src - OpenBSD base system

diff options


context:
space:
mode:

author	Bob Beck <beck@cvs.openbsd.org>	2017-01-26 12:16:14 +0000
committer	Bob Beck <beck@cvs.openbsd.org>	2017-01-26 12:16:14 +0000
commit	65492273e6466c04f1c6d4d6571a42d0332ca057 (patch)
tree	1e012875c21b05abf8cc05044f2195a0ac487a12
parent	75995d59749c2cd878cc58ce2039d4a6584527cf (diff)

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly

line wraps that resulted

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

lib/libssl/ssl_both.c

-rw-r--r--

lib/libssl/ssl_cert.c

-rw-r--r--

lib/libssl/ssl_ciph.c

-rw-r--r--

lib/libssl/ssl_clnt.c

287

-rw-r--r--

lib/libssl/ssl_lib.c

-rw-r--r--

lib/libssl/ssl_packet.c

-rw-r--r--

lib/libssl/ssl_pkt.c

-rw-r--r--

lib/libssl/ssl_rsa.c

-rw-r--r--

lib/libssl/ssl_sess.c

-rw-r--r--

lib/libssl/ssl_srvr.c

254

-rw-r--r--

lib/libssl/t1_enc.c

-rw-r--r--

lib/libssl/t1_lib.c

-rw-r--r--

lib/libssl/t1_reneg.c

18 files changed, 335 insertions, 653 deletions

diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index fb7e289d961..0e4317653d1 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: d1_both.c,v 1.47 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: d1_both.c,v 1.48 2017/01/26 12:16:13 beck Exp $ */

* DTLS implementation written by Nagendra Modadugu

* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.

@@ -410,8 +410,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

S3I(s)->tmp.reuse_message = 0;

if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_UNEXPECTED_MESSAGE);

+ SSLerror(SSL_R_UNEXPECTED_MESSAGE);

goto f_err;

}

*ok = 1;

@@ -476,14 +475,12 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)

/* sanity checking */

if ((frag_off + frag_len) > msg_len) {

- SSLerror(

- SSL_R_EXCESSIVE_MESSAGE_SIZE);

+ SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);

return SSL_AD_ILLEGAL_PARAMETER;

}

if ((frag_off + frag_len) > (unsigned long)max) {

- SSLerror(

- SSL_R_EXCESSIVE_MESSAGE_SIZE);

+ SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);

return SSL_AD_ILLEGAL_PARAMETER;

}

@@ -509,8 +506,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)

* They must be playing with us! BTW, failure to enforce

* upper limit would open possibility for buffer overrun.

- SSLerror(

- SSL_R_EXCESSIVE_MESSAGE_SIZE);

+ SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);

return SSL_AD_ILLEGAL_PARAMETER;

}

@@ -803,8 +799,7 @@ again:

/* parse the message fragment header */

dtls1_get_message_header(wire, &msg_hdr) == 0) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_UNEXPECTED_MESSAGE);

+ SSLerror(SSL_R_UNEXPECTED_MESSAGE);

goto f_err;

}

@@ -846,8 +841,7 @@ again:

else /* Incorrectly formated Hello request */

{

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_UNEXPECTED_MESSAGE);

+ SSLerror(SSL_R_UNEXPECTED_MESSAGE);

goto f_err;

}

@@ -878,8 +872,7 @@ again:

if (i != (int)frag_len) {

al = SSL3_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL3_AD_ILLEGAL_PARAMETER);

+ SSLerror(SSL3_AD_ILLEGAL_PARAMETER);

goto f_err;

}

diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index fd981c5f8ee..6e124c7a855 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: d1_clnt.c,v 1.72 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: d1_clnt.c,v 1.73 2017/01/26 12:16:13 beck Exp $ */

* DTLS implementation written by Nagendra Modadugu

* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.

@@ -216,8 +216,7 @@ dtls1_connect(SSL *s)

cb(s, SSL_CB_HANDSHAKE_START, 1);

if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

ret = -1;

goto end;

}

diff --git a/lib/libssl/d1_srtp.c b/lib/libssl/d1_srtp.c
index b98c04b7cf8..82dc8bfdefd 100644
--- a/lib/libssl/d1_srtp.c
+++ b/lib/libssl/d1_srtp.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: d1_srtp.c,v 1.19 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: d1_srtp.c,v 1.20 2017/01/26 12:16:13 beck Exp $ */

@@ -187,8 +187,7 @@ ssl_ctx_make_profiles(const char *profiles_string,

SRTP_PROTECTION_PROFILE *p;

if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) {

- SSLerror(

- SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);

+ SSLerror(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);

return 1;

}

@@ -199,8 +198,7 @@ ssl_ctx_make_profiles(const char *profiles_string,

col ? col - ptr : (int)strlen(ptr))) {

sk_SRTP_PROTECTION_PROFILE_push(profiles, p);

} else {

- SSLerror(

- SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);

+ SSLerror(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);

sk_SRTP_PROTECTION_PROFILE_free(profiles);

return 1;

}

@@ -264,14 +262,12 @@ ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)

if (p) {

if (ct == 0) {

- SSLerror(

- SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);

return 1;

}

if ((2 + ct * 2 + 1) > maxlen) {

- SSLerror(

- SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);

+ SSLerror(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);

return 1;

}

@@ -304,8 +300,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,

CBS cbs, ciphers, mki;

if (len < 0) {

- SSLerror(

- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

*al = SSL_AD_DECODE_ERROR;

goto done;

}

@@ -314,8 +309,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,

/* Pull off the cipher suite list */

if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) ||

CBS_len(&ciphers) % 2) {

- SSLerror(

- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

*al = SSL_AD_DECODE_ERROR;

goto done;

}

@@ -324,8 +318,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,

while (CBS_len(&ciphers) > 0) {

if (!CBS_get_u16(&ciphers, &id)) {

- SSLerror(

- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

*al = SSL_AD_DECODE_ERROR;

goto done;

}

@@ -339,8 +332,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,

/* Extract the MKI value as a sanity check, but discard it for now. */

if (!CBS_get_u8_length_prefixed(&cbs, &mki) ||

CBS_len(&cbs) != 0) {

- SSLerror(

- SSL_R_BAD_SRTP_MKI_VALUE);

+ SSLerror(SSL_R_BAD_SRTP_MKI_VALUE);

*al = SSL_AD_DECODE_ERROR;

goto done;

}

@@ -381,14 +373,12 @@ ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)

{

if (p) {

if (maxlen < 5) {

- SSLerror(

- SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);

+ SSLerror(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);

return 1;

}

if (s->internal->srtp_profile == 0) {

- SSLerror(

- SSL_R_USE_SRTP_NOT_NEGOTIATED);

+ SSLerror(SSL_R_USE_SRTP_NOT_NEGOTIATED);

return 1;

}

s2n(2, p);

@@ -411,8 +401,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int

CBS cbs, profile_ids, mki;

if (len < 0) {

- SSLerror(

- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

*al = SSL_AD_DECODE_ERROR;

return 1;

}

@@ -425,16 +414,14 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int

if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) ||

!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {

- SSLerror(

- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

*al = SSL_AD_DECODE_ERROR;

return 1;

}

/* Must be no MKI, since we never offer one. */

if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) {

- SSLerror(

- SSL_R_BAD_SRTP_MKI_VALUE);

+ SSLerror(SSL_R_BAD_SRTP_MKI_VALUE);

*al = SSL_AD_ILLEGAL_PARAMETER;

return 1;

}

@@ -443,8 +430,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int

/* Throw an error if the server gave us an unsolicited extension. */

if (clnt == NULL) {

- SSLerror(

- SSL_R_NO_SRTP_PROFILES);

+ SSLerror(SSL_R_NO_SRTP_PROFILES);

*al = SSL_AD_DECODE_ERROR;

return 1;

}

@@ -463,8 +449,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int

}

- SSLerror(

- SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

+ SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);

*al = SSL_AD_DECODE_ERROR;

return 1;

}

diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 80d7d639c3f..fa860b8d5ac 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: d1_srvr.c,v 1.82 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: d1_srvr.c,v 1.83 2017/01/26 12:16:13 beck Exp $ */

* DTLS implementation written by Nagendra Modadugu

* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.

@@ -506,8 +506,7 @@ dtls1_accept(SSL *s)

* at this point and digest cached records.

if (!S3I(s)->handshake_buffer) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

ret = -1;

goto end;

}

@@ -706,8 +705,7 @@ dtls1_send_hello_verify_request(SSL *s)

if (s->ctx->internal->app_gen_cookie_cb == NULL ||

s->ctx->internal->app_gen_cookie_cb(s,

D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return 0;

}

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 6287f6cbc66..108cc9f71e5 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: s3_lib.c,v 1.132 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: s3_lib.c,v 1.133 2017/01/26 12:16:13 beck Exp $ */

@@ -1980,8 +1980,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {

if (!ssl_cert_inst(&s->cert)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

return (0);

}

@@ -2016,13 +2015,11 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

{

DH *dh = (DH *)parg;

if (dh == NULL) {

- SSLerror(

- ERR_R_PASSED_NULL_PARAMETER);

+ SSLerror(ERR_R_PASSED_NULL_PARAMETER);

return (ret);

}

if ((dh = DHparams_dup(dh)) == NULL) {

- SSLerror(

- ERR_R_DH_LIB);

+ SSLerror(ERR_R_DH_LIB);

return (ret);

}

DH_free(s->cert->dh_tmp);

@@ -2044,21 +2041,18 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

EC_KEY *ecdh = NULL;

if (parg == NULL) {

- SSLerror(

- ERR_R_PASSED_NULL_PARAMETER);

+ SSLerror(ERR_R_PASSED_NULL_PARAMETER);

return (ret);

}

if (!EC_KEY_up_ref((EC_KEY *)parg)) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

return (ret);

}

ecdh = (EC_KEY *)parg;

if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {

if (!EC_KEY_generate_key(ecdh)) {

EC_KEY_free(ecdh);

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

return (ret);

}

@@ -2069,8 +2063,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

break;

case SSL_CTRL_SET_TMP_ECDH_CB:

{

- SSLerror(

- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

+ SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

return (ret);

}

break;

@@ -2083,19 +2076,16 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

if (parg == NULL)

break;

if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {

- SSLerror(

- SSL_R_SSL3_EXT_INVALID_SERVERNAME);

+ SSLerror(SSL_R_SSL3_EXT_INVALID_SERVERNAME);

return 0;

}

if ((s->tlsext_hostname = strdup((char *)parg))

== NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return 0;

}

} else {

- SSLerror(

- SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);

+ SSLerror(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);

return 0;

}

break;

@@ -2177,8 +2167,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))

if (cmd == SSL_CTRL_SET_TMP_DH_CB) {

if (!ssl_cert_inst(&s->cert)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

return (0);

}

@@ -2223,8 +2212,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)

dh = (DH *)parg;

if ((new = DHparams_dup(dh)) == NULL) {

- SSLerror(

- ERR_R_DH_LIB);

+ SSLerror(ERR_R_DH_LIB);

return 0;

}

DH_free(cert->dh_tmp);

@@ -2246,21 +2234,18 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)

EC_KEY *ecdh = NULL;

if (parg == NULL) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

return 0;

}

ecdh = EC_KEY_dup((EC_KEY *)parg);

if (ecdh == NULL) {

- SSLerror(

- ERR_R_EC_LIB);

+ SSLerror(ERR_R_EC_LIB);

return 0;

}

if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) {

if (!EC_KEY_generate_key(ecdh)) {

EC_KEY_free(ecdh);

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

return 0;

}

@@ -2272,8 +2257,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)

/* break; */

case SSL_CTRL_SET_TMP_ECDH_CB:

{

- SSLerror(

- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

+ SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

return (0);

}

break;

@@ -2287,8 +2271,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)

if (!keys)

return 48;

if (larg != 48) {

- SSLerror(

- SSL_R_INVALID_TICKET_KEYS_LENGTH);

+ SSLerror(SSL_R_INVALID_TICKET_KEYS_LENGTH);

return 0;

}

if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {

diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index 707feb6d099..0a330028096 100644
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_both.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_both.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */

@@ -365,8 +365,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x)

if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,

x, NULL)) {

- SSLerror(

- ERR_R_X509_LIB);

+ SSLerror(ERR_R_X509_LIB);

goto err;

}

X509_verify_cert(&xs_ctx);

@@ -420,8 +419,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

S3I(s)->tmp.reuse_message = 0;

if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_UNEXPECTED_MESSAGE);

+ SSLerror(SSL_R_UNEXPECTED_MESSAGE);

goto f_err;

}

*ok = 1;

@@ -473,8 +471,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

if ((mt >= 0) && (*p != mt)) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_UNEXPECTED_MESSAGE);

+ SSLerror(SSL_R_UNEXPECTED_MESSAGE);

goto f_err;

}

@@ -488,8 +485,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

if (l > (unsigned long)max) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_EXCESSIVE_MESSAGE_SIZE);

+ SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);

goto f_err;

}

if (l && !BUF_MEM_grow_clean(s->internal->init_buf, l + 4)) {

diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 4f714f751ac..e608bcfea43 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_cert.c,v 1.61 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_cert.c,v 1.62 2017/01/26 12:16:13 beck Exp $ */

@@ -587,8 +587,7 @@ SSL_load_client_CA_file(const char *file)

if (ret == NULL) {

ret = sk_X509_NAME_new_null();

if (ret == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -643,8 +642,7 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,

in = BIO_new(BIO_s_file_internal());

if (in == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index c1dee99e584..f167244eb4f 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_ciph.c,v 1.91 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_ciph.c,v 1.92 2017/01/26 12:16:13 beck Exp $ */

@@ -1162,8 +1162,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,

* it is no command or separator nor

* alphanumeric, so we call this an error.

- SSLerror(

- SSL_R_INVALID_COMMAND);

+ SSLerror(SSL_R_INVALID_COMMAND);

retval = found = 0;

l++;

break;

@@ -1309,8 +1308,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,

if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))

ok = ssl_cipher_strength_sort(head_p, tail_p);

else

- SSLerror(

- SSL_R_INVALID_COMMAND);

+ SSLerror(SSL_R_INVALID_COMMAND);

if (ok == 0)

retval = 0;

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index c8d4aca1c30..6f2edf5d904 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_clnt.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_clnt.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */

@@ -211,8 +211,7 @@ ssl3_connect(SSL *s)

cb(s, SSL_CB_HANDSHAKE_START, 1);

if ((s->version & 0xff00 ) != 0x0300) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

ret = -1;

goto end;

}

@@ -551,8 +550,7 @@ ssl3_connect(SSL *s)

/* break; */

default:

- SSLerror(

- SSL_R_UNKNOWN_STATE);

+ SSLerror(SSL_R_UNKNOWN_STATE);

ret = -1;

goto end;

/* break; */

@@ -597,8 +595,7 @@ ssl3_client_hello(SSL *s)

SSL_SESSION *sess = s->session;

if (ssl_supported_version_range(s, NULL, &max_version) != 1) {

- SSLerror(

- SSL_R_NO_PROTOCOLS_AVAILABLE);

+ SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE);

return (-1);

}

s->client_version = s->version = max_version;

@@ -668,8 +665,7 @@ ssl3_client_hello(SSL *s)

*(p++) = i;

if (i != 0) {

if (i > (int)sizeof(s->session->session_id)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

memcpy(p, s->session->session_id, i);

@@ -679,8 +675,7 @@ ssl3_client_hello(SSL *s)

/* DTLS Cookie. */

if (SSL_IS_DTLS(s)) {

if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

*(p++) = D1I(s)->cookie_len;

@@ -693,8 +688,7 @@ ssl3_client_hello(SSL *s)

bufend - &p[2], &outlen))

goto err;

if (outlen == 0) {

- SSLerror(

- SSL_R_NO_CIPHERS_AVAILABLE);

+ SSLerror(SSL_R_NO_CIPHERS_AVAILABLE);

goto err;

}

s2n(outlen, p);

@@ -706,8 +700,7 @@ ssl3_client_hello(SSL *s)

/* TLS extensions*/

if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -759,8 +752,7 @@ ssl3_get_server_hello(SSL *s)

} else {

/* Already sent a cookie. */

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_BAD_MESSAGE_TYPE);

+ SSLerror(SSL_R_BAD_MESSAGE_TYPE);

goto f_err;

}

@@ -768,8 +760,7 @@ ssl3_get_server_hello(SSL *s)

if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_BAD_MESSAGE_TYPE);

+ SSLerror(SSL_R_BAD_MESSAGE_TYPE);

goto f_err;

}

@@ -777,8 +768,7 @@ ssl3_get_server_hello(SSL *s)

goto truncated;

if (ssl_supported_version_range(s, &min_version, &max_version) != 1) {

- SSLerror(

- SSL_R_NO_PROTOCOLS_AVAILABLE);

+ SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE);

goto err;

}

@@ -812,8 +802,7 @@ ssl3_get_server_hello(SSL *s)

if ((CBS_len(&session_id) > sizeof(s->session->session_id)) ||

(CBS_len(&session_id) > SSL3_SESSION_ID_SIZE)) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_SSL3_SESSION_ID_TOO_LONG);

+ SSLerror(SSL_R_SSL3_SESSION_ID_TOO_LONG);

goto f_err;

}

@@ -845,8 +834,7 @@ ssl3_get_server_hello(SSL *s)

s->sid_ctx, s->sid_ctx_length) != 0) {

/* actually a client application bug */

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

+ SSLerror(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

goto f_err;

}

s->s3->flags |= SSL3_FLAGS_CCS_OK;

@@ -878,8 +866,7 @@ ssl3_get_server_hello(SSL *s)

if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_UNKNOWN_CIPHER_RETURNED);

+ SSLerror(SSL_R_UNKNOWN_CIPHER_RETURNED);

goto f_err;

}

@@ -887,8 +874,7 @@ ssl3_get_server_hello(SSL *s)

if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&

(TLS1_get_version(s) < TLS1_2_VERSION)) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_WRONG_CIPHER_RETURNED);

+ SSLerror(SSL_R_WRONG_CIPHER_RETURNED);

goto f_err;

}

@@ -897,8 +883,7 @@ ssl3_get_server_hello(SSL *s)

if (i < 0) {

/* we did not say we would use this cipher */

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_WRONG_CIPHER_RETURNED);

+ SSLerror(SSL_R_WRONG_CIPHER_RETURNED);

goto f_err;

}

@@ -911,8 +896,7 @@ ssl3_get_server_hello(SSL *s)

s->session->cipher_id = s->session->cipher->id;

if (s->internal->hit && (s->session->cipher_id != cipher->id)) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);

+ SSLerror(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);

goto f_err;

}

S3I(s)->tmp.new_cipher = cipher;

@@ -933,8 +917,7 @@ ssl3_get_server_hello(SSL *s)

if (compression_method != 0) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);

+ SSLerror(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);

goto f_err;

}

@@ -991,15 +974,13 @@ ssl3_get_server_certificate(SSL *s)

if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_BAD_MESSAGE_TYPE);

+ SSLerror(SSL_R_BAD_MESSAGE_TYPE);

goto f_err;

}

if ((sk = sk_X509_new_null()) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1013,8 +994,7 @@ ssl3_get_server_certificate(SSL *s)

if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) ||

CBS_len(&cbs) != 0) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto f_err;

}

@@ -1025,8 +1005,7 @@ ssl3_get_server_certificate(SSL *s)

goto truncated;

if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_CERT_LENGTH_MISMATCH);

+ SSLerror(SSL_R_CERT_LENGTH_MISMATCH);

goto f_err;

}

@@ -1034,19 +1013,16 @@ ssl3_get_server_certificate(SSL *s)

x = d2i_X509(NULL, &q, CBS_len(&cert));

if (x == NULL) {

al = SSL_AD_BAD_CERTIFICATE;

- SSLerror(

- ERR_R_ASN1_LIB);

+ SSLerror(ERR_R_ASN1_LIB);

goto f_err;

}

if (q != CBS_data(&cert) + CBS_len(&cert)) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_CERT_LENGTH_MISMATCH);

+ SSLerror(SSL_R_CERT_LENGTH_MISMATCH);

goto f_err;

}

if (!sk_X509_push(sk, x)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

x = NULL;

@@ -1055,8 +1031,7 @@ ssl3_get_server_certificate(SSL *s)

i = ssl_verify_cert_chain(s, sk);

if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) {

al = ssl_verify_alarm_type(s->verify_result);

- SSLerror(

- SSL_R_CERTIFICATE_VERIFY_FAILED);

+ SSLerror(SSL_R_CERTIFICATE_VERIFY_FAILED);

goto f_err;

}

@@ -1082,8 +1057,7 @@ ssl3_get_server_certificate(SSL *s)

if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {

x = NULL;

al = SSL3_AL_FATAL;

- SSLerror(

- SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);

+ SSLerror(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);

goto f_err;

}

@@ -1091,8 +1065,7 @@ ssl3_get_server_certificate(SSL *s)

if (i < 0) {

x = NULL;

al = SSL3_AL_FATAL;

- SSLerror(

- SSL_R_UNKNOWN_CERTIFICATE_TYPE);

+ SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE);

goto f_err;

}

@@ -1118,8 +1091,7 @@ ssl3_get_server_certificate(SSL *s)

truncated:

/* wrong packet length */

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_BAD_PACKET_LENGTH);

+ SSLerror(SSL_R_BAD_PACKET_LENGTH);

f_err:

ssl3_send_alert(s, SSL3_AL_FATAL, al);

}

@@ -1337,8 +1309,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)

if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) {

al = SSL_AD_INTERNAL_ERROR;

- SSLerror(

- SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);

+ SSLerror(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);

goto f_err;

}

@@ -1414,8 +1385,7 @@ ssl3_get_server_key_exchange(SSL *s)

* ephemeral keys.

if (alg_k & (SSL_kDHE|SSL_kECDHE)) {

- SSLerror(

- SSL_R_UNEXPECTED_MESSAGE);

+ SSLerror(SSL_R_UNEXPECTED_MESSAGE);

al = SSL_AD_UNEXPECTED_MESSAGE;

goto f_err;

}

@@ -1463,8 +1433,7 @@ ssl3_get_server_key_exchange(SSL *s)

int sigalg = tls12_get_sigid(pkey);

/* Should never happen */

if (sigalg == -1) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -1474,15 +1443,13 @@ ssl3_get_server_key_exchange(SSL *s)

if (2 > n)

goto truncated;

if (sigalg != (int)p[1]) {

- SSLerror(

- SSL_R_WRONG_SIGNATURE_TYPE);

+ SSLerror(SSL_R_WRONG_SIGNATURE_TYPE);

al = SSL_AD_DECODE_ERROR;

goto f_err;

}

md = tls12_get_hash(p[0]);

if (md == NULL) {

- SSLerror(

- SSL_R_UNKNOWN_DIGEST);

+ SSLerror(SSL_R_UNKNOWN_DIGEST);

al = SSL_AD_DECODE_ERROR;

goto f_err;

}

@@ -1500,8 +1467,7 @@ ssl3_get_server_key_exchange(SSL *s)

if (i != n || n > j) {

/* wrong packet length */

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_WRONG_SIGNATURE_LENGTH);

+ SSLerror(SSL_R_WRONG_SIGNATURE_LENGTH);

goto f_err;

}

@@ -1533,15 +1499,13 @@ ssl3_get_server_key_exchange(SSL *s)

p, n, pkey->pkey.rsa);

if (i < 0) {

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_RSA_DECRYPT);

+ SSLerror(SSL_R_BAD_RSA_DECRYPT);

goto f_err;

}

if (i == 0) {

/* bad signature */

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_SIGNATURE);

+ SSLerror(SSL_R_BAD_SIGNATURE);

goto f_err;

}

} else {

@@ -1554,23 +1518,20 @@ ssl3_get_server_key_exchange(SSL *s)

if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {

/* bad signature */

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_SIGNATURE);

+ SSLerror(SSL_R_BAD_SIGNATURE);

goto f_err;

}

} else {

/* aNULL does not need public keys. */

if (!(alg_a & SSL_aNULL)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

/* still data left over */

if (n != 0) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_EXTRA_DATA_IN_MESSAGE);

+ SSLerror(SSL_R_EXTRA_DATA_IN_MESSAGE);

goto f_err;

}

@@ -1630,16 +1591,14 @@ ssl3_get_certificate_request(SSL *s)

if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

- SSLerror(

- SSL_R_WRONG_MESSAGE_TYPE);

+ SSLerror(SSL_R_WRONG_MESSAGE_TYPE);

goto err;

}

/* TLS does not like anon-DH with client cert */

if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

- SSLerror(

- SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);

+ SSLerror(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);

goto err;

}

@@ -1648,8 +1607,7 @@ ssl3_get_certificate_request(SSL *s)

CBS_init(&cert_request, s->internal->init_msg, n);

if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1662,8 +1620,7 @@ ssl3_get_certificate_request(SSL *s)

if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) ||

!CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype,

sizeof(S3I(s)->tmp.ctype), NULL)) {

- SSLerror(

- SSL_R_DATA_LENGTH_TOO_LONG);

+ SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);

goto err;

}

@@ -1671,8 +1628,7 @@ ssl3_get_certificate_request(SSL *s)

CBS sigalgs;

if (CBS_len(&cert_request) < 2) {

- SSLerror(

- SSL_R_DATA_LENGTH_TOO_LONG);

+ SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);

goto err;

}

@@ -1681,32 +1637,28 @@ ssl3_get_certificate_request(SSL *s)

if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

- SSLerror(

- SSL_R_DATA_LENGTH_TOO_LONG);

+ SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);

goto err;

}

if ((CBS_len(&sigalgs) & 1) ||

!tls1_process_sigalgs(s, CBS_data(&sigalgs),

CBS_len(&sigalgs))) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

- SSLerror(

- SSL_R_SIGNATURE_ALGORITHMS_ERROR);

+ SSLerror(SSL_R_SIGNATURE_ALGORITHMS_ERROR);

goto err;

}

/* get the CA RDNs */

if (CBS_len(&cert_request) < 2) {

- SSLerror(

- SSL_R_DATA_LENGTH_TOO_LONG);

+ SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);

goto err;

}

if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||

CBS_len(&cert_request) != 0) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto err;

}

@@ -1714,15 +1666,13 @@ ssl3_get_certificate_request(SSL *s)

CBS rdn;

if (CBS_len(&rdn_list) < 2) {

- SSLerror(

- SSL_R_DATA_LENGTH_TOO_LONG);

+ SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);

goto err;

}

if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

- SSLerror(

- SSL_R_CA_DN_TOO_LONG);

+ SSLerror(SSL_R_CA_DN_TOO_LONG);

goto err;

}

@@ -1730,20 +1680,17 @@ ssl3_get_certificate_request(SSL *s)

if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {

ssl3_send_alert(s, SSL3_AL_FATAL,

SSL_AD_DECODE_ERROR);

- SSLerror(

- ERR_R_ASN1_LIB);

+ SSLerror(ERR_R_ASN1_LIB);

goto err;

}

if (q != CBS_data(&rdn) + CBS_len(&rdn)) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

- SSLerror(

- SSL_R_CA_DN_LENGTH_MISMATCH);

+ SSLerror(SSL_R_CA_DN_LENGTH_MISMATCH);

goto err;

}

if (!sk_X509_NAME_push(ca_sk, xn)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

xn = NULL; /* avoid free in err block */

@@ -1759,8 +1706,7 @@ ssl3_get_certificate_request(SSL *s)

ret = 1;

if (0) {

truncated:

- SSLerror(

- SSL_R_BAD_PACKET_LENGTH);

+ SSLerror(SSL_R_BAD_PACKET_LENGTH);

}

err:

X509_NAME_free(xn);

@@ -1793,15 +1739,13 @@ ssl3_get_new_session_ticket(SSL *s)

}

if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_BAD_MESSAGE_TYPE);

+ SSLerror(SSL_R_BAD_MESSAGE_TYPE);

goto f_err;

}

if (n < 0) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto f_err;

}

@@ -1813,16 +1757,14 @@ ssl3_get_new_session_ticket(SSL *s)

!CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||

CBS_len(&cbs) != 0) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto f_err;

}

s->session->tlsext_tick_lifetime_hint = (long)lifetime_hint;

if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,

&s->session->tlsext_ticklen)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1872,8 +1814,7 @@ ssl3_get_cert_status(SSL *s)

if (n < 0) {

/* need at least status type + length */

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto f_err;

}

@@ -1882,23 +1823,20 @@ ssl3_get_cert_status(SSL *s)

CBS_len(&cert_status) < 3) {

/* need at least status type + length */

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto f_err;

}

if (status_type != TLSEXT_STATUSTYPE_ocsp) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_UNSUPPORTED_STATUS_TYPE);

+ SSLerror(SSL_R_UNSUPPORTED_STATUS_TYPE);

goto f_err;

}

if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||

CBS_len(&cert_status) != 0) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_LENGTH_MISMATCH);

+ SSLerror(SSL_R_LENGTH_MISMATCH);

goto f_err;

}

@@ -1906,8 +1844,7 @@ ssl3_get_cert_status(SSL *s)

&stow_len) || stow_len > INT_MAX) {

s->internal->tlsext_ocsp_resplen = 0;

al = SSL_AD_INTERNAL_ERROR;

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto f_err;

}

s->internal->tlsext_ocsp_resplen = (int)stow_len;

@@ -1918,14 +1855,12 @@ ssl3_get_cert_status(SSL *s)

s->ctx->internal->tlsext_status_arg);

if (ret == 0) {

al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;

- SSLerror(

- SSL_R_INVALID_STATUS_RESPONSE);

+ SSLerror(SSL_R_INVALID_STATUS_RESPONSE);

goto f_err;

}

if (ret < 0) {

al = SSL_AD_INTERNAL_ERROR;

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto f_err;

}

@@ -1974,8 +1909,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);

if (pkey == NULL || pkey->type != EVP_PKEY_RSA ||

pkey->pkey.rsa == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -1984,16 +1918,14 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

arc4random_buf(&pms[2], sizeof(pms) - 2);

if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa,

RSA_PKCS1_PADDING);

if (enc_len <= 0) {

- SSLerror(

- SSL_R_BAD_RSA_ENCRYPT);

+ SSLerror(SSL_R_BAD_RSA_ENCRYPT);

goto err;

}

@@ -2031,8 +1963,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

/* Ensure that we have an ephemeral key for DHE. */

if (sess_cert->peer_dh_tmp == NULL) {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

- SSLerror(

- SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);

+ SSLerror(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);

goto err;

}

dh_srvr = sess_cert->peer_dh_tmp;

@@ -2048,8 +1979,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

}

key_size = DH_size(dh_clnt);

if ((key = malloc(key_size)) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt);

@@ -2098,14 +2028,12 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)

if ((group = EC_KEY_get0_group(sc->peer_ecdh_tmp)) == NULL ||

(point = EC_KEY_get0_public_key(sc->peer_ecdh_tmp)) == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

if ((ecdh = EC_KEY_new()) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -2124,8 +2052,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)

goto err;

}

if ((key = malloc(key_size)) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

}

key_len = ECDH_compute_key(key, key_size, point, ecdh, NULL);

if (key_len <= 0) {

@@ -2146,8 +2073,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)

}

if ((bn_ctx = BN_CTX_new()) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -2233,8 +2159,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)

goto err;

} else {

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -2261,8 +2186,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

/* Get server sertificate PKEY and create ctx from it */

peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;

if (peer_cert == NULL) {

- SSLerror(

- SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);

+ SSLerror(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);

goto err;

}

@@ -2298,8 +2222,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

ukm_hash = EVP_MD_CTX_create();

if (ukm_hash == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -2371,8 +2294,7 @@ ssl3_send_client_key_exchange(SSL *s)

if ((sess_cert = SSI(s)->sess_cert) == NULL) {

ssl3_send_alert(s, SSL3_AL_FATAL,

SSL_AD_UNEXPECTED_MESSAGE);

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -2395,8 +2317,7 @@ ssl3_send_client_key_exchange(SSL *s)

} else {

ssl3_send_alert(s, SSL3_AL_FATAL,

SSL_AD_HANDSHAKE_FAILURE);

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -2458,16 +2379,14 @@ ssl3_send_client_verify(SSL *s)

&hdata);

if (hdatalen <= 0 ||

!tls12_get_sigandhash(p, pkey, md)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

p += 2;

if (!EVP_SignInit_ex(&mctx, md, NULL) ||

!EVP_SignUpdate(&mctx, hdata, hdatalen) ||

!EVP_SignFinal(&mctx, p + 2, &u, pkey)) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

goto err;

}

s2n(u, p);

@@ -2480,8 +2399,7 @@ ssl3_send_client_verify(SSL *s)

if (RSA_sign(NID_md5_sha1, data,

MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),

&u, pkey->pkey.rsa) <= 0 ) {

- SSLerror(

- ERR_R_RSA_LIB);

+ SSLerror(ERR_R_RSA_LIB);

goto err;

}

s2n(u, p);

@@ -2491,8 +2409,7 @@ ssl3_send_client_verify(SSL *s)

&(data[MD5_DIGEST_LENGTH]),

SHA_DIGEST_LENGTH, &(p[2]),

(unsigned int *)&j, pkey->pkey.dsa)) {

- SSLerror(

- ERR_R_DSA_LIB);

+ SSLerror(ERR_R_DSA_LIB);

goto err;

}

s2n(j, p);

@@ -2502,8 +2419,7 @@ ssl3_send_client_verify(SSL *s)

&(data[MD5_DIGEST_LENGTH]),

SHA_DIGEST_LENGTH, &(p[2]),

(unsigned int *)&j, pkey->pkey.ec)) {

- SSLerror(

- ERR_R_ECDSA_LIB);

+ SSLerror(ERR_R_ECDSA_LIB);

goto err;

}

s2n(j, p);

@@ -2520,14 +2436,12 @@ ssl3_send_client_verify(SSL *s)

hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);

if (hdatalen <= 0) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||

!(md = EVP_get_digestbynid(nid))) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

goto err;

}

if (!EVP_DigestInit_ex(&mctx, md, NULL) ||

@@ -2540,8 +2454,7 @@ ssl3_send_client_verify(SSL *s)

NULL) <= 0) ||

(EVP_PKEY_sign(pctx, &(p[2]), &sigsize,

signbuf, u) <= 0)) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

goto err;

}

if (!tls1_digest_cached_records(s))

@@ -2551,8 +2464,7 @@ ssl3_send_client_verify(SSL *s)

n = j + 2;

#endif

} else {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -2610,8 +2522,7 @@ ssl3_send_client_certificate(SSL *s)

i = 0;

} else if (i == 1) {

i = 0;

- SSLerror(

- SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);

+ SSLerror(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);

}

X509_free(x509);

@@ -2665,8 +2576,7 @@ ssl3_check_cert_and_algorithm(SSL *s)

sc = SSI(s)->sess_cert;

if (sc == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

dh = SSI(s)->sess_cert->peer_dh_tmp;

@@ -2678,8 +2588,7 @@ ssl3_check_cert_and_algorithm(SSL *s)

if (ssl_check_srvr_ecc_cert_and_alg(

sc->peer_pkeys[idx].x509, s) == 0) {

/* check failed */

- SSLerror(

- SSL_R_BAD_ECC_CERT);

+ SSLerror(SSL_R_BAD_ECC_CERT);

goto f_err;

} else {

return (1);

@@ -2691,25 +2600,21 @@ ssl3_check_cert_and_algorithm(SSL *s)

/* Check that we have a certificate if we require one. */

if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {

- SSLerror(

- SSL_R_MISSING_RSA_SIGNING_CERT);

+ SSLerror(SSL_R_MISSING_RSA_SIGNING_CERT);

goto f_err;

} else if ((alg_a & SSL_aDSS) &&

!has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {

- SSLerror(

- SSL_R_MISSING_DSA_SIGNING_CERT);

+ SSLerror(SSL_R_MISSING_DSA_SIGNING_CERT);

goto f_err;

}

if ((alg_k & SSL_kRSA) &&

!has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {

- SSLerror(

- SSL_R_MISSING_RSA_ENCRYPTING_CERT);

+ SSLerror(SSL_R_MISSING_RSA_ENCRYPTING_CERT);

goto f_err;

}

if ((alg_k & SSL_kDHE) &&

!(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {

- SSLerror(

- SSL_R_MISSING_DH_KEY);

+ SSLerror(SSL_R_MISSING_DH_KEY);

goto f_err;

}

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 605fc428ad8..898fdbc4799 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_lib.c,v 1.154 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_lib.c,v 1.155 2017/01/26 12:16:13 beck Exp $ */

@@ -226,8 +226,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)

sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),

&(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST);

if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {

- SSLerror(

- SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);

+ SSLerror(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);

return (0);

}

return (1);

@@ -381,8 +380,7 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,

unsigned int sid_ctx_len)

{

if (sid_ctx_len > sizeof ctx->sid_ctx) {

- SSLerror(

- SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

+ SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

return (0);

}

ctx->sid_ctx_length = sid_ctx_len;

@@ -396,8 +394,7 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,

unsigned int sid_ctx_len)

{

if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {

- SSLerror(

- SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

+ SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

return (0);

}

ssl->sid_ctx_length = sid_ctx_len;

@@ -873,13 +870,11 @@ SSL_CTX_check_private_key(const SSL_CTX *ctx)

{

if ((ctx == NULL) || (ctx->internal->cert == NULL) ||

(ctx->internal->cert->key->x509 == NULL)) {

- SSLerror(

- SSL_R_NO_CERTIFICATE_ASSIGNED);

+ SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED);

return (0);

}

if (ctx->internal->cert->key->privatekey == NULL) {

- SSLerror(

- SSL_R_NO_PRIVATE_KEY_ASSIGNED);

+ SSLerror(SSL_R_NO_PRIVATE_KEY_ASSIGNED);

return (0);

}

return (X509_check_private_key(ctx->internal->cert->key->x509,

@@ -891,23 +886,19 @@ int

SSL_check_private_key(const SSL *ssl)

{

if (ssl == NULL) {

- SSLerror(

- ERR_R_PASSED_NULL_PARAMETER);

+ SSLerror(ERR_R_PASSED_NULL_PARAMETER);

return (0);

}

if (ssl->cert == NULL) {

- SSLerror(

- SSL_R_NO_CERTIFICATE_ASSIGNED);

+ SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED);

return (0);

}

if (ssl->cert->key->x509 == NULL) {

- SSLerror(

- SSL_R_NO_CERTIFICATE_ASSIGNED);

+ SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED);

return (0);

}

if (ssl->cert->key->privatekey == NULL) {

- SSLerror(

- SSL_R_NO_PRIVATE_KEY_ASSIGNED);

+ SSLerror(SSL_R_NO_PRIVATE_KEY_ASSIGNED);

return (0);

}

return (X509_check_private_key(ssl->cert->key->x509,

@@ -1428,8 +1419,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)

* RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2].

if (num < 2 || num > 0x10000 - 2) {

- SSLerror(

- SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);

+ SSLerror(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);

return (NULL);

}

@@ -1441,8 +1431,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)

CBS_init(&cbs, p, num);

while (CBS_len(&cbs) > 0) {

if (!CBS_get_u16(&cbs, &cipher_value)) {

- SSLerror(

- SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);

+ SSLerror(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);

goto err;

}

@@ -1454,8 +1443,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)

* renegotiating.

if (s->internal->renegotiate) {

- SSLerror(

- SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);

+ SSLerror(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);

ssl3_send_alert(s, SSL3_AL_FATAL,

SSL_AD_HANDSHAKE_FAILURE);

@@ -1474,8 +1462,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)

max_version = ssl_max_server_version(s);

if (max_version == 0 || s->version < max_version) {

- SSLerror(

- SSL_R_INAPPROPRIATE_FALLBACK);

+ SSLerror(SSL_R_INAPPROPRIATE_FALLBACK);

if (s->s3 != NULL)

ssl3_send_alert(s, SSL3_AL_FATAL,

SSL_AD_INAPPROPRIATE_FALLBACK);

@@ -1486,8 +1473,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)

if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {

if (!sk_SSL_CIPHER_push(sk, c)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1812,8 +1798,7 @@ SSL_CTX_new(const SSL_METHOD *meth)

}

if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {

- SSLerror(

- SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);

+ SSLerror(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);

goto err;

}

@@ -1881,13 +1866,11 @@ SSL_CTX_new(const SSL_METHOD *meth)

goto err;

if ((ret->internal->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {

- SSLerror(

- SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);

+ SSLerror(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);

goto err2;

}

if ((ret->internal->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {

- SSLerror(

- SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);

+ SSLerror(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);

goto err2;

}

@@ -2126,8 +2109,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)

/* Key usage, if present, must allow signing. */

if ((x->ex_flags & EXFLAG_KUSAGE) &&

((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {

- SSLerror(

- SSL_R_ECC_CERT_NOT_FOR_SIGNING);

+ SSLerror(SSL_R_ECC_CERT_NOT_FOR_SIGNING);

return (0);

}

@@ -2448,24 +2430,21 @@ SSL_set_connect_state(SSL *s)

int

ssl_undefined_function(SSL *s)

{

- SSLerror(

- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

+ SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

return (0);

}

int

ssl_undefined_void_function(void)

{

- SSLerror(

- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

+ SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

return (0);

}

int

ssl_undefined_const_function(const SSL *s)

{

- SSLerror(

- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

+ SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

return (0);

}

diff --git a/lib/libssl/ssl_packet.c b/lib/libssl/ssl_packet.c
index a8462ffd848..9ffc27e9a7c 100644
--- a/lib/libssl/ssl_packet.c
+++ b/lib/libssl/ssl_packet.c

@@ -106,8 +106,7 @@ ssl_convert_sslv2_client_hello(SSL *s)

return -1;

if (record_length < 9) {

- SSLerror(

- SSL_R_RECORD_LENGTH_MISMATCH);

+ SSLerror(SSL_R_RECORD_LENGTH_MISMATCH);

return -1;

}

if (record_length > 4096) {

@@ -150,8 +149,7 @@ ssl_convert_sslv2_client_hello(SSL *s)

if (!CBS_get_bytes(&cbs, &challenge, challenge_length))

return -1;

if (CBS_len(&cbs) != 0) {

- SSLerror(

- SSL_R_RECORD_LENGTH_MISMATCH);

+ SSLerror(SSL_R_RECORD_LENGTH_MISMATCH);

return -1;

}

@@ -236,16 +234,14 @@ ssl_server_legacy_first_packet(SSL *s)

if (ssl_is_sslv2_client_hello(&header) == 1) {

/* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */

if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {

- SSLerror(

- SSL_R_NO_PROTOCOLS_AVAILABLE);

+ SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE);

return -1;

}

if (min_version > TLS1_VERSION)

return 1;

if (ssl_convert_sslv2_client_hello(s) != 1) {

- SSLerror(

- SSL_R_BAD_PACKET_LENGTH);

+ SSLerror(SSL_R_BAD_PACKET_LENGTH);

return -1;

}

diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index f354fb82bf9..38d011fdc32 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_pkt.c,v 1.6 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_pkt.c,v 1.7 2017/01/26 12:16:13 beck Exp $ */

@@ -364,8 +364,7 @@ ssl3_get_record(SSL *s)

if (!CBS_get_u8(&header, &type) ||

!CBS_get_u16(&header, &ssl_version) ||

!CBS_get_u16(&header, &len)) {

- SSLerror(

- SSL_R_BAD_PACKET_LENGTH);

+ SSLerror(SSL_R_BAD_PACKET_LENGTH);

goto err;

}

@@ -374,8 +373,7 @@ ssl3_get_record(SSL *s)

/* Lets check version */

if (!s->internal->first_packet && ssl_version != s->version) {

- SSLerror(

- SSL_R_WRONG_VERSION_NUMBER);

+ SSLerror(SSL_R_WRONG_VERSION_NUMBER);

if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&

!s->internal->enc_write_ctx && !s->internal->write_hash)

/* Send back error using their minor version number :-) */

@@ -385,15 +383,13 @@ ssl3_get_record(SSL *s)

}

if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) {

- SSLerror(

- SSL_R_WRONG_VERSION_NUMBER);

+ SSLerror(SSL_R_WRONG_VERSION_NUMBER);

goto err;

}

if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {

al = SSL_AD_RECORD_OVERFLOW;

- SSLerror(

- SSL_R_PACKET_LENGTH_TOO_LONG);

+ SSLerror(SSL_R_PACKET_LENGTH_TOO_LONG);

goto f_err;

}

@@ -510,8 +506,7 @@ ssl3_get_record(SSL *s)

* (e.g. via a logfile)

al = SSL_AD_BAD_RECORD_MAC;

- SSLerror(

- SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);

+ SSLerror(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);

goto f_err;

}

@@ -543,8 +538,7 @@ ssl3_get_record(SSL *s)

* empty record without forcing want_read.

if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {

- SSLerror(

- SSL_R_PEER_BEHAVING_BADLY);

+ SSLerror(SSL_R_PEER_BEHAVING_BADLY);

return -1;

}

if (s->internal->empty_record_count > 1) {

@@ -588,8 +582,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)

if (i < 0)

return (i);

if (i == 0) {

- SSLerror(

- SSL_R_SSL_HANDSHAKE_FAILURE);

+ SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);

return -1;

}

@@ -698,8 +691,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,

if (prefix_len >

(SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {

/* insufficient space */

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -961,8 +953,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)

if (i < 0)

return (i);

if (i == 0) {

- SSLerror(

- SSL_R_SSL_HANDSHAKE_FAILURE);

+ SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);

return (-1);

}

@@ -1004,8 +995,7 @@ start:

* reset by ssl3_get_finished */

&& (rr->type != SSL3_RT_HANDSHAKE)) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);

+ SSLerror(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);

goto f_err;

}

@@ -1025,8 +1015,7 @@ start:

if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&

(s->enc_read_ctx == NULL)) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_APP_DATA_IN_HANDSHAKE);

+ SSLerror(SSL_R_APP_DATA_IN_HANDSHAKE);

goto f_err;

}

@@ -1126,8 +1115,7 @@ start:

if (i < 0)

return (i);

if (i == 0) {

- SSLerror(

- SSL_R_SSL_HANDSHAKE_FAILURE);

+ SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);

return (-1);

}

@@ -1200,15 +1188,13 @@ start:

else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_NO_RENEGOTIATION);

+ SSLerror(SSL_R_NO_RENEGOTIATION);

goto f_err;

}

} else if (alert_level == SSL3_AL_FATAL) {

s->internal->rwstate = SSL_NOTHING;

S3I(s)->fatal_alert = alert_descr;

- SSLerror(

- SSL_AD_REASON_OFFSET + alert_descr);

+ SSLerror(SSL_AD_REASON_OFFSET + alert_descr);

ERR_asprintf_error_data("SSL alert number %d",

alert_descr);

s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;

@@ -1236,24 +1222,21 @@ start:

if ((rr->length != 1) || (rr->off != 0) ||

(rr->data[0] != SSL3_MT_CCS)) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_BAD_CHANGE_CIPHER_SPEC);

+ SSLerror(SSL_R_BAD_CHANGE_CIPHER_SPEC);

goto f_err;

}

/* Check we have a cipher to change to */

if (S3I(s)->tmp.new_cipher == NULL) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_CCS_RECEIVED_EARLY);

+ SSLerror(SSL_R_CCS_RECEIVED_EARLY);

goto f_err;

}

/* Check that we should be receiving a Change Cipher Spec. */

if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_CCS_RECEIVED_EARLY);

+ SSLerror(SSL_R_CCS_RECEIVED_EARLY);

goto f_err;

}

s->s3->flags &= ~SSL3_FLAGS_CCS_OK;

@@ -1285,8 +1268,7 @@ start:

if (i < 0)

return (i);

if (i == 0) {

- SSLerror(

- SSL_R_SSL_HANDSHAKE_FAILURE);

+ SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);

return (-1);

}

@@ -1373,8 +1355,7 @@ ssl3_do_change_cipher_spec(SSL *s)

if (S3I(s)->tmp.key_block == NULL) {

if (s->session == NULL || s->session->master_key_length == 0) {

/* might happen if dtls1_read_bytes() calls this */

- SSLerror(

- SSL_R_CCS_RECEIVED_EARLY);

+ SSLerror(SSL_R_CCS_RECEIVED_EARLY);

return (0);

}

diff --git a/lib/libssl/ssl_rsa.c b/lib/libssl/ssl_rsa.c
index 3efed227f09..facb8ac2747 100644
--- a/lib/libssl/ssl_rsa.c
+++ b/lib/libssl/ssl_rsa.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_rsa.c,v 1.26 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_rsa.c,v 1.27 2017/01/26 12:16:13 beck Exp $ */

@@ -565,8 +565,7 @@ int

SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)

{

if (pkey == NULL) {

- SSLerror(

- ERR_R_PASSED_NULL_PARAMETER);

+ SSLerror(ERR_R_PASSED_NULL_PARAMETER);

return (0);

}

if (!ssl_cert_inst(&ctx->internal->cert)) {

@@ -602,8 +601,7 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)

j = ERR_R_ASN1_LIB;

pkey = d2i_PrivateKey_bio(in, NULL);

} else {

- SSLerror(

- SSL_R_BAD_SSL_FILETYPE);

+ SSLerror(SSL_R_BAD_SSL_FILETYPE);

goto end;

}

if (pkey == NULL) {

diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 5cd531ef591..5477e9a168a 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_sess.c,v 1.68 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_sess.c,v 1.69 2017/01/26 12:16:13 beck Exp $ */

@@ -312,8 +312,7 @@ ssl_get_new_session(SSL *s, int session)

ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;

break;

default:

- SSLerror(

- SSL_R_UNSUPPORTED_SSL_VERSION);

+ SSLerror(SSL_R_UNSUPPORTED_SSL_VERSION);

SSL_SESSION_free(ss);

return (0);

}

@@ -336,8 +335,7 @@ ssl_get_new_session(SSL *s, int session)

tmp = ss->session_id_length;

if (!cb(s, ss->session_id, &tmp)) {

/* The callback failed */

- SSLerror(

- SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);

+ SSLerror(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);

SSL_SESSION_free(ss);

return (0);

}

@@ -348,8 +346,7 @@ ssl_get_new_session(SSL *s, int session)

if (!tmp || (tmp > ss->session_id_length)) {

/* The callback set an illegal length */

- SSLerror(

- SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);

+ SSLerror(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);

SSL_SESSION_free(ss);

return (0);

}

@@ -358,8 +355,7 @@ ssl_get_new_session(SSL *s, int session)

/* Finally, check for a conflict. */

if (SSL_has_matching_session_id(s, ss->session_id,

ss->session_id_length)) {

- SSLerror(

- SSL_R_SSL_SESSION_ID_CONFLICT);

+ SSLerror(SSL_R_SSL_SESSION_ID_CONFLICT);

SSL_SESSION_free(ss);

return (0);

}

@@ -368,8 +364,7 @@ sess_id_done:

if (s->tlsext_hostname) {

ss->tlsext_hostname = strdup(s->tlsext_hostname);

if (ss->tlsext_hostname == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

SSL_SESSION_free(ss);

return 0;

}

@@ -528,8 +523,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,

* applications to effectively disable the session cache by

* accident without anyone noticing).

- SSLerror(

- SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);

+ SSLerror(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);

fatal = 1;

goto err;

}

@@ -729,8 +723,7 @@ SSL_set_session(SSL *s, SSL_SESSION *session)

if (meth == NULL)

meth = s->method->internal->get_ssl_method(session->ssl_version);

if (meth == NULL) {

- SSLerror(

- SSL_R_UNABLE_TO_FIND_SSL_METHOD);

+ SSLerror(SSL_R_UNABLE_TO_FIND_SSL_METHOD);

return (0);

}

@@ -810,8 +803,7 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,

unsigned int sid_ctx_len)

{

if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {

- SSLerror(

- SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

+ SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);

return 0;

}

s->sid_ctx_length = sid_ctx_len;

@@ -872,8 +864,7 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)

s->internal->tlsext_session_ticket =

malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);

if (!s->internal->tlsext_session_ticket) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

return 0;

}

@@ -1080,13 +1071,11 @@ int

SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)

{

if (!ENGINE_init(e)) {

- SSLerror(

- ERR_R_ENGINE_LIB);

+ SSLerror(ERR_R_ENGINE_LIB);

return 0;

}

if (!ENGINE_get_ssl_client_cert_function(e)) {

- SSLerror(

- SSL_R_NO_CLIENT_CERT_METHOD);

+ SSLerror(SSL_R_NO_CLIENT_CERT_METHOD);

ENGINE_finish(e);

return 0;

}

diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 46ca4d6c9ce..0b110d6a729 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_srvr.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: ssl_srvr.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */

@@ -253,8 +253,7 @@ ssl3_accept(SSL *s)

* client that doesn't support secure

* renegotiation.

- SSLerror(

- SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

+ SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

ssl3_send_alert(s, SSL3_AL_FATAL,

SSL_AD_HANDSHAKE_FAILURE);

ret = -1;

@@ -484,8 +483,7 @@ ssl3_accept(SSL *s)

* at this point and digest cached records.

if (!S3I(s)->handshake_buffer) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

ret = -1;

goto end;

}

@@ -673,8 +671,7 @@ ssl3_accept(SSL *s)

/* break; */

default:

- SSLerror(

- SSL_R_UNKNOWN_STATE);

+ SSLerror(SSL_R_UNKNOWN_STATE);

ret = -1;

goto end;

/* break; */

@@ -868,8 +865,7 @@ ssl3_get_client_hello(SSL *s)

if (cookie_len > sizeof(D1I(s)->rcvd_cookie)) {

/* too much data */

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_COOKIE_MISMATCH);

+ SSLerror(SSL_R_COOKIE_MISMATCH);

goto f_err;

}

@@ -885,8 +881,7 @@ ssl3_get_client_hello(SSL *s)

if (s->ctx->internal->app_verify_cookie_cb(s,

D1I(s)->rcvd_cookie, cookie_len) == 0) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_COOKIE_MISMATCH);

+ SSLerror(SSL_R_COOKIE_MISMATCH);

goto f_err;

}

/* else cookie verification succeeded */

@@ -894,8 +889,7 @@ ssl3_get_client_hello(SSL *s)

D1I(s)->cookie_len) != 0) {

/* default verification */

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_COOKIE_MISMATCH);

+ SSLerror(SSL_R_COOKIE_MISMATCH);

goto f_err;

}

@@ -911,8 +905,7 @@ ssl3_get_client_hello(SSL *s)

if ((i == 0) && (j != 0)) {

/* we need a cipher if we are not resuming a session */

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_NO_CIPHERS_SPECIFIED);

+ SSLerror(SSL_R_NO_CIPHERS_SPECIFIED);

goto f_err;

}

if (p - d + i > n)

@@ -941,8 +934,7 @@ ssl3_get_client_hello(SSL *s)

* list if we are asked to reuse it

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_REQUIRED_CIPHER_MISSING);

+ SSLerror(SSL_R_REQUIRED_CIPHER_MISSING);

goto f_err;

}

@@ -962,8 +954,7 @@ ssl3_get_client_hello(SSL *s)

if (j >= i) {

/* no compress */

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_NO_COMPRESSION_SPECIFIED);

+ SSLerror(SSL_R_NO_COMPRESSION_SPECIFIED);

goto f_err;

}

@@ -974,8 +965,7 @@ ssl3_get_client_hello(SSL *s)

goto f_err;

}

if (ssl_check_clienthello_tlsext_early(s) <= 0) {

- SSLerror(

- SSL_R_CLIENTHELLO_TLSEXT);

+ SSLerror(SSL_R_CLIENTHELLO_TLSEXT);

goto err;

}

@@ -1006,8 +996,7 @@ ssl3_get_client_hello(SSL *s)

SSL_get_ciphers(s));

if (pref_cipher == NULL) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_NO_SHARED_CIPHER);

+ SSLerror(SSL_R_NO_SHARED_CIPHER);

goto f_err;

}

@@ -1032,8 +1021,7 @@ ssl3_get_client_hello(SSL *s)

s->session->ciphers = ciphers;

if (ciphers == NULL) {

al = SSL_AD_ILLEGAL_PARAMETER;

- SSLerror(

- SSL_R_NO_CIPHERS_PASSED);

+ SSLerror(SSL_R_NO_CIPHERS_PASSED);

goto f_err;

}

ciphers = NULL;

@@ -1042,8 +1030,7 @@ ssl3_get_client_hello(SSL *s)

if (c == NULL) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_NO_SHARED_CIPHER);

+ SSLerror(SSL_R_NO_SHARED_CIPHER);

goto f_err;

}

S3I(s)->tmp.new_cipher = c;

@@ -1142,8 +1129,7 @@ ssl3_send_server_hello(SSL *s)

sl = s->session->session_id_length;

if (sl > (int)sizeof(s->session->session_id)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -1166,8 +1152,7 @@ ssl3_send_server_hello(SSL *s)

if ((p = ssl_add_serverhello_tlsext(s, p + outlen,

bufend)) == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -1208,8 +1193,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)

if (s->cert->dh_tmp_auto != 0) {

if ((dhp = ssl_get_auto_dh(s)) == NULL) {

al = SSL_AD_INTERNAL_ERROR;

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto f_err;

}

} else

@@ -1221,14 +1205,12 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)

if (dhp == NULL) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_MISSING_TMP_DH_KEY);

+ SSLerror(SSL_R_MISSING_TMP_DH_KEY);

goto f_err;

}

if (S3I(s)->tmp.dh != NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -1299,14 +1281,12 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)

}

if (ecdhp == NULL) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_MISSING_TMP_ECDH_KEY);

+ SSLerror(SSL_R_MISSING_TMP_ECDH_KEY);

goto f_err;

}

if (S3I(s)->tmp.ecdh != NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

@@ -1314,8 +1294,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)

if (s->cert->ecdh_tmp_auto != 0) {

ecdh = ecdhp;

} else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

goto err;

}

S3I(s)->tmp.ecdh = ecdh;

@@ -1324,8 +1303,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)

(EC_KEY_get0_private_key(ecdh) == NULL) ||

(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {

if (!EC_KEY_generate_key(ecdh)) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

goto err;

}

@@ -1333,8 +1311,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)

if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||

(EC_KEY_get0_public_key(ecdh) == NULL) ||

(EC_KEY_get0_private_key(ecdh) == NULL)) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

goto err;

}

@@ -1344,8 +1321,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)

if ((curve_id = tls1_ec_nid2curve_id(

EC_GROUP_get_curve_name(group))) == 0) {

- SSLerror(

- SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

+ SSLerror(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

goto err;

}

@@ -1360,8 +1336,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)

bn_ctx = BN_CTX_new();

if ((encodedPoint == NULL) || (bn_ctx == NULL)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1421,8 +1396,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)

/* Generate an X25519 key pair. */

if (S3I(s)->tmp.x25519 != NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

goto err;

}

if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL)

@@ -1433,8 +1407,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)

/* Serialize public key. */

if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {

- SSLerror(

- SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

+ SSLerror(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);

goto err;

}

@@ -1509,8 +1482,7 @@ ssl3_send_server_key_exchange(SSL *s)

goto err;

} else {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);

+ SSLerror(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);

goto f_err;

}

@@ -1531,8 +1503,7 @@ ssl3_send_server_key_exchange(SSL *s)

if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) +

params_len + kn)) {

- SSLerror(

- ERR_LIB_BUF);

+ SSLerror(ERR_LIB_BUF);

goto err;

}

@@ -1611,8 +1582,7 @@ ssl3_send_server_key_exchange(SSL *s)

} else {

/* Is this error check actually needed? */

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_UNKNOWN_PKEY_TYPE);

+ SSLerror(SSL_R_UNKNOWN_PKEY_TYPE);

goto f_err;

}

@@ -1724,8 +1694,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)

if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||

(pkey->pkey.rsa == NULL)) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_MISSING_RSA_CERTIFICATE);

+ SSLerror(SSL_R_MISSING_RSA_CERTIFICATE);

goto f_err;

}

rsa = pkey->pkey.rsa;

@@ -1734,8 +1703,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)

goto truncated;

n2s(p, i);

if (n != i + 2) {

- SSLerror(

- SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);

+ SSLerror(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);

goto err;

} else

n = i;

@@ -1836,15 +1804,13 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)

if (S3I(s)->tmp.dh == NULL) {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_MISSING_TMP_DH_KEY);

+ SSLerror(SSL_R_MISSING_TMP_DH_KEY);

goto f_err;

}

dh = S3I(s)->tmp.dh;

if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {

- SSLerror(

- SSL_R_BN_LIB);

+ SSLerror(SSL_R_BN_LIB);

goto err;

}

@@ -1894,8 +1860,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)

/* Initialize structures for server's ECDH key pair. */

if ((srvr_ecdh = EC_KEY_new()) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1910,15 +1875,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)

if (!EC_KEY_set_group(srvr_ecdh, group) ||

!EC_KEY_set_private_key(srvr_ecdh, priv_key)) {

- SSLerror(

- ERR_R_EC_LIB);

+ SSLerror(ERR_R_EC_LIB);

goto err;

}

/* Let's get client's public key */

if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1940,16 +1903,14 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)

* group.

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);

+ SSLerror(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);

goto f_err;

}

if (EC_POINT_copy(clnt_ecpoint,

EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))

== 0) {

- SSLerror(

- ERR_R_EC_LIB);

+ SSLerror(ERR_R_EC_LIB);

goto err;

}

ret = 2; /* Skip certificate verify processing */

@@ -1959,8 +1920,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)

* in the ClientKeyExchange message.

if ((bn_ctx = BN_CTX_new()) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -1969,14 +1929,12 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)

p += 1;

if (n != 1 + i) {

- SSLerror(

- ERR_R_EC_LIB);

+ SSLerror(ERR_R_EC_LIB);

goto err;

}

if (EC_POINT_oct2point(group,

clnt_ecpoint, p, i, bn_ctx) == 0) {

- SSLerror(

- ERR_R_EC_LIB);

+ SSLerror(ERR_R_EC_LIB);

goto err;

}

@@ -1989,15 +1947,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)

/* Compute the shared pre-master secret */

key_size = ECDH_size(srvr_ecdh);

if (key_size <= 0) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

goto err;

}

i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh,

NULL);

if (i <= 0) {

- SSLerror(

- ERR_R_ECDH_LIB);

+ SSLerror(ERR_R_ECDH_LIB);

goto err;

}

@@ -2114,16 +2070,14 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)

if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag,

&Tclass, n) != V_ASN1_CONSTRUCTED ||

Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {

- SSLerror(

- SSL_R_DECRYPTION_FAILED);

+ SSLerror(SSL_R_DECRYPTION_FAILED);

goto gerr;

}

start = p;

inlen = Tlen;

if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,

start, inlen) <=0) {

- SSLerror(

- SSL_R_DECRYPTION_FAILED);

+ SSLerror(SSL_R_DECRYPTION_FAILED);

goto gerr;

}

/* Generate master secret */

@@ -2184,8 +2138,7 @@ ssl3_get_client_key_exchange(SSL *s)

goto err;

} else {

al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_UNKNOWN_CIPHER_TYPE);

+ SSLerror(SSL_R_UNKNOWN_CIPHER_TYPE);

goto f_err;

}

@@ -2228,8 +2181,7 @@ ssl3_get_cert_verify(SSL *s)

S3I(s)->tmp.reuse_message = 1;

if (peer != NULL) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_MISSING_VERIFY_MESSAGE);

+ SSLerror(SSL_R_MISSING_VERIFY_MESSAGE);

goto f_err;

}

ret = 1;

@@ -2237,22 +2189,19 @@ ssl3_get_cert_verify(SSL *s)

}

if (peer == NULL) {

- SSLerror(

- SSL_R_NO_CLIENT_CERT_RECEIVED);

+ SSLerror(SSL_R_NO_CLIENT_CERT_RECEIVED);

al = SSL_AD_UNEXPECTED_MESSAGE;

goto f_err;

}

if (!(type & EVP_PKT_SIGN)) {

- SSLerror(

- SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);

+ SSLerror(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);

al = SSL_AD_ILLEGAL_PARAMETER;

goto f_err;

}

if (S3I(s)->change_cipher_spec) {

- SSLerror(

- SSL_R_CCS_RECEIVED_EARLY);

+ SSLerror(SSL_R_CCS_RECEIVED_EARLY);

al = SSL_AD_UNEXPECTED_MESSAGE;

goto f_err;

}

@@ -2273,8 +2222,7 @@ ssl3_get_cert_verify(SSL *s)

int sigalg = tls12_get_sigid(pkey);

/* Should never happen */

if (sigalg == -1) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

al = SSL_AD_INTERNAL_ERROR;

goto f_err;

}

@@ -2282,15 +2230,13 @@ ssl3_get_cert_verify(SSL *s)

goto truncated;

/* Check key type is consistent with signature */

if (sigalg != (int)p[1]) {

- SSLerror(

- SSL_R_WRONG_SIGNATURE_TYPE);

+ SSLerror(SSL_R_WRONG_SIGNATURE_TYPE);

al = SSL_AD_DECODE_ERROR;

goto f_err;

}

md = tls12_get_hash(p[0]);

if (md == NULL) {

- SSLerror(

- SSL_R_UNKNOWN_DIGEST);

+ SSLerror(SSL_R_UNKNOWN_DIGEST);

al = SSL_AD_DECODE_ERROR;

goto f_err;

}

@@ -2306,8 +2252,7 @@ ssl3_get_cert_verify(SSL *s)

}

j = EVP_PKEY_size(pkey);

if ((i > j) || (n > j) || (n <= 0)) {

- SSLerror(

- SSL_R_WRONG_SIGNATURE_SIZE);

+ SSLerror(SSL_R_WRONG_SIGNATURE_SIZE);

al = SSL_AD_DECODE_ERROR;

goto f_err;

}

@@ -2317,23 +2262,20 @@ ssl3_get_cert_verify(SSL *s)

void *hdata;

hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);

if (hdatalen <= 0) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

al = SSL_AD_INTERNAL_ERROR;

goto f_err;

}

if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||

!EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

al = SSL_AD_INTERNAL_ERROR;

goto f_err;

}

if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_SIGNATURE);

+ SSLerror(SSL_R_BAD_SIGNATURE);

goto f_err;

}

} else

@@ -2343,14 +2285,12 @@ ssl3_get_cert_verify(SSL *s)

pkey->pkey.rsa);

if (i < 0) {

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_RSA_DECRYPT);

+ SSLerror(SSL_R_BAD_RSA_DECRYPT);

goto f_err;

}

if (i == 0) {

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_RSA_SIGNATURE);

+ SSLerror(SSL_R_BAD_RSA_SIGNATURE);

goto f_err;

}

} else

@@ -2361,8 +2301,7 @@ ssl3_get_cert_verify(SSL *s)

if (j <= 0) {

/* bad signature */

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_DSA_SIGNATURE);

+ SSLerror(SSL_R_BAD_DSA_SIGNATURE);

goto f_err;

}

} else

@@ -2373,8 +2312,7 @@ ssl3_get_cert_verify(SSL *s)

if (j <= 0) {

/* bad signature */

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_ECDSA_SIGNATURE);

+ SSLerror(SSL_R_BAD_ECDSA_SIGNATURE);

goto f_err;

}

} else

@@ -2390,22 +2328,19 @@ ssl3_get_cert_verify(SSL *s)

hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);

if (hdatalen <= 0) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

al = SSL_AD_INTERNAL_ERROR;

goto f_err;

}

if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||

!(md = EVP_get_digestbynid(nid))) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

al = SSL_AD_INTERNAL_ERROR;

goto f_err;

}

pctx = EVP_PKEY_CTX_new(pkey, NULL);

if (!pctx) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

al = SSL_AD_INTERNAL_ERROR;

goto f_err;

}

@@ -2418,8 +2353,7 @@ ssl3_get_cert_verify(SSL *s)

EVP_PKEY_CTRL_GOST_SIG_FORMAT,

GOST_SIG_FORMAT_RS_LE,

NULL) <= 0)) {

- SSLerror(

- ERR_R_EVP_LIB);

+ SSLerror(ERR_R_EVP_LIB);

al = SSL_AD_INTERNAL_ERROR;

EVP_PKEY_CTX_free(pctx);

goto f_err;

@@ -2427,8 +2361,7 @@ ssl3_get_cert_verify(SSL *s)

if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) {

al = SSL_AD_DECRYPT_ERROR;

- SSLerror(

- SSL_R_BAD_SIGNATURE);

+ SSLerror(SSL_R_BAD_SIGNATURE);

EVP_PKEY_CTX_free(pctx);

goto f_err;

}

@@ -2437,8 +2370,7 @@ ssl3_get_cert_verify(SSL *s)

} else

#endif

{

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

al = SSL_AD_UNSUPPORTED_CERTIFICATE;

goto f_err;

}

@@ -2482,8 +2414,7 @@ ssl3_get_client_certificate(SSL *s)

if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {

if ((s->verify_mode & SSL_VERIFY_PEER) &&

(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {

- SSLerror(

- SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

+ SSLerror(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

al = SSL_AD_HANDSHAKE_FAILURE;

goto f_err;

}

@@ -2492,8 +2423,7 @@ ssl3_get_client_certificate(SSL *s)

* the client must return a 0 list.

if (S3I(s)->tmp.cert_request) {

- SSLerror(

- SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST

+ SSLerror(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST

);

al = SSL_AD_UNEXPECTED_MESSAGE;

goto f_err;

@@ -2504,8 +2434,7 @@ ssl3_get_client_certificate(SSL *s)

if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {

al = SSL_AD_UNEXPECTED_MESSAGE;

- SSLerror(

- SSL_R_WRONG_MESSAGE_TYPE);

+ SSLerror(SSL_R_WRONG_MESSAGE_TYPE);

goto f_err;

}

@@ -2515,8 +2444,7 @@ ssl3_get_client_certificate(SSL *s)

CBS_init(&cbs, s->internal->init_msg, n);

if ((sk = sk_X509_new_null()) == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -2529,27 +2457,23 @@ ssl3_get_client_certificate(SSL *s)

if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_CERT_LENGTH_MISMATCH);

+ SSLerror(SSL_R_CERT_LENGTH_MISMATCH);

goto f_err;

}

q = CBS_data(&cert);

x = d2i_X509(NULL, &q, CBS_len(&cert));

if (x == NULL) {

- SSLerror(

- ERR_R_ASN1_LIB);

+ SSLerror(ERR_R_ASN1_LIB);

goto err;

}

if (q != CBS_data(&cert) + CBS_len(&cert)) {

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_CERT_LENGTH_MISMATCH);

+ SSLerror(SSL_R_CERT_LENGTH_MISMATCH);

goto f_err;

}

if (!sk_X509_push(sk, x)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

x = NULL;

@@ -2562,8 +2486,7 @@ ssl3_get_client_certificate(SSL *s)

if ((s->verify_mode & SSL_VERIFY_PEER) &&

(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {

- SSLerror(

- SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

+ SSLerror(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

al = SSL_AD_HANDSHAKE_FAILURE;

goto f_err;

}

@@ -2576,8 +2499,7 @@ ssl3_get_client_certificate(SSL *s)

i = ssl_verify_cert_chain(s, sk);

if (i <= 0) {

al = ssl_verify_alarm_type(s->verify_result);

- SSLerror(

- SSL_R_NO_CERTIFICATE_RETURNED);

+ SSLerror(SSL_R_NO_CERTIFICATE_RETURNED);

goto f_err;

}

@@ -2593,8 +2515,7 @@ ssl3_get_client_certificate(SSL *s)

if (SSI(s)->sess_cert == NULL) {

SSI(s)->sess_cert = ssl_sess_cert_new();

if (SSI(s)->sess_cert == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

@@ -2612,8 +2533,7 @@ ssl3_get_client_certificate(SSL *s)

if (0) {

truncated:

al = SSL_AD_DECODE_ERROR;

- SSLerror(

- SSL_R_BAD_PACKET_LENGTH);

+ SSLerror(SSL_R_BAD_PACKET_LENGTH);

f_err:

ssl3_send_alert(s, SSL3_AL_FATAL, al);

}

@@ -2638,8 +2558,7 @@ ssl3_send_server_certificate(SSL *s)

if (s->internal->state == SSL3_ST_SW_CERT_A) {

if ((x = ssl_get_server_send_cert(s)) == NULL) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return (0);

}

@@ -2857,8 +2776,7 @@ ssl3_get_next_proto(SSL *s)

* extension in their ClientHello

if (!S3I(s)->next_proto_neg_seen) {

- SSLerror(

- SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);

+ SSLerror(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);

return (-1);

}

@@ -2874,8 +2792,7 @@ ssl3_get_next_proto(SSL *s)

* by ssl3_get_finished).

if (!S3I(s)->change_cipher_spec) {

- SSLerror(

- SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);

+ SSLerror(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);

return (-1);

}

@@ -2905,8 +2822,7 @@ ssl3_get_next_proto(SSL *s)

s->internal->next_proto_negotiated_len = 0;

if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

return (0);

}

s->internal->next_proto_negotiated_len = (uint8_t)len;

diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index f79219561a2..2ee521b0730 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: t1_enc.c,v 1.94 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: t1_enc.c,v 1.95 2017/01/26 12:16:13 beck Exp $ */

@@ -228,8 +228,7 @@ tls1_digest_cached_records(SSL *s)

}

hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);

if (hdatalen <= 0) {

- SSLerror(

- SSL_R_BAD_HANDSHAKE_LENGTH);

+ SSLerror(SSL_R_BAD_HANDSHAKE_LENGTH);

goto err;

}

@@ -240,8 +239,7 @@ tls1_digest_cached_records(SSL *s)

S3I(s)->handshake_dgst[i] = EVP_MD_CTX_create();

if (S3I(s)->handshake_dgst[i] == NULL) {

- SSLerror(

- ERR_R_MALLOC_FAILURE);

+ SSLerror(ERR_R_MALLOC_FAILURE);

goto err;

}

if (!EVP_DigestInit_ex(S3I(s)->handshake_dgst[i], md, NULL)) {

@@ -385,8 +383,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,

count++;

}

if (count == 0) {

- SSLerror(

- SSL_R_SSL_HANDSHAKE_FAILURE);

+ SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);

goto err;

}

len = slen / count;

@@ -397,8 +394,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,

for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {

if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) {

if (!md) {

- SSLerror(

- SSL_R_UNSUPPORTED_DIGEST_TYPE);

+ SSLerror(SSL_R_UNSUPPORTED_DIGEST_TYPE);

goto err;

}

if (!tls1_P_hash(md , S1, len + (slen&1), seed1,

@@ -474,8 +470,7 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,

EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))

return (0);

if (iv_len > sizeof(aead_ctx->fixed_nonce)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return (0);

}

memcpy(aead_ctx->fixed_nonce, iv, iv_len);

@@ -491,15 +486,13 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,

if (aead_ctx->xor_fixed_nonce) {

if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||

aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return (0);

}

} else {

if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=

EVP_AEAD_nonce_length(aead)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return (0);

}

@@ -736,8 +729,7 @@ tls1_setup_key_block(SSL *s)

if (s->session->cipher &&

(s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) {

if (!ssl_cipher_get_evp_aead(s->session, &aead)) {

- SSLerror(

- SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

+ SSLerror(SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

return (0);

}

key_len = EVP_AEAD_key_length(aead);

@@ -745,8 +737,7 @@ tls1_setup_key_block(SSL *s)

} else {

if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type,

&mac_secret_size)) {

- SSLerror(

- SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

+ SSLerror(SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

return (0);

}

key_len = EVP_CIPHER_key_length(cipher);

@@ -1345,8 +1336,7 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,

goto ret;

err1:

- SSLerror(

- SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);

+ SSLerror(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);

rv = 0;

goto ret;

err2:

diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index b3e86c0a31b..2e9d31112db 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: t1_lib.c,v 1.113 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: t1_lib.c,v 1.114 2017/01/26 12:16:13 beck Exp $ */

@@ -742,8 +742,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

int el;

if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -754,8 +753,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

s2n(el, ret);

if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -780,8 +778,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

if (formatslen > lenmax)

return NULL;

if (formatslen > 255) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -803,8 +800,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

if (curveslen * 2 > lenmax)

return NULL;

if (curveslen * 2 > 65532) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -946,8 +942,7 @@ skip_ext:

s2n(el, ret);

if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

ret += el;

@@ -1025,8 +1020,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

int el;

if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -1037,8 +1031,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

s2n(el, ret);

if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -1061,8 +1054,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

if (formatslen > lenmax)

return NULL;

if (formatslen > 255) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

@@ -1108,8 +1100,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)

s2n(el, ret);

if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {

- SSLerror(

- ERR_R_INTERNAL_ERROR);

+ SSLerror(ERR_R_INTERNAL_ERROR);

return NULL;

}

ret += el;

@@ -1627,8 +1618,7 @@ ri_check:

if (!renegotiate_seen && s->internal->renegotiate) {

*al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

+ SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

return 0;

}

@@ -1880,8 +1870,7 @@ ri_check:

if (!renegotiate_seen &&

!(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {

*al = SSL_AD_HANDSHAKE_FAILURE;

- SSLerror(

- SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

+ SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);

return 0;

}

diff --git a/lib/libssl/t1_reneg.c b/lib/libssl/t1_reneg.c
index ea432554b0e..596b96edd3e 100644
--- a/lib/libssl/t1_reneg.c
+++ b/lib/libssl/t1_reneg.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: t1_reneg.c,v 1.13 2017/01/26 10:40:21 beck Exp $ */

+/* $OpenBSD: t1_reneg.c,v 1.14 2017/01/26 12:16:13 beck Exp $ */

@@ -123,8 +123,7 @@ ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,

{

if (p) {

if ((S3I(s)->previous_client_finished_len + 1) > maxlen) {

- SSLerror(

- SSL_R_RENEGOTIATE_EXT_TOO_LONG);

+ SSLerror(SSL_R_RENEGOTIATE_EXT_TOO_LONG);

return 0;

}

@@ -151,8 +150,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,

CBS cbs, reneg;

if (len < 0) {

- SSLerror(

- SSL_R_RENEGOTIATION_ENCODING_ERR);

+ SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);

*al = SSL_AD_ILLEGAL_PARAMETER;

return 0;

}

@@ -161,24 +159,21 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,

if (!CBS_get_u8_length_prefixed(&cbs, &reneg) ||

/* Consistency check */

CBS_len(&cbs) != 0) {

- SSLerror(

- SSL_R_RENEGOTIATION_ENCODING_ERR);

+ SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);

*al = SSL_AD_ILLEGAL_PARAMETER;

return 0;

}

/* Check that the extension matches */

if (CBS_len(&reneg) != S3I(s)->previous_client_finished_len) {

- SSLerror(

- SSL_R_RENEGOTIATION_MISMATCH);

+ SSLerror(SSL_R_RENEGOTIATION_MISMATCH);

*al = SSL_AD_HANDSHAKE_FAILURE;

return 0;

}

if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,

S3I(s)->previous_client_finished_len)) {

- SSLerror(

- SSL_R_RENEGOTIATION_MISMATCH);

+ SSLerror(SSL_R_RENEGOTIATION_MISMATCH);

*al = SSL_AD_HANDSHAKE_FAILURE;

return 0;

}

@@ -196,8 +191,7 @@ ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,

if (p) {

if ((S3I(s)->previous_client_finished_len +

S3I(s)->previous_server_finished_len + 1) > maxlen) {

- SSLerror(

- SSL_R_RENEGOTIATE_EXT_TOO_LONG);

+ SSLerror(SSL_R_RENEGOTIATE_EXT_TOO_LONG);

return 0;

}

@@ -235,8 +229,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i

OPENSSL_assert(!expected_len || S3I(s)->previous_server_finished_len);

if (len < 0) {

- SSLerror(

- SSL_R_RENEGOTIATION_ENCODING_ERR);

+ SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);

*al = SSL_AD_ILLEGAL_PARAMETER;

return 0;

}

@@ -246,8 +239,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i

if (!CBS_get_u8_length_prefixed(&cbs, &reneg) ||

/* Consistency check */

CBS_len(&cbs) != 0) {

- SSLerror(

- SSL_R_RENEGOTIATION_ENCODING_ERR);

+ SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);

*al = SSL_AD_ILLEGAL_PARAMETER;

return 0;

}

@@ -259,23 +251,20 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i

!CBS_get_bytes(&reneg, &previous_server,

S3I(s)->previous_server_finished_len) ||

CBS_len(&reneg) != 0) {

- SSLerror(

- SSL_R_RENEGOTIATION_MISMATCH);

+ SSLerror(SSL_R_RENEGOTIATION_MISMATCH);

*al = SSL_AD_HANDSHAKE_FAILURE;

return 0;

}

if (!CBS_mem_equal(&previous_client, S3I(s)->previous_client_finished,

CBS_len(&previous_client))) {

- SSLerror(

- SSL_R_RENEGOTIATION_MISMATCH);

+ SSLerror(SSL_R_RENEGOTIATION_MISMATCH);

*al = SSL_AD_HANDSHAKE_FAILURE;

return 0;

}

if (!CBS_mem_equal(&previous_server, S3I(s)->previous_server_finished,

CBS_len(&previous_server))) {

- SSLerror(

- SSL_R_RENEGOTIATION_MISMATCH);

+ SSLerror(SSL_R_RENEGOTIATION_MISMATCH);

*al = SSL_AD_ILLEGAL_PARAMETER;

return 0;

}