear_chain_certs(ctx);
+ if(!SSL_CTX_clear_chain_certs(ctx)) {
+ ret = 0;
+ goto end;
+ }
while ((ca = PEM_read_bio_X509(in, NULL,
ctx->default_passwd_callback,
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index cf019c8..22d2e66 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -510,12 +510,14 @@
*/
if (!
(s->session_ctx->session_cache_mode &
- SSL_SESS_CACHE_NO_INTERNAL_STORE))
+ SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
/*
* The following should not return 1, otherwise, things are
* very strange
*/
- SSL_CTX_add_session(s->session_ctx, ret);
+ if(SSL_CTX_add_session(s->session_ctx, ret))
+ goto err;
+ }
}
}
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index e5774d2..ccdf8ec 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -214,7 +214,8 @@
if (x->compress_meth != 0) {
SSL_COMP *comp = NULL;
- ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0);
+ if(!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0))
+ goto err;
if (comp == NULL) {
if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <=
0)
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index a57d505..457ba86 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -1443,8 +1443,11 @@
SSL_CTX_set_security_level(s_ctx, 0);
if (cipher != NULL) {
- SSL_CTX_set_cipher_list(c_ctx, cipher);
- SSL_CTX_set_cipher_list(s_ctx, cipher);
+ if(!SSL_CTX_set_cipher_list(c_ctx, cipher)
+ || !SSL_CTX_set_cipher_list(s_ctx, cipher)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
/* Process SSL_CONF arguments */
@@ -1537,10 +1540,13 @@
}
if (client_auth) {
- SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM);
- SSL_CTX_use_PrivateKey_file(c_ctx,
+ if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
+ || !SSL_CTX_use_PrivateKey_file(c_ctx,
(client_key ? client_key : client_cert),
- SSL_FILETYPE_PEM);
+ SSL_FILETYPE_PEM)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
@@ -1569,8 +1575,11 @@
{
int session_id_context = 0;
- SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
- sizeof session_id_context);
+ if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
+ sizeof session_id_context)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
/* Use PSK only if PSK key is given */
@@ -1637,15 +1646,22 @@
}
#endif
- if (serverinfo_sct)
- SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
+ if (serverinfo_sct) {
+ if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
NULL, NULL, NULL,
- serverinfo_cli_parse_cb, NULL);
- if (serverinfo_tack)
- SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
+ serverinfo_cli_parse_cb, NULL)) {
+ BIO_printf(bio_err, "Error adding SCT extension\n");
+ goto end;
+ }
+ }
+ if (serverinfo_tack) {
+ if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
NULL, NULL, NULL,
- serverinfo_cli_parse_cb, NULL);
-
+ serverinfo_cli_parse_cb, NULL)) {
+ BIO_printf(bio_err, "Error adding TACK extension\n");
+ goto end;
+ }
+ }
if (serverinfo_file)
if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) {
BIO_printf(bio_err, "missing serverinfo file\n");
@@ -1653,39 +1669,41 @@
}
if (custom_ext) {
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
+ if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_cli_add_cb,
NULL, NULL,
- custom_ext_0_cli_parse_cb, NULL);
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_0_cli_parse_cb, NULL)
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_cli_add_cb,
NULL, NULL,
- custom_ext_1_cli_parse_cb, NULL);
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_1_cli_parse_cb, NULL)
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_cli_add_cb,
NULL, NULL,
- custom_ext_2_cli_parse_cb, NULL);
- SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_2_cli_parse_cb, NULL)
+ || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_cli_add_cb,
NULL, NULL,
- custom_ext_3_cli_parse_cb, NULL);
-
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
+ custom_ext_3_cli_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
custom_ext_0_srv_add_cb,
NULL, NULL,
- custom_ext_0_srv_parse_cb, NULL);
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_0_srv_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
custom_ext_1_srv_add_cb,
NULL, NULL,
- custom_ext_1_srv_parse_cb, NULL);
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_1_srv_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
custom_ext_2_srv_add_cb,
NULL, NULL,
- custom_ext_2_srv_parse_cb, NULL);
- SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_2_srv_parse_cb, NULL)
+ || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
custom_ext_3_srv_add_cb,
NULL, NULL,
- custom_ext_3_srv_parse_cb, NULL);
+ custom_ext_3_srv_parse_cb, NULL)) {
+ BIO_printf(bio_err, "Error setting custom extensions\n");
+ goto end;
+ }
}
if (alpn_server)
@@ -1699,7 +1717,12 @@
BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
goto end;
}
- SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
+ /* Returns 0 on success!! */
+ if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
+ BIO_printf(bio_err, "Error setting ALPN\n");
+ OPENSSL_free(alpn);
+ goto end;
+ }
OPENSSL_free(alpn);
}
@@ -1722,8 +1745,12 @@
#endif /* OPENSSL_NO_KRB5 */
for (i = 0; i < number; i++) {
- if (!reuse)
- SSL_set_session(c_ssl, NULL);
+ if (!reuse) {
+ if(!SSL_set_session(c_ssl, NULL)) {
+ BIO_printf(bio_err, "Failed to set session\n");
+ goto end;
+ }
+ }
if (bio_pair)
ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
else
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 26f8415..df97f19 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1095,7 +1095,8 @@
* exchange and before certificate verify)
*/
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
- ssl3_digest_cached_records(s);
+ if(!ssl3_digest_cached_records(s))
+ return -1;
}
hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
#ifdef SSL_DEBUG
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 511223e..dd28cd6 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1431,7 +1431,11 @@
if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
int el;
- ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
+ /* Returns 0 on success!! */
+ if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
if ((limit - ret - 4 - el) < 0)
return NULL;
@@ -1601,8 +1605,11 @@
if (SSL_IS_DTLS(s) && s->srtp_profile) {
int el;
- ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
-
+ /* Returns 0 on success!! */
+ if(ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
if ((limit - ret - 4 - el) < 0)
return NULL;
@@ -4141,12 +4148,13 @@
/* Set validity of certificates in an SSL structure */
void tls1_set_cert_validity(SSL *s)
{
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
- tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
+ /* Deliberately ignore all return values */
+ if(tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA)
+ || tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC));
}
/* User level utiity function to check a chain is suitable */
